DEV Community

Golam_Mostafa
Golam_Mostafa

Posted on

Horizontal privilege escalation

What is Horizontal Privilege Escalation?

Horizontal privilege escalation is when a user can see another user’s data that they shouldn’t have access to. For example, if you can view your account but change the URL to see someone else’s account, that’s a security problem called Insecure Direct Object Reference (IDOR).

Example of IDOR

Say your account page has this URL:

https://example.com/myaccount?id=123
Enter fullscreen mode Exit fullscreen mode

If someone changes id=123 to a different number, they could accidentally see another user’s account. This happens because the website isn’t protecting users’ data properly.

How Some Sites Try to Prevent It

Websites sometimes use special codes, like long GUIDs instead of numbers, to make guessing harder. But even these codes can show up in other parts of the website, like messages or comments, where they can be misused.

Horizontal privilege escalation exposes private data and shows why websites need strong security controls to protect each user’s information.


Acknowledgment: This document references information from PortSwigger Web Security and ChatGPT.


Top comments (0)