Cross Site Request Forgery

This demo shows an example of a Cross Site Request Forgery (CSRF). Note that it does not work in Lynx, because Lynx does not automatically fetch embedded images; you need to use Firefox or a similar graphical browser on your host, with a proxy to the virtual node.

How CSRF Works

When a user logs in to the grade system, the server sets a cookie which the user's browser stores. The browser then automatically attaches that cookie to every subsequent request to the grade server, and the server uses it to recognise that the request comes from a logged-in user.

Now let's say a logged-in user has permission to perform some operations that other users cannot. For example, on the grade system, user "steve" is allowed to edit the grades of students; other users (whether logged in or not) are not. In the grade system, editing a grade is implemented by steve selecting a new grade, that new grade being sent to the server as a URL parameter, and the database updating the grade. The URL is structured as follows:

grades/updategrade.php?id=STUDENTID&course=CODE&newgrade=GRADE

where STUDENTID, CODE and GRADE are set to appropriate values.

The page updategrade.php also includes PHP code to check that the logged-in user is "steve". Therefore if another user tries to visit this page (in an attempt to change a grade), an error is returned and the grade is not changed. How does the server know that the request is from the user "steve"? Only from the cookie sent with the request.

Try it. Login as user "5012345678" and visit:

http://www.myuni.edu/grades/updategrade.php?id=5012345678&course=its335&newgrade=A

You should find that the grade cannot be updated (if it can, then there is a serious error in the PHP code at the server).

So how can a user other than "steve" cause a grade to change? By tricking steve, while he is logged in to the grade system, into visiting some other website under the control of the malicious user that contains a link to the updategrade.php page. A common way to do this is to create an ordinary-looking website which contains a hidden link. A hidden link can be created in HTML with an image of zero size or with an iframe.

In this demo, there is a website on another server at:

http://www.freestuff.com/freestuff/

If you look closely at the source of that website you will see an image included with a size of 0. It is not actually an image, however, but a link to the grade system that updates a grade. If user "steve" is logged in to the grade system and then visits this FreeStuff website, his browser will automatically send a request to the updategrade.php page on the grade system. The browser includes his cookie for the grade server (192.168.2.21), so the server believes the request is steve's and updates the grade. The result is that the malicious user has caused steve to update a grade without him knowing. Two things make this work: the browser attaches the cookie to the request regardless of which page triggered it, and the server treats any request carrying that cookie as an intentional action by steve.
