In this lesson, we'll learn how to exploit an XSS vulnerability to read the contents of a cookie from our vulnerable website. We'll also make an endpoint on our attacker website to receive and log the cookie we've stolen. This payload will be used and modified in the following lessons to validate vulnerabilities and to verify their mitigation.
I don’t understand this example, cant you just look at the session cookie through the browser just as easily?
Yes, you as the user can look at their own session cookie through the browser, which allows them to authenticate themselves. However, when an attacker performs an xss attack, it allows them to see other people's session cookies, which allows the attacker to authenticate themselves as other people! The XSS is persisted so that when other people log into the site, they execute the attackers code, sending their own session cookie to the attackers servers.
Hope this helps!