The attacker must determine the right values for all the form inputs.
The attacker must target a site that doesn't check the referrer header.
The target site should authenticate in GET and POST parameters, not only cookies.
The target site should have limited lifetime authentication cookies.
© 2013 Zend PHP Certification Exam