Which of the following conditions must be given to allow a tester to exploit a Cross-Site Request Forgery
(CSRF) vulnerable web application?

A.
The victim user must open the malicious link with an Internet Explorer prior to version 8.

B.
The session cookies generated by the application do not have the HttpOnly flag set.

C.
The victim user must open the malicious link with a Firefox prior to version 3.

D.
The web application should not use random tokens.