How do I test for privilege escalation in bug bounty programs?

Create two accounts with different roles. Capture authenticated requests from the lower-privileged account and replay them with modified parameters, tokens, or role identifiers. Check if the application enforces authorization on every endpoint, not just the UI.

What tools help find privilege escalation bugs?

Burp Suite's Autorize extension automates access control testing by replaying requests with different session tokens. AuthMatrix helps test role-based access. For JWT-based apps, jwt_tool and jwt.io help identify claim tampering opportunities.

Privilege Escalation for Bug Bounty in 2026: How to Find Vertical and Horizontal Privesc in Real Targets

Q: What is the difference between vertical and horizontal privilege escalation?

Vertical privilege escalation means gaining higher-level access (e.g., user to admin). Horizontal privilege escalation means accessing another user's resources at the same privilege level (e.g., user A accessing user B's data).

Key Takeaways

Privilege escalation is consistently rated high/critical severity — it's one of the highest-paying bug classes in bounty programs
Most privesc bugs exist because authorization is enforced in the UI but not on the server — always test the API directly
Two-account testing (one low-priv, one high-priv) is the foundation of every privesc hunt
JWT claim tampering, IDOR-to-admin chains, and role parameter manipulation are the three most common vectors
Autorize (Burp extension) automates the tedious part — use it on every target with role-based access

Why Privilege Escalation Pays Well

Privilege escalation sits at the intersection of access control and business logic — two areas where automated scanners consistently fail. A scanner can find a reflected XSS in seconds, but it cannot understand that changing role=user to role=admin in a POST body grants full administrative access. That's why privesc bugs command high payouts: they require human reasoning, and they almost always have direct business impact.

In 2026, broken access control remains the #1 category in the OWASP Top 10. Programs on HackerOne and Bugcrowd routinely pay $1,000–$15,000+ for privilege escalation findings, depending on impact.

Vertical vs. Horizontal Privilege Escalation

Vertical privilege escalation means moving up the permission hierarchy — user to moderator, moderator to admin, admin to superadmin. These are typically critical severity because they give an attacker capabilities they were never intended to have.

Horizontal privilege escalation means accessing resources belonging to another user at the same privilege level — viewing another user's profile, modifying their settings, or reading their private data. These are typically high severity and often overlap with IDOR.

The most impactful findings chain both: start with horizontal access to discover an admin user's ID, then use that ID to escalate vertically.

The Two-Account Method

Every privilege escalation test starts with two accounts:

Account A — the highest-privilege role you can access (admin, manager, team lead)
Account B — the lowest-privilege role (free user, viewer, guest)

The workflow:

Log in as Account A and map every endpoint, action, and API call available to that role
Log in as Account B in a separate browser or Burp session
Replay Account A's requests using Account B's session token
Any request that succeeds is a privilege escalation bug

This sounds simple, and it is — but most hunters skip it because it's tedious. Autorize automates step 3.

Setting Up Autorize for Automated Testing

Autorize is a Burp Suite extension that replays every request with a lower-privileged session cookie automatically. Setup:

Install Autorize from the BApp Store
Log in as Account B (low-priv) and copy the session cookie
Paste the cookie into Autorize's configuration
Browse the application as Account A (high-priv)
Autorize replays every request with Account B's cookie and flags responses that match — meaning the low-priv user got the same data

Color coding: red = enforced (access denied), orange = possible bypass (similar response), green = confirmed bypass (identical response). Focus on the green and orange results.

Common Privilege Escalation Vectors

1. Role Parameter Manipulation

Some applications include the user's role in the request body during registration or profile updates:

POST /api/users/register
{"email": "user@example.com", "password": "...", "role": "user"}

Change "role": "user" to "role": "admin". If the server doesn't validate this server-side, you've just created an admin account. This is more common than you'd expect — especially in applications built with frameworks that auto-bind request parameters to database models (mass assignment).

2. JWT Claim Tampering

JWTs often contain role or permission claims in the payload:

{"sub": "12345", "role": "user", "iat": 1713000000}

Attack vectors:

Algorithm confusion — change "alg": "RS256" to "alg": "HS256" and sign with the public key
None algorithm — set "alg": "none" and remove the signature
Claim modification — change "role": "user" to "role": "admin" with a weak or known signing key
kid injection — manipulate the kid header to point to a file you control or to /dev/null

Use jwt_tool to automate these checks: python3 jwt_tool.py <token> -M at runs all known attack modes.

