🚀 Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

Token Horizontal Privilege Escalation

Horizontal Privilege Escalation happen when a user can access another users resources. Usually this vulnerability is exploited by tampering with the user identifier in the token.

Remediation

  • Do not use easily guessable or public user identifier
  • Check the authenticated session is authorised to access a requested resource

Metadata

  • Severity: high
  • Slug: token-horizontal-privilege-escalation

CWEs

  • 639: Authorization Bypass Through User-Controlled Key
  • 266: Incorrect Privilege Assignment

OWASP

  • A01:2021: Broken Access Control
  • A04:2021: Insecure Design
  • A07:2021: Identification and Authentication Failures

Available Labs

Open Csharp labs in SecDim Play for this vulnerability.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing — fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.