A shopper remains logged into a storefront that does not add protective checks on each transaction. While they visit a third-party blog, a purchase is unexpectedly processed using their session. Which action explains how the attacker causes the order?
An injected piece of code that resets client passwords through embedded scripts
An automated clone of the retail site that stores user information offline
A hidden form that reuses the logged-in session to send the unwanted request
A short timer that forces the user to log out, leading to credential exposure
This scenario showcases Cross-Site Request Forgery (CSRF). The correct answer is the hidden form: a concealed request that rides on the shopper's active session. The attacker hosts code on another page that silently submits a form or request to the storefront. Because the shopper is still logged in, the browser attaches the session cookie automatically, so the store accepts the request as if the shopper had initiated it. The other options do not match this session-based exploit: injected code that resets passwords or a cloned site that gathers credentials offline does not directly trigger an instantaneous transaction in the user's name, and forcing a session timeout does not enable a forced purchase either.
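As an added illustration that is not part of the original question, the following Python shows the kind of per-transaction check the storefront in the scenario lacks: a per-session anti-CSRF token bound to a server secret, an Origin/Referer check, and a SameSite cookie. The origin, secret and cookie name are constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Constructed for this example: the storefront's origin and a server-side
# secret that never reaches the browser.
SITE_ORIGIN = "https://shop.example"
SERVER_SECRET = secrets.token_bytes(32)
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def issue_csrf_token(session_id: str) -> str:
    """Per-session anti-CSRF token, embedded as a hidden field in the
    storefront's own checkout form. A third-party page cannot read it:
    the browser attaches the cookie, but never exposes its value."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value; SameSite=Lax keeps the cookie off cross-site POSTs."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"

def is_request_allowed(method: str, headers: dict, form: dict) -> bool:
    """Check run on every state-changing request: same origin AND a token
    bound to the session the cookie identifies. headers/form are dicts."""
    if method.upper() not in UNSAFE_METHODS:
        return True  # reads have no side effects; nothing to forge
    session_id = _session_from_cookie(headers.get("Cookie", ""))
    if not session_id:
        return False
    # 1. Origin check: browsers send Origin on cross-site form posts;
    #    a request with neither Origin nor Referer is rejected.
    origin = headers.get("Origin") or _origin_of(headers.get("Referer", ""))
    if origin != SITE_ORIGIN:
        return False
    # 2. Token check in constant time.
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, form.get("csrf_token", ""))

def _session_from_cookie(cookie: str) -> str:
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return ""

def _origin_of(url: str) -> str:
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else ""
```

A forged POST from the blog still carries the session cookie, but it fails both the origin check and the token check, while the storefront's own checkout form passes both.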