A Cross-Site Request Forgery is an attack in which a user's browser is clandestinely directed to retrieve information or perform an action on a site without that user's knowledge. In these types of attacks, the user is presumed to have access to the targeted site. It is perhaps better explained with an example.
Let's assume a member of Local Bank and Trust of Bedford Falls just visited the bank's website in their browser. The user logged in, performed some actions, and never explicitly logged out, leaving the authentication cookie in their browser's cookie store. Later, while surfing the seedy side of the Web, they visit a site of questionable repute.
On this site, someone has placed a script file that submits a funds transfer request to Local Bank and Trust of Bedford Falls' website via an AJAX invocation. The script performs no action visible to the user. However, the user is still technically logged into the bank site, and this script is successful...
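As an added illustration (not code from the original article), here is the bank's transfer endpoint modelled twice: once authorising on the session cookie alone, which is exactly what the forged request exploits, and once requiring a per-session CSRF token plus an Origin check so that a request the third-party page built cannot pass. The bank origin, session store and both requests are constructed placeholders.

```python
import hmac
import secrets
from dataclasses import dataclass, field

BANK_ORIGIN = "https://bank.example"  # constructed placeholder for the bank's origin

# Server-side session store keyed by the session cookie value (constructed sample).
SESSIONS = {"sess-abc": {"user": "george", "csrf_token": secrets.token_hex(16)}}


@dataclass
class Request:
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def transfer_vulnerable(req):
    """Authorises the transfer on the session cookie alone, like the bank in the text."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    return 200, f"moved {req.form['amount']} from {session['user']} to {req.form['to']}"


def transfer_hardened(req):
    """Same endpoint, but demands proof the request came from the bank's own pages:
    the Origin (or Referer) must be the bank, and the form must carry the
    per-session synchroniser token, which a foreign page cannot read."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    # Exact match, or a path under the bank origin: a plain prefix test would let
    # "https://bank.example.evil" through.
    if origin != BANK_ORIGIN and not origin.startswith(BANK_ORIGIN + "/"):
        return 403, "cross-origin request refused"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"moved {req.form['amount']} from {session['user']} to {req.form['to']}"


# Constructed forged request: the browser attaches the bank cookie automatically,
# but the form and Origin come from the questionable site, which has no token.
FORGED = Request(cookies={"session": "sess-abc"},
                 form={"to": "attacker", "amount": "1000"},
                 headers={"Origin": "https://questionable.example"})

# Constructed legitimate request submitted from the bank's own transfer form.
LEGIT = Request(cookies={"session": "sess-abc"},
                form={"to": "mary", "amount": "25",
                      "csrf_token": SESSIONS["sess-abc"]["csrf_token"]},
                headers={"Origin": BANK_ORIGIN})
```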