How it works...

CSRF occurs because the request is ultimately made by the victim user's session. It is an attack that exploits the trust that a victim's browser has established with a remote web service. In the case of GET method CSRF, a victim is enticed to access a URL that contains the parameters that define the terms of the malicious transaction. In the case of POST method CSRF, the victim is enticed to browse to a web page that defines the parameters, which the victim's browser then forwards to the vulnerable server to perform the malicious transaction. In either case, the transaction is performed because the request originates from the browser of the victim, who has already established a trusted session with the vulnerable application.
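A server-side check that covers both cases described above, as an added example that is not from the original text: it assumes a hypothetical in-memory `SessionStore` and a per-session synchronizer token that the application embeds only in its own forms. The `authorize` function and the sample requests in `demo` are constructed for illustration.

```python
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

class SessionStore:
    """Hypothetical in-memory store: session id -> per-session CSRF token."""
    def __init__(self):
        self._tokens = {}

    def login(self):
        sid = secrets.token_urlsafe(16)
        self._tokens[sid] = secrets.token_urlsafe(32)
        return sid, self._tokens[sid]

    def token_for(self, sid):
        return self._tokens.get(sid)

def authorize(store, method, session_cookie, changes_state, submitted_token=None):
    """Decide whether a request may run; returns (allowed, reason)."""
    expected = store.token_for(session_cookie)
    if expected is None:
        return False, "no session"
    if not changes_state:
        return True, "read-only"
    # GET case: a transaction must never be reachable through a bare URL.
    if method.upper() in SAFE_METHODS:
        return False, "state change via safe method"
    # POST case: the cookie is attached by the browser automatically, so it
    # proves nothing about intent; the token comes only from the app's own form.
    supplied = (submitted_token or "").encode()
    if not hmac.compare_digest(supplied, expected.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"

def demo():
    """Constructed requests: two carry only the session cookie, one is genuine."""
    store = SessionStore()
    sid, token = store.login()
    return {
        "get_with_cookie_only": authorize(store, "GET", sid, True),
        "post_with_cookie_only": authorize(store, "POST", sid, True),
        "post_with_token": authorize(store, "POST", sid, True, token),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Both requests that carry only the session cookie are refused, which is the property a page on another origin cannot get around without reading the token.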
