
Vertical Privilege Escalation

Medium
#privilege-escalation
#owasp-a01
#rbac

Overview

This lab demonstrates a vertical privilege escalation flaw: the profile API accepts a role value from the client and writes it to the database without any server-side authorization check (a mass assignment bug on a privileged field).

Scenario

You are a standard user. The application has an update-profile endpoint that accepts a JSON body. The body includes a role field, and the server stores whatever value is sent, without checking whether the caller is allowed to change their own role.

Exploit Steps

  1. Log in as a standard user and intercept the profile update request
  2. Observe that the JSON body includes a 'role' field set to 'user'
  3. Modify the 'role' field to 'admin' and resend the request
  4. Verify that your account now has admin privileges
routes/profile.js
// Vulnerable — accepts role from client
app.put('/api/profile', authenticate, (req, res) => {
  const { name, email, role } = req.body;
  
  // ❌ Role is directly taken from user input
  db.query(
    'UPDATE users SET name = ?, email = ?, role = ? WHERE id = ?',
    [name, email, role, req.user.id]
  );
  
  res.json({ message: 'Profile updated' });
});
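The exploit steps and the handler above, reproduced as an added example that is not the lab's own code: the vulnerable handler is rewritten as a plain function over an in-memory user table next to a hardened version that only accepts an allowlist of profile fields and moves role changes to a separate admin-only operation. The user table, the tampered request body and the helper names (makeUsers, vulnerableUpdateProfile, secureUpdateProfile, adminSetRole, runScenario) are constructed for this example so it runs without Express or a database.

```javascript
// Added example (not the lab's own code): the vulnerable handler from
// routes/profile.js re-implemented over an in-memory user table, next to a
// hardened version, so the escalation can be reproduced and checked offline.
// The user table, request bodies and helper names are constructed here.

const ALLOWED_ROLES = new Set(['user', 'admin']);

// Constructed user table standing in for the `users` SQL table.
function makeUsers() {
  return new Map([
    [1, { id: 1, name: 'Alice', email: 'alice@example.test', role: 'user' }],
    [2, { id: 2, name: 'Root', email: 'root@example.test', role: 'admin' }],
  ]);
}

// Vulnerable: mirrors the lab handler. Every field in the body, including
// `role`, is written to the row of the authenticated user.
function vulnerableUpdateProfile(users, authUser, body) {
  const { name, email, role } = body;
  const row = users.get(authUser.id);
  Object.assign(row, { name, email, role }); // role comes straight from the client
  return { message: 'Profile updated' };
}

// Hardened: the server decides which fields a self-service profile update may
// touch. `role` is never read from the body, so sending it has no effect.
const PROFILE_FIELDS = ['name', 'email'];

function secureUpdateProfile(users, authUser, body) {
  const row = users.get(authUser.id);
  const update = {};
  for (const field of PROFILE_FIELDS) {
    if (typeof body[field] === 'string') update[field] = body[field];
  }
  Object.assign(row, update);
  // Report unexpected fields so tampering attempts can be logged or alerted on.
  const ignored = Object.keys(body).filter((k) => !PROFILE_FIELDS.includes(k));
  return { message: 'Profile updated', ignoredFields: ignored };
}

// Role changes go through a separate operation whose authorization check reads
// the caller's role from server-side state, never from the request body.
function adminSetRole(users, authUser, targetId, role) {
  const actor = users.get(authUser.id);
  if (!actor || actor.role !== 'admin') {
    return { status: 403, error: 'admin role required' };
  }
  if (!ALLOWED_ROLES.has(role)) {
    return { status: 400, error: 'unknown role' };
  }
  const target = users.get(targetId);
  if (!target) return { status: 404, error: 'no such user' };
  target.role = role;
  return { status: 200, message: `role of user ${targetId} set to ${role}` };
}

// The intercepted-and-modified request body from the exploit steps (constructed).
const tamperedBody = { name: 'Alice', email: 'alice@example.test', role: 'admin' };

// Replay the attack against both handlers and report what happened to user 1.
function runScenario() {
  const vulnUsers = makeUsers();
  vulnerableUpdateProfile(vulnUsers, { id: 1 }, tamperedBody);
  const vulnerableRole = vulnUsers.get(1).role; // 'admin': escalation succeeded

  const safeUsers = makeUsers();
  secureUpdateProfile(safeUsers, { id: 1 }, tamperedBody);
  const secureRole = safeUsers.get(1).role; // 'user': role field was ignored

  // A standard user cannot use the admin operation to promote themselves...
  const selfPromote = adminSetRole(safeUsers, { id: 1 }, 1, 'admin'); // 403
  // ...but a real admin (user 2) can.
  const adminPromote = adminSetRole(safeUsers, { id: 2 }, 1, 'admin'); // 200

  return {
    vulnerableRole,
    secureRole,
    selfPromoteStatus: selfPromote.status,
    adminPromoteStatus: adminPromote.status,
    finalRole: safeUsers.get(1).role, // 'admin', set by user 2
  };
}

console.log(runScenario());
```

The fix is not input validation of the role value (rejecting values other than 'user' or 'admin' would still let the user pick 'admin'); it is never binding a privileged field from a self-service request, and checking the caller's stored role before any role change.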

This code contains a known vulnerability. Never deploy code like this in production. Use the Secure Mode toggle to see the remediation.