[&] What is the primary method an attacker uses in a CSRF attack?
- Exploiting SQL Injection vulnerabilities
- Tricking a user into sending a malicious request -- Correct
- Phishing for user credentials
- Executing a man-in-the-middle attack

[&] Why is it difficult to confirm whether a web application is vulnerable to CSRF?
- CSRF vulnerabilities are detectable without actual testing.
- CSRF vulnerabilities require manual testing to confirm. -- Correct
- CSRF vulnerabilities only appear under certain timing conditions.
- CSRF vulnerabilities do not rely on user sessions.

[&] What can CSRF attacks authorize an attacker to do without the user's consent?
- Change user account settings -- Correct
- Encrypt web application traffic
- Display advertisements in the user's browser
- Steal user session data directly

[&] What mitigation technique can help defend against CSRF attacks?
- Using CAPTCHAs on all forms
- Utilizing token-based validation -- Correct
- Implementing SSL certificates
- Limiting HTTP request methods

[&] Which part of the request are attackers taking advantage of in a CSRF attack?
- The HTTP version used
- The user's session cookie -- Correct
- The origin of the request
- The browser's cache

[&] How can an attacker deliver a malicious CSRF request to a victim?
- By hijacking the victim's internet connection
- By sending a link via email or embedding it in a webpage -- Correct
- By altering DNS records to redirect the victim
- By modifying the victim's browser settings remotely