For this, you’d need only 2 files:
Upon a “form submit” event, the current URL, the current cookie and all the page <input> fields are stored in a JSON object. This is Base64 encoded and passed on to a defined URL (http://www.google-analytics.com/dump.php?a= in the case above).
The data is pushed, as a Base64 encoded JSON object, to an external script; dump.php in my case. This script (here) stores the current date and a dump of all passed on variables in a defined text file.
Since it decodes a JSON object, dump.php requires JSON support, which can be installed using pear. On Debian, it’s done using the following:
apt-get install php-pear
pear install Services_JSON
To verify this, you will see a JSON entry in the phpinfo() output.
When all is set up correctly (virtual host, /etc/hosts file changes, correct permissions for the dump.txt file to be created), all <form> submits should be recorded in the text file, in the form of:
on 06 Jun 11, 07:28:06
location : http://7days.ae/
cookie : SESS13752b3ab7d6...
name : user
pass : secret1552
_empty_ : Password
op :
form_build_id : form-00db26143485eac73953183a0e4170b6
form_id : search_form
search_theme_form : Search Keywords
default_text :
No, this is no hack against Google Analytics or 7days; the latter is something that would look slightly different. 🙂
Using a proxy server, even a transparent one, can have its risks; this post just illustrates one of them. Always make sure you can trust your proxy administrators.
PS: these scripts are far from perfect, they don’t trap XHR requests and many other things, but they get the point across.
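Seen from the defender's side, as an added example that is not code from the original post: a Python check that scans request URLs (for instance from egress or endpoint logs) for a query parameter that Base64-decodes to a JSON object carrying cookie or password fields, which is the shape of the request described above. The key names, the length threshold and the sample URLs are assumptions constructed for the illustration.

```python
import base64
import json
from urllib.parse import parse_qsl, urlsplit

# Assumption: the JSON keys mirror the labels in the dump shown above.
SENSITIVE_KEYS = {"cookie", "pass", "password", "location"}
MIN_LEN = 24  # assumed threshold: shorter values cannot hold a form dump

def decode_json_param(value):
    """Return the dict encoded in a Base64 query value, or None."""
    if len(value) < MIN_LEN:
        return None
    # parse_qsl turns '+' into a space: undo that, accept the URL-safe
    # alphabet as well, and restore any stripped padding.
    raw = value.replace(" ", "+").replace("-", "+").replace("_", "/")
    raw += "=" * (-len(raw) % 4)
    try:
        obj = json.loads(base64.b64decode(raw, validate=True).decode("utf-8"))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None
    return obj if isinstance(obj, dict) else None

def find_form_exfil(urls):
    """Yield (host, path, parameter, matched keys) for suspicious requests."""
    for url in urls:
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            obj = decode_json_param(value)
            if obj is None:
                continue
            hits = sorted(SENSITIVE_KEYS & {k.lower() for k in obj})
            if hits:
                yield parts.hostname, parts.path, name, hits

def sample_param(fields):
    # Builds constructed test data in the shape the post describes.
    return base64.b64encode(json.dumps(fields).encode()).decode()

SAMPLE_URLS = [  # constructed request URLs, not captured traffic
    "http://www.google-analytics.com/dump.php?a=" + sample_param(
        {"location": "http://example.test/", "cookie": "SESSconstructed",
         "name": "user", "pass": "constructed"}),
    "http://www.google-analytics.com/__utm.gif?utmwv=4.9.4&utmhn=example.test",
    "http://example.test/search?q=" + sample_param(
        {"term": "proxy", "page": 2, "sort": "date"}),
]

if __name__ == "__main__":
    for finding in find_form_exfil(SAMPLE_URLS):
        print(finding)
```

Only the first sample URL is reported; the ordinary analytics beacon and the Base64 JSON search parameter without credential fields pass through.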