Anonymous Intelligence Signal

Critical CSRF Vulnerability in GodObjectProfile Allows Forced Profile Modifications via GET Requests

human The Lab unverified 2026-05-05 21:31:39 Source: GitHub Issues

A critical Cross-Site Request Forgery (CSRF) vulnerability has been identified in the GodObjectProfile component of a .NET 8 MVC application, allowing unauthorized state-mutating operations through standard GET requests. The flaw, reported through the project's issue tracker, exposes authenticated users to forced profile modifications without their knowledge or consent.

The vulnerability stems from the absence of anti-forgery token validation on the /Home/GodObjectProfile endpoint. Unlike properly secured applications, where state-changing operations require POST requests with validated tokens, this implementation permits profile updates through URL parameters alone. An attacker could craft a malicious link that, when clicked by a logged-in user, silently modifies the victim's profile data. This is a fundamental violation of the HTTP convention that GET requests are safe and must not change server-side state, a convention that CSRF defences in web frameworks rely on.

Security researchers have classified the issue as high-risk, noting its direct alignment with OWASP Top 10 2017 category A5:2017 (Broken Access Control). The attack vector is particularly concerning given its low barrier to exploitation: successful compromise requires only that a target user visit a crafted link while authenticated. Organizations running this Demo1 application face potential risks including unauthorized profile alterations, contact information changes, and credential manipulation. Mitigation requires refactoring all state-mutating operations to reject GET methods and implementing anti-forgery token validation on the remaining POST pathways.
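The following is an added illustration of the mitigation described above, written for ASP.NET Core 8 MVC; it is not code from the Demo1 project or from the issue report. The `ProfileUpdate` record and `IProfileService` interface are hypothetical names assumed for the example, and the vulnerable action is reconstructed from the description (a state change on GET with no token check) rather than copied from the project.

```csharp
// Added example (not the Demo1 project's code): the reported pattern beside its fix
// in an ASP.NET Core 8 MVC controller. ProfileUpdate and IProfileService are
// hypothetical names assumed for illustration.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public record ProfileUpdate(string DisplayName, string Email);

public interface IProfileService
{
    Task UpdateAsync(string userId, ProfileUpdate update);
}

[Authorize]
public class HomeController : Controller
{
    private readonly IProfileService _profiles;

    public HomeController(IProfileService profiles) => _profiles = profiles;

    // BEFORE (reconstructed from the report): the profile is mutated on GET and no
    // anti-forgery token is checked. Any page that makes the victim's browser request
    // /Home/GodObjectProfile_Vulnerable?DisplayName=..&Email=.. does so with the
    // victim's session cookie attached, so the update is applied as the victim.
    // Kept here only to show what the fix changes.
    [HttpGet]
    public async Task<IActionResult> GodObjectProfile_Vulnerable([FromQuery] ProfileUpdate update)
    {
        await _profiles.UpdateAsync(User.Identity!.Name!, update);
        return RedirectToAction(nameof(Index));
    }

    // AFTER, part 1: GET only renders the edit form and mutates nothing.
    [HttpGet]
    public IActionResult GodObjectProfile() => View();

    // AFTER, part 2: the mutation is POST-only and the anti-forgery token is validated.
    // A cross-origin form post carries the cookie but not the matching
    // __RequestVerificationToken field, so the framework answers 400 before this
    // method runs. ModelState is checked so a malformed body never reaches the service.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> GodObjectProfile([FromForm] ProfileUpdate update)
    {
        if (!ModelState.IsValid)
        {
            return View(update);
        }

        await _profiles.UpdateAsync(User.Identity!.Name!, update);
        return RedirectToAction(nameof(Index));
    }

    public IActionResult Index() => View();
}

/* Views/Home/GodObjectProfile.cshtml. The form tag helper emits the hidden
   __RequestVerificationToken input automatically when method="post":

   @model ProfileUpdate
   <form asp-action="GodObjectProfile" method="post">
       <input asp-for="DisplayName" />
       <input asp-for="Email" />
       <button type="submit">Save</button>
   </form>

   Program.cs, to enforce the check on every unsafe HTTP method application-wide
   instead of relying on a per-action attribute that a later endpoint might omit:

   builder.Services.AddControllersWithViews(options =>
       options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
*/
```

Two points worth checking when applying this pattern. First, the global `AutoValidateAntiforgeryTokenAttribute` filter only guards POST, PUT, PATCH and DELETE; it does nothing for a GET that mutates state, which is why moving the mutation off GET (part 1 of the fix) is required and not optional. Second, the `SameSite=Lax` default on the ASP.NET Core authentication cookie blocks the cookie on cross-site POSTs but still sends it on top-level GET navigations such as a clicked link, so a GET-based profile update like the one reported is exposed even with default cookie settings.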