One thing I can't wrap my head around with CSRF attacks is how an attacker can lure us to a different site and still be able to use our session data.
I thought that if the browser is pointed to a website like "trustworthysite.com" then all requests (forms, AJAX, XMLHttpRequests, etc.) would have to be to the same domain,
e.g.
<form action="http://trustworthysite.com/login" method="POST">
    Your name: <input type="text"><br/>
    <input type="hidden" name="amount" value="10000">
    <input type="hidden" name="recipient" value="evil_hacker">
</form>
or
// same fields as the hidden inputs in the form above
var postData = { amount: 10000, recipient: "evil_hacker" };
$.ajax({
    url: "http://trustworthysite.com/post",
    type: "POST",
    data: postData,
    success: function (data) {
    },
    error: function () {
    }
});
But if the attacker lured us to "malicioussite.com" and then tried to run the JavaScript code above, wouldn't it fail because it is a "cross-origin" request?
How could it still work?
The Same Origin Policy stops JavaScript from reading the response from a different origin. It doesn't stop the request being made (except under some limited circumstances).
CSRF attacks are primarily about sending malicious instructions, not about stealing data.