Case file

Sequential letter IDOR across the archive

Foundations web engagement: love-letter app assigned sequential archive numbers; authenticated users could open other users’ letters by changing the numeric id.

Foundations16 minWeb · IDOR · Access Control
01

Engagement summary

Registered account; created letter id=3; decrementing to 2 and 1 returned other users’ letters including the engagement artifact.

LOVE LETTER LOCKER advertised that every letter received a unique archive number. After signup, creating a letter produced a URL with id=3. Changing the path/query to id=2 and id=1 returned other users’ content without an ownership check — classic sequential IDOR on a sentimental data store.

Business impact

Sequential object ids plus missing authz expose private correspondence at scale. Bind letter reads to the owning user_id in the query; use non-guessable ids only as secondary hardening.

02

Register, create, and walk ids downward

Letter URLs accepted foreign ids; id=1 disclosed the protected letter.

OPERATOR · WEB

savvy@lab:~$ # register + login; create letter → /letters/3

savvy@lab:~$ curl -s -b 'session=<cookie>' http://target/letters/2

# another user's letter body returned

savvy@lab:~$ curl -s -b 'session=<cookie>' http://target/letters/1

THM{1_c4n_r3ad_4ll_l3tters_w1th_th1s_1d0r}

Remediation

Authorize letter_id against session user. Return 404 for unauthorized ids. Add integration tests that attempt cross-user reads.