CSRF

CSRF is an attack with the help of which an attacker exploits a valid user session in a manner that allows certain actions to be performed on the behalf of currently logged-in user. For example, let's say an admin user is logged into the application and has a valid session cookie set at the browser. There is an option for the admin to delete all users from website by clicking the delete all button, which internally invokes the HTTP request http://www.mysite.com/delete?users=all. One of the properties of the web browser to send the session parameters/cookies to the server for every subsequent request after the user has logged in to the application. This can be exploited by the attacker by crafting a fake page that has an HTML image, such as <img src"http://www.mysite.com/delete?users=all" style="display:hidden">. The attacker can send the link of this fake page to the admin who would be currently logged in to his website mysite.com. Not aware of the malicious intent, if the admin user loads the web page, the HTTP request to delete all users will be triggered on their behalf, and the valid session cookies will be sent, causing the server to delete all users.