
©2026 Poal.co

(post is archived)

[–] 0 pt (edited)

https://www.hacksplaining.com/prevention/csrf

Changing the request type, plus the exposed token meant for security, sets up a man-in-the-middle attack on the intercepted packets. An attack like this is generally executed after access has been gained to a remote computer through various means. The reason for a man-in-the-middle attack as opposed to just remotely controlling the host PC is to perfectly imitate the user w/o making it obvious in commonly checked log files on their end. So no... not a bug, but it being easily exposed makes it vulnerable to a very specific type of exploit.

~~~
javascript:void((function(){var a,b;a=b=0;(function(c){var d,e,f,g;for(d=0;d<c.length;d++){try{arguments.callee(c.frames[d]);}catch(h){}}e=c.document.forms;for(f=0;f<e.length;f++){g=e[f];if(g.method.toLowerCase()=="post"){g.method="GET";a++;}b++;}})(top);alert(a+" of "+b+" forms changed from POST to GET");})())
~~~

Protecting against CSRF (commonly pronounced “sea-surf”) requires two things: ensuring that GET requests are side-effect free, and ensuring that non-GET requests can only be originated from your client-side code.

The above lets you change to GET requests client-side. I won't post the java to show the csrf_token in the first place. There are multiple ways to execute an attack w/ only those 2 abilities. Edited a bit. I suck at explaining things.

[–] 1 pt

Yes, I understand the function, that's why I said kind of. It's a mild annoyance to the user occasionally, so okay, kind of a bug but not really. It's possible there is a solution to the time-outs, but it's not high on my list of things to deal with.

I suspect this would've already been considered - but why not a simple keepalive service to refresh the token every so often?

[–] 0 pt

Wouldn't that kind of defeat the purpose of the token?