When creating a website, we tend to code the client-side and the server-side together. We build the pages and forms a user will interact with on the client-side, then build the server-side URLs that respond when the user performs an action.
However, requests can be triggered to the server-side code from anywhere - not just the client-side code we write. This is one of the most powerful aspects of how internet is designed: it allows linking between sites. But it also the cause of a common security flaw, cross-site request forgery (CSRF).
A CSRF attack occurs when a user is tricked into interacting with a page or script on a third-party site that generates a malicious request to your site. All your server will see is an HTTP request from an authenticated user. However, an attacker takes control over the form of the data sent in the request to cause mischief.
Imagine you run the micro-blogging service that allows your users to tweep their opinions at each other in 280-character-sized chunks.
Mal is a hacker who has noticed that posts on your service are created using GET requests. This means that all the information is carried in the URL of the HTTP request.
Mal modifies the post-creation URL to include a malicious payload. Now he has to find some way to get a victim to visit the URL in their browser.