I’m able to execute reflected xss on an internal application which does not have internet access. The developer is asking me to exploit the issue. he also assures that the session id is mapped to IP and userid so it not exploitable. I want to validate the statement by actually trying to grab cookie from other user. Can someone help me with the steps and how to setup server to gab cookies