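def checkPostURL(flow, results):
    """Record Slack artefacts found in one captured POST flow.

    Matches ``flow.url`` against the Slack and Bugsnag endpoints handled
    below and appends one ``Result.Result(flow, kind, info)`` per artefact
    to ``results``.  ``flow.source`` is set to ``'Slack'`` for any
    ``https://slack.com/api`` request and to ``'Slack Bugsnag'`` for a
    Bugsnag session report whose ``packageName`` is ``com.Slack``.

    Args:
        flow: captured flow; ``url``, ``requestContent``, ``responseContent``
            and ``requestHeaders`` are read, ``source`` may be written.
        results: list of ``Result.Result`` entries, extended in place.

    Returns:
        None.
    """
    url = flow.url

    def add(kind, info):
        # Every finding goes through the same constructor; keeping it in one
        # place lets the endpoint branches below read as a flat table.
        results.append(Result.Result(flow, kind, info))

    if url.startswith('https://slack.com/api'):
        flow.source = 'Slack'
        # The > 25 length threshold is the original author's heuristic for
        # telling a real token apart from an empty or placeholder form value.
        for field, kind in (('token', 'Slack Token'),
                            ('push_token', 'Slack Push Token')):
            value = AppDefault.findFormEntry(flow.requestContent, field)
            if len(value) > 25:
                add(kind, value)

    if url == 'https://slack.com/api/experiments.getByVisitor':
        add('System Info: Slack Experiments', flow.responseContent)

    elif url == 'https://sessions.bugsnag.com/':
        if 'Bugsnag-Api-Key' in flow.requestHeaders:
            add('Bugsnag API Key', flow.requestHeaders['Bugsnag-Api-Key'])
        request = flow.requestContent
        if AppDefault.findJSONItem(request, 'packageName') == 'com.Slack':
            flow.source = 'Slack Bugsnag'
            # The 'sessions' group is looked up once and reused for the
            # three session fields below.
            sessions = AppDefault.findJSONGroup(request, 'sessions')
            add('Current Slack Screen',
                AppDefault.findJSONItem(request, 'activeScreen'))
            add('Slack Foreground Status',
                AppDefault.findJSONItem(request, 'inForeground'))
            add('Slack Session ID', AppDefault.findJSONItem(sessions, 'id'))
            add('User Info: Slack User ID',
                AppDefault.findJSONItem(
                    AppDefault.findJSONGroup(sessions, 'user'), 'id'))
            add('Session Start Time',
                AppDefault.findJSONItem(sessions, 'startedAt') + ' UTC')
            make = AppDefault.findJSONItem(request, 'manufacturer')
            model = AppDefault.findJSONItem(request, 'model')
            add('System Info: Model', make + ' ' + model)
            add('System Info: OS Version',
                AppDefault.findJSONItem(request, 'osName') + ' '
                + AppDefault.findJSONItem(request, 'osVersion'))

    elif url == 'https://slack.com/api/auth.findTeam':
        add('User Action: Domain Lookup',
            AppDefault.findFormEntry(flow.requestContent, 'domain'))

    elif url == 'https://slack.com/api/auth.findUser':
        add('User Action: Login',
            AppDefault.findFormEntry(flow.requestContent, 'email'))
        add('User Info: Slack User ID',
            AppDefault.findJSONItem(flow.responseContent, 'user_id'))

    elif url == 'https://slack.com/api/auth.signin':
        # The submitted password and the issued token are recorded verbatim,
        # so ``results`` holds credentials from here on; downstream storage
        # of the list should treat it as sensitive.
        add('User Info: Password',
            AppDefault.findFormEntry(flow.requestContent, 'password'))
        add('User Info: Slack User ID',
            AppDefault.findJSONItem(flow.responseContent, 'user'))
        add('User Info: Team ID',
            AppDefault.findFormEntry(flow.requestContent, 'team'))
        add('Slack Token',
            AppDefault.findJSONItem(flow.responseContent, 'token'))
        add('User Info: Email',
            AppDefault.findJSONItem(flow.responseContent, 'user_email'))

    elif url == 'https://slack.com/api/users.counts':
        channels = AppDefault.findJSONListNonSpaced(flow.responseContent,
                                                    'channels')
        # The first two characters are skipped before splitting on '},'
        # (kept from the original; presumably the list's opening bracket and
        # brace -- confirm against findJSONListNonSpaced's output).
        for channel in channels[2:].split('},'):
            add('Slack Channel Info', channel)

    elif url == 'https://slack.com/api/conversations.history':
        add('Channel Messages Sync Channel',
            AppDefault.findFormEntry(flow.requestContent, 'channel'))

    elif url == 'https://slack.com/beacon/track/':
        raw = AppDefault.findFormEntry(flow.requestContent, 'data')
        try:
            info = base64.b64decode(raw).decode("UTF-8")
        except (TypeError, ValueError):
            # binascii.Error and UnicodeDecodeError are both ValueErrors: a
            # malformed or non-text payload is kept verbatim instead of
            # aborting the whole analysis run on one bad flow.
            info = raw
        add('System Info: Performance Tracking', info)

    elif url == 'https://slack.com/api/chat.postMessage':
        text = AppDefault.findFormEntry(flow.requestContent, 'text')
        channel = AppDefault.findFormEntry(flow.requestContent, 'channel')
        add('User Action: Send Message',
            'Message "' + text + '" sent to channel ' + channel)

    elif url == 'https://slack.com/api/conversations.mark':
        channel = AppDefault.findFormEntry(flow.requestContent, 'channel')
        ts = AppDefault.findFormEntry(flow.requestContent, 'ts')
        add('User Action: Viewed Channel',
            'Viewed channel ' + channel + ' at ' + ts)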
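# Marker that precedes the value line in several youtubei request bodies.
_YT_BLOCK_END = ' }\n }\n }\n 2: '
# NOTE(review): the original skips 31 characters from the marker start, which
# is not len(_YT_BLOCK_END) as the literal appears here; the literal may have
# lost whitespace when the file was reformatted -- verify both against a
# real capture before relying on the extracted value.
_YT_BLOCK_END_SKIP = 31


def _yt_first_line(text):
    """Return ``text`` up to (not including) its first newline.

    Unlike ``text[:text.find('\\n')]`` this keeps the whole string when there
    is no newline instead of silently dropping the last character.
    """
    return text.partition('\n')[0]


def _yt_value_after_block_end(content):
    """Return the value line that follows ``_YT_BLOCK_END`` in ``content``.

    Returns None when the marker is absent so callers can skip the finding.
    """
    start = content.find(_YT_BLOCK_END)
    if start < 0:
        return None
    return _yt_first_line(content[start + _YT_BLOCK_END_SKIP:])


def checkPostURL(flow, results):
    """Record YouTube artefacts found in one captured POST flow.

    Matches ``flow.url`` against the youtubei endpoints handled below and
    appends one ``Result.Result(flow, kind, info)`` per artefact to
    ``results``.  ``flow.source`` is set for the error and playlist-edit
    endpoints.

    Args:
        flow: captured flow; ``url`` and ``requestContent`` are read,
            ``source`` may be written.
        results: list of ``Result.Result`` entries, extended in place.

    Returns:
        None.
    """
    url = flow.url
    youtubei = 'https://youtubei.googleapis.com/youtubei'

    def add(kind, info):
        results.append(Result.Result(flow, kind, info))

    if url.startswith(youtubei) and 'key=' in url:
        # Substring match kept from the original: the value after the first
        # 'key=' up to the next '&' (or the end of the URL).
        api_key = url[url.find('key=') + 4:].split('&', 1)[0]
        add('User Info: Google API Key', api_key)

    if url.startswith(youtubei + '/v1/search'):
        group = AppDefault.findJSONGroup(flow.requestContent, '16')
        # Kept from the original: when '4: ' is absent find() yields -1 and
        # the slice starts at index 2.
        query = group[group.find('4: ') + 3:]
        add('User Action: Youtube Search', _yt_first_line(query))

    elif url.startswith('https://www.youtube.com/error_204'):
        # The original assigned a dead local ``source`` and read an undefined
        # ``requestContent`` (NameError on this path); both fixed here, with
        # ``flow.source`` set as the sibling branches do.
        flow.source = 'Youtube Error'
        add('Youtube Error Message',
            AppDefault.findFormEntry(flow.requestContent, 'exception.message'))

    elif url.startswith(youtubei + '/v1/browse/edit_playlist'):
        # Must stay ahead of the generic '/v1/browse' prefix branch below.
        flow.source = 'Youtube Playlist Edit'
        content = flow.requestContent
        if '2 {\n 2: ' in content:
            tail = content[content.find('2 {\n 2: '):]
            video_id = tail[tail.find('2: ') + 3:]
            add('Youtube Video ID', _yt_first_line(video_id))
        elif '2 {\n 6: ' in content:
            tail = content[content.find('2 {\n 6: '):]
            video_id = tail[tail.find('17: ') + 4:]
            add('Youtube Video ID', _yt_first_line(video_id))
        if ' }\n }\n }\n 2 {' in content:
            # +40 is the original's skip past this marker; as with
            # _YT_BLOCK_END_SKIP it should be checked against the literal.
            tail = content[content.find(' }\n }\n }\n 2 {') + 40:]
            playlist = tail[tail.find('3: ') + 3:]
            add('Youtube Playlist', _yt_first_line(playlist))

    elif url.startswith(youtubei + '/v1/browse'):
        value = _yt_value_after_block_end(flow.requestContent)
        if value is not None:
            add('User Action: Youtube Browsing', value)

    elif url.startswith(youtubei + '/v1/share/get_share_panel'):
        add('User Action: Youtube', 'Opened share panel')

    elif url.startswith(youtubei + '/v1/playlist/get_add_to_playlist'):
        value = _yt_value_after_block_end(flow.requestContent)
        if value is not None:
            add('User Action: Add Video to Playlist', value)

    elif url.startswith(youtubei + '/v1/playlist/create'):
        value = _yt_value_after_block_end(flow.requestContent)
        if value is not None:
            add('User Action: Create Playlist', value)

    elif url.startswith(youtubei + '/v1/playlist/delete'):
        value = _yt_value_after_block_end(flow.requestContent)
        if value is not None:
            add('User Action: Delete Playlist', value)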