A8 – Cross-Site Request Forgery
Given the nature of this threat, the official OWASP documentation defines it by describing an attack scenario:
A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
Perhaps the most typical case is the one the documentation presents as the canonical attack of this kind.
The problem is an application that allows a user to send a request to a bank in plain text, without any secret value or encryption, for instance: http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243
In this case, an attacker builds another request that will transfer funds from the victim's account to the attacker's account. To make it work, the attacker embeds this code...
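The usual defence on the server side is to require a per-session secret (a synchronizer token) that the browser does not attach automatically, so a forged request from another site, which carries only the cookie, fails the check. The following is an added example for the transferFunds endpoint above, not code from the OWASP documentation; the request model, the in-memory session store and the `csrf_token` field name are assumptions made for illustration.

```python
# Added example: minimal synchronizer-token check for /app/transferFunds.
# Request/Session classes, the SESSIONS store and TOKEN_FIELD are assumed.
import hmac
import secrets
from dataclasses import dataclass, field

TOKEN_FIELD = "csrf_token"  # hypothetical form field carrying the token


@dataclass
class Session:
    user: str
    # Unpredictable per-session secret, rendered into the bank's own forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    params: dict   # query string or form body, flattened into one dict
    cookies: dict  # what the browser attaches automatically


SESSIONS = {}  # cookie value -> Session (constructed in-memory store)


def new_session(user: str) -> str:
    """Log a user in; return the cookie value the browser will store."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user=user)
    return sid


def csrf_ok(request: Request, session: Session) -> bool:
    """A cross-site page can make the browser send the cookie, but it
    cannot read the token, so a forged request cannot repeat it."""
    sent = request.params.get(TOKEN_FIELD, "")
    return hmac.compare_digest(sent, session.csrf_token)


def handle_transfer(request: Request) -> tuple:
    """Return (status, message) for the transferFunds operation."""
    session = SESSIONS.get(request.cookies.get("session", ""))
    if session is None:
        return 401, "not logged in"
    # A state change must not be reachable with a plain GET, which any
    # link or image tag on a third-party page can trigger.
    if request.method != "POST":
        return 405, "transfer requires POST"
    if not csrf_ok(request, session):
        return 403, "missing or invalid CSRF token"
    amount, dest = request.params["amount"], request.params["destinationAccount"]
    return 200, f"transferred {amount} from {session.user} to {dest}"
```

With this check in place, the forged request from the text (cookie only, no token) is rejected, while the bank's own form, which carries the token, still works.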