Privilege Escalation in Saas
How Privilege Escalation Manifests in Saas
Privilege escalation in Saas applications often stems from improper authorization checks that allow users to access resources or perform actions beyond their intended permissions. Unlike traditional web applications, Saas platforms frequently implement multi-tenant architectures where a single codebase serves multiple organizations, each with distinct permission boundaries.
The most common privilege escalation pattern in Saas involves Business Logic Flaws (BFLA), where the application fails to properly validate whether a user should access specific data or functionality. For example, a user might manipulate request parameters to access another organization's data, or exploit gaps in role-based access control (RBAC) implementations.
Consider this Saas-specific vulnerability pattern:
// Vulnerable Saas code - missing tenant validation
async function getUserData(userId, req) {
const user = await User.findById(userId);
return user;
}
// Attacker modifies userId parameter to access other tenants' data
const maliciousRequest = { userId: '5f3a2b1c9e7d4a2b1c3d5e6f' };
The critical flaw here is the absence of tenant isolation. A proper Saas implementation should verify that the requesting user belongs to the same organization as the target user:
// Secure Saas pattern - tenant validation
async function getUserData(userId, req) {
const user = await User.findById(userId);
// Verify tenant membership
if (user.organizationId !== req.user.organizationId) {
throw new Error('Unauthorized access to cross-tenant data');
}
return user;
}
Another Saas-specific escalation vector involves role inheritance chains. Many Saas platforms implement hierarchical roles where higher-level roles inherit permissions from lower ones. Attackers can exploit overly permissive role definitions:
// Vulnerable role inheritance
const roles = {
'member': ['read:own_data'],
'manager': ['read:own_data', 'read:team_data'],
'admin': ['read:own_data', 'read:team_data', 'read:organization_data'],
'super_admin': ['*'] // Dangerous wildcard
};
// Attacker gains super_admin through role manipulation
Feature flag exploitation represents another Saas-specific escalation method. When feature flags control access to premium functionality, insufficient validation can allow users to bypass subscription tiers:
// Vulnerable feature flag check
async function premiumFeature(req) {
const featureEnabled = await FeatureFlag.isEnabled('premium_export');
if (featureEnabled) {
return performExport();
}
throw new Error('Feature not available');
}
// Secure pattern with subscription validation
async function premiumFeature(req) {
const featureEnabled = await FeatureFlag.isEnabled('premium_export');
const hasSubscription = await Subscription.hasPremiumFeature(req.user.id);
if (featureEnabled && hasSubscription) {
return performExport();
}
throw new Error('Unauthorized or subscription required');
}
Saas-Specific Detection
Detecting privilege escalation in Saas applications requires examining both authentication flows and authorization boundaries. The key is identifying where tenant isolation breaks down and where role-based access controls are insufficiently enforced.
Manual detection involves testing for common Saas privilege escalation patterns:
# Test for IDOR (Insecure Direct Object Reference)
# Attempt to access other tenants' resources by modifying IDs
curl -X GET "https://api.yoursaas.com/v1/users/12345" \
-H "Authorization: Bearer $TOKEN" \
-H "X-Tenant-ID: $CURRENT_TENANT"
# Test for privilege escalation through role manipulation
curl -X POST "https://api.yoursaas.com/v1/admin/revoke" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"userId": "67890", "role": "admin"}'
Automated scanning with middleBrick provides systematic coverage of Saas-specific privilege escalation vectors. The scanner tests unauthenticated endpoints for privilege escalation vulnerabilities by attempting to access restricted functionality without proper authentication.
middleBrick's BFLA (Business Logic Flaws and Privilege Escalation) check specifically targets Saas applications by:
- Testing for missing tenant validation across all endpoints
- Attempting role escalation through parameter manipulation
- Verifying that feature flags are properly gated by subscription levels
- Checking for insecure direct object reference vulnerabilities
- Validating that administrative functions require appropriate privileges
The scanner examines API responses for indicators of privilege escalation, such as:
{
"endpoint": "/api/v1/organizations/{orgId}/users",
"test_case": "tenant_isolation_failure",
"vulnerability": "BOLA",
"severity": "high",
"remediation": "Implement tenant validation middleware to verify organization membership before data access"
}
For Saas applications using OpenAPI specifications, middleBrick can analyze the spec to identify potential privilege escalation vectors before runtime testing. The tool resolves all $ref references to understand the complete API surface and maps role-based access controls defined in the spec against actual implementation.
