How CSRF works
Victim logs into bank.com. Attacker's page contains <img src='bank.com/transfer?to=attacker&amount=1000'>. Browser sends request with victim's cookies. Bank processes transfer.
CSRF vs XSS
XSS executes script in victim's browser on the target site. CSRF forges requests without needing script injection on the target. Both abuse trust.
Defenses
CSRF tokens (synchronizer tokens), SameSite cookie attribute, re-authentication for sensitive actions, Origin/Referer header validation.
Lab practice
Cyfotok CSRF lab provides a vulnerable banking-style app. Craft HTML form or fetch request that triggers state-changing action as another user.