What is privilege escalation in one sentence?

Privilege escalation is when an attacker turns a limited level of access into a higher one, gaining rights they were never supposed to have.

What is the difference between vertical and horizontal privilege escalation?

Vertical escalation gains higher-level rights, such as a standard user becoming an administrator. Horizontal escalation moves sideways to another user's account at the same level to access their data.

How does privilege escalation happen in web apps?

Commonly through broken access control — missing authorization checks, insecure direct object references that let a user request another user's records, or hidden admin functions reachable by changing a parameter.

Why is privilege escalation so important to attackers?

An initial foothold is usually low-privilege and limited. Escalation is the step that converts it into the access needed to steal data, move laterally, or take over an entire environment.

How do you prevent privilege escalation?

Enforce least privilege, check authorization on every request server-side, patch promptly, separate duties, and monitor for unusual privilege use. Limiting standing privilege limits how far any single compromise can go.

Glossary · Security

What is Privilege Escalation?

Privilege escalation is the step where an attacker takes a small amount of access and turns it into a lot. Almost no breach starts with full control — it starts with a single low-privilege foothold, like one phished employee account. Escalation is the move that converts that toehold into administrator rights, domain control, or another user's data. It is the difference between a contained incident and a catastrophe.

Two directions

Escalation moves up or sideways. Vertical privilege escalation gains a higher tier of rights — a standard user becoming an administrator, a low-level service account gaining root, an ordinary application user reaching admin functions. Horizontal privilege escalation stays at the same level but jumps to a different account: accessing another customer's records, another tenant's data, another employee's mailbox. Both violate the same principle — a subject ends up able to do something it was never authorized to do — and in practice attackers chain the two, hopping sideways to find an account with a clearer path up.

In web applications

At the application layer, escalation almost always traces back to broken access control — the category that now tops the OWASP Top 10. The classic shape is an insecure direct object reference: the app trusts an ID in the request, so changing /invoice/123 to /invoice/124 returns someone else's invoice. Close cousins include admin endpoints that are hidden in the UI but not actually protected on the server, role checks done only in the browser, and mass-assignment bugs that let a user set their own role field. The common thread: authorization that is assumed rather than enforced on every request.

In systems and networks

On hosts and networks the toolkit differs but the goal is identical. Attackers exploit unpatched local vulnerabilities, abuse misconfigured permissions on files and services, harvest credentials cached in memory or config files, and ride over-privileged service accounts to expand reach. In Windows environments this is the heart of Active Directory attacks, where a foothold on one workstation is patiently leveraged into domain-administrator control. Each hop relies on some standing privilege that was broader than it needed to be — which is exactly the surface defenders can shrink.

How to limit it

The master principle is least privilege: every user, service, and process gets the minimum rights it needs and nothing more, so a compromise yields little. In applications, enforce authorization on the server for every request and never trust an identifier or a role sent by the client. Separate duties so no single account can both approve and execute sensitive actions. Patch promptly to close the local flaws used for vertical escalation. And monitor for the signature of escalation in progress — an account suddenly using rights it never has before. You cannot always stop the first foothold, but you can make escalation hard.

At QUANT LAB

Privilege escalation is the core of what our offensive work measures. A penetration test assumes a foothold and asks the question that matters most: how far can it go? In web app testing we hammer access control — swapping IDs, calling hidden admin routes, and tampering with role fields. In Active Directory assessments we map the path from a single workstation to domain dominance. On the build side, the systems we ship default to least privilege and server-side authorization on every request, so a stolen low-level account stays a low-level problem.

The link to the rest of the kill chain

Escalation rarely stands alone. It is the bridge between the initial access an attacker gets — through social engineering, a stolen credential, or an exploited bug — and the objective, whether that is data theft or detonating ransomware across a network. That is why limiting standing privilege pays off so broadly: it does not just stop one technique, it severs the middle of nearly every intrusion. Cut the escalation step and many attacks stall out with nothing to show for the foothold.

Long-form deep-dives that use this term

All posts

Related terms

How far would a foothold get in your environment?

We test the escalation path from a single account to full control and build for least privilege by default. Book a 30-minute call.

Active Directory pentest