1 example

Privilege escalation

Unauthorized elevation of user privileges.

[ FAQ1 ]

What is privilege escalation?

Privilege escalation occurs when an attacker leverages security weaknesses or misconfigurations to elevate their permissions from lower-level access to more sensitive or administrative privileges. This typically involves exploiting bugs, insecure access controls, or flawed authorization mechanisms within applications or operating systems. Privilege escalation vulnerabilities enable attackers to access confidential data, modify protected resources, or even take complete control of systems, posing significant security risks.

[ FAQ2 ]

How to prevent privilege escalation

To prevent privilege escalation, implement strict access control measures adhering to the principle of least privilege, ensuring users and applications receive only the minimal permissions necessary. Regularly audit and update authorization mechanisms to verify that permissions are correctly configured and consistently enforced. Keep software and operating systems up to date to patch known vulnerabilities promptly. Employ security monitoring and logging to detect unusual privilege elevation attempts proactively. Training developers and administrators on secure configuration practices helps further reduce the risk of privilege escalation vulnerabilities.
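The authorization check described above, as an added example that is not part of the original page or of WebGoat: a hypothetical `UserService` with the unchecked save shape beside a guarded one, where the admin flag is decided from the authenticated caller's role rather than trusted from the submitted object (the `Caller` record and the in-memory map are stand-ins for a session principal and a database).

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

class UserService {
    private final Map<String, User> store = new HashMap<>(); // stand-in for the database table

    // Vulnerable shape: the admin flag is written exactly as the submitted User carries it.
    User saveUnchecked(User user) {
        store.put(user.username(), user);
        return user;
    }

    // Hardened shape: only an administrator may create an administrator, and the
    // stored flag is derived from the caller's role, never from the request input.
    User saveChecked(Caller caller, User requested) {
        if (requested.admin() && !caller.isAdmin()) {
            throw new SecurityException(caller.name() + " is not allowed to create admin accounts");
        }
        boolean admin = requested.admin() && caller.isAdmin();
        User user = new User(requested.username(), requested.password(), admin);
        store.put(user.username(), user);
        return user;
    }

    public static void main(String[] args) {
        UserService svc = new UserService();
        Caller guest = new Caller("guest", Set.of("USER"));
        Caller root = new Caller("root", Set.of("ADMIN"));
        // Constructed input: a self-registration request that sets admin=true.
        User req = new User("mallory", "pw", true);
        System.out.println("unchecked save: admin=" + svc.saveUnchecked(req).admin());
        System.out.println("checked save by root: admin=" + svc.saveChecked(root, req).admin());
        try {
            svc.saveChecked(guest, req);
        } catch (SecurityException e) {
            System.out.println("checked save by guest: " + e.getMessage());
        }
    }
}

// Hypothetical caller identity: name and roles come from the authenticated session.
record Caller(String name, Set<String> roles) {
    boolean isAdmin() { return roles.contains("ADMIN"); }
}

record User(String username, String password, boolean admin) {}
```

Run with `java UserService.java` (Java 16 or later, for records and the single-file launcher).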
diff block
+package org.owasp.webgoat.lessons.missingac;
+
+import java.util.List;
+import org.owasp.webgoat.container.LessonDataSource;
+import org.springframework.jdbc.core.RowMapper;
+import org.springframework.jdbc.core.namedparam.MapSqlParameterSource;
+import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;
+import org.springframework.stereotype.Component;
+import org.springframework.util.CollectionUtils;
+
+@Component
+public class MissingAccessControlUserRepository {
+
+ private final NamedParameterJdbcTemplate jdbcTemplate;
+ private final RowMapper<User> mapper =
+ (rs, rowNum) ->
+ new User(rs.getString("username"), rs.getString("password"), rs.getBoolean("admin"));
+
+ public MissingAccessControlUserRepository(LessonDataSource lessonDataSource) {
+ this.jdbcTemplate = new NamedParameterJdbcTemplate(lessonDataSource);
+ }
+
+ public List<User> findAllUsers() {
+ return jdbcTemplate.query("select username, password, admin from access_control_users", mapper);
+ }
+
+ public User findByUsername(String username) {
+ var users =
+ jdbcTemplate.query(
+ "select username, password, admin from access_control_users where username=:username",
+ new MapSqlParameterSource().addValue("username", username),
+ mapper);
+ if (CollectionUtils.isEmpty(users)) {
+ return null;
+ }
+ return users.get(0);
+ }
+
+ public User save(User user) {
+ jdbcTemplate.update(
+ "INSERT INTO access_control_users(username, password, admin)"
+ + " VALUES(:username,:password,:admin)",
+ new MapSqlParameterSource()
+ .addValue("username", user.getUsername())
+ .addValue("password", user.getPassword())
+ .addValue("admin", user.isAdmin()));
+ return user;
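Review bot: `save(User user)` writes `user.isAdmin()` straight into the `admin` column with no check on who is calling, so any code path that builds a `User` from request input can create an administrator; either drop `admin` from this INSERT and set it only from a separate, authorization-guarded method, or have the calling service verify the caller's role before reaching `save`. Separately, `findAllUsers()` and `findByUsername()` both select and return the `password` column, so credentials leave the repository in any listing or lookup; a projection without `password` (or a mapper that omits it) would limit that exposure.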
Greptile
greptile
logic: No validation on admin flag allows privilege escalation. Add authorization check to prevent regular users from creating admin accounts.