Tags: security, spring-security, csrf, csrf-protection

Are CSRF attack specific to a target website


As per my understanding, a CSRF attack is about sending POST data to the target server when the user is logged in to the target server and clicks on a malicious website in another tab. Till here all is fine. My question is that the chance of attack is that the malicious website should know the form parameters of the target website, and the user also needs to be logged in to the target website. Isn't this rare, since the malicious website can only attack one or a few websites and the user has to be logged in? Am I missing anything?


Solution

  • It is a door better left closed. It happens often enough that most frameworks have CSRF protection built-in.

    OWASP: Cross-Site Request Forgery
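The kind of check behind the built-in protection the answer refers to, shown as an added example (not code from the question, the answer or Spring Security); the session, request and origin names are assumptions, and it also shows why knowing the form field names does not help the attacker once a per-session token is required:

```python
# Added example: a minimal synchronizer-token CSRF check, framework-agnostic.
# Session, Request, SITE_ORIGIN and csrf_check are assumed names, not a real API.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Session:
    """Server-side session resolved from the browser's session cookie."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

@dataclass
class Request:
    """The parts of an incoming POST the check looks at."""
    session: Session               # the browser attaches the cookie automatically
    form: dict                     # submitted form fields
    origin: Optional[str] = None   # Origin header; may be absent

SITE_ORIGIN = "https://bank.example"   # constructed value for the demo

def csrf_check(req: Request) -> tuple:
    """Return (accepted, reason) for a state-changing request."""
    # Defence in depth: a form posted from another site carries that site's Origin.
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return False, "origin mismatch"
    submitted = req.form.get("_csrf", "")
    # Constant-time comparison so a token cannot be recovered byte by byte.
    if not hmac.compare_digest(submitted, req.session.csrf_token):
        return False, "missing or invalid csrf token"
    return True, "ok"

def demo() -> dict:
    """Constructed scenario: a logged-in victim, one legitimate post and one
    cross-site post from a page that knows the form's field names."""
    victim = Session(user="alice")
    legit = Request(victim, {"to": "bob", "amount": "10", "_csrf": victim.csrf_token}, SITE_ORIGIN)
    # The malicious page can read the target's field names from its public HTML,
    # and the browser still sends alice's cookie, so the session resolves; but the
    # page cannot read alice's token, so the forged post has no valid _csrf value.
    forged = Request(victim, {"to": "mallory", "amount": "1000"}, "https://evil.example")
    return {"legit": csrf_check(legit), "forged": csrf_check(forged)}
```

The Origin check alone is not enough (the header is absent on some requests), which is why the token check runs regardless of it.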