
Multiple Vulnerabilities in daun.me Social Media Platform

Overview

Daun.me is a social media platform by Amanz. Multiple vulnerabilities were identified in the platform and swiftly fixed by the developer.

Notes

The application is built on top of the Next.js framework, which means that during the assessment only the client-side requests and API responses were observable, without direct knowledge of the underlying route structure.

As a result, this report focuses on the functionalities that exhibited security vulnerabilities rather than specific route endpoints.

Each finding is based on observed behavior and the impact on the application’s security.

Vulnerabilities

1. Server-Side Request Forgery (SSRF) on URL Metadata Endpoint

The application is vulnerable to Server-Side Request Forgery (SSRF) in the endpoint responsible for fetching metadata from user-supplied URLs.

This functionality is triggered when viewing a post containing a link to an external source. Below is an example of legitimate metadata retrieval for a YouTube link.

[Screenshot: metadata request for a YouTube link]

Below is the response returned from the request:

[Screenshot: metadata response for the YouTube link]

The issue is that the application does not restrict user-supplied URLs. If an attacker can modify the request URL, the server will fetch and return metadata for any valid URL without restriction. While this behavior might seem intended, it introduces a significant security risk.

By supplying internal addresses such as http://localhost:80, an attacker can probe internal services, retrieve metadata from private endpoints, or even exploit vulnerabilities in internal applications that are not meant to be exposed externally.

This could lead to unauthorized access to sensitive information, server-side request smuggling, or even internal service enumeration, depending on the application’s infrastructure. Without proper validation and filtering, this SSRF vulnerability could be leveraged for further exploitation, potentially leading to a more severe security compromise.

[Screenshot: metadata request and response for an internal address]

2. Broken Authorization on Like Post Functionality

The application lacks proper authorization checks when liking a post. By modifying the userId parameter in the request, an attacker can make it appear as if another user has liked a post, leading to unauthorized actions and manipulation of engagement metrics.

Here is the original request sent when liking a post.

[Screenshot: original like-post request]

As you can see, there are two parameter values in the request: “16298” represents the postId, while “4218” corresponds to the userId of the user liking the post.

To demonstrate the vulnerability, I modified the userId parameter to another user’s ID. As a result, my post was liked by that user, confirming the broken authorization issue.

Here is the post I used as proof of concept: https://daun.me/rempah/7306347246675562496.

[Screenshot: like-post request with a modified userId]

3. Insecure Direct Object Reference (IDOR) on View Notification

The application is vulnerable to Insecure Direct Object Reference (IDOR) in the notification system. By modifying the userId parameter in the request, an attacker can access notifications belonging to other users, leading to unauthorized data exposure.

Here is the original request sent when viewing a notification.

[Screenshot: original view-notification request]

As you can see, there is a parameter value, “4218”, which represents the userId. When I changed this value to another user’s ID, the server returned notifications belonging to that user. Below is an example request using userId 1 for the user @aman.

[Screenshot: view-notification request with userId 1]

Here is the screenshot of the response.

[Screenshot: response containing another user's notifications]

Timeline

  • 2025-03-15: Contacted developer via email
  • 2025-03-15: Developer responded
  • 2025-07-16: Public release of security advisory