FS#365 - Cross-Site Request Forgery (CSRF) in Notification "Seen" Endpoint Leads to Unauthorized Notification
Status: Closed
Assigned To: cbay - Private
Opened by rulebreker - 02.07.2026
Last edited by cbay - 03.07.2026
Description
The application is vulnerable to Cross-Site Request Forgery (CSRF) on the notification "Seen" endpoint. An attacker can craft a malicious HTML page that silently triggers the notification "seen" request from a victim's browser while the victim is authenticated.
Because the endpoint accepts the request without validating a CSRF token or verifying the request origin, the victim's notification status is changed without their knowledge or consent.
Although this does not expose sensitive information, it allows unauthorized modification of user data, violating the integrity of the victim's account.
CVSS v3.1 → Score: 4.3 (Medium)
Steps to Reproduce
- Log in to the attacker account (Account A) using Firefox.
- Navigate to Notifications.
- Ensure at least one notification is available.
- Enable Burp Suite Intercept.
- Click Seen on a notification.
- Capture the request.
- Send the request to Burp Engagement Tools.
- Generate a CSRF PoC.
- Modify the generated PoC by changing method="POST" to method="GET" (the endpoint accepts the state change over GET as well).
- Save the HTML file.
- Log in to the victim account (Account B) using another browser (Chrome).
- Ensure the victim has at least one unread notification.
- Open the generated CSRF PoC in the victim's browser.
- Click Submit Request.
- Observe that the victim's notification is marked as Seen without the victim performing the action.
Actual Behaviour
- The notification is marked as Seen in the victim's account simply by visiting and submitting the attacker-controlled HTML page.
- No CSRF protection, Origin validation, or SameSite-based mitigation prevents the request.
Expected Behaviour
- The server should reject any state-changing request that does not contain a valid CSRF token and should verify the request originates from a trusted source.
- Only the authenticated user performing the action from the legitimate application should be able to mark notifications as Seen.
Impact
- Unauthorized modification of notification status.
- Attackers can manipulate notification state without user consent.
- Users may miss important notifications because they appear as already read.
- Demonstrates missing CSRF protection on a state-changing endpoint.
- Indicates other sensitive endpoints may also be vulnerable to CSRF.
Business Impact
- Loss of integrity of user account data.
- Important alerts, security notifications, or business messages may be marked as read without the user's knowledge.
- Reduced user trust due to unauthorized account actions.
- Reveals a security control weakness that could affect higher-risk endpoints if the same protection is missing elsewhere.
Remediation
- Implement anti-CSRF tokens for all state-changing requests, following the Synchronizer Token Pattern or another robust CSRF defence, and verify the token server-side on every such request.
- Validate the Origin header (falling back to Referer when Origin is absent) against the application's own origin, and fail closed when neither header is present.
- Set SameSite=Lax, or preferably SameSite=Strict where the application's navigation flows allow it, on session cookies as defence in depth. Note that Lax still sends the cookie on top-level navigations that use a safe method, which is exactly what the GET-based PoC above relies on, so SameSite alone does not close this issue while the endpoint accepts GET.
- Ensure endpoints that modify data accept only the intended HTTP method (e.g., POST) and reject GET.
Video Proof of Concept:
Google Drive link → https://drive.google.com/drive/folders/1v9Y7TFbgv-FFztKX23aL_ZNkDu3GCqWT?usp=drive_link
Conclusion
The notification "Seen" endpoint lacks proper CSRF protection, allowing an attacker to force authenticated users to unknowingly mark their notifications as read. While the immediate impact is limited to unauthorized state modification, it represents a clear integrity issue and indicates that CSRF protections may be absent from other state-changing endpoints. Implementing standard CSRF defenses will prevent unauthorized cross-site requests and strengthen the application's overall security posture.
Thanks
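The following is an added example, not code from the reported application or from this report: a framework-free Python model of the notification "Seen" handler in the vulnerable form described above, beside a hardened form that applies the remediations listed (POST only, Origin/Referer check that fails closed, synchronizer token compared in constant time). The application origin, cookie name, notification ids and the attacker origin are assumptions; the scenario replays the report's GET-based PoC and the same attack upgraded to a cross-site POST.

```python
"""Added example (not the application's own code). Origin, cookie name and
notification ids are assumed values used only for the simulation."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

APP_ORIGIN = "https://app.example"      # assumed application origin
SESSION_COOKIE = "session"              # assumed session cookie name

SESSIONS: dict[str, dict] = {}          # session id -> {"user": ..., "csrf": ...}
NOTIFICATIONS: dict[str, dict[str, bool]] = {}  # user -> {notification id: seen?}


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)   # query string or form body
    cookies: dict = field(default_factory=dict)


def login(user: str) -> str:
    """Create a session plus a per-session synchronizer token; return the session id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the legitimate page embeds in its form; a cross-site page cannot read it."""
    return SESSIONS[sid]["csrf"]


def _session(req: Request):
    return SESSIONS.get(req.cookies.get(SESSION_COOKIE))


def mark_seen_vulnerable(req: Request) -> int:
    """Behaviour described in the report: any method, no token, no origin check."""
    sess = _session(req)
    if sess is None:
        return 401
    NOTIFICATIONS[sess["user"]][req.params["id"]] = True
    return 200


def _request_origin(req: Request):
    """Origin header if present, else scheme://host from Referer, else None."""
    origin = req.headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    parts = urlsplit(req.headers.get("Referer", ""))
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return None


def mark_seen_hardened(req: Request) -> int:
    sess = _session(req)
    if sess is None:
        return 401
    if req.method != "POST":                      # reject the GET variant outright
        return 405
    if _request_origin(req) != APP_ORIGIN:        # missing Origin/Referer fails closed
        return 403
    supplied = req.params.get("csrf_token", "")   # constant-time token comparison
    if not hmac.compare_digest(supplied, sess["csrf"]):
        return 403
    nid = req.params.get("id")
    if nid not in NOTIFICATIONS[sess["user"]]:
        return 404
    NOTIFICATIONS[sess["user"]][nid] = True
    return 200


def run_scenario() -> dict:
    """Victim is logged in; an attacker page auto-submits forms against the endpoint."""
    SESSIONS.clear()
    NOTIFICATIONS.clear()
    NOTIFICATIONS["victim"] = {"n1": False, "n2": False}
    sid = login("victim")
    cookies = {SESSION_COOKIE: sid}
    # GET form navigation: browsers send Referer, not Origin, on top-level GET.
    forged_get = Request("GET", {"Referer": "https://attacker.example/poc.html"},
                         {"id": "n1"}, cookies)
    # Same attack as a cross-site POST form; the token has to be guessed.
    forged_post = Request("POST", {"Origin": "https://attacker.example"},
                          {"id": "n2", "csrf_token": "guess"}, cookies)
    genuine = Request("POST", {"Origin": APP_ORIGIN},
                      {"id": "n2", "csrf_token": csrf_token_for(sid)}, cookies)
    result = {"vuln_get": mark_seen_vulnerable(forged_get)}   # 200: n1 silently seen
    NOTIFICATIONS["victim"]["n1"] = False                     # reset for hardened run
    result["hard_get"] = mark_seen_hardened(forged_get)       # 405
    result["hard_post_xsite"] = mark_seen_hardened(forged_post)  # 403
    result["hard_genuine"] = mark_seen_hardened(genuine)      # 200
    result["seen"] = dict(NOTIFICATIONS["victim"])            # {'n1': False, 'n2': True}
    return result


if __name__ == "__main__":
    print(run_scenario())
```

The vulnerable handler is reachable from any cross-site page because the browser attaches the session cookie automatically; the hardened handler rejects the forged GET on method alone and the forged POST on origin, and would still reject it on the token if the attacker somehow controlled a matching origin. Set SameSite on the cookie in addition, not instead.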
Attachments:
- Screencast From 2026-07-02 22...
- Screenshot From 2026-07-02 22...
Hello,
Can you confirm that the issue is now fixed?
Kind regards,
Cyril
Hi Team,
Thank you for addressing the reported issue.
I have completed the retest, and I can confirm that the vulnerability has been successfully fixed. I was unable to reproduce the issue using the previously reported steps.
RE-TEST POC → https://drive.google.com/file/d/16Fx2Saq2UWgoo4nLzTD4UOc4Umc6Zd5K/view?usp=sharing
Thank you for the prompt resolution.
Thanks, can you open a support ticket to claim your bounty?