Web - Client

Wednesday 24 August 2022, 00:51  #1
Web - Client | XSS Reflected
fr0g2s
  • 3 posts

My attack scenario is to steal the admin cookie.
I found a payload that triggers the JS without user interaction.
So, I reported this page to the admin.
When viewing this vulnerable page, my cookie is sent to a webhook, but the admin’s cookie is blank.

Am I missing something?

Wednesday 24 August 2022, 17:17  #2
Web - Client | XSS Reflected
fr0g2s
  • 3 posts

This is probably a hint: `blahblah+document.cookie -> blahblah document.cookie`