Which type of attack forces an authenticated user to perform tasks on a web application chosen by the attacker?

Study for the EC-Council Digital Forensics Essentials (DFE) Test. Enhance your skills with multiple choice questions, each with detailed hints and explanations. Get ready to ace your exam!

Cross-site request forgery (CSRF) is the attack that forces an authenticated user's browser to perform actions on a web application chosen by the attacker. It works without the user's knowledge or consent and exploits the trust that the web application places in the user's browser: the application treats any request that arrives with a valid session cookie as an action the user intended.

Once a user is authenticated, the application usually identifies them by a session cookie, and the browser attaches that cookie automatically to every request it sends to the application's domain, regardless of which page initiated the request. CSRF leverages this behavior. For instance, if a user is logged in to a banking site and then visits a malicious page, that page can contain a hidden form or script that submits a transfer request to the bank. The user's browser sends the request together with the bank's session cookie, so the request genuinely originates from the authenticated user's browser, and the bank processes it as a legitimate action by that user. The attacker never learns the cookie value; they only need the browser to send it. Defenses therefore bind each state-changing request to something a cross-site page cannot read or set: an anti-CSRF token tied to the session, the SameSite cookie attribute, and server-side checks of the Origin or Referer header.

This mechanism distinguishes CSRF from the other options. Cross-site scripting (XSS) injects attacker-controlled script into pages served by the application; phishing tricks users into disclosing credentials or other sensitive information; and SQL injection manipulates database queries to gain unauthorized access to data. Each has its own mechanics, but none of them is defined by making the victim's own browser carry out attacker-chosen actions under the victim's existing session, which is the defining feature of CSRF.
