Engineering

Privilege Escalation Audit Prompt

Find the path from user to admin — audit for vertical and horizontal escalation: mass-assignment of roles, unchecked elevation, and operations that trust client-supplied privilege.

Overview

Privilege escalation is when a normal user becomes more than they should be — by setting their own role in a form, hitting an admin route that forgot its check, or editing a record they horizontally shouldn't reach. This prompt audits for both vertical (user→admin) and horizontal (user→other user) escalation, focusing on the places privilege is assigned, changed, or assumed.

Why This Works

Tracing escalation paths (from→to→via) makes findings concrete and fixable
Mass-assignment of roles is a common, severe, and easily-missed bug
Covering indirect/chained paths catches escalation no single-endpoint review would

Best for

Apps with roles, admin panels, or tiered privilege
Code that assigns or changes user permissions
Security review of privilege-sensitive flows

Not for

Designing the role model — use the RBAC Design Prompt
General broken-access-control — use the Authorization Review Prompt

Use cases

Auditing for user-to-admin escalation before launch
Checking role-assignment endpoints for over-grant
Finding mass-assignment that lets users set their own privilege

Customize This Resource

Opens this resource in the related tool with the fields pre-filled. Customize role, tone, and behavior rules — then generate your prompt.

Prompt Template

ROLE
You are auditing code for privilege escalation paths — ways a user gains access beyond their intended level.

INPUT
[Paste the code: user/role models, the endpoints that assign or change privilege, and sensitive operations]

AUDIT FOR ESCALATION
1. MASS ASSIGNMENT: can a user set their own role, permissions, or tenant by including extra fields in a request the server trusts?
2. ELEVATION ENDPOINTS: every place privilege is granted or changed — is the actor authorized to grant it, and can they grant more than they hold?
3. UNCHECKED ADMIN PATHS: admin or privileged operations missing an authorization check.
4. HORIZONTAL: can a user act on another user's resources at the same privilege level (the IDOR-flavored escalation)?
5. TRUST OF CLIENT DATA: any privilege or role decision based on a value the client supplies rather than the server derives.
6. INDIRECT PATHS: chained operations where each is allowed but the sequence yields elevation (e.g. invite-self-as-admin).

SEVERITY
Tag [CRITICAL]/[MAJOR]/[MINOR]. Self-service role assignment and unchecked admin paths are CRITICAL.

OUTPUT
Findings by severity, each tracing the escalation path (from what, to what, via what). Findings only.

Related Resources

Explore more resources that work well with this one.

Related Tools

Code Review Prompt Generator

Tip: Save time by exploring related resources and tools that integrate with this workflow.

Explore all resources