This is the bank's own site, served from api.barisalgun.dev. Logging in here is
the legit step (this is where your password would go in real life). Because this page shares the server's
origin, it can read the CSRF token and make a real transfer. The attacker page on
barisalgun.dev then tries to abuse the session you start here. Open DevTools → Network to
watch the requests.
Click "Log in" first.