[ Thanks to Nobody for this link.
]
“Site tasks are usually linked to specific urls (Example:
http://site/stocks?buy=100&stock=ebay) allowing specific
actions to be performed when requested. If a user is logged into
the site and an attacker tricks their browser into making a request
to one of these task urls, then the task is performed and logged as
the logged in user. Typically you’ll use Cross Site Scripting to
embed an IMG tag or other HTML/JavaScript code to request a
specific ‘task url’ which gets executed without the users
knowledge. These sorts of attacks are fairly difficult to detect
potentially leaving a user debating with the website/company as to
whether or not the stocks bought the day before we initiated by the
user after the price plummeted.”