E — Elevation of Privilege
Elevation of Privilege is when a user gains permissions they should not have. Authorization is the target.
What it means
A normal user reaches admin-only actions by abusing weak authorization, insecure defaults, or missing role checks.
Why it matters
Once privileges increase, attackers can change settings, access other users’ data, or take over the entire system.
How to mitigate
Enforce server-side authorization checks, follow least privilege, separate duties, and never trust roles coming from the client.
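As an added example (not part of the original lab page), the vulnerable pattern beside the hardened one for the /internal/ endpoint: the first handler trusts a role the client sends, the second derives the role from a server-side session. The role names, the X-Role header and the session store are assumptions, since the page does not name them.

```python
from dataclasses import dataclass
from enum import Enum

# Assumed role names: the lab says the RBAC enum has 3 roles but does not list them.
class Role(Enum):
    USER = "user"
    MODERATOR = "moderator"
    ADMIN = "admin"

# Constructed server-side session store: session id -> role fixed at login.
SESSIONS = {"sess-alice": Role.USER, "sess-root": Role.ADMIN}

# Path -> roles allowed to call it; /internal/ is the dev endpoint from the lab.
REQUIRED_ROLE = {"/internal/": {Role.ADMIN}}

@dataclass
class Request:
    path: str
    headers: dict
    cookies: dict

def handle_vulnerable(req: Request) -> int:
    """Insecure: the role comes from a client-controlled header (assumed X-Role)."""
    try:
        role = Role(req.headers.get("X-Role", "user"))
    except ValueError:
        return 400
    allowed = REQUIRED_ROLE.get(req.path, set(Role))
    return 200 if role in allowed else 403

def handle_hardened(req: Request) -> int:
    """Hardened: the role is looked up server-side from the session; client claims are ignored."""
    role = SESSIONS.get(req.cookies.get("session", ""))
    if role is None:
        return 401  # no valid session: not authenticated at all
    allowed = REQUIRED_ROLE.get(req.path, set(Role))
    return 200 if role in allowed else 403  # 403 is what a normal user should see on /internal/
```

The same request (a normal user's session plus a claimed admin header) returns 200 from the vulnerable handler and 403 from the hardened one.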
Find the Roles & Endpoint
Elevation of Privilege often starts with discovery. Inspect the page source and find what roles exist — and the internal dev endpoint.
- Find the RBAC roles enum (3 roles).
- Find the internal endpoint path.
Network Status Code
Go back to the landing page and visit /internal/.
Open DevTools → Network tab.
What HTTP status code do you see?