<form action= "https://bank.com/transfer" method= "POST" > <input name= "to" value= "attacker" > <input name= "amount" value= "10000" > </form> <script> document . forms [ 0 ]. submit () </script> Enter fullscreen mode Exit fullscreen mode Five lines of HTML on a malicious page. When a user who's logged into bank.com in another tab visits this page, the browser auto-submits the form, attaches their session cookie, and ten thousand dollars leave their account. They didn't click anything. The malicious site didn't see their password. There was no XSS, no breach, no leak in the traditional sense. The browser did exactly what it was designed to do. That's CSRF — Cross-Site Request Forgery — and it's been the classic "confused deputy" attack on the web for two decades. Let's walk through what makes it work, why CORS doesn't help, and the one cookie flag that mostly killed it around 2020. Why the browser attaches your cookie to that request Cookies belong to a domain.…