How to Exploit Horizontal Privilege Escalation: From Parameter Tampering to XSS

This article walks through a full horizontal privilege escalation attack, showing how altering POST data, REST‑style URLs, and cookie fields can grant unauthorized view, edit, and delete rights, and how to amplify the impact with self‑XSS and CSRF techniques.

MaGe Linux Operations

Modify POST parameters to achieve unauthorized view and delete.

Alter REST‑style path parameters to perform unauthorized modifications.

Change cookie fields to bypass login and gain unauthenticated access.

Inject XSS payloads during unauthorized edits to steal full cookies.

0x01 Unauthorized View and Delete

Register, log in, and enter the personal center. After a round of haphazard testing, it turned out that modifying parameters allowed unauthorized viewing or editing of any user's profile. The education-history section is used here as the example.

1. Create a record, then modify it.

2. Intercept and replay the request; the infoId parameter references the record, and the response returns the user's information and opens edit mode.

3. Changing infoId makes the server return other users' data; a delete request with a modified POST parameter likewise removes arbitrary users' records.

4. Edit personal self‑evaluation; the infoId appears in the path and can be altered to affect other accounts.

5. Changes are saved and visible when refreshing the target account.

6. The server accepts the REST‑style path parameter without verifying that the referenced object belongs to the logged‑in user, which is the root cause of this vulnerability. Reference: https://blog.csdn.net/weixin_44750790/article/details/118195473
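As an added example (not code from the article or from the application it tests), the following Python sketch contrasts the root cause above, a handler that resolves any client‑supplied infoId without checking its owner, with a hardened version that derives the acting user from a server‑side session rather than from a client‑editable cookie field and scopes every read, update, and delete to that owner. The record store, session tokens, and the second user id 5160398 are constructed for illustration; 5160397 is the id quoted later in the article.

```python
from dataclasses import dataclass

@dataclass
class EducationRecord:
    info_id: int
    owner_id: int
    school: str

# Constructed sample data: two users, each owning one education record.
RECORDS = {
    101: EducationRecord(101, owner_id=5160397, school="Alice University"),
    102: EducationRecord(102, owner_id=5160398, school="Bob College"),
}

# Server-side session store: opaque token -> authenticated user id.
# The user id is never read from a cookie field the client can rewrite.
SESSIONS = {"tok-alice": 5160397, "tok-bob": 5160398}

class NotFound(Exception):
    """Raised for missing and foreign records alike, so responses do not leak existence."""

def view_vulnerable(info_id: int) -> EducationRecord:
    # Vulnerable pattern from the article: any infoId resolves, owner is never checked.
    return RECORDS[info_id]

def _current_user(session_token: str) -> int:
    if session_token not in SESSIONS:
        raise PermissionError("not authenticated")
    return SESSIONS[session_token]

def _owned_record(session_token: str, info_id: int) -> EducationRecord:
    # Single chokepoint: resolve the record, then require ownership by the session user.
    user_id = _current_user(session_token)
    record = RECORDS.get(info_id)
    if record is None or record.owner_id != user_id:
        raise NotFound(f"no record {info_id} for this user")
    return record

def view_hardened(session_token: str, info_id: int) -> EducationRecord:
    return _owned_record(session_token, info_id)

def update_hardened(session_token: str, info_id: int, school: str) -> EducationRecord:
    record = _owned_record(session_token, info_id)
    record.school = school
    return record

def delete_hardened(session_token: str, info_id: int) -> None:
    _owned_record(session_token, info_id)  # ownership check before mutation
    del RECORDS[info_id]
```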

0x02 Bypass Login Unauthorized Access

Despite all of the earlier steps, I still could not obtain sensitive information such as phone numbers and email addresses. It turned out that editing these basic details goes through a different flow, and digging them out led to the following section.

1. The preview request carries no obvious GET/POST parameters, so the object reference is not exposed there for direct tampering.

2. Using the control‑variable method, delete cookie fields one at a time to identify which one is actually checked; only career_id is required.

3. Decoding career_id reveals the user ID (e.g., 5160397).

4. Brute‑force other career_id values with Burp Intruder and retrieve other users' resumes.

5. Using the obtained ID, access and edit the victim's resume.

6. Replace the original cookie with the captured one to bypass login and perform unauthorized profile edits and deletions.

0x03 Leveraging Self‑XSS for Further Privilege

The proper privilege escalation more or less ends with the above; what follows is the "unorthodox" exploitation.

1. The personal‑center credential only validates career_id; other pages validate additional cookie fields.

2. The resume edit page contains a stored XSS (self‑XSS) vector.

3. By injecting an XSS payload during unauthorized resume edits, an attacker can combine privilege escalation with XSS.

In addition, it is not hard to see from the earlier request packets that these profile‑editing operations must also be vulnerable to CSRF. That gives another "CSRF + self‑XSS" combination. Then it is just a matter of waiting for the target to visit...

0x04 Summary

Use the control‑variable method: delete parameters or cookie fields one at a time to identify which ones are actually checked.

Obfuscate the identified parameters or cookie fields and test further.

Modify parameter or cookie values to perform unauthorized CRUD operations.

Combine privilege escalation with other vulnerabilities (e.g., XSS, CSRF) to increase impact.

Privilege escalation can also be tested with Burp plugins like Authz, though they mainly focus on view‑level bypasses.

Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
