This is a lab. Any username/password is accepted (we're not the auth boundary today).
Welcome …. Balance: $50,000
Note for the developer: hidden CSRF token still TODO.
In a real CSRF, the victim clicks a malicious link/page. Click below to simulate it.