원클릭으로
sc-privilege-escalation
Privilege escalation vector detection — role manipulation, admin bypass, and RBAC circumvention
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Privilege escalation vector detection — role manipulation, admin bypass, and RBAC circumvention
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Comprehensive AI-powered security scanning suite with 48 skills covering OWASP Top 10, 7 language-specific deep scanners (Go, TypeScript, Python, PHP, Rust, Java, C#), supply chain analysis, infrastructure-as-code scanning, and 3000+ checklist items. Use when you need to run a security audit, find vulnerabilities, scan a PR for security issues, or perform a penetration test on a codebase.
C#/.NET-specific security deep scan
Go-specific security deep scan
Java/Kotlin-specific security deep scan
PHP-specific security deep scan
Python-specific security deep scan
| name | sc-privilege-escalation |
| description | Privilege escalation vector detection — role manipulation, admin bypass, and RBAC circumvention |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
Detects privilege escalation vulnerabilities where users can elevate their access level by manipulating role claims, accessing unprotected admin endpoints, tampering with JWT role fields, bypassing RBAC checks, or exploiting default/test admin accounts. Focuses on the boundary between user roles and the mechanisms that enforce them.
Called by sc-orchestrator during Phase 2. Runs against applications with role-based access.
**/*auth*, **/*role*, **/*permission*, **/*admin*, **/*guard*,
**/*middleware*, **/*policy*, **/*rbac*, **/*acl*,
**/routes/*, **/controllers/*, **/*user*
"role", "isAdmin", "is_admin", "is_superuser", "is_staff",
"hasRole", "hasPermission", "admin", "moderator", "superuser",
"role_id", "user_type", "privilege", "grant", "permission_level"
1. Role Manipulation via Request Body:
// VULNERABLE: User can set their own role
app.post('/api/users', async (req, res) => {
const user = await User.create(req.body);
// If req.body = { name: "attacker", email: "...", role: "admin" }
// The attacker becomes admin!
});
// SAFE: Ignore role from request
app.post('/api/users', async (req, res) => {
const user = await User.create({
name: req.body.name,
email: req.body.email,
role: 'user' // Always set to default
});
});
2. JWT Role Claim Tampering:
# VULNERABLE: Trusting role from JWT without server-side verification
@app.route('/admin')
def admin_panel():
token = decode_jwt(request.headers['Authorization'])
if token['role'] == 'admin': # Role stored in JWT, client can forge!
return render_admin()
# SAFE: Check role from database, not JWT
@app.route('/admin')
@login_required
def admin_panel():
user = User.query.get(current_user.id)
if user.role != 'admin':
abort(403)
return render_admin()
3. Admin Endpoint Without Auth Middleware:
// VULNERABLE: Admin route without auth middleware
r.GET("/admin/users", handlers.ListAllUsers)
r.GET("/admin/settings", handlers.GetSettings)
// SAFE: Admin routes behind auth + role middleware
admin := r.Group("/admin")
admin.Use(authMiddleware, requireRole("admin"))
admin.GET("/users", handlers.ListAllUsers)
admin.GET("/settings", handlers.GetSettings)
4. Default Admin Accounts:
# VULNERABLE: Default admin in seed/migration
User.objects.create_superuser('admin', 'admin@example.com', 'admin123')
/admin/../user)?