## GodObjectProfile CSRF Flaw Exposes User Profiles to Unauthorized Manipulation via GET Requests
A critical Cross-Site Request Forgery vulnerability has been reported in the GodObjectProfile action of a .NET 9 application: an external site can silently change a logged-in user's profile data without consent. The flaw stems from state-changing operations being exposed through GET query parameters, which violates a basic rule of web security: GET must be a safe method, free of side effects, precisely because anything that can make a browser issue a request (a link, an image tag, a redirect) can then change server state. Unlike form-based CSRF, which needs a page that submits a cross-site POST, this flaw is triggered by a plain URL embedded in an external page; the victim's browser sends the request with the session cookie attached. Note that the SameSite=Lax default applied by current Chromium-based browsers does not close this hole: Lax still sends cookies on top-level GET navigations, so a link the victim clicks carries the session even though a cross-site `<img>` embed would not.

The affected endpoint at /Home/GodObjectProfile renders anchor links of the form `<a href="?action=update&field=Name&value=UpdatedName">`, and following one of them updates the named profile field. The report warns that any external website can embed these URLs to force profile changes on authenticated users without their knowledge. The pattern is confirmed in HomeController.cs and in the corresponding Views/Home/GodObjectProfile view. Because the update succeeds, the request produces no error log entry; in access logs it is indistinguishable from an ordinary page view, which makes it hard for users and administrators alike to detect.

The risk is classified as blocking, indicating severe potential impact on user accounts and data integrity. Deployments that share a session cookie domain or authentication realm with a vulnerable instance are exposed as well, since the browser attaches the same credentials to requests for either. Security teams should audit all controller actions in .NET 9 applications for the same pattern, particularly profile management and user preference endpoints: any action reachable by GET (an [HttpGet] action, or one with no verb attribute at all) that writes to a store is a candidate. Remediation requires moving every state-changing operation to POST protected by ASP.NET Core anti-forgery tokens ([ValidateAntiForgeryToken] on the action, or the AutoValidateAntiforgeryTokenAttribute global filter so no action can forget it), and ensuring GET handlers perform no writes at all, so that a mutating parameter on a GET request is ignored or rejected regardless of authentication state. Cookie SameSite settings are defence in depth here, not a substitute for the token.
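The vulnerable pattern and its remediation side by side, as an added ASP.NET Core example that is not code from the reported project. The action name and the /Home/GodObjectProfile route come from the report; the UserProfile type, the IProfileStore service, the set of updatable fields and the vulnerable controller's renamed class are assumptions made so both versions compile in one file.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Added example, not the reported project's code. UserProfile, IProfileStore and
// the allow list of fields are assumptions; only the route and action name are
// taken from the report.
public sealed class UserProfile
{
    public string Name { get; set; } = "";
    public string Email { get; set; } = "";
}

public interface IProfileStore
{
    UserProfile Get(string userId);
    void Save(string userId, UserProfile profile);
}

public static class ProfileFields
{
    // Allow list: only these fields may be changed through the endpoint.
    public static readonly HashSet<string> Mutable =
        new(StringComparer.Ordinal) { "Name", "Email" };

    public static bool TryApply(UserProfile profile, string field, string value)
    {
        switch (field)
        {
            case "Name": profile.Name = value; return true;
            case "Email": profile.Email = value; return true;
            default: return false;
        }
    }
}

// BEFORE (class renamed only so both versions compile side by side): the pattern
// the report describes. A GET such as
//   /Home/GodObjectProfile?action=update&field=Name&value=UpdatedName
// writes to the profile, so a cross-site <a href> pointing at it changes the
// profile of any logged-in visitor who follows it. The browser attaches the
// session cookie on its own and the response is a normal page, not an error.
[Authorize]
public class VulnerableHomeController : Controller
{
    private readonly IProfileStore _store;
    public VulnerableHomeController(IProfileStore store) => _store = store;

    [HttpGet]
    public IActionResult GodObjectProfile(string? action, string? field, string? value)
    {
        var userId = User.Identity?.Name ?? throw new InvalidOperationException("no user");
        var profile = _store.Get(userId);
        if (action == "update" && field is not null && value is not null
            && ProfileFields.TryApply(profile, field, value))
        {
            _store.Save(userId, profile);   // state change on a safe method: the flaw
        }
        return View("GodObjectProfile", profile);
    }
}

// AFTER: GET only renders and accepts no mutating parameters, so any query string
// a hostile page appends is ignored. The update moves to POST, is gated by the
// anti-forgery token, and the field name is checked against the allow list.
[Authorize]
public class HomeController : Controller
{
    private readonly IProfileStore _store;
    public HomeController(IProfileStore store) => _store = store;

    private string CurrentUserId() =>
        User.Identity?.Name ?? throw new InvalidOperationException("no user");

    [HttpGet]
    public IActionResult GodObjectProfile() => View(_store.Get(CurrentUserId()));

    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult GodObjectProfile(string? field, string? value)
    {
        if (field is null || value is null || !ProfileFields.Mutable.Contains(field))
            return BadRequest("field is not updatable");

        var userId = CurrentUserId();
        var profile = _store.Get(userId);
        ProfileFields.TryApply(profile, field, value);
        _store.Save(userId, profile);
        return RedirectToAction(nameof(GodObjectProfile));
    }
}

// Views/Home/GodObjectProfile.cshtml, hardened form. The form tag helper emits
// the hidden __RequestVerificationToken field automatically for method="post":
//
//   <form asp-action="GodObjectProfile" method="post">
//     <input type="hidden" name="field" value="Name" />
//     <input name="value" value="@Model.Name" />
//     <button type="submit">Update</button>
//   </form>
//
// Program.cs, defence in depth: require the token on every unsafe verb so a new
// action cannot forget the attribute; GET/HEAD/OPTIONS/TRACE stay exempt, which is
// exactly why those handlers must never write.
//
//   builder.Services.AddControllersWithViews(o =>
//       o.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
```

The audit question from the paragraph above reduces to the shape of the BEFORE class: an action reachable by GET whose body reaches a Save, Update or Delete. The AFTER class keeps the GET overload parameterless on purpose, so the fix does not depend on remembering to reject an `action=update` parameter; there is simply nothing on the GET path that can write.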
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: csrf, vulnerability, asp.net, .NET 9, web-security
- **Credibility**: unverified
- **Published**: 2026-05-05 19:31:44
- **ID**: 79535
- **URL**: https://whisperx.ai/en/intel/79535