Beispiel #1
def checkGetURL(flow, results):
    """Classify an intercepted Venmo GET flow and record what it exposes.

    Depending on ``flow.url`` this either tags ``flow.source`` or appends
    ``Result.Result(flow, label, value)`` entries to ``results``.

    Values are cut out of the URL or response body by fixed character
    offsets after a key name, so a body that lacks the expected key still
    produces an entry (with meaningless content).

    The account branch records the phone number and e-mail address found in
    the response, so ``results`` holds personal data and should be stored
    and shared accordingly.
    """
    api = 'https://api.venmo.com/v1/'
    url = flow.url

    def quoted_after(text, marker, skip):
        # Slice that starts `skip` characters past `marker` and stops at the
        # next double quote.
        tail = text[text.find(marker) + skip:]
        return tail[:tail.find('"')]

    def record(label, value):
        results.append(Result.Result(flow, label, value))

    if url.startswith(api + 'stories/target-or-actor'):
        flow.source = 'Venmo Stories Sync'

    elif url.startswith(api + 'stories') and 'target-or-actor' not in url:
        # Everything after "stories/" is taken as the story identifier.
        record('User Action: Viewed Story', url[url.find('stories/') + 8:])

    elif url == api + 'account/two-factor/token':
        flow.source = 'Venmo Login'
        record('User Info: 2FA Device',
               AppDefault.findJSONListNonSpaced(flow.responseContent,
                                                'devices'))

    elif url == api + 'account':
        flow.source = 'Venmo Account Sync'
        # (label, key marker, offset from the marker to the value's first char)
        account_fields = (
            ('User Info: Venmo ID', '"id":', 7),
            ('User Info: Venmo Account Creation Time', '"date_joined":', 16),
            ('System Info: Phone Number', '"phone":', 10),
            ('User Info: Email Address', '"email":', 10),
            ('User Info: Venmo Zendesk ID', '"zendesk_identifier":', 23),
        )
        for label, marker, skip in account_fields:
            record(label, quoted_after(flow.responseContent, marker, skip))

    elif url.startswith(api + 'notifications'):
        record('User Action: Venmo', 'Checked Notifications')

    elif url.startswith(api + 'users?query='):
        record('User Action: Venmo Search',
               AppDefault.findFormEntry(flow.requestContent, 'query'))

    elif url.startswith(api + 'users'):
        if '/friends' not in url:
            record('User Action: Viewed Profile',
                   quoted_after(flow.responseContent, '"display_name":', 17))
        else:
            # The path segment between "/users/" and the next "/" is the
            # profile whose friends list was requested.
            profile = url[url.find('/users/') + 7:]
            record('User Action: Viewed Friends of Profile',
                   profile[:profile.find('/')])
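def checkPostURL(flow, results):
    """Classify an intercepted LinkedIn POST flow and record what it exposes.

    Depending on ``flow.url`` this tags ``flow.source`` and/or appends
    ``Result.Result(flow, label, value)`` entries to ``results``.

    Most values are cut out of the request body by fixed character offsets
    after a key name; those branches first check that the key is present.

    The login branch records the submitted username, password and session
    id in clear text, and other branches record device identifiers and
    uploaded contacts.  ``results`` must therefore be treated as credential
    material: restrict who can read it and avoid writing it to shared logs.
    """
    url = flow.url

    def quoted_after(text, marker, skip):
        # Slice that starts `skip` characters past `marker` and stops at the
        # next double quote.
        tail = text[text.find(marker) + skip:]
        return tail[:tail.find('"')]

    def record(label, value):
        results.append(Result.Result(flow, label, value))

    # Every LinkedIn flow gets the generic source first; the more specific
    # branches below may overwrite it.
    if url.startswith('https://www.linkedin.com'):
        flow.source = 'LinkedIn'

        if '"trackingToken":' in flow.requestContent:
            record('LinkedIn Tracking Token',
                   quoted_after(flow.requestContent, '"trackingToken":', 18))

    if url.startswith('https://www.linkedin.com/li/track'):
        flow.source = 'LinkedIn Tracker'
        body = flow.requestContent

        # (label, key marker, offset from the marker to the value's first char)
        tracker_fields = (
            ('Ad ID', '"advertiserId":', 17),
            ('System Info: LinkedIn App State', '"appState":', 13),
            ('System Info: Connection Type', '"connectionType":', 19),
            ('System Info: Model', '"deviceModel":', 16),
            ('System Info: OS Version', '"osVersion":', 14),
        )
        for label, marker, skip in tracker_fields:
            if marker in body:
                record(label, quoted_after(body, marker, skip))

        if 'clientEventStats' in body:
            stats = AppDefault.findJSONListNonSpaced(body, 'clientEventStats')
            # The separator matches the indentation of the captured body.
            for entry in stats.split(
                    '                    },\n                    {'):
                record('LinkedIn Client Event Stats', entry)

        # Walk the body one "eventBody" section at a time.
        remaining = body
        while '"eventBody":' in remaining:
            remaining = remaining[remaining.find('"eventBody":'):]
            record('LinkedIn Client Event',
                   remaining[:remaining.find(
                       '        {\n            "eventBody":')])
            # Step past the marker just handled so the loop advances.
            remaining = remaining[20:]

    elif url.startswith('https://www.linkedin.com/uas/authenticate'):
        flow.source = 'LinkedIn Login'
        # These entries are the submitted credentials in clear text.
        for label, field in (
                ('User Info: Username', 'session_key'),
                ('User Info: Password', 'session_password'),
                ('LinkedIn Session ID', 'JSESSIONID'),
        ):
            record(label, AppDefault.findFormEntry(flow.requestContent, field))

    elif url.startswith(
            'https://www.linkedin.com/voyager/api/pushRegistration'):
        if '"pushNotificationTokens":' in flow.requestContent:
            label = 'LinkedIn Push Notification Token'
            tokens = AppDefault.findJSONListNonSpaced(
                flow.requestContent, 'pushNotificationTokens')
            if ',' in tokens:
                # Record every token.  Appending once after the loop would
                # keep only the last one.
                for token in tokens.split(','):
                    token = token.strip()
                    record(label, token[1:-1])
            else:
                token = tokens[1:-1].strip()
                record(label, token[1:-1])

    elif url.startswith(
            'https://www.linkedin.com/voyager/api/growth/contacts?action=uploadContacts'
    ):
        flow.source = 'LinkedIn Contacts Upload'
        for entry in flow.requestContent.split(
                '            },\n            {'):
            if '"fullName":' in entry:
                record('User Info: Contact', entry)

    elif url.startswith('https://www.linkedin.com/voyager/api/mux'):
        section = flow.requestContent[flow.requestContent.find('"requests":'):]
        record('User Action: Update Profile',
               section[:section.find('"dependentRequests":')])

    elif url.startswith(
            'https://www.linkedin.com/voyager/api/feed/follows?action=unfollow'
    ):
        record('User Action: LinkedIn Unfollow',
               quoted_after(flow.requestContent, '"urn":', 8))

    elif (url.startswith(
            'https://www.linkedin.com/voyager/api/identity/profiles')
          and 'normSkills' in url):
        record('User Action: Add Skill',
               AppDefault.findJSONListNonSpaced(flow.requestContent,
                                                'elements'))

    elif url.startswith(
            'https://www.linkedin.com/voyager/api/messaging/conversations'):
        if 'conversations?' in url:
            record('User Action: LinkedIn', 'Viewed Conversations')
        else:
            conversation = url[url.find('conversations/') + 14:]
            # Cut at whichever of "/" or "?" comes first.  Comparing the two
            # find() results directly fails when there is no "?" (-1).
            cuts = [pos for pos in (conversation.find('/'),
                                    conversation.find('?')) if pos > -1]
            if cuts:
                conversation = conversation[:min(cuts)]
            record('User Action: Viewed LinkedIn Conversation', conversation)

    elif url.startswith(
            'https://www.linkedin.com/voyager/api/contentcreation'):
        record('User Action: LinkedIn Post',
               quoted_after(flow.requestContent, '"text":', 9))

    elif url.startswith(
            'https://www.linkedin.com/voyager/api/relationships/invitations'):
        inviter = url[url.find('invitations/') + 12:]
        inviter = inviter[:inviter.find('?')]
        action = url[url.find('?action=') + 8:]
        action = action[:action.find('&')]
        record('User Action: Invitation Response', inviter + ': ' + action)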
Beispiel #3
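def checkPostURL(flow, results):
    """Classify an intercepted Venmo POST flow and record what it exposes.

    Depending on ``flow.url`` this tags ``flow.source`` and/or appends
    ``Result.Result(flow, label, value)`` entries to ``results``.

    The login branch records the submitted username and password and the
    access token returned by the server; other branches record device
    tokens, contacts and payment requests.  ``results`` must therefore be
    treated as credential and personal data: restrict who can read it and
    avoid writing it to shared logs.
    """
    url = flow.url

    def cut_after(text, marker, skip, stop='"'):
        # Slice that starts `skip` characters past `marker` and ends at the
        # next `stop` character.
        tail = text[text.find(marker) + skip:]
        return tail[:tail.find(stop)]

    def record(label, value):
        results.append(Result.Result(flow, label, value))

    # Generic source first; the specific branches below may overwrite it.
    if url.startswith('https://api.venmo.com'):
        flow.source = 'Venmo'

    if url == 'https://api.venmo.com/v1/oauth/access_token':
        flow.source = 'Venmo Login'

        # NOTE(review): the two conditions below were unreadable in the
        # listing this was taken from.  They are written as presence checks,
        # matching the response checks that follow.  Confirm against the
        # upstream file.
        if flow.requestContent.find('phone_email_or_username:') > -1:
            record('Venmo Username',
                   AppDefault.findFormEntry(flow.requestContent,
                                            'phone_email_or_username'))

        if flow.requestContent.find('password:') > -1:
            record('Venmo Password',
                   AppDefault.findFormEntry(flow.requestContent, 'password'))

        if '"access_token":' in flow.responseContent:
            record('Venmo Access Token',
                   cut_after(flow.responseContent, '"access_token":', 17))

        if '"id":' in flow.responseContent:
            # This value is the response's "id" field, not a token, so it
            # gets its own label.
            record('User Info: Venmo ID',
                   cut_after(flow.responseContent, '"id":', 7))

    elif url == 'https://api.venmo.com/v1/account/two-factor/token':
        flow.source = 'Venmo Login'
        record('User Action: 2FA Sent',
               AppDefault.findFormEntry(flow.requestContent, 'via'))

    elif url == 'https://api.venmo.com/v1/users/devices':
        response = flow.responseContent
        record('User Info: Location', cut_after(response, '"location":', 13))
        record('User Info: Venmo Client', cut_after(response, '"browser":', 12))
        # The id is cut at the next comma rather than at a quote.
        record('System Info: Venmo ID',
               cut_after(response, '"id":', 7, stop=','))
        record('User Action: Venmo Device Login Time',
               cut_after(response, '"created_at":', 15))

    elif url == 'https://api.venmo.com/v1/device-tokens/android':
        record('System Info: Venmo Token',
               AppDefault.findFormEntry(flow.requestContent, 'device_token'))

    elif url == 'https://api.venmo.com/v1/contacts':
        contacts = AppDefault.findJSONListNonSpaced(flow.requestContent,
                                                    'contacts')
        # The separator matches the indentation of the captured body.
        for contact in contacts.split('            },\n            {'):
            record('User Info: Contact', contact)

    elif url == 'https://api.venmo.com/v1/payments':
        # The whole request body is kept as the payment record.
        record('User Action: Venmo Payment', flow.requestContent)

    elif (url.startswith('https://api.venmo.com/v1/stories')
          and '/likes' in url):
        record('User Action: Liked Story',
               cut_after(url, 'stories/', 8, stop='/'))

    elif (url.startswith('https://api.venmo.com/v1/stories')
          and '/comments' in url):
        story = cut_after(url, 'stories/', 8, stop='/')
        record('User Action: Commented on Story',
               story + ': ' + AppDefault.findFormEntry(flow.requestContent,
                                                       'message'))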
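def checkPostURL(flow, results):
    """Classify an intercepted Google-app POST flow and record what it exposes.

    Depending on ``flow.url`` this tags ``flow.source`` and/or appends
    ``Result.Result(flow, label, value)`` entries to ``results``.

    Request and response bodies come from captured traffic and are parsed
    with plain string searches, so every branch has to cope with bodies
    that do not have the expected shape.  Two consequences:

    * The Hangouts invitation scan stops when no further section exists.
      A body without a matching section records nothing.
    * Captured bodies are not echoed to stdout.  They can contain document
      text and registration tokens.

    ``results`` itself holds device ids, registration tokens and
    user-authored content and should be stored as sensitive data.
    """
    url = flow.url
    chat = 'https://www.googleapis.com/chat/v1android/'
    hangouts = 'https://www.googleapis.com/hangouts/v1android/'

    def record(label, value):
        results.append(Result.Result(flow, label, value))

    if url == 'https://android.clients.google.com/c2dm/register3':
        # NOTE(review): a request without an 'app' header raises here.
        # Confirm whether callers expect that.
        app = flow.requestHeaders['app']
        if app == 'com.google.android.apps.tachyon':
            flow.source = 'Google Duo Login'
        elif app == 'com.google.android.apps.maps':
            flow.source = 'Google Maps Login'

        device = flow.requestContent
        device = device[device.find('device:') + 7:]
        device = device[:device.find('\n')]
        record('System Info: Device ID', device.strip())

        token = flow.responseContent
        token = token[token.find('token=') + 6:]
        record('Token', token.strip())

    elif url.startswith('https://inbox.google.com/sync'):
        flow.source = 'Gmail Inbox Sync'

    elif url.startswith('https://mail.google.com/mail/ads'):
        flow.source = 'Gmail Ads'

    elif url == 'https://www.googleapis.com/plusdatamixer/v1/mutate':
        flow.source = 'Google Drive'

    elif url.startswith('https://www.googleapis.com/discussions/v1/targets'):
        flow.source = 'Google Drive Comments'

    elif url.startswith('https://docs.google.com/document/create'):
        flow.source = 'Google Docs'
        record("User Action",
               'Create New Document: ' + AppDefault.findFormEntry(
                   flow.requestContent, 'title'))

    elif url.startswith('https://docs.google.com/document/d'):
        flow.source = 'Google Docs'
        if '/save?' in url:
            # NOTE(review): the 'bundles' lookup result is never used.  It
            # may have been meant as the input of the 'commands' lookup.
            # Confirm before removing the call.
            AppDefault.findFormEntry(flow.requestContent, 'bundles')
            commands = AppDefault.findJSONListNonSpaced(flow.requestContent,
                                                        'commands')
            commands = commands[2:-2]
            for command in commands.split('},{'):
                entries = {}
                for pair in command.split(','):
                    parts = pair.split(':')
                    if len(parts) < 2:
                        # A fragment without "key:value" carries nothing
                        # to index.  Skip it instead of raising.
                        continue
                    entries[parts[0]] = parts[1]
                if '"s"' in entries:
                    record('User Action', 'Inserted ' + entries['"s"'])
                if '"si"' in entries:
                    record('User Action', 'Deleted Index: ' + entries['"si"'])

    elif url == 'https://www.googleapis.com/batch/drive/v2internal':
        body = flow.requestContent
        if '{"additionalRoles":' in body:
            flow.source = 'Google Drive'
            change = body[body.find('{"additionalRoles":'):]
            change = change[:change.find('}') + 1]
            record('User Action', 'File Role Change: ' + change)
        elif 'GET https://www.googleapis.com/drive/v2internal/files' in body:
            flow.source = 'Google Drive File Lookup'

    elif url.startswith('https://photosdata-pa.googleapis.com'):
        flow.source = 'Google Photos'
        lines = flow.requestContent.split('\n')
        # Only a four-line body of exactly this shape is a share request.
        if (len(lines) == 4
                and lines[0].strip() == '1 {'
                and lines[1].strip()[:2] == '1:'
                and lines[2].strip() == '}'
                and lines[3].strip()[:2] == '2:'):
            record('User Action', 'Create New Share: ' + lines[3].strip()[3:])

    elif url.startswith('https://photos.googleapis.com/data/upload'):
        flow.source = 'Google Photos Upload'
        record('User Action',
               'Photo Uploaded: ' + flow.requestHeaders[
                   'x-goog-upload-file-name'])

    elif url == 'https://www.googleapis.com/datamixer/v1/batchfetch':
        lines = flow.requestContent.split('\n')
        if len(lines) == 22 and len(lines[12].strip()[3:]) > 0:
            record('User Action', 'Contact Search: ' + lines[12].strip()[3:])

    elif url.startswith('https://www.googleapis.com/calendar'):
        flow.source = 'Google Calendar'
        if '/events' in url:
            record('User Action: Event Creation/Update', flow.requestContent)
        elif '/habits' in url:
            record('User Action: Habit Creation/Update', flow.requestContent)

    elif url.startswith(chat + 'conversations/sync'):
        record('User Action', 'Synced Hangouts')

    elif url.startswith(chat + 'clients/setactiveclient'):
        record('User Action', 'Opened Google Hangouts')

    elif url.startswith(chat + 'presence/setpresence'):
        if '8 {' in flow.requestContent:
            status = flow.requestContent[flow.requestContent.find('8 {'):]
            status = status[status.find('2: ') + 3:]
            status = status[:status.find('\n')]
            record('User Action', 'Set Hangouts Status: ' + status)

    elif url.startswith(chat + 'conversations/getconversation'):
        record('User Action', 'Opened Conversation')

    elif url.startswith(chat + 'devices/sendoffnetworkinvitation'):
        body = flow.requestContent
        start = body.find('2 {')
        section = body[start:] if start > -1 else ''
        # Advance through the "2 {" sections until one whose "1: " field is
        # 1.  The scan ends when the sections run out, so a body without a
        # match cannot keep the loop running.
        while section:
            marker = section.find('1: ')
            if section[marker + 3:marker + 4] == '1':
                break
            following = section.find('2 {', 3)
            section = section[following:] if following > -1 else ''
        if section:
            invitee = section[section.find('3: ') + 3:]
            invitee = invitee[:invitee.find('\n')]
            record('User Action', 'Sent Hangouts Invitation: ' + invitee)

    elif url.startswith(chat + 'conversations/setfocus'):
        record('User Action', 'Opened Conversation')

    elif url.startswith(chat + 'conversations/settyping'):
        record('User Action', 'Changed Typing Status')

    elif url.startswith(chat + 'conversations/sendchatmessage'):
        record('User Action', 'Sent Message')

    elif url.startswith(hangouts + 'media_sessions/query'):
        record('User Action', 'Opened Call')

    elif url.startswith(hangouts + 'hangout_participants/remove'):
        record('User Action', 'Left Call')

    elif url == 'https://android.googleapis.com/auth':
        # The app name submitted in the form becomes the flow's source.
        flow.source = AppDefault.findFormEntry(flow.requestContent, 'app')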
def checkGetURL(flow, results):
    """Classify an intercepted Google-app GET flow and record what it exposes.

    Depending on ``flow.url`` this tags ``flow.source`` and/or appends
    ``Result.Result(flow, label, value)`` entries to ``results``.

    Document and spreadsheet ids are taken from the URL at a fixed offset,
    up to the next "/".  Titles, calendar items and notification settings
    are taken from the response body.  The recorded values include calendar
    contents and document names, so ``results`` should be stored as
    sensitive data.
    """
    url = flow.url

    def record(label, value):
        results.append(Result.Result(flow, label, value))

    def id_from(offset):
        # The id starts at a fixed position in the URL and runs to the
        # next "/".
        tail = url[offset:]
        return tail[:tail.find('/')]

    def title_suffix():
        # The title is the quoted value that follows the "t" key in the
        # response body.
        body = flow.responseContent
        title = body[body.find('"t":"') + 5:]
        return ' (' + title[:title.find('"')] + ')'

    if url.startswith('https://www.googleapis.com/drive/v2internal/files'):
        flow.source = 'Google Drive File Lookup'

    elif url.startswith('https://www.googleapis.com/drive/v2internal/changes'):
        flow.source = 'Google Drive File Sync'

    elif url.startswith('https://www.googleapis.com/discussions/v1/authors'):
        flow.source = 'Google Drive Comments'

    elif url.startswith('https://docs.google.com/document/d'):
        flow.source = 'Google Docs'
        if 'leave' in url:
            record('User Action', 'Document Deleted: ' + id_from(35))
        else:
            summary = 'Document Opened: ' + id_from(35)
            if '":"' in flow.responseContent and 'edit' in url:
                summary = summary + title_suffix()
            record('User Action', summary)

    elif url.startswith('https://docs.google.com/spreadsheets/d'):
        flow.source = 'Google Sheets'
        if 'leave' in url:
            record('User Action', 'Document Deleted: ' + id_from(39))
        else:
            summary = 'Spreadsheet Opened: ' + id_from(39)
            if '":"' in flow.responseContent and (
                    'edit' in url or 'model' in url):
                summary = summary + title_suffix()
            record('User Action', summary)

    elif url.startswith('https://www.googleapis.com/calendar'):
        flow.source = 'Google Calendar'
        response = flow.responseContent

        if 'notificationSettings' in response:
            record('User Info: Notification Settings',
                   AppDefault.findJSONSection(response,
                                              'notificationSettings'))

        elif '"kind": "calendar#events"' in response or '/events' in url:
            items = AppDefault.findJSONListNonSpaced(response, 'items')
            # A result of two characters or fewer is not recorded.
            if len(items) > 2:
                record('User Info: Calendar Events', items)

        elif '/habits' in url:
            record('User Info: Habits', response)

    elif url.startswith(
            'https://www.googleapis.com/voice/v1/users/@me/account?key='):
        record('User Info: Account ID',
               AppDefault.findFormEntry(flow.requestContent, 'key'))
def checkPostURL(flow, results):
    """Classify an intercepted Slack POST flow and record what it exposes.

    Depending on ``flow.url`` this tags ``flow.source`` and/or appends
    ``Result.Result(flow, label, value)`` entries to ``results``.  Bugsnag
    session reports are handled here as well when their package name is
    ``com.Slack``.

    The recorded values include API and push tokens, the sign-in password
    and message text.  ``results`` must therefore be treated as credential
    material: restrict who can read it and avoid writing it to shared logs.
    """
    url = flow.url

    def emit(label, value):
        results.append(Result.Result(flow, label, value))

    def form(name):
        return AppDefault.findFormEntry(flow.requestContent, name)

    def request_item(name):
        return AppDefault.findJSONItem(flow.requestContent, name)

    def response_item(name):
        return AppDefault.findJSONItem(flow.responseContent, name)

    def sessions():
        return AppDefault.findJSONGroup(flow.requestContent, 'sessions')

    # Any Slack API call may carry tokens.  Only values longer than 25
    # characters are recorded.
    if url.startswith('https://slack.com/api'):
        flow.source = 'Slack'
        for label, field in (('Slack Token', 'token'),
                             ('Slack Push Token', 'push_token')):
            if len(form(field)) > 25:
                emit(label, form(field))

    if url == 'https://slack.com/api/experiments.getByVisitor':
        emit('System Info: Slack Experiments', flow.responseContent)

    elif url == 'https://sessions.bugsnag.com/':
        if 'Bugsnag-Api-Key' in flow.requestHeaders.keys():
            emit('Bugsnag API Key', flow.requestHeaders['Bugsnag-Api-Key'])

        if request_item('packageName') == 'com.Slack':
            flow.source = 'Slack Bugsnag'

            emit('Current Slack Screen', request_item('activeScreen'))
            emit('Slack Foreground Status', request_item('inForeground'))
            emit('Slack Session ID', AppDefault.findJSONItem(sessions(), 'id'))
            emit('User Info: Slack User ID',
                 AppDefault.findJSONItem(
                     AppDefault.findJSONGroup(sessions(), 'user'), 'id'))
            emit('Session Start Time',
                 AppDefault.findJSONItem(sessions(), 'startedAt') + ' UTC')

            make = request_item('manufacturer')
            model = request_item('model')
            emit('System Info: Model', make + ' ' + model)

            emit('System Info: OS Version',
                 request_item('osName') + ' ' + request_item('osVersion'))

    elif url == 'https://slack.com/api/auth.findTeam':
        emit('User Action: Domain Lookup', form('domain'))

    elif url == 'https://slack.com/api/auth.findUser':
        emit('User Action: Login', form('email'))
        emit('User Info: Slack User ID', response_item('user_id'))

    elif url == 'https://slack.com/api/auth.signin':
        # The submitted password and the returned token are recorded in
        # clear text.
        emit('User Info: Password', form('password'))
        emit('User Info: Slack User ID', response_item('user'))
        emit('User Info: Team ID', form('team'))
        emit('Slack Token', response_item('token'))
        emit('User Info: Email', response_item('user_email'))

    elif url == 'https://slack.com/api/users.counts':
        channels = AppDefault.findJSONListNonSpaced(flow.responseContent,
                                                    'channels')[2:]
        for channel in channels.split('},'):
            emit('Slack Channel Info', channel)

    elif url == 'https://slack.com/api/conversations.history':
        emit('Channel Messages Sync Channel', form('channel'))

    elif url == 'https://slack.com/beacon/track/':
        # The form's 'data' value is base64-decoded and then read as UTF-8.
        decoded = base64.b64decode(form('data')).decode("UTF-8")
        emit('System Info: Performance Tracking', decoded)

    elif url == 'https://slack.com/api/chat.postMessage':
        emit('User Action: Send Message',
             'Message "' + form('text') + '" sent to channel '
             + form('channel'))

    elif url == 'https://slack.com/api/conversations.mark':
        emit('User Action: Viewed Channel',
             'Viewed channel ' + form('channel') + ' at ' + form('ts'))
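def checkPostURL(flow, results):
    """Append a Result to ``results`` for each item recognised in a POST flow.

    The branch is chosen from ``flow.url``. Values are cut out of
    ``flow.requestContent`` / ``flow.responseContent`` by substring search
    with fixed offsets, or through the ``AppDefault`` helpers.

    A substring-extracted field is reported only when its marker is actually
    present in the body. ``str.find`` returns -1 for a missing marker, and
    slicing from ``-1 + offset`` would otherwise yield unrelated text under
    the field's label.

    Args:
        flow: captured flow. ``url``, ``requestContent`` and
            ``responseContent`` are read; ``source`` is set for Branch.io
            traffic.
        results: list that receives ``Result.Result(flow, label, value)``
            entries; it is mutated in place.

    Returns:
        None.

    NOTE(review): the values appended here include an access token, the
    login password in clear text and device/advertising identifiers, so
    whatever stores, logs or displays ``results`` has to treat its content
    as sensitive (access control, masking before export).
    """

    def emit(label, value):
        # Single place where a finding is recorded.
        results.append(Result.Result(flow, label, value))

    def cut(text, marker, skip, stop):
        """Return the text ``skip`` chars past ``marker`` up to ``stop``.

        Returns None when ``marker`` is absent. When ``stop`` is absent the
        whole remainder is returned (a plain ``[:find(stop)]`` would drop
        the last character in that case).
        """
        at = text.find(marker)
        if at < 0:
            return None
        rest = text[at + skip:]
        end = rest.find(stop)
        return rest if end < 0 else rest[:end]

    def emit_field(label, text, marker, skip, stop='"'):
        # Record the field only if its marker exists in the body.
        value = cut(text, marker, skip, stop)
        if value is not None:
            emit(label, value)

    if flow.url == 'https://www.reddit.com/api/v1/access_token':
        body = flow.responseContent
        at = body.find('"access_token":')
        if at >= 0:
            token = body[at + 15:]
            # Skip to just past the opening quote of the value.
            token = token[token.find('"') + 1:]
            end = token.find('"')
            emit('System Info: Access Token',
                 token if end < 0 else token[:end])

    elif flow.url.startswith('https://api.branch.io/'):
        flow.source = 'Branch.io'
        content = flow.requestContent

        if flow.url.endswith('open'):
            emit('User Action: App Opened', 'Reddit Opened')
        elif flow.url.endswith('close'):
            emit('User Action: App Closed', 'Reddit Closed')

        brand = cut(content, '"brand":', 10, '"')
        model = cut(content, '"model":', 10, '"')
        if brand is not None or model is not None:
            emit('System Info: Model', (brand or '') + ' ' + (model or ''))

        emit_field('User Info: Ad ID', content,
                   '"google_advertising_id":', 26)
        emit_field('System Info: Hardware ID', content, '"hardware_id":', 16)
        emit_field('System Info: Local IP Address', content,
                   '"local_ip":', 13)

        width = cut(content, '"screen_width":', 16, ',')
        height = cut(content, '"screen_height":', 17, ',')
        if width is not None or height is not None:
            emit('System Info: Screen Size',
                 (width or '') + ' x ' + (height or ''))

        # NOTE(review): the terminator here is '"' while the neighbouring
        # unquoted fields stop at ','; if "wifi" is an unquoted boolean this
        # captures text up to the next key. Confirm against a sample payload.
        emit_field('System Info: WiFi Connection Status', content,
                   '"wifi":', 8)
        emit_field('Branch.io Key', content, '"branch_key":', 15)
        emit_field('System Info: First Install Time', content,
                   '"first_install_time":', 22, ',')
        emit_field('System Info: Latest Install Time', content,
                   '"latest_install_time":', 23, ',')
        emit_field('System Info: Latest Update Time', content,
                   '"latest_update_time":', 22, ',')

        # NOTE(review): an '.../open' URL is reported twice (above as
        # 'User Action: App Opened', here as 'User Action: Opened App');
        # kept as in the original because consumers may rely on both labels.
        if flow.url.endswith('open'):
            emit('User Action: Opened App', 'Reddit')
            emit_field('User info: Branch ID', content, '"identity_id":', 16)
            emit_field('System Info: Device Fingerprint ID', content,
                       '"device_fingerprint_id":', 26)
        elif flow.url.endswith('install'):
            emit('User Action: Installed App', 'Reddit')

    elif flow.url == 'https://gql.reddit.com/':
        if flow.responseContent.find('experimentVariants') > -1:
            emit('Experimental Features Config',
                 AppDefault.findJSONListNonSpaced(flow.responseContent,
                                                  'experimentVariants'))

    elif flow.url.startswith(
            'https://gateway.reddit.com/redditmobile/1/android/config'):
        # Both the requested experiments and the returned buckets are
        # reported under the same label.
        emit('Experimental Features Config',
             AppDefault.findFormEntry(flow.requestContent, 'experiments'))
        emit('Experimental Features Config',
             AppDefault.findJSONListNonSpaced(flow.responseContent,
                                              'buckets'))

    elif flow.url.startswith('https://gateway.reddit.com/redditmobile'):
        emit('Reddit Client ID',
             AppDefault.findFormEntry(flow.requestContent, 'client_id'))
        emit('System Info: Timezone',
             AppDefault.findFormEntry(flow.requestContent, 'tz_name'))

    elif flow.url == 'https://events.redditmedia.com/v1':
        payload = flow.requestContent
        event = cut(payload, '"event_type":', 14, '"')
        event_ts = cut(payload, '"event_ts":', 11, ',')
        if event == 'cs.app_launch_android':
            emit('User Action: Reddit Opened',
                 'Reddit Opened @ ' + (event_ts or ''))
        else:
            # Any other event type is reported as the raw request body.
            emit('Reddit Activity & Info Dump', payload)

    elif flow.url == 'https://www.reddit.com/api/v1/login':
        if flow.requestContent.find('passwd:') > -1:
            emit('User Action: Reddit Login',
                 'Logged in as ' + AppDefault.findFormEntry(
                     flow.requestContent, 'user'))
            # NOTE(review): the clear-text password becomes a result value;
            # consumers of `results` need to mask or protect it.
            emit('User Info: Password',
                 AppDefault.findFormEntry(flow.requestContent, 'passwd'))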