CSRF is an attack that tricks a victim into submitting a malicious request with the identity and privileges of the victim to perform an undesired function on the victim's behalf. For most applications, browsers will automatically include any associated session information such as the user's session cookie, token, IP address, and sometimes Windows domain credential NTLM hashes. If the victim user is currently authenticated to the site, the site will have no way to distinguish between the forged request sent by the victim and a legitimate request sent by the victim.
CSRF attacks target application functionality that causes a state change on the server, such as changing the victim's email address, password, or various other application configuration settings. The adversary does not receive a response if the attack was successful, only the victim does. As such, CSRF attacks target state-changing configuration requests that are performed in an automated fashion. Embedded IoT devices...