Question 40

While performing an assessment on a banking site, you discover the following link: https://mybank.com/xfer.asp?xfer_to=[account_number]&amount=[dollars]

Assuming authenticated banking users can be lured to your web site, which crafted HTML tag may be used to launch an XSRF attack?

    Correct Answer: D

    To launch a CSRF (Cross-Site Request Forgery) attack, the attacker needs to trigger an action on the bank's site without the user's consent. An <img> tag can be used to make a GET request to the bank's transfer endpoint when the browser attempts to load the image. Because the browser automatically attaches the user's cookies to that request, it is sent with the authenticated user's session if they are logged in, potentially triggering a money transfer. The crafted HTML tag <img src='https://mybank.com/xfer.asp?xfer_to=[attacker_account]&amount=[dollars]'> makes an automatic request to the bank's transfer URL with the specified parameters, which is why it is the correct way to launch a CSRF attack in this context.
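The explanation above turns on three properties of the vulnerable endpoint: it changes state on a GET, it never checks where the request came from, and it relies on the session cookie alone. The following added example (not from the exam page or any vendor) models the server-side checks that close each gap, with the legacy request and a legitimate form post constructed inline; the endpoint is represented as a plain function rather than a real web framework.

```python
"""Defender-side CSRF checks for a transfer endpoint like mybank.com/xfer.asp.
Assumed: the request is modelled by its method, headers, session and form body.
All sample requests below are constructed for illustration."""
import hmac
import secrets

SITE_ORIGIN = "https://mybank.com"


def issue_csrf_token(session):
    """Bind a fresh random token to the server-side session (synchronizer token)."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def transfer_allowed(method, headers, session, form):
    """Return (allowed, reason). The legacy GET endpoint in Question 40 fails
    each of these checks, which is exactly why an <img src=...> request works."""
    # 1. State-changing actions only via POST: an <img> tag can only issue GET.
    if method != "POST":
        return False, "state change via GET"
    # 2. Origin (or Referer as fallback) must match our own origin; absent -> reject.
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not origin.startswith(SITE_ORIGIN):
        return False, "cross-site origin"
    # 3. Token in the form body must match the session copy (constant-time compare).
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or wrong CSRF token"
    return True, "ok"


# --- constructed sample requests -------------------------------------------
def legacy_img_request(session):
    """What the bank receives when a victim's browser loads a cross-site <img>:
    a GET carrying the session cookie, a foreign Referer and no token."""
    return transfer_allowed("GET", {"Referer": "https://attacker.example/"},
                            session, {"xfer_to": "[attacker_account]", "amount": "100"})


def legitimate_request(session):
    """A form submitted from the bank's own page with the session-bound token."""
    return transfer_allowed("POST", {"Origin": SITE_ORIGIN}, session,
                            {"xfer_to": "[account_number]", "amount": "100",
                             "csrf_token": session["csrf_token"]})
```

Setting the session cookie with `SameSite=Lax` or `Strict` is a complementary browser-side control, but the token and method checks above are what the server itself can enforce.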

Discussion
79c58bb: Option D

The correct choice for launching a CSRF attack in this scenario is: D. <img src="https://mybank.com/xfer.asp?xfer_to=[attacker_account]&amount=[dollars]"> This uses the img tag to exploit the CSRF vulnerability by making a GET request to the bank's transfer endpoint when the image attempts to load, thus possibly triggering a fund transfer if the user is authenticated and CSRF protections are absent or inadequate.