In the above example, when a user is tricked into loading this web page, the evil web form performs a bank transfer to the attacker's account, leveraging the user's active browser session with the bank. The form also has a target which displays the results in a hidden iframe so that the user does not notice the malicious request.
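The forged request succeeds only because the bank treats the session cookie alone as proof of intent. The following server-side check is an added example, not code from the original page: it rejects the hidden-form POST by requiring a same-origin `Origin`/`Referer` header and a session-bound token. The origin `https://bank.example`, the field name `csrf_token` and the request shape are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumptions for this sketch: origin, key handling and request shape are hypothetical.
TRUSTED_ORIGIN = "https://bank.example"
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, never sent to the browser


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session; embedded only in the bank's own transfer form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers: dict) -> bool:
    """Compare Origin (or Referer as a fallback) with the trusted origin."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed on state-changing requests
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def allow_transfer(session_id: str, headers: dict, form: dict) -> bool:
    """Accept the POST only if it is same-origin and carries the session's token."""
    if not same_origin(headers):
        return False
    expected = issue_csrf_token(session_id).encode()
    supplied = form.get("csrf_token", "").encode()
    return hmac.compare_digest(expected, supplied)


# Constructed sample requests. Both arrive with the user's valid session cookie.
SESSION = "constructed-session-id"
legit = ({"Origin": "https://bank.example"},
         {"to": "savings", "amount": "50", "csrf_token": issue_csrf_token(SESSION)})
forged = ({"Origin": "https://evil.example"},
          {"to": "attacker", "amount": "5000"})  # cross-site page cannot read the token

if __name__ == "__main__":
    print("legitimate:", allow_transfer(SESSION, *legit))
    print("forged:    ", allow_transfer(SESSION, *forged))
```

Setting `SameSite=Lax` or `SameSite=Strict` on the session cookie adds a browser-side layer, since the cookie is then withheld from cross-site form POSTs.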