Cross Site Request Forgery
Tampering with a request that changes state
Browser sends cookies (trusted sites review them)
Requests coming from somewhere else => vulnerability
e.g. a body onLoad handler injecting an iframe into the website
onLoad
iframe
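
An added example, not part of the original notes: a server-side check that refuses state-changing requests coming from somewhere else, even though the browser attached a valid cookie. The names `TRUSTED_ORIGINS`, `sourceOrigin` and `checkRequest`, and the sample requests, are constructed for illustration.

```javascript
// Assumption: the application never changes state on GET/HEAD/OPTIONS.
const TRUSTED_ORIGINS = new Set(["https://bank.example"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Return the origin the browser reports as the source of the request, or null.
function sourceOrigin(headers) {
  if (headers.origin !== undefined) {
    // Sandboxed iframes and some redirects send the literal string "null".
    return headers.origin === "null" ? null : headers.origin;
  }
  if (headers.referer) {
    try {
      return new URL(headers.referer).origin;
    } catch {
      return null; // malformed Referer header
    }
  }
  return null;
}

// Decide whether to process a request. The session cookie is deliberately
// ignored here: the browser sends it with forged requests too, so its
// presence says nothing about where the request came from.
function checkRequest(req) {
  const method = req.method.toUpperCase();
  if (SAFE_METHODS.has(method)) return { allow: true, reason: "safe method" };

  const origin = sourceOrigin(req.headers);
  if (origin === null) return { allow: false, reason: "no source origin" };
  if (!TRUSTED_ORIGINS.has(origin)) {
    return { allow: false, reason: `cross-site: ${origin}` };
  }
  return { allow: true, reason: "same origin" };
}

// Constructed requests. Both carry the same valid session cookie.
const legit = {
  method: "POST",
  headers: { cookie: "session=abc123", origin: "https://bank.example" },
};
const forged = {
  method: "POST",
  headers: { cookie: "session=abc123", origin: "https://other.example" },
};

console.log(checkRequest(legit));  // allowed
console.log(checkRequest(forged)); // rejected despite the valid cookie
```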