Occurs when an attacker gets a victim's browser to make requests to a site, ideally (from the attacker's point of view) with the victim's credentials included, without the victim's knowledge.
The attacker forges a request that appears to come from the user in order to achieve a malicious action.
A user is tricked (for example, by a phishing email) into interacting with a script or page on a third-party site, and this generates a malicious request to the legitimate site. The attacker controls the data or form that is sent to the valid site.
To fix this, random anti-CSRF tokens must be used.
The origin of the request must be checked.
Two-factor authentication can be enabled.
Ensure cookies are sent with the SameSite cookie attribute.
Same-origin policy.