Without CSRF Protection
A page in the attacker's tab (evil.com) silently submits a POST to bank.com, and the browser attaches the victim's bank.com session cookie to it. The server sees a valid session and nothing else that proves the user intended the request, so it treats the forged transfer exactly like one the user made.
[Interactive demo: the victim is logged in at https://bank.com/account ("Welcome back, Alex"; the session cookie is set for bank.com). A page on evil.com sends POST /transfer carrying that session cookie and no CSRF token; bank.com accepts it and $5,000 is moved.]