NOTE
The defect in the application’s validation of off-site images is known as
a “time of check, time of use” (TOCTOU) flaw, because an item is validated at
one time and used at another time, and an attacker can modify its value in the
window between these.
Exploiting XSRF Flaws
XSRF vulnerabilities primarily arise where HTTP cookies are used to transmit
session tokens. Once an application has set a cookie in a user’s browser, their
browser will automatically submit that cookie back to the application in every
subsequent request. This is so regardless of whether the request originates
from a link provided by the application itself or from a URL received from
elsewhere, such as in an email or on another web site altogether, or from any
other source. If the application does not take precautions against misuse of the
token in this way, then it is vulnerable to XSRF.
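The mechanism described above, as an added example that is not code from the original text: a simulated request handler that relies on the session cookie alone (and so honors a request the browser submits on behalf of another site) beside the same handler with a synchronizer-token check. The `Request` class, the session store, the secret key and the sample requests are all constructed for this illustration; a real framework would supply its own request object and session storage.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed sample values; a real deployment loads the key from secret storage.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
SESSIONS = {"sess-abc123": "alice"}  # constructed: session cookie value -> user


@dataclass
class Request:
    """Minimal stand-in for a framework request object (hypothetical)."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def issue_csrf_token(session_id: str) -> str:
    """Derive a per-session anti-XSRF token.

    An HMAC over the session identifier cannot be produced by a third-party
    site, which only gets the browser to replay the cookie, not the token.
    The application embeds this value in a hidden field of every form.
    """
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token against the expected one."""
    if not submitted:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), submitted)


def vulnerable_transfer(req: Request) -> Tuple[int, str]:
    """Authorizes on the session cookie alone.

    Because the browser attaches the cookie to any request aimed at this
    origin, a POST triggered from another site is indistinguishable from
    one the user made through the application's own form.
    """
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None or req.method != "POST":
        return 401, "not authenticated"
    return 200, f"{user} moved {req.form['amount']} to {req.form['to']}"


def hardened_transfer(req: Request) -> Tuple[int, str]:
    """Same handler with a synchronizer-token check.

    The cookie still identifies the session, but the request is only acted
    on if it also carries the token that was rendered into the page, which
    a cross-site request cannot read or forge.
    """
    sid = req.cookies.get("session")
    user = SESSIONS.get(sid)
    if user is None or req.method != "POST":
        return 401, "not authenticated"
    if not csrf_token_valid(sid, req.form.get("csrf_token")):
        return 403, "missing or invalid anti-XSRF token"
    return 200, f"{user} moved {req.form['amount']} to {req.form['to']}"


# Constructed requests. Both carry the cookie, because the browser adds it
# regardless of where the request originated; only the second carries the token.
CROSS_SITE_POST = Request(
    "POST", "/transfer",
    cookies={"session": "sess-abc123"},
    form={"to": "other-account", "amount": "100"},
)
OWN_FORM_POST = Request(
    "POST", "/transfer",
    cookies={"session": "sess-abc123"},
    form={"to": "other-account", "amount": "100",
          "csrf_token": issue_csrf_token("sess-abc123")},
)


def demo() -> dict:
    """Return the status each handler gives each request, for inspection."""
    return {
        "vulnerable/cross-site": vulnerable_transfer(CROSS_SITE_POST)[0],
        "hardened/cross-site": hardened_transfer(CROSS_SITE_POST)[0],
        "hardened/own-form": hardened_transfer(OWN_FORM_POST)[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The token is tied to the session rather than stored server-side, so no extra state is needed; rotating `SECRET_KEY` invalidates every outstanding form. Setting the cookie with the `SameSite` attribute is a complementary browser-side control, but the server-side check is what removes the dependency on the cookie as sole proof of intent.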