Cross-Site Request Forgery (CSRF) tricks a logged-in victim's browser into sending a state-changing request, such as changing an email or transferring funds, to a site where they are authenticated. Because the browser automatically attaches the session cookie, the server cannot distinguish the forged request from a legitimate one unless an anti-CSRF token is required.
The CSRF generator builds an auto-submitting HTML form that POSTs your target parameters on page load, plus a fetch/XHR variant for JSON or custom-content-type endpoints. Host the page, lure an authenticated victim to it, and the request fires with their cookies attached, demonstrating the missing token protection.
When a form cannot be auto-submitted, clickjacking can frame the real page and trick the user into clicking the action; the generator can output a clickjacking overlay PoC for this. Note that SameSite=Lax or Strict cookies and proper anti-CSRF tokens defeat most CSRF, so test whether the target relies on either control.
Yes. The CSRF generator is free and produces the PoC form and script 100% client-side, so your target endpoints and parameters never leave your machine. Use the generated proof-of-concept pages only against applications you are authorized to test.