Attacker sends cross-origin request to vulnerable URL 3. Attacker takes action on behalf of user, or infers information about the user's data in the vulnerable app. Bugs: Cross-site request forgery (CSRF), XS-leaks, timing, ... <form action="/transferMoney"> <input name="recipient" value="Lukas" /> <input name="amount" value="10" /> <form action="//victim.example/transferMoney"> <input name="recipient" value="Attacker" /> <input name="amount" value="∞" />