3. IDOR-to-Admin Chains

Sometimes you can't directly escalate your role, but you can access admin resources through predictable IDs:

Find an endpoint like GET /api/users/123/settings
Enumerate user IDs (often sequential) to find admin accounts
Access admin-specific endpoints using the discovered admin user ID
Modify admin settings, reset admin passwords, or extract admin API keys

4. Forced Browsing to Admin Panels

The UI hides admin links from regular users, but the endpoints still exist:

/admin, /admin/dashboard, /admin/users
/api/admin/settings, /api/internal/users
/graphql with admin mutations exposed

Use wordlists like SecLists' raft-medium-directories.txt with ffuf or feroxbuster. Then test each discovered endpoint with your low-priv session token.

5. HTTP Method Switching

Some applications enforce authorization on GET but not on PUT, POST, or DELETE for the same endpoint:

GET /api/users/456 → 403 Forbidden
PUT /api/users/456 → 200 OK (modifies the user)

Always test multiple HTTP methods on every endpoint you find.

6. Path Traversal in Authorization

Middleware that checks paths may be bypassable with path manipulation:

/api/admin/users → blocked
/api/./admin/users → allowed
/api/admin/./users → allowed
/api/v1/../admin/users → allowed
/API/ADMIN/USERS → allowed (case sensitivity mismatch)

Testing GraphQL for Privilege Escalation

GraphQL APIs are particularly prone to privesc because:

Introspection often reveals admin mutations that aren't exposed in the UI
Nested queries can traverse relationships to access unauthorized data
Batch queries can bypass rate limiting on authorization checks

Start with introspection: {"query": "{__schema{types{name,fields{name}}}}"}. Look for mutations like updateUserRole, deleteUser, adminSettings, or any field containing "admin", "role", "permission".

Multi-Step Escalation Chains

The highest-paying privesc bugs aren't single-step — they're chains. A realistic example:

Information disclosure — enumerate user IDs via a public API endpoint
Horizontal privesc — access another user's profile via IDOR
Discover admin user — find a user with "role": "admin" in the response
Password reset takeover — trigger a password reset for the admin account via an unprotected endpoint
Vertical privesc — log in as admin with the new password

Document every step with screenshots and HTTP request/response pairs. Chains that demonstrate full account takeover consistently receive critical severity ratings.

Proving Impact in Your Report

A privesc report that says "I can access admin endpoints" gets triaged as medium. A report that demonstrates concrete impact gets critical. Show:

What data you accessed — "I read 47 other users' PII including email addresses and billing info"
What actions you performed — "I modified another user's account settings" (with permission or on a test account)
The business impact — "An attacker could escalate to admin and export the entire user database"
Reproduction steps — exact HTTP requests with curl commands or Burp screenshots

Checklist: Privilege Escalation Testing

☐ Create accounts at every available role level
☐ Map all endpoints accessible to the highest-privilege role
☐ Set up Autorize with the lowest-privilege session cookie
☐ Browse as high-priv and review Autorize results
☐ Test role parameters in registration and profile update endpoints
☐ Check JWT claims for role/permission fields and test tampering
☐ Enumerate user IDs and test IDOR on admin-specific endpoints
☐ Fuzz for hidden admin paths with ffuf/feroxbuster
☐ Test HTTP method switching on all restricted endpoints
☐ Try path traversal bypasses on authorization middleware
☐ If GraphQL: run introspection and test admin mutations
☐ Document chains with full request/response evidence

Frequently Asked Questions

Do I need multiple accounts to test for privilege escalation?

Yes. Two accounts minimum — one high-privilege and one low-privilege. Some programs provide test accounts; others let you create multiple accounts. If the program only allows one account, you can still test by modifying your own role parameters and JWT claims, but two-account testing is far more thorough.

Is horizontal privilege escalation worth reporting?

Absolutely. Accessing another user's data is a privacy violation and typically rated high severity. If you can chain it into vertical escalation or account takeover, it becomes critical.

What's the difference between IDOR and privilege escalation?

IDOR (Insecure Direct Object Reference) is a specific vulnerability type where changing an object identifier gives you access to another user's resource. Privilege escalation is the broader impact — IDOR is often the mechanism that enables it. An IDOR that lets you access admin resources is a privilege escalation.