Some developers create complex application flows to avoid these kinds of attacks, for example, confirming critical actions. But, in the end, we just need to understand how the process works using an HTTP proxy, not automating the attack in the same way as the others.