Alright, I know that I am really close to getting part 1 right. I'm injecting the CSRF img tag into the feedback page using a crafted URL, however I am not quite sure what the exact right way to do this is. I definitely understand the premise of this attack, but the only problem is I don't know if I am crafting the URL correctly. I thought maybe the checked_out parameter could be changed to checked_in or maybe checkout.php could be changed to checkin.php, but apparently neither is correct because all I'm getting is, 'Success, you have submitted feedback!'.
I'd really appreciate a bump in the right direction for this. This kind of attack is really interesting and crafty and I understand it completely, but I don't know how to make the URL for the img tag correct.
Thanks for any help,
EDIT: Finished, that was a great experience. Any admin can delete this, it is a waste of space now.