def checkPostURL(flow, results):
    """Tag Canvas (Champlain) POST traffic and record what it reveals.

    Args:
        flow: captured exchange; reads ``url``, ``requestContent`` and
            ``responseContent``, writes ``source``.
        results: list that receives ``Result.Result`` entries.

    Returns:
        None; appends to ``results`` in place.
    """
    flow.source = 'Canvas'
    url = flow.url
    body = flow.requestContent
    if url == 'https://my.champlain.edu/auth/login':
        flow.source = 'Canvas Login'
        # Only the username is recorded; the author deliberately left the
        # password extraction disabled (it was commented out).
        username = AppDefault.findFormEntry(body, 'username')
        results.append(Result.Result(flow, 'User Info: Canvas Username', username))
    elif url.startswith('https://champlain.instructure.com/login/oauth2/token'):
        # OAuth client credentials; the client secret is a live credential
        # once it lands in the result store.
        for label, field in (
            ('System Info: Canvas Client ID', 'client_id'),
            ('System Info: Canvas Client Secret', 'client_secret'),
        ):
            results.append(Result.Result(flow, label, AppDefault.findFormEntry(body, field)))
    elif url.startswith('https://champlain.instructure.com/api/v1/calendar_events/?calendar_event'):
        results.append(Result.Result(flow, 'User Action: Created Calendar Event', flow.responseContent))
def checkGetURL(flow, results):
    """Record the advertising identifier sent to the Facebook Graph API over GET.

    Args:
        flow: captured exchange; reads ``url`` and ``requestContent``.
        results: list that receives ``Result.Result`` entries.
    """
    if not flow.url.startswith('https://graph.facebook.com'):
        return
    body = flow.requestContent
    # At most one identifier is recorded; advertiser_id takes precedence.
    if 'advertiser_id:' in body:
        field = 'advertiser_id'
    elif 'device_id:' in body:
        field = 'device_id'
    else:
        return
    results.append(Result.Result(flow, 'Ad ID', AppDefault.findFormEntry(body, field)))
def checkGetURL(flow, results):
    """Tag Netflix GET traffic; record the device build and chipset from the config call.

    Args:
        flow: captured exchange; reads ``url`` and ``requestContent``, writes ``source``.
        results: list that receives ``Result.Result`` entries.
    """
    flow.source = 'Netflix'
    if not flow.url.startswith('https://android.prod.cloud.netflix.com/android/samurai/config'):
        return
    body = flow.requestContent
    for label, field in (
        ('System Info: Build', 'osDisplay'),
        ('System Info: Chipset', 'chipsetHardware'),
    ):
        results.append(Result.Result(flow, label, AppDefault.findFormEntry(body, field)))
def checkGetURL(flow, results):
    """Record Slack auth and push tokens seen on the mobile websocket endpoint.

    Args:
        flow: captured exchange; reads ``url`` and ``requestContent``, writes ``source``.
        results: list that receives ``Result.Result`` entries.
    """
    if not flow.url.startswith('https://wss-mobile.slack.com'):
        return
    flow.source = 'Slack'
    body = flow.requestContent
    # Values of 25 characters or fewer are treated as absent (author's threshold).
    # Both values are bearer-style credentials once stored.
    for label, field in (('Slack Token', 'token'), ('Slack Push Token', 'push_token')):
        value = AppDefault.findFormEntry(body, field)
        if len(value) > 25:
            results.append(Result.Result(flow, label, value))
def checkGetURL(flow, results):
    """Record text typed into Reddit's subreddit autocomplete search.

    Args:
        flow: captured exchange; reads ``url`` and ``requestContent``.
        results: list that receives ``Result.Result`` entries.
    """
    if not flow.url.startswith('https://oauth.reddit.com/api/subreddit_autocomplete'):
        return
    query = AppDefault.findFormEntry(flow.requestContent, 'query')
    # The query is wrapped in double quotes so whitespace-only input stays visible.
    results.append(Result.Result(flow, 'User Action: Typed in Search', '"' + query + '"'))
def checkPostURL(flow, results):
    """Record identifiers and app events POSTed to the Facebook Graph API.

    Args:
        flow: captured exchange; reads ``url`` and ``requestContent``.
        results: list that receives ``Result.Result`` entries.
    """
    if not flow.url.startswith('https://graph.facebook.com'):
        return
    body = flow.requestContent
    for marker, label, field in (
        ('anon_id:', 'Facebook Anonymous ID', 'anon_id'),
        ('advertiser_id:', 'Ad ID', 'advertiser_id'),
        ('installer_package:', 'App Installer', 'installer_package'),
    ):
        if marker in body:
            results.append(Result.Result(flow, label, AppDefault.findFormEntry(body, field)))
    if '/activities' in flow.url:
        label = 'User Action: ' + AppDefault.findFormEntry(body, 'application_package_name')
        # CUSTOM_APP_EVENTS carries the real payload under custom_events.
        if AppDefault.findFormEntry(body, 'event') == 'CUSTOM_APP_EVENTS':
            value = AppDefault.findFormEntry(body, 'custom_events')
        else:
            value = AppDefault.findFormEntry(body, 'event')
        results.append(Result.Result(flow, label, value))
def checkPostURL(flow, results):
    """Tag Netflix POST traffic; record launches, log events, account IDs and browsing paths.

    Args:
        flow: captured exchange; reads ``url`` and ``requestContent``, writes ``source``.
        results: list that receives ``Result.Result`` entries.
    """
    flow.source = 'Netflix'
    url = flow.url
    body = flow.requestContent

    def record(label, value):
        results.append(Result.Result(flow, label, value))

    def quoted_after(marker, skip):
        # Text that follows `marker` by `skip` characters, up to the next double
        # quote. Offsets are the original author's and assume the JSON spacing
        # observed in captures.
        tail = body[body.find(marker) + skip:]
        return tail[:tail.find('"')]

    if url.startswith('https://android-appboot.netflix.com/appboot'):
        record('User Action: App Launch', 'Netflix opened')
    elif url.startswith('https://android.prod.cloud.netflix.com/ichnaea/log'):
        record('Netflix Event', quoted_after('"event_type":', 15))
        record('Ad ID', quoted_after('"advdevtag_id":', 17))
    elif url.startswith('https://android.prod.cloud.netflix.com/aui/pathEvaluator'):
        # Session identifiers; secureNetflixId in particular is a credential.
        for label, field in (
            ('Secure Netflix ID', 'secureNetflixId'),
            ('Netflix ID', 'netflixId'),
            ('Netflix FLWSSN', 'flwssn'),
        ):
            record(label, AppDefault.findFormEntry(body, field))
    elif url.startswith('https://android.prod.cloud.netflix.com/android'):
        # Billboard-activity logging is noise, not user navigation.
        if 'path:' in body and '"logBillboardActivity"' not in AppDefault.findFormEntry(body, 'path'):
            record('Netflix Browsing Path', AppDefault.findFormEntry(body, 'path'))
def checkPostURL(flow, results):
    """Tag Keeper Security traffic; record device and account fields from emergency_check.

    Args:
        flow: captured exchange; reads ``url`` and ``requestContent``, writes ``source``.
        results: list that receives ``Result.Result`` entries, in table order.
    """
    flow.source = 'Keeper Security'
    if flow.url != 'https://keepersecurity.com/emergency_check':
        return
    body = flow.requestContent
    # Order is preserved from the original implementation. session_token is a
    # live session credential and email an account identifier; the result
    # store holds them verbatim.
    fields = (
        ('System Info: Brand', 'mfg'),
        ('System Info: Chipset', 'product'),
        ('System Info: Model', 'model'),
        ('Keeper Security Session Token', 'session_token'),
        ('User Info: Adjust.com Ad ID', 'adjust_adid'),
        ('User Info: Keeper UID', 'uid'),
        ('User Info: Email Address', 'email'),
    )
    for label, field in fields:
        results.append(Result.Result(flow, label, AppDefault.findFormEntry(body, field)))
def checkResponseHeaders(flow, headers, results):
    """Spot Google Photos thumbnail downloads and record the viewed image's name.

    Args:
        flow: captured exchange; reads ``url``, ``requestHeaders``,
            ``responseHeaders`` and ``responseContent``, writes ``source``.
        headers: response headers of the exchange (``Content-Type`` is read).
        results: list that receives ``Result.Result`` entries.
    """
    if 'Content-Type' not in headers.keys():
        return
    if not headers['Content-Type'].startswith('image'):
        return
    request_headers = flow.requestHeaders
    if 'User-Agent' not in request_headers.keys():
        return
    if not request_headers['User-Agent'].startswith('com.google.android.apps.photos'):
        return
    flow.source = 'Google Photos'
    url = flow.url
    if not (url.startswith('https://ap2.googleusercontent.com')
            or url.startswith('https://lh3.googleusercontent.com/a')):
        return
    # Dimensions the author observed for grid thumbnails; any other size is
    # treated as a full-size fetch and left alone.
    thumbnail_sizes = ('246 x 328 px', '38 x 50 px', '50 x 38 px', '28 x 50 px', '328 x 328 px')
    if AppDefault.findFormEntry(flow.responseContent, 'Size').strip() not in thumbnail_sizes:
        return
    flow.source = 'Google Photos Thumbnail'
    disposition = flow.responseHeaders['content-disposition']
    # +10 steps over `filename=` plus, presumably, an opening quote; the name
    # runs to the closing quote.
    pic_name = disposition[disposition.find('filename=') + 10:]
    pic_name = pic_name[:pic_name.find('"')]
    results.append(Result.Result(flow, 'User Action', 'Image Viewed: ' + pic_name))
def checkGetURL(flow, results):
    """Tag RocketChat GET traffic; record third-party telemetry, profile views and searches.

    Args:
        flow: captured exchange; reads ``url``, ``requestContent`` and
            ``responseContent``, writes ``source``.
        results: list that receives ``Result.Result`` entries.
    """
    flow.source = 'RocketChat'
    url = flow.url
    body = flow.requestContent

    def record(label, value):
        results.append(Result.Result(flow, label, value))

    if url.startswith('https://certify.alexametrics.com/atrk'):
        record('RocketChat AlexaMetrics Session Cookie', AppDefault.findFormEntry(body, 'sess_cookie'))
    elif url.startswith('https://q.stripe.com/?event'):
        # Stripe telemetry beacon; the key is a publishable key, still worth tracking.
        for label, field in (
            ('Stripe Key', 'key'),
            ('Stripe JS ID', 'stripe_js_id'),
            ('Stripe Event', 'event'),
        ):
            record(label, AppDefault.findFormEntry(body, field))
    elif url.startswith('https://open.rocket.chat/api/v1/settings.public') and 'RegistrationForm' in url:
        record('User Action: RocketChat Screen View', 'Viewed Registration Form')
    elif url == 'https://open.rocket.chat/api/v1/me':
        record('User Action: Viewed Profile', 'Viewed own profile')
        # The user id is located by the trailing `id":` fragment of its key;
        # the +6 offset is the original author's and presumably skips `id": "`.
        response = flow.responseContent
        user_id = response[response.find('id":') + 6:]
        record('RocketChat ID', user_id[:user_id.find('"')])
    elif url.startswith('https://open.rocket.chat/api/v1/spotlight'):
        record('User Action: RocketChat Search', AppDefault.findFormEntry(body, 'query'))
    elif url.startswith('https://open.rocket.chat/api/v1/channels.getAllUserMentionsByChannel'):
        record('User Action: Viewed Channel Mentions', AppDefault.findFormEntry(body, 'roomId'))
    elif url.startswith('https://open.rocket.chat/api/v1/channels.files'):
        record('User Action: Viewed Channel Files', AppDefault.findFormEntry(body, 'roomId'))
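def checkPostURL(flow, results):
    """Classify Google/Android POST traffic and record what each endpoint exposes.

    Sets ``flow.source`` to a human-readable label for the recognised endpoint
    and appends ``Result.Result(flow, label, value)`` entries for the
    identifiers, locations and credentials the author chose to extract.
    Several of those values (the GMS token, the device key, account e-mails
    and names) are secrets or personal data and are stored verbatim.

    Args:
        flow: captured exchange; reads ``url``, ``requestContent`` and
            ``responseContent``, writes ``source``.
        results: list that receives ``Result.Result`` entries, in the same
            order the previous implementation produced them.

    Fixes relative to the previous revision: the multilogin branch compared
    ``flow.source`` with ``==`` instead of assigning it, so that source label
    was never applied, and two debugging ``print`` calls wrote the raw account
    list to stdout.
    """
    url = flow.url

    def record(label, value):
        results.append(Result.Result(flow, label, value))

    def quoted_after(text, marker, skip):
        # Text that follows `marker` by `skip` characters, up to the next double
        # quote. Offsets are the original author's and assume the JSON spacing
        # observed in captures.
        tail = text[text.find(marker) + skip:]
        return tail[:tail.find('"')]

    def droidguard_line(marker):
        # The request line that starts at `marker`, after cleanEncoding.
        body = flow.requestContent
        line = body[body.find(marker):]
        return AppDefault.cleanEncoding(line[:line.find('\n')])

    def checkin_flag_enabled(name):
        # True when the check-in response lists `1: <name>` followed by `2: true`.
        body = flow.responseContent
        if body.find(name) == -1:
            return False
        tail = body[body.find('1: ' + name):]
        tail = tail[tail.find('2:') + 3:]
        return tail[:tail.find('\n')] == 'true'

    def app_label(app_id):
        # Map an app-measurement identifier to a friendly name when known.
        return appIds[app_id] if app_id in appIds.keys() else app_id

    # Weather lookup
    if 'www.google.com/tg/fe/request?rqt=58' in url:
        flow.source = 'Weather/News Update'
        # The author left a placeholder for a 'Location' result here; it was
        # never implemented.
    elif 'https://www.googleapis.com/androidantiabuse/v1/x/create?' in url:
        flow.source = 'DroidGuard'
        # Bootloader strips before slicing, the others slice then strip; kept
        # exactly as before because the order matters for padded fields.
        record('System Info: Bootloader', droidguard_line('BOOTLOADER').strip()[10:])
        record('System Info: Brand', droidguard_line('BRAND')[5:].strip())
        record('System Info: Model', droidguard_line('MODEL')[5:].strip())
        record('System Info: Serial Number', droidguard_line('SERIAL')[6:].strip())
    elif url.startswith('https://play.googleapis.com'):
        flow.source = 'Google Play Store'
    # Android check-in: report which monitoring flags the server turned on
    elif url in ('https://android.googleapis.com/checkin', 'https://android.clients.google.com/checkin'):
        flow.source = 'Android Check-in'
        monitoring_flags = (
            ('adwords:enable_primes_memory_monitoring',
             'System Status: Memory Monitoring', 'Android memory is being monitored'),
            ('adwords:enable_primes_network_monitoring',
             'System Status: Network Monitoring', 'Android network activity is being monitored'),
            ('adwords:enable_primes_timing_monitoring',
             'System Status: Timing Monitoring', 'Android timing is being monitored'),
            ('adwords:enable_silent_feedback',
             'System Status: Silent Feedback', 'Silent feedback is enabled'),
        )
        for name, label, message in monitoring_flags:
            if checkin_flag_enabled(name):
                record(label, message)
    # Location pull
    elif 'https://www.googleapis.com/geolocation' in url:
        flow.source = 'Google APIs'
        request = flow.requestContent
        for label, marker in (
            ('Location: Cell Towers', '"cellTowers": ['),
            ('Location: WiFi Access Points', '"wifiAccessPoints": ['),
        ):
            block = request[request.find(marker):]
            record(label, block[:block.find(']') + 1])
        # The API key rides in the query string and is a credential for the
        # calling app's project.
        record('Location: Request Key', url[url.find('key=') + 4:])
    elif url.startswith('https://app-measurement.com'):
        flow.source = 'App Measurement'
        if url == 'https://app-measurement.com/a':
            cleaned = AppDefault.cleanEncoding(flow.requestContent)
            if 'app_launched' in cleaned:
                # Fixed widths (40 / 39) are the author's; they cover the app id field.
                record('User Action: App Launched', app_label(cleaned[cleaned.find('(1:') + 1:][:40]))
            if 'app_open' in cleaned:
                record('System Info: App Open', app_label(cleaned[cleaned.find(':android:') - 14:][:39]))
            request = flow.requestContent
            if 'com.instructure.candroid' in request:
                if 'FindSchoolActivity' in request:
                    record('User Action: Canvas', 'School Search')
                if 'SignInActivity' in request:
                    record('User Action: Canvas', 'Sign In')
    elif url == 'https://android.googleapis.com/auth':
        request = flow.requestContent
        app = AppDefault.findFormEntry(request, 'app')
        flow.source = 'Google Login'
        if app == 'com.google.android.gms':
            flow.source = 'Google Mobile Services Login'
        login_sources = (
            ('com.google.android.gm', 'GMail Login'),
            ('com.google.android.googlequicksearchbox', 'Google Quick Search Login'),
            ('com.google.android.calendar', 'Google Calendar Login'),
            ('com.android.vending', 'Google Play Store Login'),
            ('com.google.android.contacts', 'Google Contacts Login'),
            ('com.google.android.apps.tachyon', 'Google Duo Login'),
        )
        for package, source in login_sources:
            if app == package:
                flow.source = source
                break
        # Email and Token are an account identifier and a credential respectively.
        for label, field in (
            ('System Info: Android ID', 'androidId'),
            ('System Info: Country', 'device_country'),
            ('System Info: Language', 'lang'),
            ('User Info: Email Address', 'Email'),
            ('System Info: Android Client Signature', 'client_sig'),
            ('System Info: Google Mobile Services Token', 'Token'),
        ):
            record(label, AppDefault.findFormEntry(request, field))
    elif url.startswith('https://www.googleapis.com/experimentsandconfigs/v1/getExperimentsAndConfigs'):
        flow.source = 'Experimental Features Config Sync'
    elif url.startswith('https://ssl.google-analytics.com'):
        flow.source = 'Google Analytics'
        request = flow.requestContent
        if ('com.google.android.apps.contacts' in AppDefault.findFormEntry(request, 'cd')
                and AppDefault.findFormEntry(request, 't') == 'screenview'):
            record('User Action', 'Viewing Contacts')
        elif AppDefault.findFormEntry(request, 'utc') == 'Create reminder':
            record('User Action', 'Google Calendar Reminder Created')
    elif url == 'https://android.googleapis.com/auth/devicekey':
        flow.source = 'Google Mobile Services'
        # The whole request body is recorded; it is device key material.
        record('System Info: Device Key', flow.requestContent)
    elif url == 'https://accounts.google.com/oauth/multilogin':
        # Fixed: the previous revision used `==` here, so the label was never applied.
        flow.source = 'Google Account Login'
        response = flow.responseContent
        accounts = response[response.find('"accounts":[') + 11:]
        # NOTE(review): find('}]+2') looks for the literal text "}]+2", which is
        # unlikely to occur, so this usually just drops the final character.
        # `find('}]') + 2` may have been intended; left unchanged pending
        # confirmation against real captures.
        accounts = accounts[:accounts.find('}]+2')]
        for account in accounts.split('},{'):
            record('User Info: Name', quoted_after(account, '"display_name":', 16))
            record('User Info: Email Address', quoted_after(account, '"display_email":', 17))
            record('User Info: Account ID', quoted_after(account, '"obfuscated_id":', 17))
    elif url == 'https://www.googleapis.com/cryptauth/v1/deviceSync/getmydevices':
        flow.source = 'Google Account Device Lookup'
    elif (url.startswith('https://www.google.com/m/voice-search/down?pair=')
            or url.startswith('https://www.google.com/m/voice-search/up?pair=')):
        flow.source = 'Google Assistant'
        record('System Info: Assistant Pair ID', AppDefault.findFormEntry(flow.requestContent, 'pair'))
    elif url == 'https://www.google.com/tg/fe/request?rqt=98&bq=0':
        flow.source = 'Assistant Weather Card'
        # The card text reads "... in <place>\..."; the place name is what is kept.
        text = AppDefault.cleanEncoding(flow.responseContent)
        text = text[text.find(' in ') + 4:]
        record('Location', text[:text.find('\\') - 1])
    elif url == 'https://www.google.com/loc/m/api':
        flow.source = 'Google Location API'
        record('Location', 'Location')
    elif url.startswith('https://mobilenetworkscoring-pa.googleapis.com/v1/GetWifiQuality'):
        flow.source = 'WiFi Strength Query'
        record('System Info: WiFi Strength', 'Key: ' + url[url.find('key=') + 4:])
    elif url.startswith('https://firebaseremoteconfig.googleapis.com'):
        flow.source = 'Firebase'
        request = flow.requestContent
        if '"packageName":' in request:
            app_name = quoted_after(request, '"packageName":', 16)
            flow.source = flow.source + ' ' + app_name
            record('Firebase ' + app_name + ' Instance ID', quoted_after(request, '"appInstanceId":', 18))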
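def checkGetURL(flow, results):
    """Classify Google/Android GET traffic and record the identifiers it carries.

    Sets ``flow.source`` for each recognised endpoint and appends
    ``Result.Result(flow, label, value)`` entries for device identifiers,
    build strings and location payloads.

    Args:
        flow: captured exchange; reads ``url`` and ``requestContent``,
            writes ``source``.
        results: list that receives ``Result.Result`` entries.

    The previous revision had a second ``complete/search`` branch near the end
    that could never run (the substring test earlier in the chain already
    matches every such URL); it has been dropped.
    """
    url = flow.url

    def record(label, value):
        results.append(Result.Result(flow, label, value))

    # WiFi connectivity check
    if url in ('http://connectivitycheck.gstatic.com/generate_204',
               'https://connectivitycheck.gstatic.com/generate_204'):
        flow.source = 'WiFi Connection'
        record('System Status', 'WiFi connection active')
    # Google ping
    elif url in ('https://www.google.com/generate_204', 'http://www.google.com/gen_204'):
        flow.source = 'Google service ping'
    elif 'https://android.clients.google.com/gsync' in url:
        flow.source = 'Google Account Data Sync'
        request = flow.requestContent
        # Both values are persistent device identifiers.
        record('System Info: GCM ID',
               request[request.find('gcm://?regId=') + 13:request.find('&androidId=')])
        record('System Info: Android ID',
               request[request.find('&androidId=') + 11:request.find('\n')])
    elif 'preloads?doc=android.autoinstalls.config.' in url:
        flow.source = 'App Preloader'
        request = flow.requestContent
        fingerprint = request[request.find('build_fingerprint:') + 19:]
        record('System Info: Build', fingerprint[:fingerprint.find('\n')].strip())
    elif 'https://www.google.com/complete/search' in url:
        flow.source = 'Google Search History Sync'
    elif url.startswith('https://app-measurement.com'):
        flow.source = 'App Measurement'
        app_id = AppDefault.fixUrlEncoding(url[url.find('app/') + 4:url.find('?')])
        if app_id in appIds.keys():
            app_id = appIds[app_id]
        record('System Info: Application', app_id)
        request = flow.requestContent
        instance = request[request.find('app_instance_id:') + 17:]
        record('System Info: App Instance ID', instance[:instance.find('\n')].strip())
    elif url.startswith('https://www.googleapis.com/userlocation/v1/settings'):
        flow.source = 'Android Location Settings Sync'
        request = flow.requestContent
        record('System Info: Model',
               AppDefault.findFormEntry(request, 'brand') + ' ' + AppDefault.findFormEntry(request, 'model'))
        record('System Info: Build', AppDefault.findFormEntry(request, 'platform'))
    elif url.startswith('https://www.googleapis.com/userlocation/v1/reports'):
        flow.source = 'Location Report'
        # The full location report body is stored; it is precise personal data.
        record('Location Info', flow.requestContent)
    elif url.startswith('https://play.googleapis.com'):
        flow.source = 'Google Play Store'
    elif url.startswith('https://g.tenor.com/v1/categories?key='):
        flow.source = 'Tenor GIF Keyboard'
    elif url.startswith('https://playatoms-pa.googleapis.com/v1/archiveDownload'):
        flow.source = 'Google Play Store Download'
    elif url == 'https://clients3.google.com/generate_204':
        flow.source = 'Google Connectivity Check'
    elif url.startswith('https://www.googleapis.com/plus/v2whitelisted/people/me'):
        flow.source = 'Google Friends Lookup'
    elif url.startswith('https://www.gstatic.com/android/keyboard'):
        flow.source = 'Android Keyboard'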
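def checkPostURL(flow, results):
    """Classify Venmo POST traffic and record credentials, tokens, device and activity data.

    Args:
        flow: captured exchange; reads ``url``, ``requestContent`` and
            ``responseContent``, writes ``source``.
        results: list that receives ``Result.Result`` entries.

    The two login-field checks were unreadable in the text this revision was
    taken from (the condition was masked out); they are reconstructed to
    match the ``find(marker) > -1`` pattern used by the sibling handlers.
    Confirm against the original file before relying on them.

    The username, password and access-token entries are live credentials and
    are stored verbatim; the result store must be treated as sensitive.
    """
    url = flow.url
    if not url.startswith('https://api.venmo.com'):
        return
    flow.source = 'Venmo'

    def record(label, value):
        results.append(Result.Result(flow, label, value))

    def slice_after(text, marker, skip, terminator='"'):
        # Text that follows `marker` by `skip` characters, up to `terminator`.
        # Offsets are the original author's and assume the JSON spacing observed.
        tail = text[text.find(marker) + skip:]
        return tail[:tail.find(terminator)]

    if url == 'https://api.venmo.com/v1/oauth/access_token':
        flow.source = 'Venmo Login'
        request = flow.requestContent
        response = flow.responseContent
        # Reconstructed condition (see docstring).
        if 'phone_email_or_username:' in request:
            record('Venmo Username', AppDefault.findFormEntry(request, 'phone_email_or_username'))
        # Reconstructed condition (see docstring).
        if 'password:' in request:
            record('Venmo Password', AppDefault.findFormEntry(request, 'password'))
        if '"access_token":' in response:
            record('Venmo Access Token', slice_after(response, '"access_token":', 17))
        if '"id":' in response:
            # NOTE(review): the original labels the account "id" as
            # 'Venmo Access Token' too; kept so downstream consumers see the
            # same label, but it is probably a copy-paste slip.
            record('Venmo Access Token', slice_after(response, '"id":', 7))
    elif url == 'https://api.venmo.com/v1/account/two-factor/token':
        flow.source = 'Venmo Login'
        record('User Action: 2FA Sent', AppDefault.findFormEntry(flow.requestContent, 'via'))
    elif url == 'https://api.venmo.com/v1/users/devices':
        response = flow.responseContent
        record('User Info: Location', slice_after(response, '"location":', 13))
        record('User Info: Venmo Client', slice_after(response, '"browser":', 12))
        record('System Info: Venmo ID', slice_after(response, '"id":', 7, ','))
        record('User Action: Venmo Device Login Time', slice_after(response, '"created_at":', 15))
    elif url == 'https://api.venmo.com/v1/device-tokens/android':
        record('System Info: Venmo Token', AppDefault.findFormEntry(flow.requestContent, 'device_token'))
    elif url == 'https://api.venmo.com/v1/contacts':
        # The uploaded address book is split on the pretty-printed object separator.
        contacts = AppDefault.findJSONListNonSpaced(flow.requestContent, 'contacts')
        for contact in contacts.split(' },\n {'):
            record('User Info: Contact', contact)
    elif url == 'https://api.venmo.com/v1/payments':
        record('User Action: Venmo Payment', flow.requestContent)
    elif url.startswith('https://api.venmo.com/v1/stories') and '/likes' in url:
        story = url[url.find('stories/') + 8:]
        record('User Action: Liked Story', story[:story.find('/')])
    elif url.startswith('https://api.venmo.com/v1/stories') and '/comments' in url:
        story = url[url.find('stories/') + 8:]
        story = story[:story.find('/')]
        record('User Action: Commented on Story',
               story + ': ' + AppDefault.findFormEntry(flow.requestContent, 'message'))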
def checkPostURL(flow, results):
    """Record the Spotify installation id posted to the remote-config resolver.

    Args:
        flow: captured exchange; reads ``url`` and ``requestContent``.
        results: list that receives ``Result.Result`` entries.
    """
    if not flow.url.startswith('https://spclient.wg.spotify.com/remote-config-resolver'):
        return
    installation_id = AppDefault.findFormEntry(flow.requestContent, 'installation_id')
    results.append(Result.Result(flow, 'System Info: Spotify Installation ID', installation_id))
def checkPostURL(flow, results):
    """Classify Reddit POST traffic (incl. Branch.io and event telemetry) and record it.

    Args:
        flow: captured exchange; reads ``url``, ``requestContent`` and
            ``responseContent``, writes ``source`` for Branch.io traffic.
        results: list that receives ``Result.Result`` entries.
    """
    url = flow.url

    def record(label, value):
        results.append(Result.Result(flow, label, value))

    def slice_after(text, marker, skip, terminator='"'):
        # Text that follows `marker` by `skip` characters, up to `terminator`.
        # Offsets are the original author's and assume the JSON spacing observed.
        tail = text[text.find(marker) + skip:]
        return tail[:tail.find(terminator)]

    if url == 'https://www.reddit.com/api/v1/access_token':
        response = flow.responseContent
        token = response[response.find('"access_token":') + 15:]
        token = token[token.find('"') + 1:]
        # Bearer token for the account: a live credential in the result store.
        record('System Info: Access Token', token[:token.find('"')])
    elif url.startswith('https://api.branch.io/'):
        flow.source = 'Branch.io'
        content = flow.requestContent
        if url.endswith('open'):
            record('User Action: App Opened', 'Reddit Opened')
        elif url.endswith('close'):
            record('User Action: App Closed', 'Reddit Closed')
        brand = slice_after(content, '"brand":', 10)
        model = slice_after(content, '"model":', 10)
        record('System Info: Model', brand + ' ' + model)
        record('User Info: Ad ID', slice_after(content, '"google_advertising_id":', 26))
        record('System Info: Hardware ID', slice_after(content, '"hardware_id":', 16))
        record('System Info: Local IP Address', slice_after(content, '"local_ip":', 13))
        width = slice_after(content, '"screen_width":', 16, ',')
        height = slice_after(content, '"screen_height":', 17, ',')
        record('System Info: Screen Size', width + ' x ' + height)
        record('System Info: WiFi Connection Status', slice_after(content, '"wifi":', 8))
        record('Branch.io Key', slice_after(content, '"branch_key":', 15))
        record('System Info: First Install Time', slice_after(content, '"first_install_time":', 22, ','))
        record('System Info: Latest Install Time', slice_after(content, '"latest_install_time":', 23, ','))
        record('System Info: Latest Update Time', slice_after(content, '"latest_update_time":', 22, ','))
        if url.endswith('open'):
            # A second "opened" entry is emitted here, as in the original.
            record('User Action: Opened App', 'Reddit')
            record('User info: Branch ID', slice_after(content, '"identity_id":', 16))
            record('System Info: Device Fingerprint ID', slice_after(content, '"device_fingerprint_id":', 26))
        elif url.endswith('install'):
            record('User Action: Installed App', 'Reddit')
    elif url == 'https://gql.reddit.com/':
        response = flow.responseContent
        if 'experimentVariants' in response:
            record('Experimental Features Config',
                   AppDefault.findJSONListNonSpaced(response, 'experimentVariants'))
    elif url.startswith('https://gateway.reddit.com/redditmobile/1/android/config'):
        record('Experimental Features Config', AppDefault.findFormEntry(flow.requestContent, 'experiments'))
        record('Experimental Features Config', AppDefault.findJSONListNonSpaced(flow.responseContent, 'buckets'))
    elif url.startswith('https://gateway.reddit.com/redditmobile'):
        request = flow.requestContent
        record('Reddit Client ID', AppDefault.findFormEntry(request, 'client_id'))
        record('System Info: Timezone', AppDefault.findFormEntry(request, 'tz_name'))
    elif url == 'https://events.redditmedia.com/v1':
        request = flow.requestContent
        event_type = slice_after(request, '"event_type":', 14)
        event_ts = slice_after(request, '"event_ts":', 11, ',')
        if event_type == 'cs.app_launch_android':
            record('User Action: Reddit Opened', 'Reddit Opened @ ' + event_ts)
        else:
            # Anything other than a launch is dumped whole for later review.
            record('Reddit Activity & Info Dump', request)
    elif url == 'https://www.reddit.com/api/v1/login':
        request = flow.requestContent
        if 'passwd:' in request:
            record('User Action: Reddit Login',
                   'Logged in as ' + AppDefault.findFormEntry(request, 'user'))
            # The cleartext password is stored verbatim; the result store is sensitive.
            record('User Info: Password', AppDefault.findFormEntry(request, 'passwd'))
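def checkPostURL(flow, results):
    """Classify a RocketChat POST and append the artifacts it carries to `results`.

    Args:
        flow: captured HTTP exchange; reads flow.url and flow.requestContent and
            always sets flow.source = 'RocketChat'.
        results: list that receives Result.Result(flow, type, info) entries, one
            per extracted item, in the original order.

    Registration and login bodies yield the plaintext password, so `results`
    holds live credentials and must be stored and handled as sensitive data by
    the caller.  Returns None.
    """
    flow.source = 'RocketChat'
    url = flow.url

    def emit(kind, info):
        results.append(Result.Result(flow, kind, info))

    def json_field(key):
        return AppDefault.findJSONItem(flow.requestContent, key)

    def quoted_after(marker, skip):
        """Request-body text starting `skip` chars past `marker`, up to the next '"'.

        `skip` keeps the original hard-coded offsets (marker plus ': "'), which
        assume a space after the colon -- TODO confirm against real traffic.
        Returns '' when `marker` is absent and the whole tail when no closing
        quote follows (instead of silently dropping the last character).
        """
        body = flow.requestContent
        pos = body.find(marker)
        if pos == -1:
            return ''
        tail = body[pos + skip:]
        end = tail.find('"')
        return tail if end == -1 else tail[:end]

    if url == 'https://open.rocket.chat/api/v1/users.register':
        emit('User Info: Email Address', json_field('email'))
        emit('User Info: RocketChat Name', json_field('name'))
        emit('User Info: RocketChat Password', json_field('pass'))
        emit('User Info: RocketChat Username', json_field('username'))
    elif url == 'https://open.rocket.chat/api/v1/login':
        emit('User Info: RocketChat Password', json_field('pass'))
        emit('User Info: RocketChat Username', json_field('username'))
    elif url == 'https://open.rocket.chat/api/v1/push.token':
        emit('RocketChat GCM Token', json_field('value'))
    elif url == 'https://open.rocket.chat/api/v1/channels.create':
        # Bug fix: the original ended with `info = info[:info]`, slicing with a
        # str bound, which raises TypeError on every channel creation.  The
        # channel name runs up to the closing quote, as in the sendMessage case.
        emit('User Action: Create Channel', quoted_after('"name":', 9))
    elif url == 'https://open.rocket.chat/api/v1/chat.sendMessage':
        emit('User Action: Send Message', quoted_after('"msg":', 8))
    elif url.find('https://open.rocket.chat/api/v1/chat.search') == 0:
        emit('User Action: Chat Search',
             AppDefault.findFormEntry(flow.requestContent, 'searchText'))
    elif url == 'https://open.rocket.chat/api/v1/users.deleteOwnAccount':
        emit('User Action: Delete Account', 'Deleted RocketChat Account')
    elif url == 'https://open.rocket.chat/api/v1/logout':
        emit('User Action: Logout', 'Logged Out')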
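def checkGetURL(flow, results):
    """Classify a Canvas (Instructure) GET and append extracted artifacts to `results`.

    flow.source is set to 'Canvas' for every flow; flow.url is then matched against
    the known canvas.instructure.com / champlain.instructure.com endpoints and each
    match appends Result.Result(flow, type, info) entries in the original order.

    mobile_verify.json exposes the API key and the OAuth client id/secret from the
    response body, so `results` holds live credentials and must be protected.
    Returns None.
    """
    flow.source = 'Canvas'
    url = flow.url

    def emit(kind, info):
        results.append(Result.Result(flow, kind, info))

    def form(key):
        return AppDefault.findFormEntry(flow.requestContent, key)

    def between(text, marker, stop=None, skip=None):
        """Text starting `skip` chars past the first `marker` (default: its length),
        cut before the next `stop` when one is given.

        Returns '' when `marker` is absent and the whole tail when `stop` is
        absent.  Bug fix: the original `x[:x.find(stop)]` dropped the last
        character of an ID whenever the delimiter was missing (find() == -1).
        """
        pos = text.find(marker)
        if pos == -1:
            return ''
        tail = text[pos + (len(marker) if skip is None else skip):]
        if stop is None:
            return tail
        end = tail.find(stop)
        return tail if end == -1 else tail[:end]

    def course_id():
        # Path segment right after 'courses/'.
        return between(url, 'courses/', '/')

    if url.find('https://canvas.instructure.com//api/v1/accounts/search') == 0:
        # NOTE(review): the double slash is kept as captured -- confirm the app
        # really sends it, otherwise this branch never fires.
        emit('User Action: School Search', form('search_term'))
    elif url.find('https://canvas.instructure.com/api/v1/mobile_verify.json') == 0:
        resp = flow.responseContent
        emit('System Info: Canvas API Key', AppDefault.findJSONItem(resp, 'api_key'))
        emit('System Info: Canvas Client ID', AppDefault.findJSONItem(resp, 'client_id'))
        emit('System Info: Canvas Client Secret', AppDefault.findJSONItem(resp, 'client_secret'))
    elif url.find('https://champlain.instructure.com/login/oauth2/auth') == 0:
        emit('System Info: Canvas Client ID', form('client_id'))
    elif url.find('https://champlain.instructure.com/api/v1/courses') == 0:
        if url.find('front_page') > -1:
            emit('User Action: View Course Front Page', course_id())
        elif url.find('announcements') > -1:
            emit('User Action: View Course Announcements', course_id())
        elif url.find('discussion_topics') > -1 and url.find('view') > -1:
            emit('User Action: View Discussion Topic', between(url, 'discussion_topics/', '/'))
        elif url.find('modules') > -1:
            emit('User Action: View Course Modules', course_id())
            if url.find('/items') > -1:
                emit('User Action: View Module', between(url, 'modules/', '/'))
        elif url.find('pages/') > -1:
            emit('User Action: View Course Page', between(url, 'pages/'))
        elif url.find('assignments') > -1:
            if url.find('submissions') > -1:
                emit('User Action: View Assignment Submission', between(url, 'submissions/', '?'))
            else:
                emit('User Action: View Assignment', between(url, 'assignments/', '?'))
        elif url.find('users') > -1:
            if url.find('users/') > -1:
                user = between(url, 'users/', '?')
                # skip=9 = len('"name":') + 2 reproduces the original offset and
                # assumes ': "' follows the key -- TODO confirm against real traffic.
                name = between(flow.responseContent, '"name":', '"', skip=9)
                emit('User Action: View Canvas User', user + ': ' + name)
            else:
                emit('User Action: View Course People', course_id())
    elif url.find('https://champlain.instructure.com/api/v1/calendar_events') == 0:
        emit('User Action: View Calendar', form('start_date') + ' - ' + form('end_date'))
        if url.find('context_codes[]=course_') > -1:
            # Drop the 7-char 'course_' prefix to leave the bare course id.
            emit('User Action: Course Calendar Viewed', form('context_codes[]')[7:])
    elif url.find('https://champlain.instructure.com/api/v1/users/self/todo') == 0:
        emit("User Action: View To-Do's", "Viewed To Do's")
    elif url.find('https://champlain.instructure.com/api/v1/users/self/activity_stream') == 0:
        emit('User Action: View Notifications', 'Viewed Notifications')
    elif url.find('https://champlain.instructure.com/api/v1/conversations') == 0:
        if url.find('conversations/?') == -1 and url.find('unread_count') == -1:
            emit('User Action: Viewed Message', between(url, 'conversations/', '?'))
        else:
            emit('User Action: Viewed Inbox', 'Viewed Inbox')
    elif url.find('https://champlain.instructure.com/api/v1/users/self/folders') == 0:
        emit('User Action: Viewed Files', between(url, 'folders/'))
    elif url.find('https://champlain.instructure.com/api/v1/folders') == 0:
        emit('User Action: Viewed Folder', between(url, 'folders/', '/'))
    elif url.find('https://champlain.instructure.com/files') == 0:
        emit('User Action: Viewed File', between(url, 'files/', '/'))
    elif (url.find('https://champlain.instructure.com/api/v1/users') == 0
            and url.find('files?search_term=') > -1):
        emit('User Action: Search Files', form('search_term'))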
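def checkGetURL(flow, results):
    """Classify a Google (Drive/Docs/Sheets/Calendar/Voice) GET and record artifacts.

    Sets flow.source for recognised hosts and appends Result.Result(flow, type, info)
    entries to `results` for document opens/deletes, calendar data and the Voice
    account request.  Returns None.
    """
    url = flow.url
    DOC_PREFIX = 'https://docs.google.com/document/d'
    SHEET_PREFIX = 'https://docs.google.com/spreadsheets/d'

    def emit(kind, info):
        results.append(Result.Result(flow, kind, info))

    def between(text, marker, stop):
        """Text after the first `marker`, cut before the next `stop`.

        '' when `marker` is absent; the whole tail when `stop` is absent.  Bug
        fix: the original `x[:x.find(stop)]` dropped the last character of the
        value whenever the delimiter was missing.
        """
        pos = text.find(marker)
        if pos == -1:
            return ''
        tail = text[pos + len(marker):]
        end = tail.find(stop)
        return tail if end == -1 else tail[:end]

    def doc_id(prefix):
        # The document id is the path segment right after '<prefix>/'.  The
        # original used hard-coded offsets 35 / 39, which equal len(prefix) + 1.
        rest = url[len(prefix) + 1:]
        end = rest.find('/')
        return rest if end == -1 else rest[:end]

    def title_from_response():
        # Document title as serialised in the response ('"t":"<title>"').
        return between(flow.responseContent, '"t":"', '"')

    if url.find('https://www.googleapis.com/drive/v2internal/files') == 0:
        flow.source = 'Google Drive File Lookup'
    elif url.find('https://www.googleapis.com/drive/v2internal/changes') == 0:
        flow.source = 'Google Drive File Sync'
    elif url.find('https://www.googleapis.com/discussions/v1/authors') == 0:
        flow.source = 'Google Drive Comments'
    elif url.find(DOC_PREFIX) == 0:
        flow.source = 'Google Docs'
        if url.find('leave') > -1:
            emit('User Action', 'Document Deleted: ' + doc_id(DOC_PREFIX))
        else:
            info = 'Document Opened: ' + doc_id(DOC_PREFIX)
            if flow.responseContent.find('":"') > -1 and url.find('edit') > -1:
                info = info + ' (' + title_from_response() + ')'
            emit('User Action', info)
    elif url.find(SHEET_PREFIX) == 0:
        flow.source = 'Google Sheets'
        if url.find('leave') > -1:
            emit('User Action', 'Document Deleted: ' + doc_id(SHEET_PREFIX))
        else:
            info = 'Spreadsheet Opened: ' + doc_id(SHEET_PREFIX)
            if (flow.responseContent.find('":"') > -1
                    and (url.find('edit') > -1 or url.find('model') > -1)):
                info = info + ' (' + title_from_response() + ')'
            emit('User Action', info)
    elif url.find('https://www.googleapis.com/calendar') == 0:
        flow.source = 'Google Calendar'
        resp = flow.responseContent
        if resp.find('notificationSettings') > -1:
            emit('User Info: Notification Settings',
                 AppDefault.findJSONSection(resp, 'notificationSettings'))
        elif resp.find('"kind": "calendar#events"') > -1 or url.find('/events') > -1:
            items = AppDefault.findJSONListNonSpaced(resp, 'items')
            # An empty list serialises as '[]' (2 chars); only report real events.
            if len(items) > 2:
                emit('User Info: Calendar Events', items)
        elif url.find('/habits') > -1:
            emit('User Info: Habits', resp)
    elif url.find('https://www.googleapis.com/voice/v1/users/@me/account?key=') == 0:
        # NOTE(review): on googleapis endpoints the 'key' query parameter is
        # normally the client API key rather than an account id -- confirm the label.
        emit('User Info: Account ID', AppDefault.findFormEntry(flow.requestContent, 'key'))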
def checkPostURL(flow, results):
    """Classify a Hulu POST and record the device/account artifacts it carries.

    flow.source is always set to 'Hulu'.  Each recognised endpoint appends
    Result.Result(flow, type, info) entries to `results` in a fixed order.
    The password/authenticate endpoint yields the plaintext Hulu password, so
    `results` must be treated as sensitive data.  Returns None.
    """
    flow.source = 'Hulu'
    url = flow.url

    def emit(kind, info):
        results.append(Result.Result(flow, kind, info))

    def form(key):
        return AppDefault.findFormEntry(flow.requestContent, key)

    def json_item(key):
        return AppDefault.findJSONItem(flow.requestContent, key)

    if url == 'https://play.hulu.com/config':
        emit('System Info: Hulu Device ID', form('device_id'))
        emit('System Info: Model', form('device_model'))
    elif url == 'https://vortex.hulu.com/api/v3/event':
        body = flow.requestContent
        # A field is reported only when its key occurs anywhere in the body
        # (plain substring test); the order of this table is the output order.
        for key, kind in (
            ('app_session_id', 'Hulu Session ID'),
            ('app_visit_count', 'User Action: Hulu Visit Count'),
            ('application_instance_id', 'System Info: Hulu App ID'),
            ('device_ad_id', 'Ad ID'),
            ('device_manufacturer', 'System Info: Brand'),
            ('device_model', 'System Info: Model'),
            ('device_os', 'System Info: OS Version'),
            ('manufacturer_device_id', 'System Info: Serial Number'),
            ('network_mode', 'System Info: Connection Type'),
            ('screen_resolution', 'System Info: Screen Size'),
            ('screen_orientation', 'System Info: Screen Orientation'),
            ('event', 'Hulu Event'),
        ):
            if body.find(key) > -1:
                emit(kind, json_item(key))
    elif url == 'https://auth.hulu.com/v1/device/code/register':
        emit('System Info: Serial Number', form('serial_number'))
    elif url == 'https://auth.hulu.com/v1/device/password/authenticate':
        emit('User Info: Email Address', form('user_email'))
        emit('User Info: Hulu Password', form('password'))
        emit('System Info: Serial Number', form('serial_number'))
        emit('System Info: Timezone', form('time_zone'))
    elif url == 'https://auth.hulu.com/v1/device/profiles/switch':
        emit('User Action: Profile Switch', form('profile_id'))
    elif url.find('https://home.hulu.com/v1/users/self/profiles/self/asset_view_progress') == 0:
        emit('User Action: Video Progress', json_item('position'))
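def checkPostURL(flow, results):
    """Classify a Google-app POST (GCM, Gmail, Drive, Docs, Photos, Calendar, Hangouts).

    Sets flow.source for recognised endpoints and appends
    Result.Result(flow, type, info) entries to `results` for the user actions and
    identifiers they reveal.  Returns None.

    Changes from the original: the debug print() calls that dumped the raw
    document-edit payload to stdout are removed; a missing header no longer
    raises KeyError; the sendoffnetworkinvitation scan no longer loops forever
    on unexpected input; and field extraction no longer drops the last character
    when a terminating newline is missing.
    """
    url = flow.url

    def emit(kind, info):
        results.append(Result.Result(flow, kind, info))

    def between(text, marker, stop=None):
        """Text after the first `marker`, cut before the next `stop` if given.

        '' when `marker` is absent; the whole tail when `stop` is absent.
        """
        pos = text.find(marker)
        if pos == -1:
            return ''
        tail = text[pos + len(marker):]
        if stop is None:
            return tail
        end = tail.find(stop)
        return tail if end == -1 else tail[:end]

    if url == 'https://android.clients.google.com/c2dm/register3':
        # Assumes flow.requestHeaders is dict-like; .get avoids a KeyError on a
        # registration without an 'app' header -- TODO confirm the headers type.
        app = flow.requestHeaders.get('app', '')
        if app == 'com.google.android.apps.tachyon':
            flow.source = 'Google Duo Login'
        elif app == 'com.google.android.apps.maps':
            flow.source = 'Google Maps Login'
        emit('System Info: Device ID', between(flow.requestContent, 'device:', '\n').strip())
        # The GCM registration token is a live push credential; handle as sensitive.
        emit('Token', between(flow.responseContent, 'token=').strip())
    elif url.find('https://inbox.google.com/sync') == 0:
        flow.source = 'Gmail Inbox Sync'
    elif url.find('https://mail.google.com/mail/ads') == 0:
        flow.source = 'Gmail Ads'
    elif url == 'https://www.googleapis.com/plusdatamixer/v1/mutate':
        flow.source = 'Google Drive'
    elif url.find('https://www.googleapis.com/discussions/v1/targets') == 0:
        flow.source = 'Google Drive Comments'
    elif url.find('https://docs.google.com/document/create') == 0:
        flow.source = 'Google Docs'
        emit('User Action', 'Create New Document: '
             + AppDefault.findFormEntry(flow.requestContent, 'title'))
    elif url.find('https://docs.google.com/document/d') == 0:
        flow.source = 'Google Docs'
        if url.find('/save?') > -1:
            commands = AppDefault.findJSONListNonSpaced(flow.requestContent, 'commands')
            # Strip the surrounding '[{' / '}]' and split into one object per
            # command.  NOTE: splitting on '},{' and ',' is a heuristic that
            # breaks on values containing those characters (kept from the original).
            for item in commands[2:len(commands) - 2].split('},{'):
                entries = {}
                for pair in item.split(','):
                    key, sep, value = pair.partition(':')
                    # Original used split(':')[1], which raised IndexError on a
                    # pair without ':' and truncated values containing ':'.
                    if sep:
                        entries[key] = value
                if '"s"' in entries:
                    emit('User Action', 'Inserted ' + entries['"s"'])
                if '"si"' in entries:
                    emit('User Action', 'Deleted Index: ' + entries['"si"'])
    elif url == 'https://www.googleapis.com/batch/drive/v2internal':
        body = flow.requestContent
        if body.find('{"additionalRoles":') > -1:
            flow.source = 'Google Drive'
            change = body[body.find('{"additionalRoles":'):]
            change = change[:change.find('}') + 1]
            emit('User Action', 'File Role Change: ' + change)
        elif body.find('GET https://www.googleapis.com/drive/v2internal/files') > -1:
            flow.source = 'Google Drive File Lookup'
    elif url.find('https://photosdata-pa.googleapis.com') == 0:
        flow.source = 'Google Photos'
        lines = flow.requestContent.split('\n')
        # A share-creation body is exactly four protobuf-text lines: '1 {', '1: ..',
        # '}', '2: <share target>'.
        if len(lines) == 4:
            if (lines[0].strip() == '1 {' and lines[1].strip()[:2] == '1:'
                    and lines[2].strip() == '}' and lines[3].strip()[:2] == '2:'):
                emit('User Action', 'Create New Share: ' + lines[3].strip()[3:])
    elif url.find('https://photos.googleapis.com/data/upload') == 0:
        flow.source = 'Google Photos Upload'
        emit('User Action', 'Photo Uploaded: '
             + flow.requestHeaders.get('x-goog-upload-file-name', ''))
    elif url == 'https://www.googleapis.com/datamixer/v1/batchfetch':
        lines = flow.requestContent.split('\n')
        # Contact searches have a fixed 22-line body with the term on line 13.
        if len(lines) == 22:
            term = lines[12].strip()[3:]
            if len(term) > 0:
                emit('User Action', 'Contact Search: ' + term)
    elif url.find('https://www.googleapis.com/calendar') == 0:
        flow.source = 'Google Calendar'
        if url.find('/events') > -1:
            emit('User Action: Event Creation/Update', flow.requestContent)
        elif url.find('/habits') > -1:
            emit('User Action: Habit Creation/Update', flow.requestContent)
    elif url.find('https://www.googleapis.com/chat/v1android/conversations/sync') == 0:
        emit('User Action', 'Synced Hangouts')
    elif url.find('https://www.googleapis.com/chat/v1android/clients/setactiveclient') == 0:
        emit('User Action', 'Opened Google Hangouts')
    elif url.find('https://www.googleapis.com/chat/v1android/presence/setpresence') == 0:
        body = flow.requestContent
        if body.find('8 {') > -1:
            status = between(body[body.find('8 {'):], '2: ', '\n')
            emit('User Action', 'Set Hangouts Status: ' + status)
    elif url.find('https://www.googleapis.com/chat/v1android/conversations/getconversation') == 0:
        emit('User Action', 'Opened Conversation')
    elif url.find('https://www.googleapis.com/chat/v1android/devices/sendoffnetworkinvitation') == 0:
        body = flow.requestContent
        info = body[body.find('2 {'):]
        # Slide forward until the first '1: ' is followed by '1'.  Bug fix: the
        # original loop never terminated when no such marker existed -- `info`
        # shrank to '' and ''[3:] is '' forever -- so stop once the text is exhausted.
        while info and info[info.find('1: ') + 3:info.find('1: ') + 4] != '1':
            info = info[3:]
        info = info[info.find('2 {'):]
        emit('User Action', 'Sent Hangouts Invitation: ' + between(info, '3: ', '\n'))
    elif url.find('https://www.googleapis.com/chat/v1android/conversations/setfocus') == 0:
        emit('User Action', 'Opened Conversation')
    elif url.find('https://www.googleapis.com/chat/v1android/conversations/settyping') == 0:
        emit('User Action', 'Changed Typing Status')
    elif url.find('https://www.googleapis.com/chat/v1android/conversations/sendchatmessage') == 0:
        emit('User Action', 'Sent Message')
    elif url.find('https://www.googleapis.com/hangouts/v1android/media_sessions/query') == 0:
        emit('User Action', 'Opened Call')
    elif url.find('https://www.googleapis.com/hangouts/v1android/hangout_participants/remove') == 0:
        emit('User Action', 'Left Call')
    elif url == 'https://android.googleapis.com/auth':
        flow.source = AppDefault.findFormEntry(flow.requestContent, 'app')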
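def checkGetURL(flow, results):
    """Classify a LinkedIn GET and record the action or identifier it reveals.

    flow.source is set to 'LinkedIn' for www.linkedin.com, platform.linkedin.com
    and dms.licdn.com, then refined for specific voyager endpoints.  Each
    recognised endpoint appends Result.Result(flow, type, info) entries to
    `results` in the original order.  Returns None.
    """
    url = flow.url

    def emit(kind, info):
        results.append(Result.Result(flow, kind, info))

    def form(key):
        return AppDefault.findFormEntry(flow.requestContent, key)

    def path_id(marker, stop=None):
        """URL text after the first `marker`, cut before the next `stop` if given.

        '' when `marker` is absent; the whole tail when `stop` is absent.  Bug
        fix: the original `x[:x.find('?')]` dropped the last character of an ID
        whose URL carried no query string.
        """
        pos = url.find(marker)
        if pos == -1:
            return ''
        tail = url[pos + len(marker):]
        if stop is None:
            return tail
        end = tail.find(stop)
        return tail if end == -1 else tail[:end]

    if (url.find('https://www.linkedin.com') == 0
            or url.find('https://platform.linkedin.com') == 0
            or url.find('https://dms.licdn.com') == 0):
        flow.source = 'LinkedIn'

    if url.find('https://www.linkedin.com/voyager/api/feed/updates') == 0:
        flow.source = 'LinkedIn Feed Update'
        emit('System Info: Battery Level', form('battery'))
        emit('System Info: Connection Type', form('connectionType'))
    elif (url.find('https://www.linkedin.com/voyager/api/identity/profiles') == 0
            and url.find('profileView') > -1):
        flow.source = 'LinkedIn View Profile'
        emit('User Action: Viewed Profile ID', path_id('profiles/', '/'))
    elif url.find('https://www.linkedin.com/voyager/api/typeahead/hits') == 0:
        flow.source = 'LinkedIn Search'
        emit('User Action: LinkedIn Search', form('query'))
    elif url.find('https://www.linkedin.com/voyager/api/messaging/typeahead/hits') == 0:
        flow.source = 'LinkedIn Messages Search'
        emit('User Action: LinkedIn Messages Search', form('keyword'))
    elif url.find('https://www.linkedin.com/voyager/api/search') == 0:
        flow.source = 'LinkedIn Search'
        emit('User Action: Job Search Filter', form('filters'))
        emit('User Action: Job Search', form('keywords'))
    elif url.find('https://www.linkedin.com/psettings/policy/notices?types=EDIT_FEED_ACTIVITY') == 0:
        emit('User Action: LinkedIn', form('types'))
    elif url.find('https://www.linkedin.com/voyager/api/feed/contentTopicData') == 0:
        emit('User Action: Search Hashtag', path_id('contentTopicData/urn:li:hashtag:', '?'))
    elif url.find('https://www.linkedin.com/voyager/api/groups/groups') == 0:
        emit('User Action: View Group', path_id('groups/groups/'))
    elif url.find('https://www.linkedin.com/voyager/api/messaging/mailboxUnreadCounts') == 0:
        emit('User Action: LinkedIn', 'Opened Messages')
    elif url.find('https://www.linkedin.com/csp/simt') == 0:
        emit('LinkedIn Ad Tracker ID', form('adTrk'))
    elif url.find('https://www.linkedin.com/voyager/api/messaging/conversations') == 0:
        if url.find('conversations?') > -1:
            emit('User Action: LinkedIn', 'Viewed Conversations')
        else:
            conv = path_id('conversations/')
            slash, qmark = conv.find('/'), conv.find('?')
            # Cut at whichever of '/' or '?' comes first.  Bug fix: the original
            # compared `slash < qmark` even when qmark was -1, so an ID followed
            # by a sub-path but no query string was never trimmed.
            if slash > -1 and (qmark == -1 or slash < qmark):
                conv = conv[:slash]
            elif qmark > -1:
                conv = conv[:qmark]
            emit('User Action: Viewed LinkedIn Conversation', conv)
    elif url.find('https://www.linkedin.com/voyager/api/contentcreation/updateTargetings') == 0:
        emit('User Action: Typed Post', form('commentary'))
    elif url.find('https://www.linkedin.com/voyager/api/identity/notificationSegments') == 0:
        emit('User Action: LinkedIn', 'Viewed Notification')
    elif url.find('https://www.linkedin.com/voyager/api/jobs') == 0:
        if url.find('https://www.linkedin.com/voyager/api/jobs/jobPostings') == 0:
            emit('User Action: Viewed Job', path_id('jobPostings/', '?'))
        else:
            emit('User Action: LinkedIn', 'Viewed Jobs')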
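def checkGetURL(flow, results):
    """Classify a Spotify GET and record song, search and session artifacts.

    Sets flow.source for feature-flag syncs; other recognised endpoints append
    Result.Result(flow, type, info) entries to `results`.  Returns None.
    """
    url = flow.url

    def emit(kind, info):
        results.append(Result.Result(flow, kind, info))

    def form(key):
        return AppDefault.findFormEntry(flow.requestContent, key)

    def between(text, marker, stop, skip=None):
        """Text starting `skip` chars past the first `marker` (default: its length),
        cut before the next `stop`.

        '' when `marker` is absent; the whole tail when `stop` is absent.  Bug
        fix: the original `x[:x.find(stop)]` dropped the last character of the
        ID whenever the delimiter was missing.
        """
        pos = text.find(marker)
        if pos == -1:
            return ''
        tail = text[pos + (len(marker) if skip is None else skip):]
        end = tail.find(stop)
        return tail if end == -1 else tail[:end]

    def url_segment(marker):
        # Path segment after `marker`, up to the query string.
        return between(url, marker, '?')

    if url.find('https://spclient.wg.spotify.com/v1/pses/featureflags') == 0:
        flow.source = 'Spotify Features Sync'
    elif url.find('https://spclient.wg.spotify.com/abba-service/v1/resolve') == 0:
        flow.source = 'Spotify Features Sync'
    elif url.find('https://spclient.wg.spotify.com/ads/v2/config') == 0:
        # The ads payload header carries JSON with the session id.  Assumes
        # flow.requestHeaders is dict-like; .get avoids a KeyError when the header
        # is absent -- TODO confirm the headers type.
        payload = flow.requestHeaders.get('vnd.spotify.ads-payload', '')
        # skip=14 = len('"session_id":') + the opening quote (original offset).
        emit('Spotify Session ID', between(payload, '"session_id":', '"', skip=14))
    elif url.find('https://spclient.wg.spotify.com/storage-resolve/files/audio/interactive/') == 0:
        emit('User Action: Song Opened', url_segment('audio/interactive/'))
    elif url.find('https://spclient.wg.spotify.com/storage-resolve/files/audio/interactive_prefetch') == 0:
        emit('User Action: Song Opened', url_segment('interactive_prefetch/'))
    elif url.find('https://audio-sp-dca.pscdn.co/audio') == 0:
        emit('User Action: Song Opened', url_segment('audio/'))
    elif url.find('https://audio4-ak-spotify-com.akamaized.net/audio') == 0:
        emit('User Action: Song Opened', url_segment('audio/'))
    elif url.find('https://spclient.wg.spotify.com/searchview/android/v4/assisted-curation') == 0:
        emit('User Info: Spotify Username', form('username'))
        emit('User Action: Spotify Search',
             AppDefault.fixUrlEncoding(url_segment('assisted-curation/')))
    elif url.find('https://spclient.wg.spotify.com/searchview/android/v4/search') == 0:
        emit('User Info: Spotify Username', form('username'))
        emit('User Action: Spotify Search',
             AppDefault.fixUrlEncoding(url_segment('search/')))
    elif url.find('https://spclient.wg.spotify.com/quicksilver/v2/cards') == 0:
        if flow.requestContent.find('trigger:') > -1:
            emit('User Action: Click', form('trigger'))
    elif url.find('megaphone.fm') > -1:
        emit('User Action: Podcast Opened', between(url, 'megaphone.fm/', '.mp3'))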
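def checkGetURL(flow, results):
    """Classify a YouTube-app GET and record video, ad and search artifacts.

    Two independent checks run: any URL containing 'youtube.com' yields the
    request's plid / cos / video-id fields, and a second chain matches specific
    tracking, stats and search-suggestion endpoints.  Entries are appended to
    `results` as Result.Result(flow, type, info).  Returns None.
    """
    url = flow.url

    def emit(kind, info):
        results.append(Result.Result(flow, kind, info))

    def form(key):
        return AppDefault.findFormEntry(flow.requestContent, key)

    def has(key):
        return flow.requestContent.find(key) > -1

    def between(text, marker, stop):
        """Text after the first `marker`, cut before the next `stop`.

        '' when `marker` is absent (the original sliced from index
        len(marker) - 1 and reported garbage); the whole tail when `stop` is
        absent (the original dropped the last character).
        """
        pos = text.find(marker)
        if pos == -1:
            return ''
        tail = text[pos + len(marker):]
        end = tail.find(stop)
        return tail if end == -1 else tail[:end]

    if url.find('youtube.com') > -1:
        if has('plid:'):
            emit('Youtube PLID', form('plid'))
        if has('cos:'):
            emit('System Info: OS', form('cos'))
        if has('docid:'):
            emit('Youtube Video ID', form('docid'))
        elif has('video_id:'):
            emit('Youtube Video ID', form('video_id'))
        elif has('content_v:'):
            emit('Youtube Video ID', form('content_v'))

    # This chain is independent of the 'youtube.com' test above; most of its
    # hosts (googleadservices.com, suggestqueries.google.com) would never match it.
    if url.find('https://www.googleadservices.com/pagead/conversion') == 0:
        emit('System Info: Youtube App Version', form('appversion'))
        emit('System Info: Android Version', form('osversion'))
        emit('User Info: Youtube Screen Opened', form('data.screen_name'))
        emit('User Info: Ad ID', form('rdid'))
    elif url.find('upnphost/udhisapi.dll?content=uuid:') > -1:
        emit('User Info: Youtube UUID', between(flow.requestContent, 'uuid:', '\n'))
    elif url.find('https://www.youtube.com/csi_204') == 0:
        emit('User Action: Youtube', form('action'))
        emit('System Info: Brand', form('cbrand'))
        emit('System Info: Model', form('cmodel'))
    elif url.find('https://s.youtube.com/api/stats') == 0:
        if has('state:'):
            emit('Youtube Video Status', form('state'))
        if has('referrer:'):
            emit('Youtube Video Referrer', form('referrer'))
    elif url.find('https://www.youtube.com/api/stats/ads') == 0:
        emit('Youtube Ad Video', form('ad_v'))
    elif url.find('https://www.youtube.com/gen_204') == 0:
        emit('Youtube Ad Video', form('ad_vid'))
    elif url.find('https://suggestqueries.google.com/complete/search') == 0:
        query = form('q')
        emit('User Action: Search Query', query)
        resp = flow.responseContent
        # Suggestions arrive JSON-escaped: each completion is the text between a
        # '\\u003e' (or '\\u003d' for the empty-query form) and the next backslash
        # pair, appended to the typed query.
        if len(query) > 0:
            for item in resp.split('],['):
                completion = between(item, '\\\\u003e', '\\\\')
                if len(completion) > 0:
                    emit('Youtube Search Suggestion', query + completion)
        else:
            for item in resp.split('}],['):
                completion = between(item[item.find('youtube-android'):], '\\\\u003d', '\\\\')
                if len(completion) > 0:
                    emit('Youtube Search Suggestion', query + completion)
    elif url.find('https://www.youtube.com/player_204') == 0:
        if has('event:') and form('event') == 'iv':
            emit('User Action: Youtube', 'Opened Video Info')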
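def _venmo_quoted_value(content, key):
    """Return the double-quoted string value that follows *key* in *content*.

    *key* is the raw JSON key including its colon (e.g. ``'"id":'``).  The
    body is assumed to be laid out as ``"key": "value"``, so the slice
    starts two characters past the key -- the same ``+ len(key) + 2``
    offset the original code hard-coded separately for every field.
    Returns ``''`` when *key* is absent (the original sliced from a
    meaningless ``-1 + n`` offset) and the whole remainder when no closing
    quote follows (the original silently dropped the last character).
    Only the first occurrence of *key* is used, so a same-named key inside
    a nested object would win.
    """
    start = content.find(key)
    if start < 0:
        return ''
    remainder = content[start + len(key) + 2:]
    end = remainder.find('"')
    return remainder if end < 0 else remainder[:end]


def checkGetURL(flow, results):
    """Record Venmo artifacts found in a captured GET *flow*.

    Matches ``flow.url`` against known ``api.venmo.com`` endpoints, tags
    ``flow.source`` for the ones that identify a sync/login phase, and
    appends one ``Result.Result(flow, label, info)`` per extracted item to
    *results*.  The ``/v1/account`` branch pulls the account id, phone
    number and e-mail address out of the response body, so *results* is
    personal data for whoever consumes it.

    Args:
        flow: captured request/response pair; ``url``, ``requestContent``
            and ``responseContent`` are read and ``source`` may be set.
        results: list that extracted ``Result.Result`` objects are
            appended to.
    Returns:
        None; *results* is mutated in place.
    """
    url = flow.url
    if url.startswith('https://api.venmo.com/v1/stories/target-or-actor'):
        flow.source = 'Venmo Stories Sync'
    elif (url.startswith('https://api.venmo.com/v1/stories')
            and 'target-or-actor' not in url):
        # Everything after 'stories/' is the story id; '' when the marker
        # is missing (e.g. a bare '/v1/stories?...' listing).
        results.append(Result.Result(flow, 'User Action: Viewed Story',
                                     url.partition('stories/')[2]))
    elif url == 'https://api.venmo.com/v1/account/two-factor/token':
        flow.source = 'Venmo Login'
        info = AppDefault.findJSONListNonSpaced(flow.responseContent,
                                                'devices')
        results.append(Result.Result(flow, 'User Info: 2FA Device', info))
    elif url == 'https://api.venmo.com/v1/account':
        flow.source = 'Venmo Account Sync'
        body = flow.responseContent
        # (result label, JSON key) for each profile field of interest.
        fields = (
            ('User Info: Venmo ID', '"id":'),
            ('User Info: Venmo Account Creation Time', '"date_joined":'),
            ('System Info: Phone Number', '"phone":'),
            ('User Info: Email Address', '"email":'),
            ('User Info: Venmo Zendesk ID', '"zendesk_identifier":'),
        )
        for label, key in fields:
            results.append(
                Result.Result(flow, label, _venmo_quoted_value(body, key)))
    elif url.startswith('https://api.venmo.com/v1/notifications'):
        results.append(Result.Result(flow, 'User Action: Venmo',
                                     'Checked Notifications'))
    elif url.startswith('https://api.venmo.com/v1/users?query='):
        info = AppDefault.findFormEntry(flow.requestContent, 'query')
        results.append(
            Result.Result(flow, 'User Action: Venmo Search', info))
    elif url.startswith('https://api.venmo.com/v1/users'):
        if '/friends' in url:
            # '/users/<id>/friends': the id is the path segment after '/users/'.
            profile_id = url.partition('/users/')[2].split('/', 1)[0]
            results.append(Result.Result(
                flow, 'User Action: Viewed Friends of Profile', profile_id))
        else:
            info = _venmo_quoted_value(flow.responseContent,
                                       '"display_name":')
            results.append(
                Result.Result(flow, 'User Action: Viewed Profile', info))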
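def checkPostURL(flow, results):
    """Record Slack (and Slack-embedded Bugsnag) artifacts from a POST *flow*.

    Two independent checks run in sequence: any ``slack.com/api`` request
    is tagged ``flow.source = 'Slack'`` and has its ``token``/``push_token``
    form fields recorded when they look populated (longer than 25 chars);
    then ``flow.url`` is matched against individual endpoints.  Several of
    the recorded items are live secrets -- the session token, the login
    password and the Bugsnag API key -- so *results* must be handled as
    sensitive data downstream.

    Args:
        flow: captured request/response pair; ``url``, ``requestContent``,
            ``requestHeaders`` (a mapping) and ``responseContent`` are read
            and ``source`` may be set.
        results: list that ``Result.Result(flow, label, info)`` objects are
            appended to.
    Returns:
        None; *results* is mutated in place.
    """
    url = flow.url
    request = flow.requestContent
    response = flow.responseContent

    def record(label, info):
        results.append(Result.Result(flow, label, info))

    if url.startswith('https://slack.com/api'):
        flow.source = 'Slack'
        # 25 is the original heuristic for "a real token, not an empty or
        # placeholder value"; it is not a documented Slack token length.
        for field, label in (('token', 'Slack Token'),
                             ('push_token', 'Slack Push Token')):
            value = AppDefault.findFormEntry(request, field)
            if len(value) > 25:
                record(label, value)

    if url == 'https://slack.com/api/experiments.getByVisitor':
        record('System Info: Slack Experiments', response)
    elif url == 'https://sessions.bugsnag.com/':
        if 'Bugsnag-Api-Key' in flow.requestHeaders:
            record('Bugsnag API Key', flow.requestHeaders['Bugsnag-Api-Key'])
        if AppDefault.findJSONItem(request, 'packageName') == 'com.Slack':
            flow.source = 'Slack Bugsnag'
            sessions = AppDefault.findJSONGroup(request, 'sessions')
            record('Current Slack Screen',
                   AppDefault.findJSONItem(request, 'activeScreen'))
            record('Slack Foreground Status',
                   AppDefault.findJSONItem(request, 'inForeground'))
            record('Slack Session ID',
                   AppDefault.findJSONItem(sessions, 'id'))
            record('User Info: Slack User ID',
                   AppDefault.findJSONItem(
                       AppDefault.findJSONGroup(sessions, 'user'), 'id'))
            # ' UTC' suffix kept from the original labelling; the
            # timestamp's zone is not verified here.
            record('Session Start Time',
                   AppDefault.findJSONItem(sessions, 'startedAt') + ' UTC')
            record('System Info: Model',
                   AppDefault.findJSONItem(request, 'manufacturer') + ' '
                   + AppDefault.findJSONItem(request, 'model'))
            record('System Info: OS Version',
                   AppDefault.findJSONItem(request, 'osName') + ' '
                   + AppDefault.findJSONItem(request, 'osVersion'))
    elif url == 'https://slack.com/api/auth.findTeam':
        record('User Action: Domain Lookup',
               AppDefault.findFormEntry(request, 'domain'))
    elif url == 'https://slack.com/api/auth.findUser':
        record('User Action: Login',
               AppDefault.findFormEntry(request, 'email'))
        record('User Info: Slack User ID',
               AppDefault.findJSONItem(response, 'user_id'))
    elif url == 'https://slack.com/api/auth.signin':
        record('User Info: Password',
               AppDefault.findFormEntry(request, 'password'))
        record('User Info: Slack User ID',
               AppDefault.findJSONItem(response, 'user'))
        record('User Info: Team ID',
               AppDefault.findFormEntry(request, 'team'))
        record('Slack Token', AppDefault.findJSONItem(response, 'token'))
        record('User Info: Email',
               AppDefault.findJSONItem(response, 'user_email'))
    elif url == 'https://slack.com/api/users.counts':
        # Drop the two leading characters of the list before splitting on
        # '},' (kept from the original; presumably skips the opening '[{').
        channels = AppDefault.findJSONListNonSpaced(response, 'channels')[2:]
        for channel in channels.split('},'):
            record('Slack Channel Info', channel)
    elif url == 'https://slack.com/api/conversations.history':
        record('Channel Messages Sync Channel',
               AppDefault.findFormEntry(request, 'channel'))
    elif url == 'https://slack.com/beacon/track/':
        raw = AppDefault.findFormEntry(request, 'data')
        try:
            info = base64.b64decode(raw).decode("UTF-8")
        except (ValueError, UnicodeDecodeError):
            # binascii.Error (a ValueError subclass) on bad padding or
            # characters, or a non-UTF-8 payload: record the raw field
            # instead of aborting the whole analysis on one odd beacon.
            info = raw
        record('System Info: Performance Tracking', info)
    elif url == 'https://slack.com/api/chat.postMessage':
        record('User Action: Send Message',
               'Message "' + AppDefault.findFormEntry(request, 'text')
               + '" sent to channel '
               + AppDefault.findFormEntry(request, 'channel'))
    elif url == 'https://slack.com/api/conversations.mark':
        record('User Action: Viewed Channel',
               'Viewed channel ' + AppDefault.findFormEntry(request, 'channel')
               + ' at ' + AppDefault.findFormEntry(request, 'ts'))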
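def _hulu_url_segment(url, marker, stop):
    """Return the text in *url* between *marker* and the next *stop*.

    Returns ``''`` when *marker* is absent and the whole remainder when
    *stop* never follows it.  The original used ``find`` for both and so
    sliced from a bogus offset when the marker was missing, and silently
    dropped the last character when the stop was missing (e.g. a hub URL
    with no query string).
    """
    remainder = url.partition(marker)[2]
    return remainder.split(stop, 1)[0]


def checkGetURL(flow, results):
    """Record Hulu artifacts from a captured GET *flow*.

    Always tags ``flow.source = 'Hulu'``, then matches ``flow.url`` against
    known Hulu, ``hulu.hb.omtrdc.net`` analytics-beacon, stream-manifest
    and Innovid ad endpoints.  One ``Result.Result(flow, label, info)`` is
    appended to *results* per item found.  The ``users/self`` branch
    records the user token and the manifest branch the user id, so
    *results* carries account-identifying data.

    Args:
        flow: captured request/response pair; ``url`` and
            ``requestContent`` are read and ``source`` is set.
        results: list that extracted results are appended to.
    Returns:
        None; *results* is mutated in place.
    """
    url = flow.url
    request = flow.requestContent

    def record(label, info):
        results.append(Result.Result(flow, label, info))

    flow.source = 'Hulu'
    if url.startswith('https://home.hulu.com/v1/users/self'):
        record('User Action: Hulu',
               AppDefault.findFormEntry(request, 'action'))
        record('User Info: Hulu Token',
               AppDefault.findFormEntry(request, 'user_token'))
    elif url.startswith('https://discover.hulu.com/content/v4/hubs/series'):
        record('User Action: Viewed Series',
               _hulu_url_segment(url, 'series/', '/'))
        if 'season/' in url:
            record('User Action: Viewed Season',
                   _hulu_url_segment(url, 'season/', '?'))
    elif url.startswith('https://discover.hulu.com/content/v4/search'):
        record('User Action: Hulu Search',
               AppDefault.findFormEntry(request, 'search_query'))
    elif url.startswith('https://discover.hulu.com/content/v4/hubs'):
        record('User Action: Viewed Hub',
               _hulu_url_segment(url, 'hubs/', '?'))
    elif url.startswith('https://hulu.hb.omtrdc.net'):
        # Analytics beacon; each field is optional and only recorded when
        # its key appears in the body.
        for field, label in (
                ('s:event:type', 'Hulu Event'),
                ('s:asset:name', 'User Action: Hulu Asset Name'),
                ('s:meta:a.media.show', 'User Action: Hulu Show')):
            if field in request:
                record(label, AppDefault.findFormEntry(request, field))
    elif url.startswith('https://manifest.hulustream.com/dash'):
        if 'user_id' in request:
            record('User Info: Hulu User ID',
                   AppDefault.findFormEntry(request, 'user_id'))
    elif url.startswith(('https://ag.innovid.com', 'https://s.innovid.com')):
        record('Innovid Client ID',
               AppDefault.findFormEntry(request, 'client_id'))
        record('Innovid Video ID',
               AppDefault.findFormEntry(request, 'video_id'))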
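def checkPostURL(flow, results):
    """Record Discord artifacts from a captured POST *flow*.

    Matches ``flow.url`` against ``discordapp.com/api/v6`` endpoints and
    appends ``Result.Result(flow, label, info)`` objects to *results*; some
    branches also tag ``flow.source``.  The login branch records the
    submitted e-mail and password verbatim, so *results* must be handled
    as credential material.

    Args:
        flow: captured request/response pair; ``url``, ``requestContent``
            and ``responseContent`` are read and ``source`` may be set.
        results: list that extracted results are appended to.
    Returns:
        None; *results* is mutated in place.
    """
    url = flow.url
    request = flow.requestContent
    api = 'https://discordapp.com/api/v6'

    def record(label, info):
        results.append(Result.Result(flow, label, info))

    def path_id(prefix, suffix):
        # '<prefix><id><suffix>...' -> '<id>'; '' when the prefix is absent
        # (the original sliced from a bogus offset in that case).
        return url.partition(prefix)[2].split(suffix, 1)[0]

    if url == api + '/track':
        # Batched analytics events; one result per event object.  Skipped
        # entirely when the "events" array is missing instead of slicing
        # from offset 10 of the body as the original did.
        marker = '"events": ['
        start = request.find(marker)
        if start > -1:
            # NOTE(review): this separator depends on the request body's
            # pretty-printing; indentation inside it may have been altered
            # when this file was reformatted -- verify against a capture.
            for event in request[start + len(marker):].split('},\n {'):
                record('User Action: Discord', event)
    elif url == api + '/auth/login':
        record('User Info: Discord Username',
               AppDefault.findJSONItem(request, '"email"'))
        record('User Info: Discord Password',
               AppDefault.findJSONItem(request, '"password"'))
    elif url == api + '/users/@me/relationships':
        record('User Action: Discord User Search',
               AppDefault.findJSONItem(request, '"username"') + '#'
               + AppDefault.findJSONItem(request, '"discriminator"'))
    elif url == api + '/guilds':
        record('User Action: Create Discord Channel',
               AppDefault.findJSONItem(request, '"name"'))
    elif url.startswith(api + '/guilds') and 'delete' in url:
        flow.source = 'Discord Server Delete'
        record('Discord Channel', path_id('guilds/', '/delete'))
    elif url.startswith(api + '/channels') and 'typing' in url:
        flow.source = 'Discord Message Typing'
        record('Discord Channel', path_id('channels/', '/typing'))
    elif url.startswith(api + '/channels') and 'messages' in url:
        flow.source = 'Discord Message Sent'
        record('Discord Channel', path_id('channels/', '/messages'))
        if 'content:' in request:
            record('Message', AppDefault.findFormEntry(request, 'content'))
    elif url.startswith(api + '/invite'):
        flow.source = 'Discord Server Invite'
        # The guild id is the first "id" after the "guild" object starts;
        # nothing is recorded when either marker is missing.
        guild = flow.responseContent.partition('"guild"')[2]
        marker = '"id":'
        start = guild.find(marker)
        if start > -1:
            # + 2 skips the ': "' between key and value, as the original did.
            value = guild[start + len(marker) + 2:]
            record('Discord Channel', value.split('"', 1)[0])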
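def _linkedin_quoted_value(content, key):
    """Return the quoted string after *key* (e.g. ``'"osVersion":'``) in *content*.

    Assumes the body is laid out as ``"key": "value"``: the slice starts
    two characters past the key, exactly the per-field ``+ len(key) + 2``
    offsets the original hard-coded.  Returns ``''`` when the key is absent
    and the whole remainder when no closing quote follows (the original
    dropped the last character in that case).
    """
    start = content.find(key)
    if start < 0:
        return ''
    remainder = content[start + len(key) + 2:]
    end = remainder.find('"')
    return remainder if end < 0 else remainder[:end]


def checkPostURL(flow, results):
    """Record LinkedIn artifacts from a captured POST *flow*.

    Three groups of checks run in order: any ``linkedin.com`` POST is
    tagged and its tracking token recorded; ``/li/track`` beacons yield
    device and client-event details; then the Voyager API endpoints are
    matched one by one.  Each item becomes a
    ``Result.Result(flow, label, info)`` appended to *results*.  The
    ``uas/authenticate`` branch records the username, password and session
    cookie verbatim, so *results* is credential material and must be
    stored and shared accordingly.

    Args:
        flow: captured request/response pair; ``url`` and
            ``requestContent`` are read and ``source`` may be set.
        results: list that extracted results are appended to.
    Returns:
        None; *results* is mutated in place.
    """
    url = flow.url
    request = flow.requestContent
    voyager = 'https://www.linkedin.com/voyager/api/'

    def record(label, info):
        results.append(Result.Result(flow, label, info))

    if url.startswith('https://www.linkedin.com'):
        flow.source = 'LinkedIn'
        if '"trackingToken":' in request:
            record('LinkedIn Tracking Token',
                   _linkedin_quoted_value(request, '"trackingToken":'))

    if url.startswith('https://www.linkedin.com/li/track'):
        flow.source = 'LinkedIn Tracker'
        for key, label in (
                ('"advertiserId":', 'Ad ID'),
                ('"appState":', 'System Info: LinkedIn App State'),
                ('"connectionType":', 'System Info: Connection Type'),
                ('"deviceModel":', 'System Info: Model'),
                ('"osVersion":', 'System Info: OS Version')):
            if key in request:
                record(label, _linkedin_quoted_value(request, key))
        if 'clientEventStats' in request:
            # NOTE(review): the ' },\n {' separator depends on the body's
            # pretty-printing; whitespace inside it may have been altered
            # when this file was reformatted -- verify against a capture.
            stats = AppDefault.findJSONListNonSpaced(request,
                                                     'clientEventStats')
            for stat in stats.split(' },\n {'):
                record('LinkedIn Client Event Stats', stat)
        # Walk every "eventBody" object; each result spans from one
        # "eventBody" key up to the start of the next one.
        # NOTE(review): in the original this walk may have been nested
        # under the clientEventStats check above; it is kept unconditional
        # here because it is a no-op when no "eventBody" is present.
        event_key = '"eventBody":'
        next_event = ' {\n "eventBody":'  # same pretty-print caveat as above
        body = request
        while True:
            start = body.find(event_key)
            if start < 0:
                break
            body = body[start:]
            end = body.find(next_event)
            # The last event has no successor: take the remainder instead
            # of dropping its final character as the original slice did.
            record('LinkedIn Client Event', body if end < 0 else body[:end])
            body = body[len(event_key):]
    elif url.startswith('https://www.linkedin.com/uas/authenticate'):
        flow.source = 'LinkedIn Login'
        record('User Info: Username',
               AppDefault.findFormEntry(request, 'session_key'))
        record('User Info: Password',
               AppDefault.findFormEntry(request, 'session_password'))
        record('LinkedIn Session ID',
               AppDefault.findFormEntry(request, 'JSESSIONID'))
    elif url.startswith(voyager + 'pushRegistration'):
        if '"pushNotificationTokens":' in request:
            raw = AppDefault.findJSONListNonSpaced(request,
                                                   'pushNotificationTokens')
            # One result per token.  The original's multi-token loop never
            # appended inside the loop and left stray quote/bracket
            # characters on each element; strip the list brackets, then
            # each element's surrounding whitespace and quotes.
            for token in raw.strip().strip('[]').split(','):
                token = token.strip().strip('"')
                if token:
                    record('LinkedIn Push Notification Token', token)
    elif url.startswith(voyager + 'growth/contacts?action=uploadContacts'):
        flow.source = 'LinkedIn Contacts Upload'
        # Address-book upload: one result per contact object (pretty-print
        # separator caveat as above).
        for contact in request.split(' },\n {'):
            if '"fullName":' in contact:
                record('User Info: Contact', contact)
    elif url.startswith(voyager + 'mux'):
        # Multiplexed profile edit: keep the body from the "requests" key
        # up to the "dependentRequests" key; '' when "requests" is absent.
        start = request.find('"requests":')
        info = request[start:] if start > -1 else ''
        record('User Action: Update Profile',
               info.split('"dependentRequests":', 1)[0])
    elif url.startswith(voyager + 'feed/follows?action=unfollow'):
        record('User Action: LinkedIn Unfollow',
               _linkedin_quoted_value(request, '"urn":'))
    elif (url.startswith(voyager + 'identity/profiles')
            and 'normSkills' in url):
        record('User Action: Add Skill',
               AppDefault.findJSONListNonSpaced(request, 'elements'))
    elif url.startswith(voyager + 'messaging/conversations'):
        if 'conversations?' in url:
            record('User Action: LinkedIn', 'Viewed Conversations')
        else:
            # '/conversations/<id>[/...][?...]': cut at whichever of '/'
            # or '?' comes first (the original kept a trailing '/...' when
            # the URL had no query string).
            conversation = url.partition('conversations/')[2]
            for sep in ('/', '?'):
                conversation = conversation.split(sep, 1)[0]
            record('User Action: Viewed LinkedIn Conversation', conversation)
    elif url.startswith(voyager + 'contentcreation'):
        record('User Action: LinkedIn Post',
               _linkedin_quoted_value(request, '"text":'))
    elif url.startswith(voyager + 'relationships/invitations'):
        # '/invitations/<inviter>?action=<verb>&...'
        inviter = url.partition('invitations/')[2].split('?', 1)[0]
        action = url.partition('?action=')[2].split('&', 1)[0]
        record('User Action: Invitation Response', inviter + ': ' + action)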
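def checkPostURL(flow, results):
    """Record YouTube artifacts from a captured POST *flow*.

    First, any ``youtubei.googleapis.com`` request carrying ``key=`` in
    its URL has that API key recorded.  Then ``flow.url`` is matched
    against the individual ``youtubei`` endpoints (search, browse, playlist
    edits, share panel) and the ``error_204`` beacon.  Request bodies are
    read as the tool's protobuf-style text dump, so field lookups are plain
    string markers followed by the value up to the next newline.

    NOTE(review): several markers below (``'2 {\\n 2: '`` and the
    ``' }\\n }\\n }\\n 2: '`` family) are shorter than the offsets applied
    after them (31 and 40 characters), which strongly suggests the
    indentation inside those literals was collapsed when this file was
    reformatted.  The values are kept as found; confirm them against a
    real capture before relying on these branches.

    Args:
        flow: captured request/response pair; ``url`` and
            ``requestContent`` are read and ``source`` may be set.
        results: list that ``Result.Result(flow, label, info)`` objects are
            appended to.
    Returns:
        None; *results* is mutated in place.
    """
    url = flow.url
    request = flow.requestContent
    api = 'https://youtubei.googleapis.com/youtubei'
    # Marker that precedes the primary value in several browse/playlist
    # bodies; 31 is the original skip past it (see the NOTE above).
    nested_marker = ' }\n }\n }\n 2: '
    nested_skip = 31

    def record(label, info):
        results.append(Result.Result(flow, label, info))

    def first_line_after(text, marker, skip):
        # Value following *marker* + *skip* chars up to the next newline;
        # '' when the marker is absent (the original sliced from -1 + skip).
        start = text.find(marker)
        if start < 0:
            return ''
        return text[start + skip:].split('\n', 1)[0]

    if url.startswith(api) and 'key=' in url:
        # First 'key=' in the URL; the original did not anchor it to a
        # '?'/'&' boundary and neither does this.
        record('User Info: Google API Key',
               url.partition('key=')[2].split('&', 1)[0])

    if url.startswith(api + '/v1/search'):
        group = AppDefault.findJSONGroup(request, '16')
        record('User Action: Youtube Search',
               first_line_after(group, '4: ', 3))
    elif url.startswith('https://www.youtube.com/error_204'):
        # The original assigned a bare `source` local and read an undefined
        # `requestContent` name here, so this branch raised NameError.
        flow.source = 'Youtube Error'
        record('Youtube Error Message',
               AppDefault.findFormEntry(request, 'exception.message'))
    elif url.startswith(api + '/v1/browse/edit_playlist'):
        flow.source = 'Youtube Playlist Edit'
        if '2 {\n 2: ' in request:
            tail = request[request.find('2 {\n 2: '):]
            record('Youtube Video ID', first_line_after(tail, '2: ', 3))
        elif '2 {\n 6: ' in request:
            tail = request[request.find('2 {\n 6: '):]
            record('Youtube Video ID', first_line_after(tail, '17: ', 4))
        if ' }\n }\n }\n 2 {' in request:
            # 40 is the original skip past this marker (see the NOTE above).
            tail = request[request.find(' }\n }\n }\n 2 {') + 40:]
            record('Youtube Playlist', first_line_after(tail, '3: ', 3))
    elif url.startswith(api + '/v1/browse'):
        if nested_marker in request:
            record('User Action: Youtube Browsing',
                   first_line_after(request, nested_marker, nested_skip))
    elif url.startswith(api + '/v1/share/get_share_panel'):
        record('User Action: Youtube', 'Opened share panel')
    elif url.startswith(api + '/v1/playlist/get_add_to_playlist'):
        if nested_marker in request:
            record('User Action: Add Video to Playlist',
                   first_line_after(request, nested_marker, nested_skip))
    elif url.startswith(api + '/v1/playlist/create'):
        if nested_marker in request:
            record('User Action: Create Playlist',
                   first_line_after(request, nested_marker, nested_skip))
    elif url.startswith(api + '/v1/playlist/delete'):
        if nested_marker in request:
            record('User Action: Delete Playlist',
                   first_line_after(request, nested_marker, nested_skip))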