def checkGetURL(flow, results):
    """Classify a captured Venmo GET and record what it reveals.

    Dispatches on ``flow.url``; a branch may set ``flow.source`` and appends
    ``Result.Result(flow, type, info)`` entries to ``results`` (mutated in
    place; nothing is returned).

    Args:
        flow: captured request/response; reads ``url``, ``requestContent``
            and ``responseContent``, writes ``source``.
        results: list that receives the Result objects.

    Notes:
        The body was recovered from a whitespace-collapsed source, so the
        structure below is reconstructed from syntax; check it against the
        upstream file before relying on it.
        Fields are cut out of ``responseContent`` with fixed offsets past a
        ``"key":`` marker, which assumes a ``"key": "value"`` layout. If the
        marker is absent ``find`` returns -1 and the slice yields unrelated
        text rather than failing.
        The account branch records phone number, e-mail and account ids, so
        ``results`` holds personal data.
        ``type`` shadows the builtin; kept for consistency with the sibling
        parsers.
    """
    if (flow.url.find('https://api.venmo.com/v1/stories/target-or-actor') == 0 ):
        flow.source = 'Venmo Stories Sync'
    elif (flow.url.find('https://api.venmo.com/v1/stories') == 0 and flow.url.find('target-or-actor') == -1):
        type = 'User Action: Viewed Story'
        # Story id is whatever follows 'stories/' in the URL (8 = len('stories/')).
        info = flow.url[flow.url.find('stories/') + 8:]
        results.append(Result.Result(flow, type, info))
    elif (flow.url == 'https://api.venmo.com/v1/account/two-factor/token'):
        flow.source = 'Venmo Login'
        type = 'User Info: 2FA Device'
        info = AppDefault.findJSONListNonSpaced(flow.responseContent, 'devices')
        results.append(Result.Result(flow, type, info))
    elif (flow.url == 'https://api.venmo.com/v1/account'):
        flow.source = 'Venmo Account Sync'
        # Each offset is len('"key":') + 2, i.e. just past ': "'.
        type = 'User Info: Venmo ID'
        info = flow.responseContent[flow.responseContent.find('"id":') + 7:]
        info = info[:info.find('"')]
        results.append(Result.Result(flow, type, info))
        type = 'User Info: Venmo Account Creation Time'
        info = flow.responseContent[flow.responseContent.find('"date_joined":') + 16:]
        info = info[:info.find('"')]
        results.append(Result.Result(flow, type, info))
        type = 'System Info: Phone Number'
        info = flow.responseContent[flow.responseContent.find('"phone":') + 10:]
        info = info[:info.find('"')]
        results.append(Result.Result(flow, type, info))
        type = 'User Info: Email Address'
        info = flow.responseContent[flow.responseContent.find('"email":') + 10:]
        info = info[:info.find('"')]
        results.append(Result.Result(flow, type, info))
        type = 'User Info: Venmo Zendesk ID'
        info = flow.responseContent[flow.responseContent.find('"zendesk_identifier":') + 23:]
        info = info[:info.find('"')]
        results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://api.venmo.com/v1/notifications') == 0):
        type = 'User Action: Venmo'
        info = 'Checked Notifications'
        results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://api.venmo.com/v1/users?query=') == 0):
        type = 'User Action: Venmo Search'
        info = AppDefault.findFormEntry(flow.requestContent, 'query')
        results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://api.venmo.com/v1/users') == 0 and flow.url.find('/friends') == -1):
        type = 'User Action: Viewed Profile'
        info = flow.responseContent[flow.responseContent.find('"display_name":') + 17:]
        info = info[:info.find('"')]
        results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://api.venmo.com/v1/users') == 0 and flow.url.find('/friends') > -1):
        type = 'User Action: Viewed Friends of Profile'
        # Profile id sits between '/users/' and the next '/' in the URL.
        info = flow.url[flow.url.find('/users/') + 7:]
        info = info[:info.find('/')]
        results.append(Result.Result(flow, type, info))
def checkPostURL(flow, results):
    """Classify a captured LinkedIn POST and record what it reveals.

    Dispatches on ``flow.url``; a branch may set ``flow.source`` and appends
    ``Result.Result(flow, type, info)`` entries to ``results`` (mutated in
    place; nothing is returned).

    Args:
        flow: captured request/response; reads ``url`` and
            ``requestContent``, writes ``source``.
        results: list that receives the Result objects.

    Notes:
        The body was recovered from a whitespace-collapsed source, so the
        structure below is reconstructed from syntax, and string literals
        that held runs of whitespace (the brace-and-newline separators passed
        to ``split``/``find``) may differ from the upstream file — verify
        them there.
        Fields are cut out of ``requestContent`` with fixed offsets past a
        ``"key":`` marker (assumes ``"key": "value"`` layout); if the marker
        is absent ``find`` returns -1 and the slice yields unrelated text
        rather than failing.
        The login branch records the username, password and session id, so
        ``results`` holds credentials.
        ``type`` shadows the builtin; kept for consistency with the sibling
        parsers.
    """
    if (flow.url.find('https://www.linkedin.com') == 0):
        flow.source = 'LinkedIn'
        if (flow.requestContent.find('"trackingToken":') > -1):
            type = 'LinkedIn Tracking Token'
            # 18 = len('"trackingToken":') + 2, i.e. just past ': "'.
            info = flow.requestContent[flow.requestContent.find('"trackingToken":') + 18:]
            info = info[:info.find('"')]
            results.append(Result.Result(flow, type, info))
    # Second, independent chain: the generic 'LinkedIn' source set above may
    # be replaced by a more specific one here.
    if (flow.url.find('https://www.linkedin.com/li/track') == 0):
        flow.source = 'LinkedIn Tracker'
        if (flow.requestContent.find('"advertiserId":') > -1):
            type = 'Ad ID'
            info = flow.requestContent[flow.requestContent.find('"advertiserId":') + 17:]
            info = info[:info.find('"')]
            results.append(Result.Result(flow, type, info))
        if (flow.requestContent.find('"appState":') > -1):
            type = 'System Info: LinkedIn App State'
            info = flow.requestContent[flow.requestContent.find('"appState":') + 13:]
            info = info[:info.find('"')]
            results.append(Result.Result(flow, type, info))
        if (flow.requestContent.find('"connectionType":') > -1):
            type = 'System Info: Connection Type'
            info = flow.requestContent[flow.requestContent.find('"connectionType":') + 19:]
            info = info[:info.find('"')]
            results.append(Result.Result(flow, type, info))
        if (flow.requestContent.find('"deviceModel":') > -1):
            type = 'System Info: Model'
            info = flow.requestContent[flow.requestContent.find('"deviceModel":') + 16:]
            info = info[:info.find('"')]
            results.append(Result.Result(flow, type, info))
        if (flow.requestContent.find('"osVersion":') > -1):
            type = 'System Info: OS Version'
            info = flow.requestContent[flow.requestContent.find('"osVersion":') + 14:]
            info = info[:info.find('"')]
            results.append(Result.Result(flow, type, info))
        if (flow.requestContent.find('clientEventStats') > -1):
            type = 'LinkedIn Client Event Stats'
            # One Result per array element, split textually on the
            # pretty-printed object separator.
            for info in AppDefault.findJSONListNonSpaced(flow.requestContent, 'clientEventStats').split(' },\n {'):
                results.append(Result.Result(flow, type, info))
        body = flow.requestContent
        type = 'LinkedIn Client Event'
        # Walk every "eventBody" occurrence; body[20:] steps past the current
        # marker so the next find() moves on.
        while body.find('"eventBody":') > -1:
            body = body[body.find('"eventBody":'):]
            #info = AppDefault.findJSONSection(body, 'eventBody')
            # NOTE(review): when this separator is absent find() gives -1 and
            # the slice is body[:-1], i.e. nearly the whole remaining body.
            info = body[:body.find(' {\n "eventBody":')]
            results.append(Result.Result(flow, type, info))
            body = body[20:]
    elif (flow.url.find('https://www.linkedin.com/uas/authenticate') == 0):
        flow.source = 'LinkedIn Login'
        type = 'User Info: Username'
        info = AppDefault.findFormEntry(flow.requestContent, 'session_key')
        results.append(Result.Result(flow, type, info))
        type = 'User Info: Password'
        info = AppDefault.findFormEntry(flow.requestContent, 'session_password')
        results.append(Result.Result(flow, type, info))
        type = 'LinkedIn Session ID'
        info = AppDefault.findFormEntry(flow.requestContent, 'JSESSIONID')
        results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://www.linkedin.com/voyager/api/pushRegistration') == 0):
        if (flow.requestContent.find('"pushNotificationTokens":') > -1):
            type = 'LinkedIn Push Notification Token'
            # NOTE(review): indentation was lost in the source. As
            # reconstructed, the multi-token loop only trims each token and
            # the single append after the if/else records just the last one
            # (trimmed a second time); confirm the intended nesting upstream.
            if (AppDefault.findJSONListNonSpaced(flow.requestContent, 'pushNotificationTokens').find(',') > -1):
                for info in AppDefault.findJSONListNonSpaced(flow.requestContent, 'pushNotificationTokens').split(','):
                    info = info.strip()
                    info = info[1:len(info) - 1]
            else:
                # Single token: drop the surrounding '[' ']' here, the quotes below.
                info = AppDefault.findJSONListNonSpaced(flow.requestContent, 'pushNotificationTokens')
                info = info[1:len(info) - 1]
            info = info.strip()
            info = info[1:len(info) - 1]
            results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://www.linkedin.com/voyager/api/growth/contacts?action=uploadContacts') == 0):
        flow.source = 'LinkedIn Contacts Upload'
        type = 'User Info: Contact'
        # One Result per uploaded contact object that carries a fullName.
        for info in flow.requestContent.split(' },\n {'):
            if (info.find('"fullName":') > -1):
                results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://www.linkedin.com/voyager/api/mux') == 0):
        type = 'User Action: Update Profile'
        # Keep the "requests" section up to the "dependentRequests" key.
        info = flow.requestContent[flow.requestContent.find('"requests":'):]
        info = info[:info.find('"dependentRequests":')]
        results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://www.linkedin.com/voyager/api/feed/follows?action=unfollow') == 0):
        type = 'User Action: LinkedIn Unfollow'
        info = flow.requestContent[flow.requestContent.find('"urn":') + 8:]
        info = info[:info.find('"')]
        results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://www.linkedin.com/voyager/api/identity/profiles') == 0 and flow.url.find('normSkills') > -1):
        type = 'User Action: Add Skill'
        info = AppDefault.findJSONListNonSpaced(flow.requestContent, 'elements')
        results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://www.linkedin.com/voyager/api/messaging/conversations') == 0):
        if (flow.url.find('conversations?') > -1):
            type = 'User Action: LinkedIn'
            info = 'Viewed Conversations'
        else:
            type = 'User Action: Viewed LinkedIn Conversation'
            # Conversation id: text after 'conversations/' up to the first
            # '/' (if it precedes the query string) or '?'.
            info = flow.url[flow.url.find('conversations/') + 14:]
            if (info.find('/') > -1 and info.find('/') < info.find('?')):
                info = info[:info.find('/')]
            elif (info.find('?') > -1):
                info = info[:info.find('?')]
        results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://www.linkedin.com/voyager/api/contentcreation') == 0):
        type = 'User Action: LinkedIn Post'
        info = flow.requestContent[flow.requestContent.find('"text":') + 9:]
        info = info[:info.find('"')]
        results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://www.linkedin.com/voyager/api/relationships/invitations') == 0):
        type = 'User Action: Invitation Response'
        # Both the inviter id and the action come from the URL, not the body.
        inviterid = flow.url[flow.url.find('invitations/') + 12:]
        inviterid = inviterid[:inviterid.find('?')]
        action = flow.url[flow.url.find('?action=') + 8:]
        action = action[:action.find('&')]
        info = inviterid + ': ' + action
        results.append(Result.Result(flow, type, info))
def checkPostURL(flow, results):
    """Classify a captured Venmo POST and record what it reveals.

    Dispatches on ``flow.url``; a branch may set ``flow.source`` and appends
    ``Result.Result(flow, type, info)`` entries to ``results`` (mutated in
    place; nothing is returned).

    Args:
        flow: captured request/response; reads ``url``, ``requestContent``
            and ``responseContent``, writes ``source``.
        results: list that receives the Result objects.

    Notes:
        The body was recovered from a whitespace-collapsed source, so the
        structure below is reconstructed from syntax, and the literal passed
        to ``split`` in the contacts branch may have lost whitespace — verify
        against the upstream file.
        Fields are cut out of the body with fixed offsets past a ``"key":``
        marker (assumes ``"key": "value"`` layout); if the marker is absent
        ``find`` returns -1 and the slice yields unrelated text rather than
        failing.
        The login branch records the username, password and access token, so
        ``results`` holds credentials.
        ``type`` shadows the builtin; kept for consistency with the sibling
        parsers.
    """
    if (flow.url.find('https://api.venmo.com') == 0):
        flow.source = 'Venmo'
    if (flow.url == 'https://api.venmo.com/v1/oauth/access_token'):
        flow.source = 'Venmo Login'
        # NOTE(review): the two conditions below were garbled ('******') in
        # the source; ') > -1): type = ' is reconstructed from the identical
        # checks that follow.
        if (flow.requestContent.find('phone_email_or_username:') > -1):
            type = 'Venmo Username'
            info = AppDefault.findFormEntry(flow.requestContent, 'phone_email_or_username')
            results.append(Result.Result(flow, type, info))
        if (flow.requestContent.find('password:') > -1):
            type = 'Venmo Password'
            info = AppDefault.findFormEntry(flow.requestContent, 'password')
            results.append(Result.Result(flow, type, info))
        if (flow.responseContent.find('"access_token":') > -1):
            type = 'Venmo Access Token'
            info = flow.responseContent[flow.responseContent.find('"access_token":') + 17:]
            info = info[:info.find('"')]
            results.append(Result.Result(flow, type, info))
        if (flow.responseContent.find('"id":') > -1):
            # NOTE(review): this label repeats the one above although the
            # field extracted is "id"; presumably an id label was intended —
            # confirm before relying on it.
            type = 'Venmo Access Token'
            info = flow.responseContent[flow.responseContent.find('"id":') + 7:]
            info = info[:info.find('"')]
            results.append(Result.Result(flow, type, info))
    elif (flow.url == 'https://api.venmo.com/v1/account/two-factor/token'):
        flow.source = 'Venmo Login'
        type = 'User Action: 2FA Sent'
        # 'via' is the delivery channel chosen for the second factor.
        info = AppDefault.findFormEntry(flow.requestContent, 'via')
        results.append(Result.Result(flow, type, info))
    elif (flow.url == 'https://api.venmo.com/v1/users/devices'):
        type = 'User Info: Location'
        info = flow.responseContent[flow.responseContent.find('"location":') + 13:]
        info = info[:info.find('"')]
        results.append(Result.Result(flow, type, info))
        type = 'User Info: Venmo Client'
        info = flow.responseContent[flow.responseContent.find('"browser":') + 12:]
        info = info[:info.find('"')]
        results.append(Result.Result(flow, type, info))
        type = 'System Info: Venmo ID'
        # Numeric field: terminated by ',' rather than '"'.
        info = flow.responseContent[flow.responseContent.find('"id":') + 7:]
        info = info[:info.find(',')]
        results.append(Result.Result(flow, type, info))
        type = 'User Action: Venmo Device Login Time'
        info = flow.responseContent[flow.responseContent.find('"created_at":') + 15:]
        info = info[:info.find('"')]
        results.append(Result.Result(flow, type, info))
    elif (flow.url == 'https://api.venmo.com/v1/device-tokens/android'):
        type = 'System Info: Venmo Token'
        info = AppDefault.findFormEntry(flow.requestContent, 'device_token')
        results.append(Result.Result(flow, type, info))
    elif (flow.url == 'https://api.venmo.com/v1/contacts'):
        type = 'User Info: Contact'
        # One Result per uploaded contact object.
        contacts = AppDefault.findJSONListNonSpaced(flow.requestContent, 'contacts')
        for info in contacts.split(' },\n {'):
            results.append(Result.Result(flow, type, info))
    elif (flow.url == 'https://api.venmo.com/v1/payments'):
        type = 'User Action: Venmo Payment'
        # Whole request body is recorded as-is.
        info = flow.requestContent
        results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://api.venmo.com/v1/stories') == 0 and flow.url.find('/likes') > -1):
        type = 'User Action: Liked Story'
        # Story id sits between 'stories/' and the next '/' in the URL.
        info = flow.url[flow.url.find('stories/') + 8:]
        info = info[:info.find('/')]
        results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://api.venmo.com/v1/stories') == 0 and flow.url.find('/comments') > -1):
        type = 'User Action: Commented on Story'
        info = flow.url[flow.url.find('stories/') + 8:]
        info = info[:info.find('/')]
        info = info + ': ' + AppDefault.findFormEntry(flow.requestContent, 'message')
        results.append(Result.Result(flow, type, info))
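def checkPostURL(flow, results):
    """Classify a captured Google-service POST and record what it reveals.

    Dispatches on ``flow.url``; a branch may set ``flow.source`` and appends
    ``Result.Result(flow, type, info)`` entries to ``results`` (mutated in
    place; nothing is returned).

    Args:
        flow: captured request/response; reads ``url``, ``requestHeaders``,
            ``requestContent`` and ``responseContent``, writes ``source``.
        results: list that receives the Result objects.

    Notes:
        The body was recovered from a whitespace-collapsed source, so the
        structure below is reconstructed from syntax; verify it against the
        upstream file.
        Changes versus the original: the debug ``print`` calls that dumped a
        Docs edit body (the edited document text) to stdout are gone; a
        missing ``app`` or ``x-goog-upload-file-name`` header no longer
        raises KeyError; a Docs command entry without ``:`` no longer raises
        IndexError and a value containing ``:`` is no longer truncated at it;
        the Hangouts invitation scan stops when its ``1: `` marker is absent
        instead of looping forever once the string is consumed; an unused
        ``findFormEntry(..., 'bundles')`` call was dropped.
        Extraction still relies on the exact text layout of each body; when
        a marker is absent ``find`` returns -1 and the slice yields unrelated
        text rather than failing.
        ``type`` shadows the builtin; kept for consistency with the sibling
        parsers.
    """
    if (flow.url == 'https://android.clients.google.com/c2dm/register3'):
        # The registering package (from the 'app' header) picks the source
        # label; a missing header used to raise KeyError here.
        app = ''
        if ('app' in flow.requestHeaders.keys()):
            app = flow.requestHeaders['app']
        if (app == 'com.google.android.apps.tachyon'):
            flow.source = 'Google Duo Login'
        elif (app == 'com.google.android.apps.maps'):
            flow.source = 'Google Maps Login'
        type = 'System Info: Device ID'
        # Value is the rest of the line after 'device:' in the request body.
        info = flow.requestContent
        info = info[info.find('device:') + 7:]
        info = info[:info.find('\n')]
        info = info.strip()
        results.append(Result.Result(flow, type, info))
        type = 'Token'
        # Registration token: everything after 'token=' in the response.
        info = flow.responseContent
        info = info[info.find('token=') + 6:]
        info = info.strip()
        results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://inbox.google.com/sync') == 0):
        flow.source = 'Gmail Inbox Sync'
    elif (flow.url.find('https://mail.google.com/mail/ads') == 0):
        flow.source = 'Gmail Ads'
    elif (flow.url == 'https://www.googleapis.com/plusdatamixer/v1/mutate'):
        flow.source = 'Google Drive'
    elif (flow.url.find('https://www.googleapis.com/discussions/v1/targets') == 0):
        flow.source = 'Google Drive Comments'
    elif (flow.url.find('https://docs.google.com/document/create') == 0):
        flow.source = 'Google Docs'
        type = "User Action"
        info = 'Create New Document: ' + AppDefault.findFormEntry(flow.requestContent, 'title')
        results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://docs.google.com/document/d') == 0):
        flow.source = 'Google Docs'
        if (flow.url.find('/save?') > -1):
            type = 'User Action: Edit Document'
            # 'commands' is a JSON array of edit objects: trim the leading
            # '[{' and trailing '}]', then split the objects apart textually.
            # The ',' / ':' splits are textual too, so inserted text that
            # contains a comma is cut short — a limitation carried over.
            commands = AppDefault.findJSONListNonSpaced(flow.requestContent, 'commands')
            commands = commands[2:len(commands) - 2]
            for item in commands.split('},{'):
                entries = {}
                for pair in item.split(','):
                    # partition keeps a value containing ':' intact and
                    # yields '' (not IndexError) when the separator is absent.
                    key, _, value = pair.partition(':')
                    entries[key] = value
                # Keys keep their JSON quotes, hence '"s"' and '"si"'.
                if ('"s"' in entries):
                    type = 'User Action'
                    info = 'Inserted ' + entries['"s"']
                    results.append(Result.Result(flow, type, info))
                if ('"si"' in entries):
                    type = 'User Action'
                    info = 'Deleted Index: ' + entries['"si"']
                    results.append(Result.Result(flow, type, info))
    elif (flow.url == 'https://www.googleapis.com/batch/drive/v2internal'):
        if (flow.requestContent.find('{"additionalRoles":') > -1):
            flow.source = 'Google Drive'
            type = 'User Action'
            # Keep the object from '{"additionalRoles":' up to its first '}'.
            info = flow.requestContent[flow.requestContent.find('{"additionalRoles":'):]
            info = info[:info.find('}') + 1]
            info = 'File Role Change: ' + info
            results.append(Result.Result(flow, type, info))
        elif (flow.requestContent.find('GET https://www.googleapis.com/drive/v2internal/files') > -1):
            flow.source = 'Google Drive File Lookup'
    elif (flow.url.find('https://photosdata-pa.googleapis.com') == 0):
        flow.source = 'Google Photos'
        lines = flow.requestContent.split('\n')
        # A share-creation body is exactly four lines: '1 {', '1: …', '}', '2: …'.
        if (len(lines) == 4):
            if (lines[0].strip() == '1 {' and lines[1].strip()[:2] == '1:' and lines[2].strip() == '}' and lines[3].strip()[:2] == '2:'):
                type = 'User Action'
                info = 'Create New Share: ' + lines[3].strip()[3:]
                results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://photos.googleapis.com/data/upload') == 0):
        flow.source = 'Google Photos Upload'
        type = 'User Action'
        # The file name is an upload header; tolerate its absence.
        name = ''
        if ('x-goog-upload-file-name' in flow.requestHeaders.keys()):
            name = flow.requestHeaders['x-goog-upload-file-name']
        info = 'Photo Uploaded: ' + name
        results.append(Result.Result(flow, type, info))
    elif (flow.url == 'https://www.googleapis.com/datamixer/v1/batchfetch'):
        lines = flow.requestContent.split('\n')
        # A contact-search body is 22 lines with the query on line 13
        # (index 12) after a 3-character field prefix.
        if (len(lines) == 22 and len(lines[12].strip()[3:]) > 0):
            type = 'User Action'
            info = 'Contact Search: ' + lines[12].strip()[3:]
            results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://www.googleapis.com/calendar') == 0):
        flow.source = 'Google Calendar'
        # Whole request body is recorded for event/habit writes.
        if (flow.url.find('/events') > -1):
            type = 'User Action: Event Creation/Update'
            info = flow.requestContent
            results.append(Result.Result(flow, type, info))
        elif (flow.url.find('/habits') > -1):
            type = 'User Action: Habit Creation/Update'
            info = flow.requestContent
            results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://www.googleapis.com/chat/v1android/conversations/sync') == 0):
        type = 'User Action'
        info = 'Synced Hangouts'
        results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://www.googleapis.com/chat/v1android/clients/setactiveclient') == 0):
        type = 'User Action'
        info = 'Opened Google Hangouts'
        results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://www.googleapis.com/chat/v1android/presence/setpresence') == 0):
        if (flow.requestContent.find('8 {') > -1):
            type = 'User Action'
            # Status text is the '2: ' field inside the '8 {' group.
            info = flow.requestContent[flow.requestContent.find('8 {'):]
            info = info[info.find('2: ') + 3:]
            info = info[:info.find('\n')]
            info = 'Set Hangouts Status: ' + info
            results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://www.googleapis.com/chat/v1android/conversations/getconversation') == 0):
        type = 'User Action'
        info = 'Opened Conversation'
        results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://www.googleapis.com/chat/v1android/devices/sendoffnetworkinvitation') == 0):
        type = 'User Action'
        info = flow.requestContent[flow.requestContent.find('2 {'):]
        # Advance three characters at a time until the next '1: ' field's
        # value starts with '1'; give up when no '1: ' remains (the original
        # loop never terminated once the string had been consumed).
        while True:
            marker = info.find('1: ')
            if (marker == -1 or info[marker + 3:marker + 4] == '1'):
                break
            info = info[3:]
        # Invitee is the '3: ' field of the following '2 {' group.
        info = info[info.find('2 {'):]
        info = info[info.find('3: ') + 3:]
        info = info[:info.find('\n')]
        info = 'Sent Hangouts Invitation: ' + info
        results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://www.googleapis.com/chat/v1android/conversations/setfocus') == 0):
        type = 'User Action'
        info = 'Opened Conversation'
        results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://www.googleapis.com/chat/v1android/conversations/settyping') == 0):
        type = 'User Action'
        info = 'Changed Typing Status'
        results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://www.googleapis.com/chat/v1android/conversations/sendchatmessage') == 0):
        type = 'User Action'
        info = 'Sent Message'
        results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://www.googleapis.com/hangouts/v1android/media_sessions/query') == 0):
        type = 'User Action'
        info = 'Opened Call'
        results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://www.googleapis.com/hangouts/v1android/hangout_participants/remove') == 0):
        type = 'User Action'
        info = 'Left Call'
        results.append(Result.Result(flow, type, info))
    elif (flow.url == 'https://android.googleapis.com/auth'):
        # Source is whatever package the auth request names in its 'app' field.
        flow.source = AppDefault.findFormEntry(flow.requestContent, 'app')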
def checkGetURL(flow, results):
    """Classify a captured Google-service GET and record what it reveals.

    Dispatches on ``flow.url``; a branch may set ``flow.source`` and appends
    ``Result.Result(flow, type, info)`` entries to ``results`` (mutated in
    place; nothing is returned).

    Args:
        flow: captured request/response; reads ``url``, ``requestContent``
            and ``responseContent``, writes ``source``.
        results: list that receives the Result objects.

    Notes:
        The body was recovered from a whitespace-collapsed source, so the
        structure below is reconstructed from syntax; verify it against the
        upstream file.
        Document ids are cut out of the URL at fixed offsets
        (35 = len('https://docs.google.com/document/d/'),
        39 = len('https://docs.google.com/spreadsheets/d/')); if the id is not
        followed by '/' the ``find`` returns -1 and the last character is
        dropped.
        ``type`` shadows the builtin; kept for consistency with the sibling
        parsers.
    """
    if (flow.url.find('https://www.googleapis.com/drive/v2internal/files') == 0 ):
        flow.source = 'Google Drive File Lookup'
    elif (flow.url.find('https://www.googleapis.com/drive/v2internal/changes') == 0):
        flow.source = 'Google Drive File Sync'
    elif (flow.url.find('https://www.googleapis.com/discussions/v1/authors') == 0):
        flow.source = 'Google Drive Comments'
    elif (flow.url.find('https://docs.google.com/document/d') == 0):
        flow.source = 'Google Docs'
        if (flow.url.find('leave') > -1):
            type = 'User Action'
            info = 'Document Deleted: '
            docID = flow.url[35:]
            docID = docID[:docID.find('/')]
            info = info + docID
            results.append(Result.Result(flow, type, info))
        else:
            type = 'User Action'
            info = 'Document Opened: '
            docID = flow.url[35:]
            docID = docID[:docID.find('/')]
            info = info + docID
            # On an edit view the document title is the "t" field of the
            # response; appended in parentheses when present.
            if (flow.responseContent.find('":"') > -1 and flow.url.find('edit') > -1):
                name = flow.responseContent[flow.responseContent.find('"t":"') + 5:]
                name = name[:name.find('"')]
                info = info + ' (' + name + ')'
            results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://docs.google.com/spreadsheets/d') == 0):
        flow.source = 'Google Sheets'
        if (flow.url.find('leave') > -1):
            type = 'User Action'
            info = 'Document Deleted: '
            docID = flow.url[39:]
            docID = docID[:docID.find('/')]
            info = info + docID
            results.append(Result.Result(flow, type, info))
        else:
            type = 'User Action'
            info = 'Spreadsheet Opened: '
            docID = flow.url[39:]
            docID = docID[:docID.find('/')]
            info = info + docID
            # Sheets also expose the title on the 'model' fetch.
            if (flow.responseContent.find('":"') > -1 and (flow.url.find('edit') > -1 or flow.url.find('model') > -1)):
                name = flow.responseContent[flow.responseContent.find('"t":"') + 5:]
                name = name[:name.find('"')]
                info = info + ' (' + name + ')'
            results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://www.googleapis.com/calendar') == 0):
        flow.source = 'Google Calendar'
        if (flow.responseContent.find('notificationSettings') > -1):
            type = 'User Info: Notification Settings'
            info = AppDefault.findJSONSection(flow.responseContent, 'notificationSettings')
            results.append(Result.Result(flow, type, info))
        elif (flow.responseContent.find('"kind": "calendar#events"') > -1 or flow.url.find('/events') > -1):
            type = 'User Info: Calendar Events'
            info = AppDefault.findJSONListNonSpaced(flow.responseContent, 'items')
            # Skip an empty list ('[]' is 2 characters).
            if (len(info) > 2):
                results.append(Result.Result(flow, type, info))
        elif (flow.url.find('/habits') > -1):
            type = 'User Info: Habits'
            info = flow.responseContent
            results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://www.googleapis.com/voice/v1/users/@me/account?key=') == 0 ):
        type = 'User Info: Account ID'
        # NOTE(review): the key is in the URL query string, yet it is looked
        # up in requestContent — confirm findFormEntry is meant to see it.
        info = AppDefault.findFormEntry(flow.requestContent, 'key')
        results.append(Result.Result(flow, type, info))
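def checkPostURL(flow, results):
    """Classify a captured Slack (or Slack-Bugsnag) POST and record what it reveals.

    Dispatches on ``flow.url``; a branch may set ``flow.source`` and appends
    ``Result.Result(flow, type, info)`` entries to ``results`` (mutated in
    place; nothing is returned).

    Args:
        flow: captured request/response; reads ``url``, ``requestHeaders``,
            ``requestContent`` and ``responseContent``, writes ``source``.
        results: list that receives the Result objects.

    Notes:
        The body was recovered from a whitespace-collapsed source, so the
        structure below is reconstructed from syntax; verify it against the
        upstream file.
        Change versus the original: a beacon payload that is not valid
        base64/UTF-8 (or not a string) no longer raises and aborts the
        whole parse; the raw form value is recorded instead. The two
        token-length checks also call findFormEntry once instead of twice.
        Tokens, the password and the Bugsnag API key are recorded verbatim,
        so ``results`` holds credentials.
        ``type`` shadows the builtin; kept for consistency with the sibling
        parsers.
    """
    if (flow.url.find('https://slack.com/api') == 0):
        flow.source = 'Slack'
        # Length > 25 is the heuristic for "this field really holds a token".
        token = AppDefault.findFormEntry(flow.requestContent, 'token')
        if (len(token) > 25):
            type = 'Slack Token'
            info = token
            results.append(Result.Result(flow, type, info))
        push_token = AppDefault.findFormEntry(flow.requestContent, 'push_token')
        if (len(push_token) > 25):
            type = 'Slack Push Token'
            info = push_token
            results.append(Result.Result(flow, type, info))
    # Second, independent chain keyed on the exact URL.
    if (flow.url == 'https://slack.com/api/experiments.getByVisitor'):
        type = 'System Info: Slack Experiments'
        info = flow.responseContent
        results.append(Result.Result(flow, type, info))
    elif (flow.url == 'https://sessions.bugsnag.com/'):
        if ('Bugsnag-Api-Key' in flow.requestHeaders.keys()):
            type = 'Bugsnag API Key'
            info = flow.requestHeaders['Bugsnag-Api-Key']
            results.append(Result.Result(flow, type, info))
        # Only Slack's own crash-reporting sessions are attributed to Slack.
        if (AppDefault.findJSONItem(flow.requestContent, 'packageName') == 'com.Slack'):
            flow.source = 'Slack Bugsnag'
            type = 'Current Slack Screen'
            info = AppDefault.findJSONItem(flow.requestContent, 'activeScreen')
            results.append(Result.Result(flow, type, info))
            type = 'Slack Foreground Status'
            info = AppDefault.findJSONItem(flow.requestContent, 'inForeground')
            results.append(Result.Result(flow, type, info))
            type = 'Slack Session ID'
            sessions = AppDefault.findJSONGroup(flow.requestContent, 'sessions')
            info = AppDefault.findJSONItem(sessions, 'id')
            results.append(Result.Result(flow, type, info))
            type = 'User Info: Slack User ID'
            info = AppDefault.findJSONItem(AppDefault.findJSONGroup(sessions, 'user'), 'id')
            results.append(Result.Result(flow, type, info))
            type = 'Session Start Time'
            # NOTE(review): assumes findJSONItem returns a str here — confirm.
            info = AppDefault.findJSONItem(sessions, 'startedAt') + ' UTC'
            results.append(Result.Result(flow, type, info))
            type = 'System Info: Model'
            make = AppDefault.findJSONItem(flow.requestContent, 'manufacturer')
            model = AppDefault.findJSONItem(flow.requestContent, 'model')
            info = make + ' ' + model
            results.append(Result.Result(flow, type, info))
            type = 'System Info: OS Version'
            info = AppDefault.findJSONItem(flow.requestContent, 'osName') + ' ' + AppDefault.findJSONItem(flow.requestContent, 'osVersion')
            results.append(Result.Result(flow, type, info))
    elif (flow.url == 'https://slack.com/api/auth.findTeam'):
        type = 'User Action: Domain Lookup'
        info = AppDefault.findFormEntry(flow.requestContent, 'domain')
        results.append(Result.Result(flow, type, info))
    elif (flow.url == 'https://slack.com/api/auth.findUser'):
        type = 'User Action: Login'
        info = AppDefault.findFormEntry(flow.requestContent, 'email')
        results.append(Result.Result(flow, type, info))
        type = 'User Info: Slack User ID'
        info = AppDefault.findJSONItem(flow.responseContent, 'user_id')
        results.append(Result.Result(flow, type, info))
    elif (flow.url == 'https://slack.com/api/auth.signin'):
        type = 'User Info: Password'
        info = AppDefault.findFormEntry(flow.requestContent, 'password')
        results.append(Result.Result(flow, type, info))
        type = 'User Info: Slack User ID'
        info = AppDefault.findJSONItem(flow.responseContent, 'user')
        results.append(Result.Result(flow, type, info))
        type = 'User Info: Team ID'
        info = AppDefault.findFormEntry(flow.requestContent, 'team')
        results.append(Result.Result(flow, type, info))
        type = 'Slack Token'
        info = AppDefault.findJSONItem(flow.responseContent, 'token')
        results.append(Result.Result(flow, type, info))
        type = 'User Info: Email'
        info = AppDefault.findJSONItem(flow.responseContent, 'user_email')
        results.append(Result.Result(flow, type, info))
    elif (flow.url == 'https://slack.com/api/users.counts'):
        # Drop the leading '[{' and record one Result per channel object.
        channels = AppDefault.findJSONListNonSpaced(flow.responseContent, 'channels')
        channels = channels[2:]
        for channel in channels.split('},'):
            type = 'Slack Channel Info'
            info = channel
            results.append(Result.Result(flow, type, info))
    elif (flow.url == 'https://slack.com/api/conversations.history'):
        type = 'Channel Messages Sync Channel'
        info = AppDefault.findFormEntry(flow.requestContent, 'channel')
        results.append(Result.Result(flow, type, info))
    elif (flow.url == 'https://slack.com/beacon/track/'):
        type = 'System Info: Performance Tracking'
        info = AppDefault.findFormEntry(flow.requestContent, 'data')
        try:
            # binascii.Error and UnicodeDecodeError are ValueError subclasses;
            # a non-str value raises TypeError. Keep the raw form value then.
            info = base64.b64decode(info).decode("UTF-8")
        except (TypeError, ValueError):
            pass
        results.append(Result.Result(flow, type, info))
    elif (flow.url == 'https://slack.com/api/chat.postMessage'):
        type = 'User Action: Send Message'
        info = 'Message "' + AppDefault.findFormEntry(flow.requestContent, 'text') + '" sent to channel ' + AppDefault.findFormEntry(flow.requestContent, 'channel')
        results.append(Result.Result(flow, type, info))
    elif (flow.url == 'https://slack.com/api/conversations.mark'):
        type = 'User Action: Viewed Channel'
        info = 'Viewed channel ' + AppDefault.findFormEntry(flow.requestContent, 'channel') + ' at ' + AppDefault.findFormEntry(flow.requestContent, 'ts')
        results.append(Result.Result(flow, type, info))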
def checkPostURL(flow, results):
    """Classify a captured Reddit (or Branch.io / Reddit events) POST and record what it reveals.

    Dispatches on ``flow.url``; a branch may set ``flow.source`` and appends
    ``Result.Result(flow, type, info)`` entries to ``results`` (mutated in
    place; nothing is returned).

    Args:
        flow: captured request/response; reads ``url``, ``requestContent``
            and ``responseContent``, writes ``source``.
        results: list that receives the Result objects.

    Notes:
        The body was recovered from a whitespace-collapsed source, so the
        structure below is reconstructed from syntax; verify it against the
        upstream file.
        Fields are cut out of the body with fixed offsets past a ``"key":``
        marker (assumes ``"key": "value"`` layout; numeric fields end at
        ','); if the marker is absent ``find`` returns -1 and the slice
        yields unrelated text rather than failing.
        The access token, password, advertising id and hardware id are
        recorded verbatim, so ``results`` holds credentials and persistent
        identifiers.
        ``type`` shadows the builtin and ``time`` shadows the stdlib module
        name; kept for consistency with the sibling parsers.
    """
    if (flow.url == 'https://www.reddit.com/api/v1/access_token'):
        type = 'System Info: Access Token'
        # Here the opening quote is located with find() rather than a fixed
        # offset, so this one tolerates varying whitespace after the colon.
        info = flow.responseContent[flow.responseContent.find('"access_token":') + 15:]
        info = info[info.find('"') + 1:]
        info = info[:info.find('"')]
        results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://api.branch.io/') == 0):
        flow.source = 'Branch.io'
        content = flow.requestContent
        # The URL's last path segment says which lifecycle event this is.
        if (flow.url[len(flow.url) - 4:len(flow.url)] == 'open'):
            type = 'User Action: App Opened'
            info = 'Reddit Opened'
            results.append(Result.Result(flow, type, info))
        elif (flow.url[len(flow.url) - 5:len(flow.url)] == 'close'):
            type = 'User Action: App Closed'
            info = 'Reddit Closed'
            results.append(Result.Result(flow, type, info))
        # Device profile fields every Branch.io call carries.
        type = 'System Info: Model'
        brand = content[content.find('"brand":') + 10:]
        brand = brand[:brand.find('"')]
        model = content[content.find('"model":') + 10:]
        model = model[:model.find('"')]
        info = brand + ' ' + model
        results.append(Result.Result(flow, type, info))
        type = 'User Info: Ad ID'
        info = content[content.find('"google_advertising_id":') + 26:]
        info = info[:info.find('"')]
        results.append(Result.Result(flow, type, info))
        type = 'System Info: Hardware ID'
        info = content[content.find('"hardware_id":') + 16:]
        info = info[:info.find('"')]
        results.append(Result.Result(flow, type, info))
        type = 'System Info: Local IP Address'
        info = content[content.find('"local_ip":') + 13:]
        info = info[:info.find('"')]
        results.append(Result.Result(flow, type, info))
        type = 'System Info: Screen Size'
        width = content[content.find('"screen_width":') + 16:]
        width = width[:width.find(',')]
        height = content[content.find('"screen_height":') + 17:]
        height = height[:height.find(',')]
        info = width + ' x ' + height
        results.append(Result.Result(flow, type, info))
        type = 'System Info: WiFi Connection Status'
        info = content[content.find('"wifi":') + 8:]
        info = info[:info.find('"')]
        results.append(Result.Result(flow, type, info))
        type = 'Branch.io Key'
        info = content[content.find('"branch_key":') + 15:]
        info = info[:info.find('"')]
        results.append(Result.Result(flow, type, info))
        type = 'System Info: First Install Time'
        info = content[content.find('"first_install_time":') + 22:]
        info = info[:info.find(',')]
        results.append(Result.Result(flow, type, info))
        type = 'System Info: Latest Install Time'
        info = content[content.find('"latest_install_time":') + 23:]
        info = info[:info.find(',')]
        results.append(Result.Result(flow, type, info))
        type = 'System Info: Latest Update Time'
        info = content[content.find('"latest_update_time":') + 22:]
        info = info[:info.find(',')]
        results.append(Result.Result(flow, type, info))
        # NOTE(review): an 'open' URL is recorded twice ('App Opened' above
        # and 'Opened App' here); presumably unintended — confirm upstream.
        if (flow.url[len(flow.url) - 4:] == 'open'):
            type = 'User Action: Opened App'
            info = 'Reddit'
            results.append(Result.Result(flow, type, info))
            type = 'User info: Branch ID'
            info = content[content.find('"identity_id":') + 16:]
            info = info[:info.find('"')]
            results.append(Result.Result(flow, type, info))
            type = 'System Info: Device Fingerprint ID'
            info = content[content.find('"device_fingerprint_id":') + 26:]
            info = info[:info.find('"')]
            results.append(Result.Result(flow, type, info))
        elif (flow.url[len(flow.url) - 7:] == 'install'):
            type = 'User Action: Installed App'
            info = 'Reddit'
            results.append(Result.Result(flow, type, info))
    elif (flow.url == 'https://gql.reddit.com/'):
        if (flow.responseContent.find('experimentVariants') > -1):
            type = 'Experimental Features Config'
            info = AppDefault.findJSONListNonSpaced(flow.responseContent, 'experimentVariants')
            results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://gateway.reddit.com/redditmobile/1/android/config') == 0):
        type = 'Experimental Features Config'
        # Two Results under one label: the requested experiments and the
        # buckets the server answered with.
        info = AppDefault.findFormEntry(flow.requestContent, 'experiments')
        results.append(Result.Result(flow, type, info))
        info = AppDefault.findJSONListNonSpaced(flow.responseContent, 'buckets')
        results.append(Result.Result(flow, type, info))
    elif (flow.url.find('https://gateway.reddit.com/redditmobile') == 0):
        type = 'Reddit Client ID'
        info = AppDefault.findFormEntry(flow.requestContent, 'client_id')
        results.append(Result.Result(flow, type, info))
        type = 'System Info: Timezone'
        info = AppDefault.findFormEntry(flow.requestContent, 'tz_name')
        results.append(Result.Result(flow, type, info))
    elif (flow.url == 'https://events.redditmedia.com/v1'):
        event = flow.requestContent[flow.requestContent.find('"event_type":') + 14:]
        event = event[:event.find('"')]
        # NOTE(review): offset 11 equals len('"event_ts":'), so this assumes
        # no space before the numeric value — unlike the other offsets here.
        time = flow.requestContent[flow.requestContent.find('"event_ts":') + 11:]
        time = time[:time.find(',')]
        if (event == 'cs.app_launch_android'):
            type = 'User Action: Reddit Opened'
            info = 'Reddit Opened @ ' + time
            results.append(Result.Result(flow, type, info))
        else:
            # Any other event type: keep the whole body.
            type = 'Reddit Activity & Info Dump'
            info = flow.requestContent
            results.append(Result.Result(flow, type, info))
    elif (flow.url == 'https://www.reddit.com/api/v1/login'):
        if (flow.requestContent.find('passwd:') > -1):
            type = 'User Action: Reddit Login'
            info = 'Logged in as ' + AppDefault.findFormEntry(flow.requestContent, 'user')
            results.append(Result.Result(flow, type, info))
            type = 'User Info: Password'
            info = AppDefault.findFormEntry(flow.requestContent, 'passwd')
            results.append(Result.Result(flow, type, info))