What is Horizontal Privilege Escalation?
Horizontal privilege escalation is when a user at one privilege level can access the data of another user at that same level, data they shouldn’t have access to. For example, if you can view your own account but change the URL to see someone else’s account, that’s a security problem called Insecure Direct Object Reference (IDOR).
Example of IDOR
Say your account page has this URL:
https://example.com/myaccount?id=123
If someone changes id=123 to a different number, they could see another user’s account. This happens because the website only checks that the visitor is logged in; it doesn’t check that the requested account actually belongs to the logged-in user.
How Some Sites Try to Prevent It
Websites sometimes use unpredictable identifiers, like long GUIDs instead of sequential numbers, to make guessing harder. But an unguessable identifier is not an access control: those codes can still show up in other parts of the website, like messages or comments, and anyone who obtains one can use it in exactly the same way.
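To make the difference concrete, here is an added example (not code from the original post) of the account endpoint described above, written as a plain Python function so it runs without a web framework. The in-memory account table, the session store and the GUID value are all constructed for the demo. The vulnerable handler trusts the id from the URL after confirming only that the visitor is logged in; the fixed handler additionally checks that the record belongs to the authenticated user, and a second fix ignores the URL id altogether and looks the account up by session identity.

```python
# Added example, not from the original post: an IDOR-vulnerable account
# endpoint beside two hardened versions. Accounts, sessions and the GUID
# are constructed sample data.
import uuid
from dataclasses import dataclass


@dataclass
class Account:
    id: str
    owner_username: str
    email: str


# Constructed "database": the sequential ids from the page plus one
# GUID-style id, to show that an unguessable id alone does not help.
BOB_GUID = str(uuid.uuid5(uuid.NAMESPACE_DNS, "bob.example.test"))  # constructed
ACCOUNTS = {
    "123": Account("123", "alice", "alice@example.com"),
    "124": Account("124", "bob", "bob@example.com"),
    BOB_GUID: Account(BOB_GUID, "bob", "bob@example.com"),
}

# Constructed session store: session token -> authenticated username.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def authenticated_user(session_token):
    """Returns the username for a valid session, else raises Forbidden."""
    try:
        return SESSIONS[session_token]
    except KeyError:
        raise Forbidden("not logged in")


def myaccount_vulnerable(session_token, requested_id):
    """GET /myaccount?id=<requested_id> with an IDOR: the id from the URL
    is trusted and never compared to the logged-in user."""
    authenticated_user(session_token)  # proves login, not ownership
    account = ACCOUNTS.get(requested_id)
    if account is None:
        raise NotFound(requested_id)
    return account


def myaccount_fixed(session_token, requested_id):
    """Same endpoint with object-level authorization: the record is
    returned only if it belongs to the authenticated user."""
    user = authenticated_user(session_token)
    account = ACCOUNTS.get(requested_id)
    # One error for both "missing" and "not yours", so the response does
    # not confirm which ids exist.
    if account is None or account.owner_username != user:
        raise NotFound(requested_id)
    return account


def myaccount_scoped(session_token):
    """Alternative fix: ignore any id in the URL and look the account up
    by the session identity alone."""
    user = authenticated_user(session_token)
    for account in ACCOUNTS.values():
        if account.owner_username == user:
            return account
    raise NotFound(user)


def demo():
    """Shows which handlers let Alice read Bob's record."""
    results = {}
    # Alice supplies Bob's sequential id: the vulnerable handler obliges.
    results["vulnerable"] = myaccount_vulnerable("sess-alice", "124").owner_username
    # Alice supplies Bob's GUID (as if it leaked in a comment): same result.
    results["vulnerable_guid"] = myaccount_vulnerable("sess-alice", BOB_GUID).owner_username
    try:
        myaccount_fixed("sess-alice", "124")
        results["fixed"] = "leaked"
    except NotFound:
        results["fixed"] = "denied"
    # The scoped handler can only ever return Alice's own account.
    results["scoped"] = myaccount_scoped("sess-alice").owner_username
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the GUID row is that `myaccount_vulnerable` returns Bob's record just as readily for the GUID as for `124`; swapping the id format changes how hard the value is to guess, not whether the server checks ownership. The check in `myaccount_fixed` is the actual fix, and returning the same "not found" error for both a nonexistent id and someone else's id keeps the endpoint from revealing which ids are valid.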
Horizontal privilege escalation exposes private data and shows why websites need strong security controls to protect each user’s information.
Acknowledgment: This document references information from PortSwigger Web Security and ChatGPT.