Using CSRF, if a victim happens to be logged into their bank site, an unintended request could force them to wire transfer out their own money. Or, in another context, CSRF could cause a user to post a derogatory comment on their blog or someone else's. Worse still, it could force a hack another Web site or download illegal content. The possibilities are endless.
To Web servers, one request looks more or less just like another. The challenge of this particular issue is detection. The unintended request is legitimate (not hacked up), the user is the right user (authenticated), and the request is being made directly to the real Web site (no man-in-the-middle). The only problem is the victim did not intend to make the request, but the Web server doesn't know that. And the scary part is the vast majority of Web sites are vulnerable with users having very little ability to defend themselves against CSRF.More information:
This was first published in November 2006