Exploits the trust a site has for a particular user Generally involves Web sites that rely completely on the identification of the user for security Involves "tricking" a user into unknowingly sending an HTTP request of the attacker's choosing Represents the best reason to disable register_globals No easy solution - depends on application design