The poor victim in this scenario will log in to his account using the login page of Mutillidae. Once in, he browses to his blog page (using the left menu and then selecting OWASP 2017 | CSRF | Add to your blog). He uses his blog to add a new article (you know the guy is a super blogger!):