XSS cookie Stealing with Character limitations


The rules also Include 1. No jQuery 2. Only through making an API AJAX request. 3.character limitation of 100 characters.

Can any suggest me how I can build a payload sticking with these rules.