Continuous monitoring through the Pro plan helps detect when privilege escalation vulnerabilities are introduced during development. The scanner can be integrated into CI/CD pipelines to fail builds when new endpoints lack proper authorization checks.
Saas-Specific Remediation
Remediating privilege escalation in Saas applications requires implementing robust tenant isolation and comprehensive authorization controls. The foundation is a middleware layer that validates every request against the user's permissions and tenant membership.
Tenant isolation middleware for Saas:
// Tenant isolation middleware
const tenantIsolationMiddleware = async (req, res, next) => {
const { userId } = req.user;
const { organizationId } = await User.findById(userId);
// Store tenant context for downstream use
req.tenant = { organizationId };
// Validate that requested resource belongs to tenant
if (req.params.organizationId && req.params.organizationId !== organizationId) {
return res.status(403).json({
error: 'Cross-tenant access forbidden',
code: 'TENANT_ISOLATION_VIOLATION'
});
}
next();
};
// Apply middleware to all routes
app.use(tenantIsolationMiddleware);
Role-based access control implementation for Saas:
// RBAC with tenant-aware permissions
class RBAC {
constructor() {
this.permissions = {
'member': ['read:own_data', 'update:own_profile'],
'manager': ['read:own_data', 'read:team_data', 'update:team_profile'],
'admin': ['read:organization_data', 'manage:users', 'configure:settings'],
'owner': ['*'] // Full organization control
};
}
can(userRole, permission) {
const rolePermissions = this.permissions[userRole] || [];
return rolePermissions.includes(permission) || rolePermissions.includes('*');
}
authorize(user, requiredPermission, resourceTenantId) {
if (!this.can(user.role, requiredPermission)) {
throw new Error('Insufficient permissions');
}
// Additional tenant validation for cross-tenant operations
if (resourceTenantId && user.organizationId !== resourceTenantId) {
throw new Error('Cross-tenant operation forbidden');
}
}
}
// Usage in route handlers
async function updateUserData(req, res) {
const { userId } = req.params;
const rbac = new RBAC();
// Authorize user can update this specific user's data
rbac.authorize(req.user, 'update:user_data', req.tenant.organizationId);
// Verify user belongs to same organization
const targetUser = await User.findById(userId);
if (targetUser.organizationId !== req.tenant.organizationId) {
return res.status(403).json({ error: 'Cross-tenant update forbidden' });
}
// Proceed with update
await targetUser.update(req.body);
res.json({ success: true });
}
Feature flag security for Saas subscription tiers:
// Secure feature flag evaluation
class FeatureFlag {
static async isEnabled(featureName, userId) {
const user = await User.findById(userId);
const subscription = await Subscription.findByOrganizationId(user.organizationId);
// Check if feature is enabled and user has appropriate subscription
const featureConfig = await this.getFeatureConfig(featureName);
const isFeatureEnabled = featureConfig.enabled;
const hasAccess = subscription.hasFeature(featureName);
return isFeatureEnabled && hasAccess;
}
static async requireFeature(featureName, userId) {
const enabled = await this.isEnabled(featureName, userId);
if (!enabled) {
throw new Error(`Feature ${featureName} requires higher subscription tier`);
}
}
}
// Usage in route handlers
async function exportData(req, res) {
await FeatureFlag.requireFeature('premium_export', req.user.id);
// Premium export logic
const data = await performExport();
res.json(data);
}
Input validation to prevent parameter manipulation:
// Input validation middleware
const validateInput = (schema) => {
return (req, res, next) => {
const { error, value } = schema.validate(req.body);
if (error) {
return res.status(400).json({
error: 'Invalid input',
details: error.details
});
}
req.body = value;
next();
};
};
// Usage with privilege escalation prevention
const userUpdateSchema = Joi.object({
userId: Joi.string().required(),
role: Joi.string().valid('member', 'manager', 'admin').optional(),
organizationId: Joi.string().optional()
});
app.put('/users/:userId',
validateInput(userUpdateSchema),
async (req, res) => {
const { userId } = req.params;
const { role, organizationId } = req.body;
// Prevent privilege escalation through role manipulation
if (role && req.user.role !== 'admin') {
return res.status(403).json({ error: 'Role modification forbidden' });
}
// Prevent cross-tenant operations
if (organizationId && organizationId !== req.tenant.organizationId) {
return res.status(403).json({ error: 'Cross-tenant operation forbidden' });
}
// Proceed with update
await User.update(userId, { role });
res.json({ success: true });
}
);