Urgent Website CSRF Penetration Test

Client: AI | Published: 07.10.2025

I need a seasoned security practitioner to approach my production site exactly as a black-hat would—only with ethical intent. The single target is Cross-Site Request Forgery. I’m not after a broad vulnerability sweep right now; I want to know, as quickly as possible, whether a determined attacker can exploit CSRF to change state, steal data, or pivot deeper.

Scope
• Public-facing web application (URL supplied after hire)
• All user roles, from anonymous visitor to admin, are in scope
• No restrictions on tooling—Burp Suite, OWASP ZAP, custom scripts, Kali Linux, or anything else that helps you think like an adversary

Turnaround
ASAP. I’d like initial confirmation of test start within hours of award and a full report the moment you finish, ideally within the next couple of days.

Deliverables
1. A concise executive summary describing overall risk
2. Step-by-step reproduction notes and proof-of-concept requests or scripts
3. Recommended remediations and references to relevant OWASP guidance
4. Optional follow-up call to walk me through the findings

Acceptance Criteria
• At least two independently reproducible CSRF attack paths or, if none exist, clear evidence of attempted exploitation methods and why they failed
• Proof-of-concept must demonstrate impact (e.g., unauthorized state change) without permanently harming data or availability
• Report provided in both PDF and plain-text formats

If you thrive on thinking like the bad guys—while keeping everything 100 % above board—let’s get started right away.