def analyzeHeadRequest(flow, results):
    """Run every HEAD-request check on *flow*, app-specific ones before the defaults.

    Args:
        flow: captured request/response pair handed to each check unchanged.
        results: list that the checks append their ``Result`` entries to.

    Order matters only in that it matches the original: URL check, request
    header checks, response header checks, then the default HEAD analysis.
    """
    checkHeadURL(flow, results)
    for check in (checkRequestHeaders, AppDefault.checkRequestHeadersDefault):
        check(flow, flow.requestHeaders, results)
    for check in (checkResponseHeaders, AppDefault.checkResponseHeadersDefault):
        check(flow, flow.responseHeaders, results)
    AppDefault.analyzeHeadRequestDefault(flow, results)
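def checkResponseHeaders(flow, headers, results):
    """Flag images fetched by the Google Photos app as "Image Viewed" results.

    Args:
        flow: captured request/response pair; ``flow.source`` is rewritten
            when the response is attributed to Google Photos.
        headers: response header mapping to inspect (``Content-Type``).
        results: list that receives ``Result.Result`` entries.

    Only responses whose ``Content-Type`` starts with ``image`` and whose
    request ``User-Agent`` starts with ``com.google.android.apps.photos``
    are considered.  Header lookups are guarded so that a response without
    a ``content-disposition`` header is skipped instead of raising KeyError
    on attacker-controlled input.
    """
    if not ('Content-Type' in headers and headers['Content-Type'][:5] == 'image'):
        return
    request_headers = flow.requestHeaders
    if not ('User-Agent' in request_headers
            and request_headers['User-Agent'][:30] == 'com.google.android.apps.photos'):
        return
    flow.source = 'Google Photos'
    if not (flow.url.startswith('https://ap2.googleusercontent.com')
            or flow.url.startswith('https://lh3.googleusercontent.com/a')):
        return

    # Sizes the original author associated with thumbnails; looked up once
    # instead of once per comparison.
    thumbnail_sizes = {'246 x 328 px', '38 x 50 px', '50 x 38 px',
                       '28 x 50 px', '328 x 328 px'}
    if AppDefault.findFormEntry(flow.responseContent, 'Size').strip() in thumbnail_sizes:
        flow.source = 'Google Photos Thumbnail'

    response_headers = flow.responseHeaders
    if 'content-disposition' not in response_headers:
        return
    disposition = response_headers['content-disposition']
    # The original skipped len('filename=') + 1 characters, i.e. it assumed a
    # quoted value; require the quote explicitly so a missing marker does not
    # produce a garbage slice.
    start = disposition.find('filename="')
    if start == -1:
        return
    pic_name = disposition[start + len('filename="'):].partition('"')[0]
    results.append(Result.Result(flow, 'User Action', 'Image Viewed: ' + pic_name))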
def checkGetURL(flow, results):
    """Classify a RocketChat-related GET request and record derived results.

    Args:
        flow: captured request/response pair; ``flow.source`` is always set
            to ``'RocketChat'`` before any endpoint is matched.
        results: list that receives one ``Result.Result`` per recognised
            value (form fields of the request, or the id in the response).
    """
    flow.source = 'RocketChat'
    url = flow.url

    def record(kind, info):
        results.append(Result.Result(flow, kind, info))

    def form(field):
        return AppDefault.findFormEntry(flow.requestContent, field)

    if url.startswith('https://certify.alexametrics.com/atrk'):
        record('RocketChat AlexaMetrics Session Cookie', form('sess_cookie'))

    elif url.startswith('https://q.stripe.com/?event'):
        for kind, field in (('Stripe Key', 'key'),
                            ('Stripe JS ID', 'stripe_js_id'),
                            ('Stripe Event', 'event')):
            record(kind, form(field))

    elif (url.startswith('https://open.rocket.chat/api/v1/settings.public')
          and 'RegistrationForm' in url):
        record('User Action: RocketChat Screen View', 'Viewed Registration Form')

    elif url == 'https://open.rocket.chat/api/v1/me':
        record('User Action: Viewed Profile', 'Viewed own profile')
        # Offset of 6 past 'id":' presumes the JSON is spaced as 'id": "…"'.
        body = flow.responseContent
        identifier = body[body.find('id":') + 6:]
        record('RocketChat ID', identifier[:identifier.find('"')])

    elif url.startswith('https://open.rocket.chat/api/v1/spotlight'):
        record('User Action: RocketChat Search', form('query'))

    elif url.startswith(
            'https://open.rocket.chat/api/v1/channels.getAllUserMentionsByChannel'):
        record('User Action: Viewed Channel Mentions', form('roomId'))

    elif url.startswith('https://open.rocket.chat/api/v1/channels.files'):
        record('User Action: Viewed Channel Files', form('roomId'))
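def checkPostURL(flow, results):
    """Attribute a POST request to a Google app and record the user action.

    Args:
        flow: captured request/response pair.  ``flow.url``,
            ``flow.requestHeaders``, ``flow.requestContent`` and
            ``flow.responseContent`` are read; ``flow.source`` is set when
            the endpoint is recognised.
        results: list that receives ``Result.Result(flow, type, info)``
            entries.

    The bodies are untrusted network content and every value is extracted
    by positional slicing, so a missing marker yields an odd or empty string
    rather than an exception.  Compared with the original: the debug
    ``print`` calls that echoed the Docs ``/save`` body (document text) to
    stdout are gone, the Hangouts invitation scan can no longer loop
    forever on malformed input, and missing headers no longer raise.
    """
    url = flow.url
    add = results.append

    if url == 'https://android.clients.google.com/c2dm/register3':
        # 'app' header names the registering package; an absent header means
        # no attribution instead of a KeyError.
        app = flow.requestHeaders.get('app')
        if app == 'com.google.android.apps.tachyon':
            flow.source = 'Google Duo Login'
        elif app == 'com.google.android.apps.maps':
            flow.source = 'Google Maps Login'
        device = flow.requestContent
        device = device[device.find('device:') + 7:]
        device = device[:device.find('\n')].strip()
        add(Result.Result(flow, 'System Info: Device ID', device))

        token = flow.responseContent
        token = token[token.find('token=') + 6:].strip()
        add(Result.Result(flow, 'Token', token))

    elif url.startswith('https://inbox.google.com/sync'):
        flow.source = 'Gmail Inbox Sync'

    elif url.startswith('https://mail.google.com/mail/ads'):
        flow.source = 'Gmail Ads'

    elif url == 'https://www.googleapis.com/plusdatamixer/v1/mutate':
        flow.source = 'Google Drive'

    elif url.startswith('https://www.googleapis.com/discussions/v1/targets'):
        flow.source = 'Google Drive Comments'

    elif url.startswith('https://docs.google.com/document/create'):
        flow.source = 'Google Docs'
        title = AppDefault.findFormEntry(flow.requestContent, 'title')
        add(Result.Result(flow, 'User Action', 'Create New Document: ' + title))

    elif url.startswith('https://docs.google.com/document/d'):
        flow.source = 'Google Docs'
        if '/save?' in url:
            _recordDocsEdits(flow, results)

    elif url == 'https://www.googleapis.com/batch/drive/v2internal':
        body = flow.requestContent
        marker = '{"additionalRoles":'
        if marker in body:
            flow.source = 'Google Drive'
            change = body[body.find(marker):]
            change = change[:change.find('}') + 1]
            add(Result.Result(flow, 'User Action', 'File Role Change: ' + change))
        elif 'GET https://www.googleapis.com/drive/v2internal/files' in body:
            flow.source = 'Google Drive File Lookup'

    elif url.startswith('https://photosdata-pa.googleapis.com'):
        flow.source = 'Google Photos'
        lines = flow.requestContent.split('\n')
        # A share request is recognised purely by its four-line shape.
        if (len(lines) == 4
                and lines[0].strip() == '1 {' and lines[1].strip()[:2] == '1:'
                and lines[2].strip() == '}' and lines[3].strip()[:2] == '2:'):
            add(Result.Result(flow, 'User Action',
                              'Create New Share: ' + lines[3].strip()[3:]))

    elif url.startswith('https://photos.googleapis.com/data/upload'):
        flow.source = 'Google Photos Upload'
        file_name = flow.requestHeaders.get('x-goog-upload-file-name', '')
        add(Result.Result(flow, 'User Action', 'Photo Uploaded: ' + file_name))

    elif url == 'https://www.googleapis.com/datamixer/v1/batchfetch':
        lines = flow.requestContent.split('\n')
        if len(lines) == 22:
            query = lines[12].strip()[3:]
            if query:
                add(Result.Result(flow, 'User Action', 'Contact Search: ' + query))

    elif url.startswith('https://www.googleapis.com/calendar'):
        flow.source = 'Google Calendar'
        if '/events' in url:
            add(Result.Result(flow, 'User Action: Event Creation/Update',
                              flow.requestContent))
        elif '/habits' in url:
            add(Result.Result(flow, 'User Action: Habit Creation/Update',
                              flow.requestContent))

    elif url.startswith(
            'https://www.googleapis.com/chat/v1android/presence/setpresence'):
        body = flow.requestContent
        if '8 {' in body:
            status = body[body.find('8 {'):]
            status = status[status.find('2: ') + 3:]
            status = status[:status.find('\n')]
            add(Result.Result(flow, 'User Action', 'Set Hangouts Status: ' + status))

    elif url.startswith(
            'https://www.googleapis.com/chat/v1android/devices/sendoffnetworkinvitation'):
        target = _hangoutsInvitationTarget(flow.requestContent)
        if target is not None:
            add(Result.Result(flow, 'User Action',
                              'Sent Hangouts Invitation: ' + target))

    elif url == 'https://android.googleapis.com/auth':
        flow.source = AppDefault.findFormEntry(flow.requestContent, 'app')

    else:
        # Remaining Hangouts endpoints map a URL prefix straight to a label.
        for prefix, info in _HANGOUTS_USER_ACTIONS:
            if url.startswith(prefix):
                add(Result.Result(flow, 'User Action', info))
                break


# (URL prefix, info) pairs for Hangouts endpoints that carry no payload to parse.
_HANGOUTS_USER_ACTIONS = (
    ('https://www.googleapis.com/chat/v1android/conversations/sync',
     'Synced Hangouts'),
    ('https://www.googleapis.com/chat/v1android/clients/setactiveclient',
     'Opened Google Hangouts'),
    ('https://www.googleapis.com/chat/v1android/conversations/getconversation',
     'Opened Conversation'),
    ('https://www.googleapis.com/chat/v1android/conversations/setfocus',
     'Opened Conversation'),
    ('https://www.googleapis.com/chat/v1android/conversations/settyping',
     'Changed Typing Status'),
    ('https://www.googleapis.com/chat/v1android/conversations/sendchatmessage',
     'Sent Message'),
    ('https://www.googleapis.com/hangouts/v1android/media_sessions/query',
     'Opened Call'),
    ('https://www.googleapis.com/hangouts/v1android/hangout_participants/remove',
     'Left Call'),
)


def _recordDocsEdits(flow, results):
    """Record text inserts/deletes from the ``commands`` list of a Docs save.

    Each command is split on ',' and ':' exactly as the original did (only the
    first ':'-separated segment of a value is kept); a field without ':' is
    skipped instead of raising IndexError.
    """
    commands = AppDefault.findJSONListNonSpaced(flow.requestContent, 'commands')
    # Strips two characters at each end (presumably the '[{' … '}]' wrapper).
    commands = commands[2:len(commands) - 2]
    for command in commands.split('},{'):
        entries = {}
        for field in command.split(','):
            parts = field.split(':')
            if len(parts) < 2:
                continue
            entries[parts[0]] = parts[1]
        if '"s"' in entries:
            results.append(Result.Result(flow, 'User Action',
                                         'Inserted ' + entries['"s"']))
        if '"si"' in entries:
            results.append(Result.Result(flow, 'User Action',
                                         'Deleted Index: ' + entries['"si"']))


def _hangoutsInvitationTarget(content):
    """Return the '3:' value of the first '2 {' group whose '1:' field is 1.

    Mirrors the original scan, but returns None instead of looping forever
    when no matching '2 {' group exists (the original kept re-slicing an
    empty string on such input).
    """
    block = content[content.find('2 {'):]
    while block[block.find('1: ') + 3:block.find('1: ') + 4] != '1':
        block = block[3:]
        if '2 {' not in block:
            return None
        block = block[block.find('2 {'):]
    target = block[block.find('3: ') + 3:]
    return target[:target.find('\n')]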
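def checkGetURL(flow, results):
    """Attribute a GET request to Drive, Docs, Sheets, Calendar or Voice.

    Args:
        flow: captured request/response pair; ``flow.url``,
            ``flow.requestContent`` and ``flow.responseContent`` are read,
            ``flow.source`` is set for recognised endpoints.
        results: list that receives ``Result.Result`` entries.

    The Docs and Sheets branches share one helper; the only differences are
    the URL prefix, the "opened" label and which URL keywords unlock the
    title extraction from the response body.
    """
    url = flow.url
    add = results.append

    if url.startswith('https://www.googleapis.com/drive/v2internal/files'):
        flow.source = 'Google Drive File Lookup'

    elif url.startswith('https://www.googleapis.com/drive/v2internal/changes'):
        flow.source = 'Google Drive File Sync'

    elif url.startswith('https://www.googleapis.com/discussions/v1/authors'):
        flow.source = 'Google Drive Comments'

    elif url.startswith('https://docs.google.com/document/d'):
        flow.source = 'Google Docs'
        _recordDocumentAccess(flow, results, 'https://docs.google.com/document/d/',
                              'Document Opened: ', ('edit',))

    elif url.startswith('https://docs.google.com/spreadsheets/d'):
        flow.source = 'Google Sheets'
        _recordDocumentAccess(flow, results,
                              'https://docs.google.com/spreadsheets/d/',
                              'Spreadsheet Opened: ', ('edit', 'model'))

    elif url.startswith('https://www.googleapis.com/calendar'):
        flow.source = 'Google Calendar'
        body = flow.responseContent
        if 'notificationSettings' in body:
            info = AppDefault.findJSONSection(body, 'notificationSettings')
            add(Result.Result(flow, 'User Info: Notification Settings', info))
        elif '"kind": "calendar#events"' in body or '/events' in url:
            info = AppDefault.findJSONListNonSpaced(body, 'items')
            # Two characters or fewer is presumably an empty list ('[]').
            if len(info) > 2:
                add(Result.Result(flow, 'User Info: Calendar Events', info))
        elif '/habits' in url:
            add(Result.Result(flow, 'User Info: Habits', body))

    elif url.startswith('https://www.googleapis.com/voice/v1/users/@me/account?key='):
        info = AppDefault.findFormEntry(flow.requestContent, 'key')
        add(Result.Result(flow, 'User Info: Account ID', info))


def _recordDocumentAccess(flow, results, base, opened_label, title_markers):
    """Append the delete/open result for a Docs or Sheets document URL.

    Args:
        base: URL prefix up to and including the '/' before the document id
            (35 characters for documents, 39 for spreadsheets — the offsets
            the original hard-coded).
        opened_label: prefix of the info text when the URL is not a 'leave'.
        title_markers: URL substrings that allow reading the title from the
            ``"t":"…"`` field of the response.

    The id runs up to the next '/'; when there is none the whole remainder
    is used (the original dropped its last character in that case).
    """
    url = flow.url
    doc_id = url[len(base):].partition('/')[0]
    if 'leave' in url:
        results.append(Result.Result(flow, 'User Action', 'Document Deleted: ' + doc_id))
        return
    info = opened_label + doc_id
    body = flow.responseContent
    if '":"' in body and any(marker in url for marker in title_markers):
        name = body[body.find('"t":"') + 5:]
        name = name[:name.find('"')]
        info = info + ' (' + name + ')'
    results.append(Result.Result(flow, 'User Action', info))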
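def checkPostURL(flow, results):
    """Attribute a POST request to a Google platform service and record findings.

    Args:
        flow: captured request/response pair.  ``flow.url``,
            ``flow.requestContent`` and ``flow.responseContent`` are read;
            ``flow.source`` is set when the endpoint is recognised.
        results: list that receives ``Result.Result(flow, type, info)``
            entries.

    Values are extracted from untrusted bodies by positional slicing, so a
    missing marker yields an odd or empty string rather than an exception.
    Compared with the original: the multilogin branch now assigns
    ``flow.source`` (it used ``==``, a no-op comparison), and the debug
    ``print`` calls that wrote account names, e-mail addresses and ids to
    stdout are gone.
    """
    url = flow.url
    request = flow.requestContent
    response = flow.responseContent

    def record(kind, info):
        results.append(Result.Result(flow, kind, info))

    def form(field):
        return AppDefault.findFormEntry(request, field)

    # Weather lookup
    if 'www.google.com/tg/fe/request?rqt=58' in url:
        flow.source = 'Weather/News Update'

    elif 'https://www.googleapis.com/androidantiabuse/v1/x/create?' in url:
        flow.source = 'DroidGuard'
        for kind, marker in (('System Info: Bootloader', 'BOOTLOADER'),
                             ('System Info: Brand', 'BRAND'),
                             ('System Info: Model', 'MODEL'),
                             ('System Info: Serial Number', 'SERIAL')):
            record(kind, _droidGuardField(request, marker))

    elif url[:27] == 'https://play.googleapis.com':
        flow.source = 'Google Play Store'

    # Android Check-in
    elif url in ('https://android.googleapis.com/checkin',
                 'https://android.clients.google.com/checkin'):
        flow.source = 'Android Check-in'
        for flag, kind, info in _CHECKIN_FLAGS:
            if flag in response:
                # Flags are reported as '1: <flag>\n2: <value>\n'.
                value = response[response.find('1: ' + flag):]
                value = value[value.find('2:') + 3:]
                value = value[:value.find('\n')]
                if value == 'true':
                    record(kind, info)

    # Location pull
    elif 'https://www.googleapis.com/geolocation' in url:
        flow.source = 'Google APIs'
        for kind, marker in (('Location: Cell Towers', '"cellTowers": ['),
                             ('Location: WiFi Access Points',
                              '"wifiAccessPoints": [')):
            section = request[request.find(marker):]
            record(kind, section[:section.find(']') + 1])
        record('Location: Request Key', url[url.find('key=') + 4:])

    elif url.startswith('https://app-measurement.com'):
        flow.source = 'App Measurement'
        if url == 'https://app-measurement.com/a':
            cleaned = AppDefault.cleanEncoding(request)
            if 'app_launched' in cleaned:
                app = cleaned[cleaned.find('(1:') + 1:][:40]
                record('User Action: App Launched', appIds.get(app, app))
            if 'app_open' in cleaned:
                # Fixed-width window before ':android:', as in the original.
                app = cleaned[cleaned.find(':android:') - 14:][:39]
                record('System Info: App Open', appIds.get(app, app))
            if 'com.instructure.candroid' in request:
                if 'FindSchoolActivity' in request:
                    record('User Action: Canvas', 'School Search')
                if 'SignInActivity' in request:
                    record('User Action: Canvas', 'Sign In')

    elif url == 'https://android.googleapis.com/auth':
        flow.source = _LOGIN_SOURCES.get(form('app'), 'Google Login')
        for kind, field in _AUTH_FORM_FIELDS:
            record(kind, form(field))

    elif url.startswith(
            'https://www.googleapis.com/experimentsandconfigs/v1/getExperimentsAndConfigs'):
        flow.source = 'Experimental Features Config Sync'

    elif url.startswith('https://ssl.google-analytics.com'):
        flow.source = 'Google Analytics'
        if ('com.google.android.apps.contacts' in form('cd')
                and form('t') == 'screenview'):
            record('User Action', 'Viewing Contacts')
        elif form('utc') == 'Create reminder':
            record('User Action', 'Google Calendar Reminder Created')

    elif url == 'https://android.googleapis.com/auth/devicekey':
        flow.source = 'Google Mobile Services'
        record('System Info: Device Key', request)

    elif url == 'https://accounts.google.com/oauth/multilogin':
        flow.source = 'Google Account Login'
        accounts = response[response.find('"accounts":[') + 11:]
        accounts = accounts[:accounts.find('}]+2')]
        for account in accounts.split('},{'):
            # Offset len(marker) + 1 skips the opening quote of the value.
            for kind, marker in (('User Info: Name', '"display_name":'),
                                 ('User Info: Email Address', '"display_email":'),
                                 ('User Info: Account ID', '"obfuscated_id":')):
                value = account[account.find(marker) + len(marker) + 1:]
                record(kind, value[:value.find('"')])

    elif url == 'https://www.googleapis.com/cryptauth/v1/deviceSync/getmydevices':
        flow.source = 'Google Account Device Lookup'

    elif (url.startswith('https://www.google.com/m/voice-search/down?pair=')
          or url.startswith('https://www.google.com/m/voice-search/up?pair=')):
        flow.source = 'Google Assistant'
        record('System Info: Assistant Pair ID', form('pair'))

    elif url == 'https://www.google.com/tg/fe/request?rqt=98&bq=0':
        flow.source = 'Assistant Weather Card'
        place = AppDefault.cleanEncoding(response)
        place = place[place.find(' in ') + 4:]
        record('Location', place[:place.find('\\') - 1])

    elif url == 'https://www.google.com/loc/m/api':
        flow.source = 'Google Location API'
        record('Location', 'Location')

    elif url.startswith(
            'https://mobilenetworkscoring-pa.googleapis.com/v1/GetWifiQuality'):
        flow.source = 'WiFi Strength Query'
        record('System Info: WiFi Strength', 'Key: ' + url[url.find('key=') + 4:])

    elif url.startswith('https://firebaseremoteconfig.googleapis.com'):
        flow.source = 'Firebase'
        if '"packageName":' in request:
            app_name = request[request.find('"packageName":') + 16:]
            app_name = app_name[:app_name.find('"')]
            flow.source = flow.source + ' ' + app_name
            instance = request[request.find('"appInstanceId":') + 18:]
            record('Firebase ' + app_name + ' Instance ID',
                   instance[:instance.find('"')])


# Check-in flags: (flag text, result type, info when the flag is 'true').
_CHECKIN_FLAGS = (
    ('adwords:enable_primes_memory_monitoring',
     'System Status: Memory Monitoring', 'Android memory is being monitored'),
    ('adwords:enable_primes_network_monitoring',
     'System Status: Network Monitoring',
     'Android network activity is being monitored'),
    ('adwords:enable_primes_timing_monitoring',
     'System Status: Timing Monitoring', 'Android timing is being monitored'),
    ('adwords:enable_silent_feedback',
     'System Status: Silent Feedback', 'Silent feedback is enabled'),
)

# 'app' form field of an /auth request -> flow.source label.
_LOGIN_SOURCES = {
    'com.google.android.gms': 'Google Mobile Services Login',
    'com.google.android.gm': 'GMail Login',
    'com.google.android.googlequicksearchbox': 'Google Quick Search Login',
    'com.google.android.calendar': 'Google Calendar Login',
    'com.android.vending': 'Google Play Store Login',
    'com.google.android.contacts': 'Google Contacts Login',
    'com.google.android.apps.tachyon': 'Google Duo Login',
}

# (result type, form field) recorded for every /auth request, in this order.
_AUTH_FORM_FIELDS = (
    ('System Info: Android ID', 'androidId'),
    ('System Info: Country', 'device_country'),
    ('System Info: Language', 'lang'),
    ('User Info: Email Address', 'Email'),
    ('System Info: Android Client Signature', 'client_sig'),
    ('System Info: Google Mobile Services Token', 'Token'),
)


def _droidGuardField(content, marker):
    """Return the value that follows ``marker`` on its line of a DroidGuard body.

    The original sliced at hard-coded marker lengths; using ``len(marker)``
    and stripping after the slice means the Bootloader value no longer keeps
    a leading space that the other fields already dropped.
    """
    line = content[content.find(marker):]
    line = line[:line.find('\n')]
    line = AppDefault.cleanEncoding(line)
    return line[len(marker):].strip()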
def checkGetURL(flow, results):
    """Pull YouTube-app artefacts out of a GET ``flow`` and append them to ``results``.

    Two passes run over the flow. First, any URL containing ``youtube.com``
    is checked for the ``plid``, ``cos`` and video-id form fields of
    ``flow.requestContent``. Second, exactly one host-specific branch is
    chosen by URL prefix (ad-conversion ping, UPnP discovery, ``csi_204``,
    playback stats, ``gen_204``, search suggestions, ``player_204``) and its
    fields are recorded. Every artefact becomes one ``Result.Result``.

    Field values come from ``AppDefault.findFormEntry``, except the UPnP UUID
    and the suggestion list, which are cut out of the raw text by substring
    search; when the expected marker is absent those two yield an empty or
    truncated string instead of raising. ``flow.source`` is left untouched.
    Returns ``None``.
    """
    url = flow.url

    def emit(kind, value):
        results.append(Result.Result(flow, kind, value))

    def field(name):
        return AppDefault.findFormEntry(flow.requestContent, name)

    def has(token):
        return token in flow.requestContent

    if 'youtube.com' in url:
        if has('plid:'):
            emit('Youtube PLID', field('plid'))
        if has('cos:'):
            emit('System Info: OS', field('cos'))
        # Only the first of the three video-id spellings present is reported.
        for key in ('docid', 'video_id', 'content_v'):
            if has(key + ':'):
                emit('Youtube Video ID', field(key))
                break

    if url.startswith('https://www.googleadservices.com/pagead/conversion'):
        emit('System Info: Youtube App Version', field('appversion'))
        emit('System Info: Android Version', field('osversion'))
        emit('User Info: Youtube Screen Opened', field('data.screen_name'))
        emit('User Info: Ad ID', field('rdid'))

    elif 'upnphost/udhisapi.dll?content=uuid:' in url:
        # The UUID is taken from the request body (not the URL), up to the
        # first newline; a body without 'uuid:' yields a meaningless slice.
        tail = flow.requestContent[flow.requestContent.find('uuid:') + 5:]
        emit('User Info: Youtube UUID', tail[:tail.find('\n')])

    elif url.startswith('https://www.youtube.com/csi_204'):
        emit('User Action: Youtube', field('action'))
        emit('System Info: Brand', field('cbrand'))
        emit('System Info: Model', field('cmodel'))

    elif url.startswith('https://s.youtube.com/api/stats'):
        if has('state:'):
            emit('Youtube Video Status', field('state'))
        if has('referrer:'):
            emit('Youtube Video Referrer', field('referrer'))

    elif url.startswith('https://www.youtube.com/api/stats/ads'):
        emit('Youtube Ad Video', field('ad_v'))

    elif url.startswith('https://www.youtube.com/gen_204'):
        emit('Youtube Ad Video', field('ad_vid'))

    elif url.startswith('https://suggestqueries.google.com/complete/search'):
        query = field('q')
        emit('User Action: Search Query', query)
        # Suggestions are cut out of the raw (escaped) JSON text. With a
        # query present each entry follows an escaped '>' and is reported
        # prefixed with the query; with an empty query the 'youtube-android'
        # entries following an escaped '=' are taken instead.
        if len(query) > 0:
            for item in flow.responseContent.split('],['):
                text = item[item.find('\\\\u003e') + 7:]
                text = text[:text.find('\\\\')]
                if len(text) > 0:
                    emit('Youtube Search Suggestion', query + text)
        else:
            for item in flow.responseContent.split('}],['):
                text = item[item.find('youtube-android'):]
                text = text[text.find('\\\\u003d') + 7:]
                text = text[:text.find('\\\\')]
                if len(text) > 0:
                    emit('Youtube Search Suggestion', query + text)

    elif url.startswith('https://www.youtube.com/player_204'):
        if has('event:') and field('event') == 'iv':
            emit('User Action: Youtube', 'Opened Video Info')
def checkGetURL(flow, results):
    """Classify a LinkedIn GET ``flow`` and append extracted artefacts to ``results``.

    ``flow.source`` is set to ``'LinkedIn'`` for the three LinkedIn hosts and
    then refined by the first matching endpoint (feed update, profile view,
    search). Each branch records one or more ``Result.Result`` entries:
    search terms, viewed profile / job / group / conversation identifiers,
    typed post text, battery level and connection type, ad tracker id.
    Values are read either from the URL path (text after a fixed marker,
    cut at the next ``/`` or ``?``) or via ``AppDefault.findFormEntry`` on
    ``flow.requestContent``. Returns ``None``.
    """
    url = flow.url

    def emit(kind, value):
        results.append(Result.Result(flow, kind, value))

    def field(name):
        return AppDefault.findFormEntry(flow.requestContent, name)

    def path_after(marker, stop=None):
        # URL text following `marker` (from the first occurrence), optionally
        # cut at the first `stop` character.
        tail = url[url.find(marker) + len(marker):]
        return tail if stop is None else tail[:tail.find(stop)]

    hosts = ('https://www.linkedin.com', 'https://platform.linkedin.com',
             'https://dms.licdn.com')
    if url.startswith(hosts):
        flow.source = 'LinkedIn'

    voyager = 'https://www.linkedin.com/voyager/api/'

    if url.startswith(voyager + 'feed/updates'):
        flow.source = 'LinkedIn Feed Update'
        emit('System Info: Battery Level', field('battery'))
        emit('System Info: Connection Type', field('connectionType'))

    elif url.startswith(voyager + 'identity/profiles') and 'profileView' in url:
        flow.source = 'LinkedIn View Profile'
        emit('User Action: Viewed Profile ID', path_after('profiles/', '/'))

    elif url.startswith(voyager + 'typeahead/hits'):
        flow.source = 'LinkedIn Search'
        emit('User Action: LinkedIn Search', field('query'))

    elif url.startswith(voyager + 'messaging/typeahead/hits'):
        flow.source = 'LinkedIn Messages Search'
        emit('User Action: LinkedIn Messages Search', field('keyword'))

    elif url.startswith(voyager + 'search'):
        flow.source = 'LinkedIn Search'
        emit('User Action: Job Search Filter', field('filters'))
        emit('User Action: Job Search', field('keywords'))

    elif url.startswith(
            'https://www.linkedin.com/psettings/policy/notices?types=EDIT_FEED_ACTIVITY'):
        emit('User Action: LinkedIn', field('types'))

    elif url.startswith(voyager + 'feed/contentTopicData'):
        emit('User Action: Search Hashtag',
             path_after('contentTopicData/urn:li:hashtag:', '?'))

    elif url.startswith(voyager + 'groups/groups'):
        emit('User Action: View Group', path_after('groups/groups/'))

    elif url.startswith(voyager + 'messaging/mailboxUnreadCounts'):
        emit('User Action: LinkedIn', 'Opened Messages')

    elif url.startswith('https://www.linkedin.com/csp/simt'):
        emit('LinkedIn Ad Tracker ID', field('adTrk'))

    elif url.startswith(voyager + 'messaging/conversations'):
        if 'conversations?' in url:
            emit('User Action: LinkedIn', 'Viewed Conversations')
        else:
            ident = path_after('conversations/')
            slash, qmark = ident.find('/'), ident.find('?')
            # NOTE(review): without a '?' the '/' cut is skipped (qmark is
            # -1), so a sub-path with no query string is kept whole. Kept
            # as-is to preserve existing output; confirm whether intended.
            if slash > -1 and slash < qmark:
                ident = ident[:slash]
            elif qmark > -1:
                ident = ident[:qmark]
            emit('User Action: Viewed LinkedIn Conversation', ident)

    elif url.startswith(voyager + 'contentcreation/updateTargetings'):
        emit('User Action: Typed Post', field('commentary'))

    elif url.startswith(voyager + 'identity/notificationSegments'):
        emit('User Action: LinkedIn', 'Viewed Notification')

    elif url.startswith(voyager + 'jobs'):
        if url.startswith(voyager + 'jobs/jobPostings'):
            emit('User Action: Viewed Job', path_after('jobPostings/', '?'))
        else:
            emit('User Action: LinkedIn', 'Viewed Jobs')
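def checkPostURL(flow, results):
    """Extract Venmo-app artefacts from a POST ``flow`` into ``results``.

    ``flow.source`` becomes ``'Venmo'`` for any ``api.venmo.com`` URL and
    ``'Venmo Login'`` for the OAuth token and two-factor endpoints. One
    branch is then chosen by URL and each artefact is appended as a
    ``Result.Result``: login identifier and password (form fields of the
    request), the access token and ``id`` of the token response, device
    location / client / id / login time, the push device token, the
    uploaded contact list, the raw payment request, and story likes or
    comments.

    The login branch records the account password and the bearer token in
    plaintext, so callers must treat ``results`` as sensitive data. JSON
    values are cut out of the raw text at a fixed offset after the key
    (``"key": "value"`` spacing assumed); a missing key yields a
    meaningless slice rather than an error. Returns ``None``.
    """
    url = flow.url

    def emit(kind, value):
        results.append(Result.Result(flow, kind, value))

    def form(name):
        return AppDefault.findFormEntry(flow.requestContent, name)

    def response_after(key, offset, stop):
        # Response text starting `offset` chars after `key`, up to `stop`.
        tail = flow.responseContent[flow.responseContent.find(key) + offset:]
        return tail[:tail.find(stop)]

    if url.startswith('https://api.venmo.com'):
        flow.source = 'Venmo'

    if url == 'https://api.venmo.com/v1/oauth/access_token':
        flow.source = 'Venmo Login'

        # Both conditions were corrupted in the published listing; they are
        # the same "key:" presence test the other form-field branches use.
        if 'phone_email_or_username:' in flow.requestContent:
            emit('Venmo Username', form('phone_email_or_username'))

        if 'password:' in flow.requestContent:
            emit('Venmo Password', form('password'))

        if '"access_token":' in flow.responseContent:
            emit('Venmo Access Token',
                 response_after('"access_token":', 17, '"'))

        if '"id":' in flow.responseContent:
            # NOTE(review): this reads the first "id" field of the response
            # but is labelled as an access token — looks like a copy-paste
            # label. Kept unchanged so existing consumers of the type name
            # are not broken; confirm the intended label.
            emit('Venmo Access Token', response_after('"id":', 7, '"'))

    elif url == 'https://api.venmo.com/v1/account/two-factor/token':
        flow.source = 'Venmo Login'
        emit('User Action: 2FA Sent', form('via'))

    elif url == 'https://api.venmo.com/v1/users/devices':
        emit('User Info: Location', response_after('"location":', 13, '"'))
        emit('User Info: Venmo Client', response_after('"browser":', 12, '"'))
        emit('System Info: Venmo ID', response_after('"id":', 7, ','))
        emit('User Action: Venmo Device Login Time',
             response_after('"created_at":', 15, '"'))

    elif url == 'https://api.venmo.com/v1/device-tokens/android':
        emit('System Info: Venmo Token', form('device_token'))

    elif url == 'https://api.venmo.com/v1/contacts':
        contacts = AppDefault.findJSONListNonSpaced(flow.requestContent,
                                                    'contacts')
        # One result per contact object; the separator matches the 12-space
        # indentation of the pretty-printed body.
        for entry in contacts.split('            },\n            {'):
            emit('User Info: Contact', entry)

    elif url == 'https://api.venmo.com/v1/payments':
        # The whole request is kept: amount, note and recipient live in it.
        emit('User Action: Venmo Payment', flow.requestContent)

    elif url.startswith('https://api.venmo.com/v1/stories') and '/likes' in url:
        story = url[url.find('stories/') + 8:]
        emit('User Action: Liked Story', story[:story.find('/')])

    elif url.startswith('https://api.venmo.com/v1/stories') and '/comments' in url:
        story = url[url.find('stories/') + 8:]
        story = story[:story.find('/')]
        emit('User Action: Commented on Story',
             story + ': ' + form('message'))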
def checkPostURL(flow, results):
    """Extract Hulu-app artefacts from a POST ``flow`` into ``results``.

    ``flow.source`` is unconditionally set to ``'Hulu'``. One branch is then
    chosen by URL: the ``play.hulu.com/config`` device fields, the
    ``vortex.hulu.com`` telemetry event (a fixed list of JSON keys, each
    recorded only when its name occurs in the body), the ``auth.hulu.com``
    device-registration / password-login / profile-switch calls, and the
    ``asset_view_progress`` playback position. Each artefact becomes one
    ``Result.Result``.

    The password-login branch records the account e-mail and the plaintext
    password, so ``results`` must be treated as sensitive data by callers.
    Key presence is a plain substring test on the raw body (so ``'event'``
    also matches any longer key containing it). Returns ``None``.
    """
    flow.source = 'Hulu'
    url = flow.url

    def emit(kind, value):
        results.append(Result.Result(flow, kind, value))

    def form(name):
        return AppDefault.findFormEntry(flow.requestContent, name)

    def json_item(name):
        return AppDefault.findJSONItem(flow.requestContent, name)

    if url == 'https://play.hulu.com/config':
        emit('System Info: Hulu Device ID', form('device_id'))
        emit('System Info: Model', form('device_model'))

    elif url == 'https://vortex.hulu.com/api/v3/event':
        # (JSON key, result type), in reporting order.
        telemetry = (
            ('app_session_id', 'Hulu Session ID'),
            ('app_visit_count', 'User Action: Hulu Visit Count'),
            ('application_instance_id', 'System Info: Hulu App ID'),
            ('device_ad_id', 'Ad ID'),
            ('device_manufacturer', 'System Info: Brand'),
            ('device_model', 'System Info: Model'),
            ('device_os', 'System Info: OS Version'),
            ('manufacturer_device_id', 'System Info: Serial Number'),
            ('network_mode', 'System Info: Connection Type'),
            ('screen_resolution', 'System Info: Screen Size'),
            ('screen_orientation', 'System Info: Screen Orientation'),
            ('event', 'Hulu Event'),
        )
        for key, kind in telemetry:
            if key in flow.requestContent:
                emit(kind, json_item(key))

    elif url == 'https://auth.hulu.com/v1/device/code/register':
        emit('System Info: Serial Number', form('serial_number'))

    elif url == 'https://auth.hulu.com/v1/device/password/authenticate':
        emit('User Info: Email Address', form('user_email'))
        emit('User Info: Hulu Password', form('password'))
        emit('System Info: Serial Number', form('serial_number'))
        emit('System Info: Timezone', form('time_zone'))

    elif url == 'https://auth.hulu.com/v1/device/profiles/switch':
        emit('User Action: Profile Switch', form('profile_id'))

    elif url.startswith(
            'https://home.hulu.com/v1/users/self/profiles/self/asset_view_progress'):
        emit('User Action: Video Progress', json_item('position'))
def checkPostURL(flow, results):
    """Extract Reddit-app artefacts from a POST ``flow`` into ``results``.

    Branches by URL: the OAuth ``access_token`` response, Branch.io
    attribution calls (device identifiers, local IP, install timestamps,
    open / close / install events), GraphQL and mobile-config experiment
    data, client id and timezone for other ``gateway.reddit.com`` calls,
    the ``events.redditmedia.com`` telemetry batch, and the ``api/v1/login``
    form. ``flow.source`` is changed only for Branch.io (``'Branch.io'``).

    Values are cut out of the raw text at a fixed character offset after
    the JSON key (the offsets encode the spacing seen in captured bodies; a
    missing key yields a meaningless slice rather than an error). The
    access token and the login password are recorded in plaintext, so
    ``results`` must be handled as sensitive data. Returns ``None``.
    """
    url = flow.url

    def emit(kind, value):
        results.append(Result.Result(flow, kind, value))

    def cut(text, key, offset, stop):
        # Text starting `offset` chars after the first `key`, up to `stop`.
        tail = text[text.find(key) + offset:]
        return tail[:tail.find(stop)]

    if url == 'https://www.reddit.com/api/v1/access_token':
        tail = flow.responseContent[flow.responseContent.find('"access_token":') + 15:]
        tail = tail[tail.find('"') + 1:]
        emit('System Info: Access Token', tail[:tail.find('"')])

    elif url.startswith('https://api.branch.io/'):
        flow.source = 'Branch.io'
        content = flow.requestContent

        if url.endswith('open'):
            emit('User Action: App Opened', 'Reddit Opened')
        elif url.endswith('close'):
            emit('User Action: App Closed', 'Reddit Closed')

        brand = cut(content, '"brand":', 10, '"')
        model = cut(content, '"model":', 10, '"')
        emit('System Info: Model', brand + ' ' + model)
        emit('User Info: Ad ID', cut(content, '"google_advertising_id":', 26, '"'))
        emit('System Info: Hardware ID', cut(content, '"hardware_id":', 16, '"'))
        emit('System Info: Local IP Address', cut(content, '"local_ip":', 13, '"'))
        width = cut(content, '"screen_width":', 16, ',')
        height = cut(content, '"screen_height":', 17, ',')
        emit('System Info: Screen Size', width + ' x ' + height)
        emit('System Info: WiFi Connection Status', cut(content, '"wifi":', 8, '"'))
        emit('Branch.io Key', cut(content, '"branch_key":', 15, '"'))
        emit('System Info: First Install Time',
             cut(content, '"first_install_time":', 22, ','))
        emit('System Info: Latest Install Time',
             cut(content, '"latest_install_time":', 23, ','))
        emit('System Info: Latest Update Time',
             cut(content, '"latest_update_time":', 22, ','))

        # The open event is reported a second time here, with its identifiers.
        if url.endswith('open'):
            emit('User Action: Opened App', 'Reddit')
            emit('User info: Branch ID', cut(content, '"identity_id":', 16, '"'))
            emit('System Info: Device Fingerprint ID',
                 cut(content, '"device_fingerprint_id":', 26, '"'))
        elif url.endswith('install'):
            emit('User Action: Installed App', 'Reddit')

    elif url == 'https://gql.reddit.com/':
        if 'experimentVariants' in flow.responseContent:
            emit('Experimental Features Config',
                 AppDefault.findJSONListNonSpaced(flow.responseContent,
                                                  'experimentVariants'))

    elif url.startswith('https://gateway.reddit.com/redditmobile/1/android/config'):
        emit('Experimental Features Config',
             AppDefault.findFormEntry(flow.requestContent, 'experiments'))
        emit('Experimental Features Config',
             AppDefault.findJSONListNonSpaced(flow.responseContent, 'buckets'))

    elif url.startswith('https://gateway.reddit.com/redditmobile'):
        emit('Reddit Client ID',
             AppDefault.findFormEntry(flow.requestContent, 'client_id'))
        emit('System Info: Timezone',
             AppDefault.findFormEntry(flow.requestContent, 'tz_name'))

    elif url == 'https://events.redditmedia.com/v1':
        body = flow.requestContent
        # NOTE(review): offset 14 leaves only one char after '"event_type":',
        # so this only matches the launch event when the body is compact
        # ('"event_type":"cs...'); with a space before the value the slice
        # is empty. Preserved as-is; verify against a captured body.
        event = cut(body, '"event_type":', 14, '"')
        stamp = cut(body, '"event_ts":', 11, ',')
        if event == 'cs.app_launch_android':
            emit('User Action: Reddit Opened', 'Reddit Opened @ ' + stamp)
        else:
            emit('Reddit Activity & Info Dump', body)

    elif url == 'https://www.reddit.com/api/v1/login':
        if 'passwd:' in flow.requestContent:
            user = AppDefault.findFormEntry(flow.requestContent, 'user')
            emit('User Action: Reddit Login', 'Logged in as ' + user)
            emit('User Info: Password',
                 AppDefault.findFormEntry(flow.requestContent, 'passwd'))
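def checkPostURL(flow, results):
    """Extract RocketChat artefacts from a POST ``flow`` into ``results``.

    ``flow.source`` is unconditionally set to ``'RocketChat'``. One branch
    is chosen by exact URL (prefix for ``chat.search``) against the
    ``open.rocket.chat`` API: registration and login fields, the GCM push
    token, the created channel name, sent message text, search text, and
    the account-deletion / logout actions. Each artefact is appended as a
    ``Result.Result``.

    Registration and login record the plaintext password, so ``results``
    must be handled as sensitive data. The channel name and message text
    are cut out of the raw JSON at a fixed offset after the key
    (``"key": "value"`` spacing assumed) up to the next double quote; a
    missing key yields a meaningless slice rather than an error.
    Returns ``None``.
    """
    flow.source = 'RocketChat'
    url = flow.url

    def emit(kind, value):
        results.append(Result.Result(flow, kind, value))

    def json_item(name):
        return AppDefault.findJSONItem(flow.requestContent, name)

    def quoted(key, offset):
        # Request text starting `offset` chars after the first `key`, up to
        # the closing double quote.
        tail = flow.requestContent[flow.requestContent.find(key) + offset:]
        return tail[:tail.find('"')]

    if url == 'https://open.rocket.chat/api/v1/users.register':
        emit('User Info: Email Address', json_item('email'))
        emit('User Info: RocketChat Name', json_item('name'))
        emit('User Info: RocketChat Password', json_item('pass'))
        emit('User Info: RocketChat Username', json_item('username'))

    elif url == 'https://open.rocket.chat/api/v1/login':
        emit('User Info: RocketChat Password', json_item('pass'))
        emit('User Info: RocketChat Username', json_item('username'))

    elif url == 'https://open.rocket.chat/api/v1/push.token':
        emit('RocketChat GCM Token', json_item('value'))

    elif url == 'https://open.rocket.chat/api/v1/channels.create':
        # Fixed: the original sliced with the string itself (`info[:info]`),
        # which raises TypeError; cut at the closing quote like sendMessage.
        emit('User Action: Create Channel', quoted('"name":', 9))

    elif url == 'https://open.rocket.chat/api/v1/chat.sendMessage':
        emit('User Action: Send Message', quoted('"msg":', 8))

    elif url.startswith('https://open.rocket.chat/api/v1/chat.search'):
        emit('User Action: Chat Search',
             AppDefault.findFormEntry(flow.requestContent, 'searchText'))

    elif url == 'https://open.rocket.chat/api/v1/users.deleteOwnAccount':
        emit('User Action: Delete Account', 'Deleted RocketChat Account')

    elif url == 'https://open.rocket.chat/api/v1/logout':
        emit('User Action: Logout', 'Logged Out')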
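def checkGetURL(flow, results):
    """Classify a captured Canvas (Instructure) GET request.

    Marks ``flow.source`` as ``'Canvas'`` and matches ``flow.url`` against the
    endpoints the Canvas mobile client is seen calling.  Every match appends a
    ``Result.Result(flow, label, info)`` to ``results``; a URL that matches
    nothing only gets the source tag.

    Args:
        flow: captured exchange; reads ``url``, ``requestContent`` and
            ``responseContent``, writes ``source``.
        results: list the new ``Result.Result`` objects are appended to.

    Returns:
        None; findings are delivered through ``results``.

    Security note: the ``mobile_verify.json`` branch copies the Canvas API key,
    client ID and client secret out of the response in clear text, so the
    ``results`` list itself becomes sensitive material and must be stored and
    shared accordingly.
    """
    flow.source = 'Canvas'
    url = flow.url

    def add(label, info):
        results.append(Result.Result(flow, label, info))

    def segment(marker, stop=None):
        # Path text after the first *marker*, cut at the first *stop*.
        # str.partition is used instead of ``s[:s.find(stop)]`` because
        # find() returns -1 when *stop* is absent, which silently dropped the
        # last character of an id that was not followed by '/' or '?'.
        rest = url.partition(marker)[2]
        return rest.partition(stop)[0] if stop else rest

    if url.startswith('https://canvas.instructure.com//api/v1/accounts/search'):
        # NOTE(review): the doubled slash is carried over from the original
        # matcher; confirm against a capture before changing it.
        add('User Action: School Search',
            AppDefault.findFormEntry(flow.requestContent, 'search_term'))

    elif url.startswith('https://canvas.instructure.com/api/v1/mobile_verify.json'):
        # OAuth client material handed to the app in the clear (see note above).
        for label, key in (('System Info: Canvas API Key', 'api_key'),
                           ('System Info: Canvas Client ID', 'client_id'),
                           ('System Info: Canvas Client Secret', 'client_secret')):
            add(label, AppDefault.findJSONItem(flow.responseContent, key))

    elif url.startswith('https://champlain.instructure.com/login/oauth2/auth'):
        add('System Info: Canvas Client ID',
            AppDefault.findFormEntry(flow.requestContent, 'client_id'))

    elif url.startswith('https://champlain.instructure.com/api/v1/courses'):
        course = segment('courses/', '/')
        if 'front_page' in url:
            add('User Action: View Course Front Page', course)
        elif 'announcements' in url:
            add('User Action: View Course Announcements', course)
        elif 'discussion_topics' in url and 'view' in url:
            add('User Action: View Discussion Topic',
                segment('discussion_topics/', '/'))
        elif 'modules' in url:
            add('User Action: View Course Modules', course)
            if '/items' in url:
                add('User Action: View Module', segment('modules/', '/'))
        elif 'pages/' in url:
            add('User Action: View Course Page', segment('pages/'))
        elif 'assignments' in url:
            if 'submissions' in url:
                add('User Action: View Assignment Submission',
                    segment('submissions/', '?'))
            else:
                add('User Action: View Assignment', segment('assignments/', '?'))
        elif 'users' in url:
            if 'users/' in url:
                # Display name is pulled from the JSON body by text search;
                # lstrip tolerates both '"name": "x"' and '"name":"x"'.
                name = flow.responseContent.partition('"name":')[2].lstrip(' "')
                add('User Action: View Canvas User',
                    segment('users/', '?') + ': ' + name.partition('"')[0])
            else:
                add('User Action: View Course People', course)

    elif url.startswith('https://champlain.instructure.com/api/v1/calendar_events'):
        # NOTE(review): date bounds are read from requestContent although this
        # is a GET; whether findFormEntry sees the query string depends on its
        # contract in AppDefault -- verify against a capture.
        add('User Action: View Calendar',
            AppDefault.findFormEntry(flow.requestContent, 'start_date') + ' - '
            + AppDefault.findFormEntry(flow.requestContent, 'end_date'))
        if 'context_codes[]=course_' in url:
            # [7:] strips the 'course_' prefix from the context code.
            add('User Action: Course Calendar Viewed',
                AppDefault.findFormEntry(flow.requestContent, 'context_codes[]')[7:])

    elif url.startswith('https://champlain.instructure.com/api/v1/users/self/todo'):
        add("User Action: View To-Do's", "Viewed To Do's")

    elif url.startswith('https://champlain.instructure.com/api/v1/users/self/activity_stream'):
        add('User Action: View Notifications', 'Viewed Notifications')

    elif url.startswith('https://champlain.instructure.com/api/v1/conversations'):
        if 'conversations/?' not in url and 'unread_count' not in url:
            add('User Action: Viewed Message', segment('conversations/', '?'))
        else:
            add('User Action: Viewed Inbox', 'Viewed Inbox')

    elif url.startswith('https://champlain.instructure.com/api/v1/users/self/folders'):
        add('User Action: Viewed Files', segment('folders/'))

    elif url.startswith('https://champlain.instructure.com/api/v1/folders'):
        add('User Action: Viewed Folder', segment('folders/', '/'))

    elif url.startswith('https://champlain.instructure.com/files'):
        add('User Action: Viewed File', segment('files/', '/'))

    elif (url.startswith('https://champlain.instructure.com/api/v1/users')
          and 'files?search_term=' in url):
        add('User Action: Search Files',
            AppDefault.findFormEntry(flow.requestContent, 'search_term'))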
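def checkPostURL(flow, results):
    """Classify a captured Discord POST request.

    Matches ``flow.url`` against the Discord v6 API endpoints the client is
    seen calling and appends one ``Result.Result(flow, label, info)`` per
    finding; some branches also retag ``flow.source``.  Unmatched URLs leave
    both ``flow`` and ``results`` untouched.

    Args:
        flow: captured exchange; reads ``url``, ``requestContent`` and
            ``responseContent``, may write ``source``.
        results: list the new ``Result.Result`` objects are appended to.

    Returns:
        None; findings are delivered through ``results``.

    Security note: the ``auth/login`` branch records the account e-mail and
    the clear-text password, so ``results`` must be handled as secret data.
    """
    url = flow.url

    def add(label, info):
        results.append(Result.Result(flow, label, info))

    def pathId(marker, stop):
        # Id between *marker* and *stop* in the URL path.  partition() keeps
        # the whole remainder when *stop* is absent, whereas the former
        # ``s[:s.find(stop)]`` sliced to -1 and lost the last character.
        return url.partition(marker)[2].partition(stop)[0]

    if url == 'https://discordapp.com/api/v6/track':
        # Event records are split on the pretty-printed separator seen in the
        # capture (a '},' followed by a newline and 12 spaces before '{');
        # a differently formatted body yields one oversized record, not a crash.
        events = flow.requestContent.partition('"events": [')[2]
        for event in events.split('},\n            {'):
            add('User Action: Discord', event)

    elif url == 'https://discordapp.com/api/v6/auth/login':
        # NOTE(review): keys are passed to findJSONItem with surrounding
        # quotes here, unlike the bare keys used elsewhere in this project;
        # kept as found -- confirm which form findJSONItem expects.
        add('User Info: Discord Username',
            AppDefault.findJSONItem(flow.requestContent, '"email"'))
        add('User Info: Discord Password',
            AppDefault.findJSONItem(flow.requestContent, '"password"'))

    elif url == 'https://discordapp.com/api/v6/users/@me/relationships':
        add('User Action: Discord User Search',
            AppDefault.findJSONItem(flow.requestContent, '"username"') + '#'
            + AppDefault.findJSONItem(flow.requestContent, '"discriminator"'))

    elif url == 'https://discordapp.com/api/v6/guilds':
        add('User Action: Create Discord Channel',
            AppDefault.findJSONItem(flow.requestContent, '"name"'))

    elif url.startswith('https://discordapp.com/api/v6/guilds') and 'delete' in url:
        flow.source = 'Discord Server Delete'
        add('Discord Channel', pathId('guilds/', '/delete'))

    elif url.startswith('https://discordapp.com/api/v6/channels') and 'typing' in url:
        flow.source = 'Discord Message Typing'
        add('Discord Channel', pathId('channels/', '/typing'))

    elif url.startswith('https://discordapp.com/api/v6/channels') and 'messages' in url:
        flow.source = 'Discord Message Sent'
        add('Discord Channel', pathId('channels/', '/messages'))
        if 'content:' in flow.requestContent:
            add('Message', AppDefault.findFormEntry(flow.requestContent, 'content'))

    elif url.startswith('https://discordapp.com/api/v6/invite'):
        flow.source = 'Discord Server Invite'
        # Guild id is text-searched inside the "guild" object of the response;
        # lstrip tolerates both '"id": "x"' and '"id":"x"'.  The former
        # fixed-offset slice assumed the spaced form and returned an arbitrary
        # tail of the body when the key was missing.
        guild = flow.responseContent.partition('"guild"')[2]
        add('Discord Channel',
            guild.partition('"id":')[2].lstrip(' "').partition('"')[0])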
def checkPostURL(flow, results):
    """Record the Spotify installation id from remote-config-resolver POSTs.

    Only URLs beginning with the remote-config-resolver endpoint produce a
    finding; every other flow is ignored and neither ``flow`` nor ``results``
    is modified.

    Args:
        flow: captured exchange; reads ``url`` and ``requestContent``.
        results: list a ``Result.Result`` is appended to on a match.

    Returns:
        None.
    """
    endpoint = 'https://spclient.wg.spotify.com/remote-config-resolver'
    if not flow.url.startswith(endpoint):
        return
    installId = AppDefault.findFormEntry(flow.requestContent, 'installation_id')
    results.append(Result.Result(flow, 'System Info: Spotify Installation ID', installId))
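def checkGetURL(flow, results):
    """Classify a captured Hulu GET request (and its ad/analytics beacons).

    Tags ``flow.source`` as ``'Hulu'`` and appends one
    ``Result.Result(flow, label, info)`` per finding.  Unmatched URLs only
    get the source tag.

    Args:
        flow: captured exchange; reads ``url`` and ``requestContent``,
            writes ``source``.
        results: list new ``Result.Result`` objects are appended to.

    Returns:
        None; findings go through ``results``.

    Security note: the ``users/self`` branch records the Hulu user token in
    the clear; treat ``results`` as sensitive.
    """
    flow.source = 'Hulu'
    url = flow.url
    body = flow.requestContent

    def add(label, info):
        results.append(Result.Result(flow, label, info))

    def pathId(marker, stop):
        # partition() keeps the whole remainder when *stop* is missing;
        # the former ``s[:s.find(stop)]`` sliced to -1 and dropped the last
        # character of ids that had no trailing '/' or '?'.
        return url.partition(marker)[2].partition(stop)[0]

    def formEntries(pairs):
        # Record each (label, key) whose key appears in the request body.
        for label, key in pairs:
            if key in body:
                add(label, AppDefault.findFormEntry(body, key))

    if url.startswith('https://home.hulu.com/v1/users/self'):
        add('User Action: Hulu', AppDefault.findFormEntry(body, 'action'))
        add('User Info: Hulu Token', AppDefault.findFormEntry(body, 'user_token'))

    elif url.startswith('https://discover.hulu.com/content/v4/hubs/series'):
        add('User Action: Viewed Series', pathId('series/', '/'))
        if 'season/' in url:
            add('User Action: Viewed Season', pathId('season/', '?'))

    elif url.startswith('https://discover.hulu.com/content/v4/search'):
        add('User Action: Hulu Search', AppDefault.findFormEntry(body, 'search_query'))

    elif url.startswith('https://discover.hulu.com/content/v4/hubs'):
        add('User Action: Viewed Hub', pathId('hubs/', '?'))

    elif url.startswith('https://hulu.hb.omtrdc.net'):
        formEntries((('Hulu Event', 's:event:type'),
                     ('User Action: Hulu Asset Name', 's:asset:name'),
                     ('User Action: Hulu Show', 's:meta:a.media.show')))

    elif url.startswith('https://manifest.hulustream.com/dash'):
        formEntries((('User Info: Hulu User ID', 'user_id'),))

    elif url.startswith(('https://ag.innovid.com', 'https://s.innovid.com')):
        add('Innovid Client ID', AppDefault.findFormEntry(body, 'client_id'))
        add('Innovid Video ID', AppDefault.findFormEntry(body, 'video_id'))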
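def checkGetURL(flow, results):
    """Classify a captured Spotify GET request.

    Matches ``flow.url`` against the Spotify client endpoints and CDN hosts
    seen in captures; some branches only retag ``flow.source``, the rest
    append ``Result.Result(flow, label, info)`` findings.  Unmatched URLs
    change nothing.

    Args:
        flow: captured exchange; reads ``url``, ``requestContent`` and
            ``requestHeaders``, may write ``source``.
        results: list new ``Result.Result`` objects are appended to.

    Returns:
        None; findings go through ``results``.
    """
    url = flow.url

    def add(label, info):
        results.append(Result.Result(flow, label, info))

    def pathId(marker, stop):
        # partition() keeps the whole remainder when *stop* is missing;
        # ``s[:s.find(stop)]`` sliced to -1 and dropped the last character
        # of file ids that were not followed by a query string.
        return url.partition(marker)[2].partition(stop)[0]

    def searchTerm(marker):
        # Search text is in the path; undo the URL encoding for display.
        return AppDefault.fixUrlEncoding(pathId(marker, '?'))

    spclient = 'https://spclient.wg.spotify.com/'

    if url.startswith(spclient + 'v1/pses/featureflags'):
        flow.source = 'Spotify Features Sync'

    elif url.startswith(spclient + 'abba-service/v1/resolve'):
        flow.source = 'Spotify Features Sync'

    elif url.startswith(spclient + 'ads/v2/config'):
        # The session id rides in a custom JSON header; a request without it
        # used to raise KeyError and abort the whole analysis.  lstrip accepts
        # both '"session_id":"x"' and '"session_id": "x"'.
        if 'vnd.spotify.ads-payload' in flow.requestHeaders:
            payload = flow.requestHeaders['vnd.spotify.ads-payload']
            session = payload.partition('"session_id":')[2].lstrip(' "')
            add('Spotify Session ID', session.partition('"')[0])

    elif url.startswith(spclient + 'storage-resolve/files/audio/interactive/'):
        add('User Action: Song Opened', pathId('audio/interactive/', '?'))

    elif url.startswith(spclient + 'storage-resolve/files/audio/interactive_prefetch'):
        add('User Action: Song Opened', pathId('interactive_prefetch/', '?'))

    elif url.startswith('https://audio-sp-dca.pscdn.co/audio'):
        add('User Action: Song Opened', pathId('audio/', '?'))

    elif url.startswith('https://audio4-ak-spotify-com.akamaized.net/audio'):
        add('User Action: Song Opened', pathId('audio/', '?'))

    elif url.startswith(spclient + 'searchview/android/v4/assisted-curation'):
        add('User Info: Spotify Username',
            AppDefault.findFormEntry(flow.requestContent, 'username'))
        add('User Action: Spotify Search', searchTerm('assisted-curation/'))

    elif url.startswith(spclient + 'searchview/android/v4/search'):
        add('User Info: Spotify Username',
            AppDefault.findFormEntry(flow.requestContent, 'username'))
        add('User Action: Spotify Search', searchTerm('search/'))

    elif url.startswith(spclient + 'quicksilver/v2/cards'):
        if 'trigger:' in flow.requestContent:
            add('User Action: Click',
                AppDefault.findFormEntry(flow.requestContent, 'trigger'))

    elif 'megaphone.fm' in url:
        add('User Action: Podcast Opened', pathId('megaphone.fm/', '.mp3'))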
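def checkPostURL(flow, results):
    """Classify a captured Slack POST request (and its Bugsnag telemetry).

    Any ``https://slack.com/api`` URL is tagged ``flow.source = 'Slack'`` and
    scanned for API/push tokens; the URL is then matched against individual
    endpoints, each appending ``Result.Result(flow, label, info)`` findings.
    Unmatched URLs change nothing.

    Args:
        flow: captured exchange; reads ``url``, ``requestContent``,
            ``responseContent`` and ``requestHeaders``, may write ``source``.
        results: list new ``Result.Result`` objects are appended to.

    Returns:
        None; findings go through ``results``.

    Security note: the ``auth.signin`` branch records the clear-text password
    and the issued Slack token, and the generic branch records any form token
    longer than 25 characters; ``results`` must be stored as secret data.
    """
    url = flow.url
    body = flow.requestContent

    def add(label, info):
        results.append(Result.Result(flow, label, info))

    def sessionItem(key):
        # Value of *key* inside the 'sessions' group of the Bugsnag body.
        return AppDefault.findJSONItem(AppDefault.findJSONGroup(body, 'sessions'), key)

    if url.startswith('https://slack.com/api'):
        flow.source = 'Slack'
        # The length threshold is the only heuristic separating a real token
        # from an empty or placeholder form value.
        for label, key in (('Slack Token', 'token'), ('Slack Push Token', 'push_token')):
            value = AppDefault.findFormEntry(body, key)
            if len(value) > 25:
                add(label, value)

    if url == 'https://slack.com/api/experiments.getByVisitor':
        add('System Info: Slack Experiments', flow.responseContent)

    elif url == 'https://sessions.bugsnag.com/':
        if 'Bugsnag-Api-Key' in flow.requestHeaders:
            add('Bugsnag API Key', flow.requestHeaders['Bugsnag-Api-Key'])

        if AppDefault.findJSONItem(body, 'packageName') == 'com.Slack':
            flow.source = 'Slack Bugsnag'
            add('Current Slack Screen', AppDefault.findJSONItem(body, 'activeScreen'))
            add('Slack Foreground Status', AppDefault.findJSONItem(body, 'inForeground'))
            add('Slack Session ID', sessionItem('id'))
            add('User Info: Slack User ID',
                AppDefault.findJSONItem(
                    AppDefault.findJSONGroup(AppDefault.findJSONGroup(body, 'sessions'), 'user'),
                    'id'))
            add('Session Start Time', sessionItem('startedAt') + ' UTC')
            add('System Info: Model',
                AppDefault.findJSONItem(body, 'manufacturer') + ' '
                + AppDefault.findJSONItem(body, 'model'))
            add('System Info: OS Version',
                AppDefault.findJSONItem(body, 'osName') + ' '
                + AppDefault.findJSONItem(body, 'osVersion'))

    elif url == 'https://slack.com/api/auth.findTeam':
        add('User Action: Domain Lookup', AppDefault.findFormEntry(body, 'domain'))

    elif url == 'https://slack.com/api/auth.findUser':
        add('User Action: Login', AppDefault.findFormEntry(body, 'email'))
        add('User Info: Slack User ID', AppDefault.findJSONItem(flow.responseContent, 'user_id'))

    elif url == 'https://slack.com/api/auth.signin':
        add('User Info: Password', AppDefault.findFormEntry(body, 'password'))
        add('User Info: Slack User ID', AppDefault.findJSONItem(flow.responseContent, 'user'))
        add('User Info: Team ID', AppDefault.findFormEntry(body, 'team'))
        add('Slack Token', AppDefault.findJSONItem(flow.responseContent, 'token'))
        add('User Info: Email', AppDefault.findJSONItem(flow.responseContent, 'user_email'))

    elif url == 'https://slack.com/api/users.counts':
        # [2:] skips the first two characters of the list text (presumably
        # the '[{' opener -- confirm against findJSONListNonSpaced) before
        # splitting the remaining objects on their '},' boundaries.
        channels = AppDefault.findJSONListNonSpaced(flow.responseContent, 'channels')[2:]
        for channel in channels.split('},'):
            add('Slack Channel Info', channel)

    elif url == 'https://slack.com/api/conversations.history':
        add('Channel Messages Sync Channel', AppDefault.findFormEntry(body, 'channel'))

    elif url == 'https://slack.com/beacon/track/':
        # The beacon payload is base64 text supplied by the captured client.
        # A malformed or non-UTF-8 blob used to raise and abort the whole
        # analysis; it is now recorded verbatim instead of decoded.
        raw = AppDefault.findFormEntry(body, 'data')
        try:
            decoded = base64.b64decode(raw).decode('UTF-8')
        except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
            decoded = raw
        add('System Info: Performance Tracking', decoded)

    elif url == 'https://slack.com/api/chat.postMessage':
        add('User Action: Send Message',
            'Message "' + AppDefault.findFormEntry(body, 'text')
            + '" sent to channel ' + AppDefault.findFormEntry(body, 'channel'))

    elif url == 'https://slack.com/api/conversations.mark':
        add('User Action: Viewed Channel',
            'Viewed channel ' + AppDefault.findFormEntry(body, 'channel')
            + ' at ' + AppDefault.findFormEntry(body, 'ts'))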
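def checkGetURL(flow, results):
    """Classify a captured Venmo GET request.

    Matches ``flow.url`` against the Venmo v1 API endpoints seen in captures;
    some branches only retag ``flow.source``, the rest append
    ``Result.Result(flow, label, info)`` findings.  Unmatched URLs change
    nothing.

    Args:
        flow: captured exchange; reads ``url``, ``requestContent`` and
            ``responseContent``, may write ``source``.
        results: list new ``Result.Result`` objects are appended to.

    Returns:
        None; findings go through ``results``.

    Security note: the ``/v1/account`` branch records the account holder's
    phone number and e-mail, and the two-factor branch the enrolled device
    list; ``results`` carries personal data and must be handled as such.
    """
    url = flow.url
    body = flow.responseContent

    def add(label, info):
        results.append(Result.Result(flow, label, info))

    def jsonString(key):
        # First string value of *key* in the response, found by text search.
        # lstrip tolerates both '"key": "v"' and '"key":"v"'; the former
        # fixed-offset slice assumed the spaced form and, when the key was
        # absent, returned an arbitrary tail of the body.
        return body.partition('"' + key + '":')[2].lstrip(' "').partition('"')[0]

    if url.startswith('https://api.venmo.com/v1/stories/target-or-actor'):
        flow.source = 'Venmo Stories Sync'

    elif url.startswith('https://api.venmo.com/v1/stories') and 'target-or-actor' not in url:
        add('User Action: Viewed Story', url.partition('stories/')[2])

    elif url == 'https://api.venmo.com/v1/account/two-factor/token':
        flow.source = 'Venmo Login'
        add('User Info: 2FA Device', AppDefault.findJSONListNonSpaced(body, 'devices'))

    elif url == 'https://api.venmo.com/v1/account':
        flow.source = 'Venmo Account Sync'
        for label, key in (('User Info: Venmo ID', 'id'),
                           ('User Info: Venmo Account Creation Time', 'date_joined'),
                           ('System Info: Phone Number', 'phone'),
                           ('User Info: Email Address', 'email'),
                           ('User Info: Venmo Zendesk ID', 'zendesk_identifier')):
            add(label, jsonString(key))

    elif url.startswith('https://api.venmo.com/v1/notifications'):
        add('User Action: Venmo', 'Checked Notifications')

    elif url.startswith('https://api.venmo.com/v1/users?query='):
        add('User Action: Venmo Search', AppDefault.findFormEntry(flow.requestContent, 'query'))

    elif url.startswith('https://api.venmo.com/v1/users') and '/friends' not in url:
        add('User Action: Viewed Profile', jsonString('display_name'))

    elif url.startswith('https://api.venmo.com/v1/users') and '/friends' in url:
        # User id sits between '/users/' and the next '/'; partition keeps the
        # whole remainder if no '/' follows rather than dropping a character.
        add('User Action: Viewed Friends of Profile',
            url.partition('/users/')[2].partition('/')[0])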
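def checkGetURL(flow, results):
    """Classify a captured GET request from the Android system / Google services.

    Matches ``flow.url`` against connectivity checks, GMS sync endpoints,
    analytics and Play Store hosts; most branches only retag ``flow.source``,
    a few append ``Result.Result(flow, label, info)`` findings.  Unmatched
    URLs change nothing.  A second, unreachable test for
    ``www.google.com/complete/search`` that followed the Play Store branches
    has been dropped; the earlier substring match already claims those URLs.

    Args:
        flow: captured exchange; reads ``url`` and ``requestContent``,
            may write ``source``.
        results: list new ``Result.Result`` objects are appended to.

    Returns:
        None; findings go through ``results``.

    Security note: the ``userlocation/v1/reports`` branch copies the whole
    request body (the device's location report) into ``results``.
    """
    url = flow.url
    body = flow.requestContent

    def add(label, info):
        results.append(Result.Result(flow, label, info))

    def bodyField(marker, stop):
        # Text between *marker* and *stop* in the request body.  partition()
        # keeps the remainder when *stop* is missing; the former
        # ``s[:s.find(stop)]`` sliced to -1 and dropped the last character
        # (e.g. of a body with no trailing newline).
        return body.partition(marker)[2].partition(stop)[0]

    # WiFi connectivity check
    if url in ('http://connectivitycheck.gstatic.com/generate_204',
               'https://connectivitycheck.gstatic.com/generate_204'):
        flow.source = 'WiFi Connection'
        add('System Status', 'WiFi connection active')

    # Google ping
    elif url in ('https://www.google.com/generate_204', 'http://www.google.com/gen_204'):
        flow.source = 'Google service ping'

    elif 'https://android.clients.google.com/gsync' in url:
        flow.source = 'Google Account Data Sync'
        add('System Info: GCM ID', bodyField('gcm://?regId=', '&androidId='))
        add('System Info: Android ID', bodyField('&androidId=', '\n'))

    elif 'preloads?doc=android.autoinstalls.config.' in url:
        flow.source = 'App Preloader'
        add('System Info: Build', bodyField('build_fingerprint:', '\n').strip())

    elif 'https://www.google.com/complete/search' in url:
        flow.source = 'Google Search History Sync'

    elif url.startswith('https://app-measurement.com'):
        flow.source = 'App Measurement'
        # Package id sits between 'app/' and the query string; map it to a
        # friendly name when the module-level appIds table knows it.
        appId = AppDefault.fixUrlEncoding(url.partition('app/')[2].partition('?')[0])
        if appId in appIds:
            appId = appIds[appId]
        add('System Info: Application', appId)
        add('System Info: App Instance ID', bodyField('app_instance_id:', '\n').strip())

    elif url.startswith('https://www.googleapis.com/userlocation/v1/settings'):
        flow.source = 'Android Location Settings Sync'
        add('System Info: Model',
            AppDefault.findFormEntry(body, 'brand') + ' '
            + AppDefault.findFormEntry(body, 'model'))
        add('System Info: Build', AppDefault.findFormEntry(body, 'platform'))

    elif url.startswith('https://www.googleapis.com/userlocation/v1/reports'):
        flow.source = 'Location Report'
        add('Location Info', body)

    elif url.startswith('https://play.googleapis.com'):
        flow.source = 'Google Play Store'

    elif url.startswith('https://g.tenor.com/v1/categories?key='):
        flow.source = 'Tenor GIF Keyboard'

    elif url.startswith('https://playatoms-pa.googleapis.com/v1/archiveDownload'):
        flow.source = 'Google Play Store Download'

    elif url == 'https://clients3.google.com/generate_204':
        flow.source = 'Google Connectivity Check'

    elif url.startswith('https://www.googleapis.com/plus/v2whitelisted/people/me'):
        flow.source = 'Google Friends Lookup'

    elif url.startswith('https://www.gstatic.com/android/keyboard'):
        flow.source = 'Android Keyboard'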
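# Textual separators of the pretty-printed JSON bodies LinkedIn sends; the
# bodies are sliced on indentation-sensitive strings rather than parsed.
_LINKEDIN_EVENT_SEP = '        {\n            "eventBody":'
_LINKEDIN_STATS_SEP = '                    },\n                    {'
_LINKEDIN_CONTACT_SEP = '            },\n            {'


def _up_to(text, sep):
    """Return *text* truncated before the first *sep*, or unchanged if *sep* is absent.

    Replaces the ``text[:text.find(sep)]`` idiom, which silently drops the
    last character when ``find`` returns -1.
    """
    cut = text.find(sep)
    return text if cut == -1 else text[:cut]


def _json_string_value(content, key):
    """Return the string value of the first ``"key": "value"`` pair found in *content*.

    *content* is searched textually (it is the captured body, which may be
    truncated or not well-formed JSON).  Whitespace between the colon and the
    opening quote is skipped, so the result no longer depends on the exact
    ``: "`` spacing the hard-coded offsets assumed.

    Returns '' when the key is absent or its value is not a quoted string.
    """
    marker = '"' + key + '":'
    start = content.find(marker)
    if start == -1:
        return ''
    rest = content[start + len(marker):].lstrip()
    if not rest.startswith('"'):
        return ''  # number, object or null: nothing to extract
    return _up_to(rest[1:], '"')


def _bare_token(raw):
    """Strip list brackets, whitespace and quotes from one JSON list element.

    Equivalent to the hand-rolled ``info[1:len(info) - 1]`` slicing for the
    ``[ "token" ]`` shape, but also correct for the first and last element of
    a comma-split list, which still carry the ``[`` / ``]``.
    """
    return raw.strip().strip('[]').strip().strip('"')


def _linkedin_client_events(content):
    """Yield each ``"eventBody"`` block of a LinkedIn /li/track batch, in order.

    Each block runs from its ``"eventBody":`` up to the start of the next
    event (delimited by _LINKEDIN_EVENT_SEP), or to the end of the body for
    the last one.
    """
    marker = '"eventBody":'
    body = content
    while body.find(marker) > -1:
        body = body[body.find(marker):]
        yield _up_to(body, _LINKEDIN_EVENT_SEP)
        # Step past the current marker so the next search finds the next event.
        body = body[len(marker):]


def checkPostURL(flow, results):
    """Attribute a captured POST to a LinkedIn feature and record what it carries.

    Args:
        flow: captured HTTP exchange.  Reads ``flow.url`` and
            ``flow.requestContent`` (assumed to be a str holding the raw
            request body) and sets ``flow.source`` to the matched feature.
        results: list that receives one ``Result.Result(flow, type, info)``
            per extracted item.

    Returns:
        None.  Flows whose URL is not on www.linkedin.com are left untouched.
    """
    url = flow.url
    content = flow.requestContent

    def record(kind, info):
        results.append(Result.Result(flow, kind, info))

    if url.startswith('https://www.linkedin.com'):
        flow.source = 'LinkedIn'
        if '"trackingToken":' in content:
            record('LinkedIn Tracking Token',
                   _json_string_value(content, 'trackingToken'))

    if url.startswith('https://www.linkedin.com/li/track'):
        flow.source = 'LinkedIn Tracker'

        # Device/session fields the tracker sends alongside its event batch.
        for key, kind in (
            ('advertiserId', 'Ad ID'),
            ('appState', 'System Info: LinkedIn App State'),
            ('connectionType', 'System Info: Connection Type'),
            ('deviceModel', 'System Info: Model'),
            ('osVersion', 'System Info: OS Version'),
        ):
            if '"' + key + '":' in content:
                record(kind, _json_string_value(content, key))

        if 'clientEventStats' in content:
            stats = AppDefault.findJSONListNonSpaced(content,
                                                    'clientEventStats')
            for info in stats.split(_LINKEDIN_STATS_SEP):
                record('LinkedIn Client Event Stats', info)

        for info in _linkedin_client_events(content):
            record('LinkedIn Client Event', info)

    elif url.startswith('https://www.linkedin.com/uas/authenticate'):
        flow.source = 'LinkedIn Login'
        # The login form carries the credentials in clear and they are
        # recorded verbatim, so `results` holds the plaintext password.
        record('User Info: Username',
               AppDefault.findFormEntry(content, 'session_key'))
        record('User Info: Password',
               AppDefault.findFormEntry(content, 'session_password'))
        record('LinkedIn Session ID',
               AppDefault.findFormEntry(content, 'JSESSIONID'))

    elif url.startswith(
            'https://www.linkedin.com/voyager/api/pushRegistration'):
        if '"pushNotificationTokens":' in content:
            tokens = AppDefault.findJSONListNonSpaced(
                content, 'pushNotificationTokens')
            # One Result per token.  The previous version appended only after
            # the loop, so a multi-token list lost every token but the last.
            for raw in tokens.split(','):
                record('LinkedIn Push Notification Token', _bare_token(raw))

    elif url.startswith(
            'https://www.linkedin.com/voyager/api/growth/contacts?action=uploadContacts'):
        flow.source = 'LinkedIn Contacts Upload'
        for info in content.split(_LINKEDIN_CONTACT_SEP):
            if '"fullName":' in info:
                record('User Info: Contact', info)

    elif url.startswith('https://www.linkedin.com/voyager/api/mux'):
        start = content.find('"requests":')
        info = content[start:] if start > -1 else content
        record('User Action: Update Profile',
               _up_to(info, '"dependentRequests":'))

    elif url.startswith(
            'https://www.linkedin.com/voyager/api/feed/follows?action=unfollow'):
        record('User Action: LinkedIn Unfollow',
               _json_string_value(content, 'urn'))

    elif (url.startswith(
            'https://www.linkedin.com/voyager/api/identity/profiles')
          and 'normSkills' in url):
        record('User Action: Add Skill',
               AppDefault.findJSONListNonSpaced(content, 'elements'))

    elif url.startswith(
            'https://www.linkedin.com/voyager/api/messaging/conversations'):
        if 'conversations?' in url:
            record('User Action: LinkedIn', 'Viewed Conversations')
        else:
            # The conversation id is the path segment right after
            # 'conversations/'; a further '/' or a query string ends it
            # (previously an id with a sub-path but no '?' was kept whole).
            conv = url[url.find('conversations/') + len('conversations/'):]
            record('User Action: Viewed LinkedIn Conversation',
                   _up_to(_up_to(conv, '/'), '?'))

    elif url.startswith(
            'https://www.linkedin.com/voyager/api/contentcreation'):
        record('User Action: LinkedIn Post',
               _json_string_value(content, 'text'))

    elif url.startswith(
            'https://www.linkedin.com/voyager/api/relationships/invitations'):
        inviterid = url[url.find('invitations/') + len('invitations/'):]
        inviterid = _up_to(inviterid, '?')
        action = url[url.find('?action=') + len('?action='):]
        action = _up_to(action, '&')
        record('User Action: Invitation Response', inviterid + ': ' + action)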
def checkPostURL(flow, results):
    if (flow.url.find('https://youtubei.googleapis.com/youtubei') == 0
            and flow.url.find('key=') > -1):
        type = 'User Info: Google API Key'
        info = flow.url[flow.url.find('key=') + 4:]
        if (info.find('&') > -1):
            info = info[:info.find('&')]
        results.append(Result.Result(flow, type, info))

    if (flow.url.find('https://youtubei.googleapis.com/youtubei/v1/search') ==
            0):
        type = 'User Action: Youtube Search'
        info = AppDefault.findJSONGroup(flow.requestContent, '16')
        info = info[info.find('4: ') + 3:]
        info = info[:info.find('\n')]
        results.append(Result.Result(flow, type, info))

    elif (flow.url.find('https://www.youtube.com/error_204') == 0):
        source = 'Youtube Error'
        type = 'Youtube Error Message'
        info = AppDefault.findFormEntry(requestContent, 'exception.message')
        results.append(Result.Result(flow, type, info))

    elif (flow.url.find(
            'https://youtubei.googleapis.com/youtubei/v1/browse/edit_playlist')
          == 0):
        flow.source = 'Youtube Playlist Edit'
        type = 'Youtube Video ID'
        if (flow.requestContent.find('2 {\n      2: ') > -1):
            info = flow.requestContent[flow.requestContent.
                                       find('2 {\n      2: '):]
            info = info[info.find('2: ') + 3:]
            info = info[:info.find('\n')]
            results.append(Result.Result(flow, type, info))
        elif (flow.requestContent.find('2 {\n      6: ') > -1):
            info = flow.requestContent[flow.requestContent.
                                       find('2 {\n      6: '):]
            info = info[info.find('17: ') + 4:]
            info = info[:info.find('\n')]
            results.append(Result.Result(flow, type, info))

        if (flow.requestContent.find('        }\n      }\n    }\n    2 {') >
                -1):
            type = 'Youtube Playlist'
            info = flow.requestContent[flow.requestContent.find(
                '        }\n      }\n    }\n    2 {') + 40:]
            info = info[info.find('3: ') + 3:]
            info = info[:info.find('\n')]
            results.append(Result.Result(flow, type, info))

    elif (flow.url.find('https://youtubei.googleapis.com/youtubei/v1/browse')
          == 0):
        if (flow.requestContent.find('        }\n      }\n    }\n    2: ') >
                -1):
            type = 'User Action: Youtube Browsing'
            info = flow.requestContent[flow.requestContent.find(
                '        }\n      }\n    }\n    2: ') + 31:]
            info = info[:info.find('\n')]
            results.append(Result.Result(flow, type, info))

    elif (flow.url.find(
            'https://youtubei.googleapis.com/youtubei/v1/share/get_share_panel'
    ) == 0):
        type = 'User Action: Youtube'
        info = 'Opened share panel'
        results.append(Result.Result(flow, type, info))

    elif (flow.url.find(
            'https://youtubei.googleapis.com/youtubei/v1/playlist/get_add_to_playlist'
    ) == 0):
        if (flow.requestContent.find('        }\n      }\n    }\n    2: ') >
                -1):
            type = 'User Action: Add Video to Playlist'
            info = flow.requestContent[flow.requestContent.find(
                '        }\n      }\n    }\n    2: ') + 31:]
            info = info[:info.find('\n')]
            results.append(Result.Result(flow, type, info))

    elif (flow.url.find(
            'https://youtubei.googleapis.com/youtubei/v1/playlist/create') == 0
          ):
        if (flow.requestContent.find('        }\n      }\n    }\n    2: ') >
                -1):
            type = 'User Action: Create Playlist'
            info = flow.requestContent[flow.requestContent.find(
                '        }\n      }\n    }\n    2: ') + 31:]
            info = info[:info.find('\n')]
            results.append(Result.Result(flow, type, info))

    elif (flow.url.find(
            'https://youtubei.googleapis.com/youtubei/v1/playlist/delete') == 0
          ):
        if (flow.requestContent.find('        }\n      }\n    }\n    2: ') >
                -1):
            type = 'User Action: Delete Playlist'
            info = flow.requestContent[flow.requestContent.find(
                '        }\n      }\n    }\n    2: ') + 31:]
            info = info[:info.find('\n')]
            results.append(Result.Result(flow, type, info))