Privilege escalation means finding a way to access resources belonging to another user on a system. It is one of the primary methods that black-hat hackers use to expand their attacks and gain access to more resources and assets, making it a crucial concept in cybersecurity.
Privilege escalation is especially important for web application security because web vulnerabilities are usually the first vector of a complex cyberattack. Malicious hackers often start by exploiting a web vulnerability to gain basic access to certain resources and then continue with privilege escalation attacks to get more permissions and control.
As a result of privilege escalation, an attacker may be able to gain unauthorized access to sensitive data and perform many malicious activities such as installing malware (e.g. ransomware), introducing malicious code (e.g. a web shell), or even completely hijacking one or many computer systems.
There are two types of privilege escalation techniques: horizontal privilege escalation, where the attacker gains access to resources of another user who has the same level of privileges (for example, another customer's account), and vertical privilege escalation, where the attacker gains higher privileges than the account they started with (for example, an administrator or root account).
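The two types are easiest to see in code. The following is an added example, not code from the original article or from any real application: a toy backend with an in-memory "database", two roles ("sales" and "admin") and four handlers. The two vulnerable handlers allow a sales representative to read another representative's invoice (horizontal) and to promote their own account to admin (vertical); the two hardened handlers add the object-level and function-level authorization checks that stop both. The data, role names and handler names are assumptions made for this example.

```python
"""Horizontal vs vertical privilege escalation in a toy web backend.

Added illustration, not code from the original article or any real product.
The in-memory "database", the roles "sales"/"admin" and the handler names
are assumptions made for this example.
"""
from dataclasses import dataclass


class AuthError(Exception):
    """Raised when the caller is not allowed to perform the requested action."""


@dataclass
class User:
    id: int
    role: str  # "sales" or "admin"


def make_db() -> dict:
    """Constructed sample data: two sales reps, one admin, one invoice each."""
    return {
        "users": {1: User(1, "sales"), 2: User(2, "sales"), 3: User(3, "admin")},
        # invoice_id -> (owner_user_id, amount)
        "invoices": {100: (1, 1250.0), 200: (2, 9800.0)},
    }


# ---- Vulnerable handlers -------------------------------------------------

def get_invoice_vulnerable(db: dict, caller: User, invoice_id: int) -> float:
    """Horizontal escalation (an IDOR): the caller is authenticated, but the
    handler never checks who owns the invoice, so any sales rep can read any
    other rep's invoice just by changing the id in the request."""
    _owner, amount = db["invoices"][invoice_id]
    return amount


def set_role_vulnerable(db: dict, caller: User, target_id: int, role: str) -> str:
    """Vertical escalation: an admin-only operation that never verifies the
    caller's role, so a sales rep can promote their own account to admin."""
    db["users"][target_id].role = role
    return db["users"][target_id].role


# ---- Hardened handlers ---------------------------------------------------

def get_invoice(db: dict, caller: User, invoice_id: int) -> float:
    """Object-level authorization: the caller must own the record. Letting
    admins read everything is a policy choice made for this example."""
    owner, amount = db["invoices"][invoice_id]
    if caller.role != "admin" and owner != caller.id:
        raise AuthError(f"user {caller.id} may not read invoice {invoice_id}")
    return amount


def set_role(db: dict, caller: User, target_id: int, role: str) -> str:
    """Function-level authorization: only an admin may change roles. The role
    comes from the server-side session (the User object), never from a
    client-supplied field, and the new value is validated."""
    if caller.role != "admin":
        raise AuthError(f"user {caller.id} is not an admin")
    if role not in ("sales", "admin"):
        raise ValueError(f"unknown role {role!r}")
    db["users"][target_id].role = role
    return role


def demo() -> dict:
    """Run both attacks against both versions and report the outcome."""
    results = {}

    # Horizontal: sales rep 1 asks for invoice 200, which belongs to rep 2.
    db = make_db()
    rep = db["users"][1]
    results["idor_vulnerable"] = get_invoice_vulnerable(db, rep, 200)
    try:
        get_invoice(db, rep, 200)
        results["idor_hardened"] = "allowed"
    except AuthError:
        results["idor_hardened"] = "denied"

    # Vertical: sales rep 1 tries to make their own account an admin.
    db = make_db()
    rep = db["users"][1]
    results["role_vulnerable"] = set_role_vulnerable(db, rep, 1, "admin")
    db = make_db()  # fresh copy so the hardened check sees a plain sales rep
    rep = db["users"][1]
    try:
        set_role(db, rep, 1, "admin")
        results["role_hardened"] = "allowed"
    except AuthError:
        results["role_hardened"] = "denied"

    # Sanity check: a real admin can still change roles after hardening.
    results["admin_can_set_role"] = set_role(db, db["users"][3], 1, "admin")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the vulnerable handlers returning the other rep's invoice amount and the string "admin" for the attacker's own account, while the hardened handlers raise `AuthError` for both attempts and still allow the legitimate admin to change roles. The point of the design is that every check is made against state the server controls (the session's `User` object and the record's owner), not against anything the client sends.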
Privilege escalation may be possible for a number of reasons, including:
The following is an example of a complex attack that includes privilege escalation.
As you can see, the attacker started by gaining the privileges of a sales representative’s user account with very limited capabilities. However, by continuing with other attacks, the attacker was able to elevate privileges to a higher level, first getting access to a privileged account and eventually gaining complete control of the system.
Detecting privilege escalation while it happens is very difficult because the attacker often performs actions that are indistinguishable from those of a regular user. Intrusion detection and prevention systems (IDS/IPS) may catch some attempts in real time, but many privilege escalation attempts can only be traced back later through detailed log analysis.
In the case of sensitive systems, you could set up alerts for every logon to an administrative account or for every use of sudo or a similar command, but depending on how the system is used, you are likely to get a lot of false positives.
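One way to keep such alerts useful is to alert on the unusual subset rather than on every `sudo` or administrative logon: a service account invoking `sudo`, `sudo` without a terminal, an interactive root shell, or a direct root logon over SSH. The following is an added example, not code from the original article: it runs those rules over a few constructed `/var/log/auth.log` lines (hosts, users and addresses are made up), and the policy sets `ADMIN_USERS`, `SERVICE_ACCOUNTS` and `SHELLS` are assumptions that would be tuned per system. Routine administration by an allow-listed user produces no finding.

```python
"""Triage /var/log/auth.log for privilege escalation indicators.

Added illustration, not code from the original article. The log lines
below are constructed for this example (hosts, users and addresses are
made up) and the policy sets ADMIN_USERS / SERVICE_ACCOUNTS / SHELLS are
assumptions that would be tuned per system.
"""
import re
from dataclasses import dataclass

# Constructed sample: two routine admin actions, a direct root SSH logon in
# the middle of the night, and a web server account spawning a root shell.
SAMPLE_LOG = """\
Mar  3 09:12:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:15:44 web01 sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 51422 ssh2
Mar  3 02:47:13 web01 sshd[3120]: Accepted password for root from 203.0.113.7 port 40021 ssh2
Mar  3 02:48:02 web01 sudo: www-data : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/bin/bash
Mar  3 02:49:30 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get update
"""

# Assumed site policy (tune per system).
ADMIN_USERS = {"alice", "bob"}                          # expected to use sudo
SERVICE_ACCOUNTS = {"www-data", "nginx", "postgres"}    # must never gain a shell
SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/usr/bin/bash"}

# Standard sudo and sshd syslog formats.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=\S+ ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)
SSH_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port"
)


@dataclass
class Finding:
    line: str
    reason: str


def analyse_line(line: str) -> list:
    """Return the reasons (possibly none) a single log line is suspicious.
    Allow-listed users on a real TTY running non-shell commands produce no
    finding, which is what keeps the false-positive rate manageable."""
    reasons = []
    m = SUDO_RE.search(line)
    if m:
        user, tty, target = m["user"], m["tty"], m["target"]
        cmd = m["cmd"].strip()
        program = (cmd.split() or [""])[0]
        if user in SERVICE_ACCOUNTS:
            reasons.append(f"sudo invoked by service account {user}")
        elif user not in ADMIN_USERS:
            reasons.append(f"sudo invoked by non-admin user {user}")
        if tty == "unknown":
            reasons.append("sudo without a terminal (typical of web shells and scripts)")
        if target == "root" and program in SHELLS:
            reasons.append(f"interactive root shell via sudo: {cmd}")
        return reasons
    m = SSH_RE.search(line)
    if m and m["user"] == "root":
        reasons.append(f"direct root logon over SSH ({m['method']}) from {m['src']}")
    return reasons


def analyse(log_text: str) -> list:
    """Run analyse_line over every line and collect Finding records."""
    return [Finding(line, reason)
            for line in log_text.splitlines()
            for reason in analyse_line(line)]


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"ALERT: {f.reason}\n    {f.line}")
```

On the sample above, the two routine `sudo` calls by alice and bob and alice's key-based logon produce nothing, the root SSH logon produces one finding, and the `www-data` line produces three (service account, no terminal, root shell), which is the web-shell-to-root pattern the article's attack scenario describes. In practice the allow-lists would be generated from the system's actual user and service inventory rather than hard-coded.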
Since privilege escalation is not a specific type of vulnerability but rather a typical chain of events resulting from several successful exploits, eliminating the underlying security weaknesses is the only effective way to prevent privilege escalation vulnerabilities. However, you must be aware that completely preventing privilege escalation is next to impossible in practice because it would require you to address every single weakness in the IT system.
To prevent privilege escalation:
To mitigate the impact of privilege escalation, you should harden your systems to make it more difficult for attackers to escalate even if vulnerabilities are not yet fixed. Here are a few approaches that help:
Privilege escalation means finding a way to access resources belonging to another user or process on a system. Vertical privilege escalation, also called privilege elevation, happens when the target user has higher privileges than the account the attacker currently controls, most often administrative privileges. Privilege elevation is much more common than horizontal privilege escalation because it is more advantageous to the attacker.
Learn more about why privilege escalation is an important concept.
Privilege escalation is one of the primary methods that black-hat hackers use to expand their attacks and gain access to more resources and assets, making it a crucial concept in cybersecurity. Through privilege escalation, an attacker might start from a simple web vulnerability and escalate to eventually gain full control over the web server.
Find out more about the Capital One attack caused by SSRF with privilege escalation.
The only effective way of preventing privilege escalation is to eliminate security weaknesses that could allow it. In practice, completely eliminating the risk of privilege escalation is next to impossible because you would have to find and address every single security weakness. The best practice to minimize risk is to run regular security tests using tools such as DAST vulnerability scanners.