CSRF attacks exploit the fact that a user’s browser automatically sends session cookies (or similar authentication tokens) to the web application once the user is authenticated. An attacker crafts a malicious request (often embedded in an HTML or JavaScript element on a different site) and tricks the user’s browser into sending that request to the target site. Since the browser includes the user’s valid authentication cookies, the web application processes the request as if it came from the legitimate user—potentially allowing unauthorized actions such as changing account settings, making financial transactions, etc.
A) While HTTP headers are important for authentication, CSRF attacks don't directly manipulate headers. Instead, they exploit the fact that the browser automatically sends cookies (which handle authentication) with requests.
B) This describes a Cross-Site Scripting (XSS) attack, not a CSRF attack. XSS exploits the browser's trust in a website to execute malicious scripts, while CSRF exploits the web application's trust in an authenticated user.
D) This describes an injection attack, such as SQL injection or command injection, where malicious code is injected into user input to manipulate server-side behavior. CSRF attacks, on the other hand, focus on tricking the user's browser into sending unauthorized requests.
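The mechanism described above, as an added example that is not part of the original page: a handler that authorizes a state change on the session cookie alone, next to one that also checks the `Origin` header and a per-session token. The request dictionaries, session values, `bank.example` origin and function names are all constructed for illustration, and the HMAC-bound token plus Origin check is one common mitigation chosen here, not something the page prescribes.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: server key, session store, and account state.
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {"sess-abc123": "alice"}          # session cookie value -> user
EMAILS = {"alice": "alice@example.com"}
TRUSTED_ORIGIN = "https://bank.example"      # hypothetical site origin

def csrf_token_for(session_id: str) -> str:
    """Token bound to the session; rendered only into the site's own pages."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def change_email_cookie_only(request: dict) -> bool:
    """Before: the session cookie alone authorizes the state change."""
    user = SESSIONS.get(request["cookies"].get("session", ""))
    if user is None:
        return False
    EMAILS[user] = request["form"]["email"]
    return True

def change_email_with_csrf_check(request: dict) -> bool:
    """After: also require a matching Origin and the per-session token."""
    session_id = request["cookies"].get("session", "")
    user = SESSIONS.get(session_id)
    if user is None:
        return False
    if request["headers"].get("Origin") != TRUSTED_ORIGIN:
        return False
    supplied = request["form"].get("csrf_token", "")
    expected = csrf_token_for(session_id)
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False
    EMAILS[user] = request["form"]["email"]
    return True

def make_request(origin: str, form: dict) -> dict:
    """The browser attaches the session cookie whatever page built the form."""
    return {"cookies": {"session": "sess-abc123"},
            "headers": {"Origin": origin}, "form": form}

if __name__ == "__main__":
    forged = make_request("https://other.example", {"email": "x@other.example"})
    genuine = make_request(TRUSTED_ORIGIN, {
        "email": "new@example.com", "csrf_token": csrf_token_for("sess-abc123")})
    print(change_email_with_csrf_check(forged))    # cross-site request rejected
    print(change_email_with_csrf_check(genuine))   # same-site request accepted
    print(change_email_cookie_only(forged))        # cookie-only handler accepts it
```

The cross-site page never sees the token because it is only rendered into responses the site serves to its own pages, so the cookie arriving automatically is no longer sufficient.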