XSS exploitation: AJAX isn’t working properly

I am working on a test case with a website demonstration. So far, I've discovered reflected XSS on the website in the profile preview, meaning the data is not sent to the server side. Next, when I looked through the source code, I found a comment that may be used to exploit the XSS vulnerability. However, I don't even know how and where I should start. What I've tried is:

  • I put the header in using Burp Suite and used the URL with retrieve.php, but got "unauthorized" with a blank page
  • I've also looked at how xhttp works, but it doesn't seem helpful

The comment:

//TODO: Fix up the background POST request, AJAX isn't working properly!
var xhttp = new XMLHttpRequest();
// add in headers
// csrf => testing123321
// X-Auth => custom-auth

The summary is:

  1. I’ve got an account for testing.
  2. The XSS vulnerability is in the profile preview mode; the code is not sent to the server.
  3. I've got the comment, which I suspect is related to the exploitation.

The question is kind of generic, but what can I do? Or where should I start to learn?