Just wanted to share a simple XSS cookie stealer that I like to use for demos. Primarily I put this into a post because I’ve seen many use document.location in their payloads, but that causes the victim browser to be redirected to the attacker, which is not very nice (not stealthy).
Put the following in a script tag, or as part of an attribute or other JavaScript source, and you should be able to receive the cookie as part of a request for an image from the attacker IP.
This script does not write the image to the website, but loads the source, containing the cookie (if it is not marked HttpOnly, which keeps it out of document.cookie). All you have to do now is host a webserver on your attackerIP and you should be able to see cookies appear in the web-server logs.
Python3 webserver:
python3 -m http.server attackerPort
Python2 webserver:
python -m SimpleHTTPServer attackerPort
PHP webserver:
php -S attackerIP:attackerPort
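Seen from the other side, the same requests show up in a defender's proxy or egress logs. As an added example (not the author's payload or code), this check scans log lines in the shape python3 -m http.server writes (the sample lines are constructed) and flags requests whose query parameter decodes to cookie-shaped data, i.e. name=value pairs joined by "; " or a known session cookie name.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines (assumption: the format "python3 -m http.server" logs).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024 10:00:01] "GET /logo.png HTTP/1.1" 200 -
10.0.0.7 - - [01/Jan/2024 10:00:02] "GET /?c=PHPSESSID%3Dabc123%3B%20theme%3Ddark HTTP/1.1" 404 -
10.0.0.7 - - [01/Jan/2024 10:00:03] "GET /track.gif?id=42 HTTP/1.1" 200 -
10.0.0.9 - - [01/Jan/2024 10:00:04] "GET /x.png?d=session_id=deadbeef HTTP/1.1" 404 -
"""

# Client IP plus the request line; tolerant of the timestamp field in between.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# One cookie pair as document.cookie serialises it: name=value with no ';' inside.
COOKIE_PAIR_RE = re.compile(r'^[A-Za-z0-9_\-.]+=[^;]+$')
# Common session cookie names (illustrative, extend for your own application).
SESSION_NAMES = {"phpsessid", "jsessionid", "session_id", "sessionid", "asp.net_sessionid"}


def looks_like_cookie_blob(value):
    """True if a decoded query value has the shape of document.cookie output."""
    pairs = [p.strip() for p in value.split(";") if p.strip()]
    if not pairs or not all(COOKIE_PAIR_RE.match(p) for p in pairs):
        return False
    names = {p.split("=", 1)[0].lower() for p in pairs}
    # Several pairs at once, or a single pair naming a session cookie, is suspicious.
    return len(pairs) > 1 or bool(names & SESSION_NAMES)


def find_cookie_exfil(log_text):
    """Return one hit per log line whose query carries cookie-shaped data."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes values, so "%3B%20" becomes "; " here.
        for param, value in parse_qsl(query, keep_blank_values=True):
            if looks_like_cookie_blob(value):
                hits.append({"ip": m.group("ip"), "param": param, "value": value})
                break
    return hits


if __name__ == "__main__":
    for hit in find_cookie_exfil(SAMPLE_LOG):
        print(f"possible cookie exfil from {hit['ip']}: {hit['param']}={hit['value']}")
```

Tune SESSION_NAMES and the pair pattern to your own cookie names; a request for an image whose query decodes to a cookie string is a strong signal either way.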