For this recipe, we will use the bWApp application in bee-box, http://192.168.56.13/bWapp in this example, and we will set the security level to Medium.
- Once logged in to bWApp, go to the bug Cross Site Request Forgery (Transfer Amount).
- Enter an account number and amount and click on the Transfer button.
- Let's analyze the following request in Burp Suite. All of the parameters are sent via a GET request; by looking at the token parameter included in the URL, we can infer that there is a CSRF protection in place:

- We will try and exploit an XSS and use it to trigger the transfer request. For that, we first need to find the ...