I don't know what you mean by the frontpage part, but you could try replacing that evilcode part with a JavaScript redirection thing which places the cookie in the query string of a logger you set up, which is indeed a cross-site scripting vulnerability. That server should not echo that "GET evilcode HTTP/1.0" part. I don't know if you tried using JavaScript for real; maybe it's filtered.