
Introduction
Love Letter Locker is a web-based challenge focused on IDOR (Insecure Direct Object Reference). While interacting with the application, I identified how predictable identifiers could be manipulated to access other users' letters.
Initial Reconnaissance
The room provides a direct entry point to the web application:

I started by navigating to the target in the browser to understand how the application behaves.

The landing page presents two basic options: account creation and login. Since no credentials were provided, I proceeded by creating a new account.

After registering successfully, I logged into the application.

Once inside, I landed on a dashboard that showed my letters along with a small hint:
"Every love letter gets a unique number in the archive. Numbers make everything easier to find."
It also displayed the total number of letters currently in the system.

Exploring Functionality
To understand how the application handles user data, I created a new letter.

The letter was created successfully, and I was able to open it.

To inspect things more closely, I opened the letter in a new tab and focused on the URL structure.

The URL contained a numeric identifier for the letter. Mine was assigned the number 3. That immediately stood out, especially considering the earlier hint about unique numbers.
Accessing Other Letters
At this point, I tested whether the application properly restricts access to other users' data. I modified the letter ID directly in the URL.
First, I switched from 3 to 2.

The application returned another letter without any restriction.
Next, I changed the ID to 1.

This time, I was able to access a different letter, which revealed the flag.
Flag
THM{1_c4n_r3ad_4ll_l3tters_w1th_th1s_1d0r}
Conclusion
This room demonstrates how predictable identifiers in web applications can expose sensitive data when proper access controls are missing: the application looked up a letter by its number alone and never verified that the requesting user was entitled to view it.
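To make the root cause concrete, here is an added example (my own illustration, not the room's code) that models the letter archive in plain Python: a sequential ID counter, a lookup that trusts the ID alone, and the hardened lookup that scopes the query to the authenticated user. The class and function names, the user names and the letter contents are all constructed for this demonstration.

```python
"""
Constructed model of a letter archive with sequential IDs, showing the
IDOR lookup beside its fixed form. Not the challenge's own code; every
name and value here is an assumption made for illustration.
"""
from dataclasses import dataclass, field
import secrets


class AccessDenied(Exception):
    """Raised when a user requests a letter they do not own."""


@dataclass
class Letter:
    letter_id: int
    owner: str
    body: str


@dataclass
class LetterArchive:
    # Sequential counter: the next ID is trivially guessable, exactly as
    # the hint "every love letter gets a unique number" suggests.
    _next_id: int = 1
    _letters: dict = field(default_factory=dict)

    def create(self, owner: str, body: str) -> int:
        letter_id = self._next_id
        self._next_id += 1
        self._letters[letter_id] = Letter(letter_id, owner, body)
        return letter_id

    def get_vulnerable(self, letter_id: int) -> str:
        """IDOR: the letter is fetched by ID only. Any logged-in user who
        edits the number in the URL receives someone else's letter."""
        return self._letters[letter_id].body

    def get_checked(self, requesting_user: str, letter_id: int) -> str:
        """Hardened: the lookup is scoped to the authenticated user.
        A letter that exists but belongs to another user is handled the
        same way as a missing one, so the response does not reveal which
        IDs are in use."""
        letter = self._letters.get(letter_id)
        if letter is None or letter.owner != requesting_user:
            raise AccessDenied(f"letter {letter_id} not found for {requesting_user}")
        return letter.body


def new_opaque_id() -> str:
    """Defence in depth only: an unguessable reference makes enumeration
    impractical, but it never replaces the ownership check above."""
    return secrets.token_urlsafe(16)


def demo() -> dict:
    """Replays the walkthrough: two pre-existing letters, ours gets ID 3,
    then IDs 2 and 1 are requested through both lookups."""
    archive = LetterArchive()
    # Constructed sample data; the real letters' contents are not on the page.
    archive.create("alice", "Alice's private letter")
    archive.create("bob", "Bob's private letter")
    mine = archive.create("newuser", "My own letter")
    results = {"my_id": mine}
    # Vulnerable path: decrementing the ID reads other users' data.
    results["vuln_id2"] = archive.get_vulnerable(2)
    results["vuln_id1"] = archive.get_vulnerable(1)
    # Hardened path: the same requests are refused, our own letter still works.
    results["own_ok"] = archive.get_checked("newuser", mine)
    try:
        archive.get_checked("newuser", 1)
        results["checked_id1"] = "allowed"
    except AccessDenied:
        results["checked_id1"] = "denied"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix that matters is in `get_checked`: the owner comparison happens on the server for every request, regardless of what the client put in the URL. Switching to opaque identifiers (`new_opaque_id`) only raises the cost of guessing; on its own it would still let anyone who learns a reference, for example from a shared link, read the letter.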

Thanks for reading.