diff --git a/index.js b/index.js
index bb6c039..bfdaaf7 100644
--- a/index.js
+++ b/index.js
@@ -1,5 +1,6 @@
 import http from 'http';
 import sse from './module/sse.js';
+import xss from './module/xss.js';
 const server = http.createServer(async (req, res) => {
 // 设置 CORS 头
@@ -19,11 +20,16 @@ const server = http.createServer(async (req, res) => {
 return;
 }
+ if (req.url.startsWith('/xss/test')) {
+ xss(req, res);
+ return;
+ }
+
 res.writeHead(404);
 res.end();
 });
 // 监听端口
 server.listen(3000, () => {
- console.log('SSE server is running at http://localhost:3000/events');
+ console.log('node server is running at http://localhost:3000');
 });
diff --git a/module/xss.js b/module/xss.js
new file mode 100644
index 0000000..2455b5e
--- /dev/null
+++ b/module/xss.js
@@ -0,0 +1,23 @@
+import url from 'url';
+
+export default async function (req, res) {
+ // 设置响应状态码和内容类型
+ res.writeHead(200, { 'Content-Type': 'application/json' });
+
+ // 获取请求的 Cookies,这个只有相同域名才行,没有意义
+ const cookies = req.headers.cookie;
+ // 解析 URL 和查询参数
+ const parsedUrl = url.parse(req.url, true);
+ const queryParams = parsedUrl.query;
+
+ // 返回 JSON 数据
+ const responseData = {
+ message: '我已经获取到该用户的cookie了!',
+ cookies,
+ queryParams,
+ timestamp: new Date().toString(),
+ };
+
+ // 将数据写入响应体
+ res.end(JSON.stringify(responseData));
+}
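Review bot: The new route check `req.url.startsWith('/xss/test')` is a prefix match with no method check, so paths such as `/xss/testing` and any HTTP verb also reach the handler; comparing the parsed pathname, e.g. `new URL(req.url, 'http://localhost').pathname === '/xss/test'`, keeps the route exact. `xss` is declared `async` in module/xss.js but is called here without `await`, so a rejection would surface as an unhandled promise rejection instead of an error response; `await xss(req, res);` inside a try/catch fits the already-async request handler. The context line `server.listen(3000, () => {` passes no host, and Node then listens on all interfaces, so this cookie-echoing test route is reachable from the network; `server.listen(3000, '127.0.0.1', () => {` would keep it local. The request handler's body begins outside this hunk.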
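Review bot: The handler copies `req.headers.cookie` verbatim into the JSON body, which makes every cookie the browser sends to this host, including ones marked HttpOnly, readable by any script that is allowed to read the response; whether other origins can do so depends on the CORS headers set in index.js, which are not visible in this diff. If the route is only a local demonstration, consider gating it behind a development-only switch or returning just a presence indicator such as `hasCookies: Boolean(cookies)`. `url.parse` is Node's legacy API; `const { searchParams } = new URL(req.url, 'http://localhost');` followed by `const queryParams = Object.fromEntries(searchParams);` replaces it (repeated keys then collapse to the last value) and makes the `url` import unnecessary. The function is also `async` without awaiting anything and calls `res.writeHead(200, …)` before parsing, so a failure after that point can no longer change the status code.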