Added various options to the 'Defang URL' operation.

n1474335 2018-11-07 13:23:05 +00:00
parent 253346a201
commit 53c500eb1b
6 changed files with 100 additions and 28 deletions


@ -1,6 +1,9 @@
# Changelog # Changelog
All notable changes to CyberChef will be documented in this file. All notable changes to CyberChef will be documented in this file.
### [8.9.0] - 2018-11-07
- 'Defang URL' operation added [@arnydo] | [#394]
### [8.8.0] - 2018-10-10 ### [8.8.0] - 2018-10-10
- 'Parse TLV' operation added [@GCHQ77703] | [#351] - 'Parse TLV' operation added [@GCHQ77703] | [#351]
@ -76,6 +79,7 @@ All notable changes to CyberChef will be documented in this file.
[@JustAnotherMark]: https://github.com/JustAnotherMark [@JustAnotherMark]: https://github.com/JustAnotherMark
[@sevzero]: https://github.com/sevzero [@sevzero]: https://github.com/sevzero
[@PenguinGeorge]: https://github.com/PenguinGeorge [@PenguinGeorge]: https://github.com/PenguinGeorge
[@arnydo]: https://github.com/arnydo
[#95]: https://github.com/gchq/CyberChef/pull/299 [#95]: https://github.com/gchq/CyberChef/pull/299
[#173]: https://github.com/gchq/CyberChef/pull/173 [#173]: https://github.com/gchq/CyberChef/pull/173
@ -95,3 +99,4 @@ All notable changes to CyberChef will be documented in this file.
[#344]: https://github.com/gchq/CyberChef/pull/344 [#344]: https://github.com/gchq/CyberChef/pull/344
[#348]: https://github.com/gchq/CyberChef/pull/348 [#348]: https://github.com/gchq/CyberChef/pull/348
[#351]: https://github.com/gchq/CyberChef/pull/351 [#351]: https://github.com/gchq/CyberChef/pull/351
[#394]: https://github.com/gchq/CyberChef/pull/394


@ -159,7 +159,8 @@
"Change IP format", "Change IP format",
"Group IP addresses", "Group IP addresses",
"Encode NetBIOS Name", "Encode NetBIOS Name",
"Decode NetBIOS Name" "Decode NetBIOS Name",
"Defang URL"
] ]
}, },
{ {
@ -208,8 +209,7 @@
"Escape string", "Escape string",
"Unescape string", "Unescape string",
"Pseudo-Random Number Generator", "Pseudo-Random Number Generator",
"Sleep", "Sleep"
"Defang URL"
] ]
}, },
{ {


@ -39,3 +39,21 @@ export function search (input, searchRegex, removeRegex, includeTotal) {
return output; return output;
} }
/**
* URL regular expression
*/
const protocol = "[A-Z]+://",
hostname = "[-\\w]+(?:\\.\\w[-\\w]*)+",
port = ":\\d+",
path = "/[^.!,?\"<>\\[\\]{}\\s\\x7F-\\xFF]*" +
"(?:[.!,?]+[^.!,?\"<>\\[\\]{}\\s\\x7F-\\xFF]+)*";
export const URL_REGEX = new RegExp(protocol + hostname + "(?:" + port + ")?(?:" + path + ")?", "ig");
/**
* Domain name regular expression
*/
export const DOMAIN_REGEX = /\b((?=[a-z0-9-]{1,63}\.)(xn--)?[a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,63}\b/ig;
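Review bot: URL_REGEX has no userinfo component, so a link of the form `scheme://user:pass@host/...` does not match at all: `hostname` must be followed directly by a dot-separated label, and the `:` or `@` stops it. Now that the pattern is exported and drives 'Defang URL', the 'Only full URLs' mode would leave such a link untouched, and the combined mode would reach only its domain through DOMAIN_REGEX, leaving the scheme and `://` intact. Single-label hosts and bracketed IPv6 literals are missed for the same reason. Consider an optional userinfo part between `protocol` and `hostname`, e.g. `const userinfo = "(?:[^\\s/@]+@)?"`, and extend the `URL regular expression` doc comment to say which URL forms the pattern deliberately does not match.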


@ -1,10 +1,12 @@
/** /**
* @author arnydo [arnydo@protonmail.com] * @author arnydo [arnydo@protonmail.com]
* @copyright Crown Copyright 2016 * @author n1474335 [n1474335@gmail.com]
* @copyright Crown Copyright 2018
* @license Apache-2.0 * @license Apache-2.0
*/ */
import Operation from "../Operation"; import Operation from "../Operation";
import {URL_REGEX, DOMAIN_REGEX} from "../lib/Extract";
/** /**
* DefangURL operation * DefangURL operation
@ -18,12 +20,33 @@ class DefangURL extends Operation {
super(); super();
this.name = "Defang URL"; this.name = "Defang URL";
this.module = "URL"; this.module = "Default";
this.description = "Takes a Universal Resource Locator (URL) and 'Defangs' it; meaning, the URL becomes invalid and neutralizes the risk of accidentally clicking on a malicious link.<br><br>This is often used when dealing with malicious links or IOCs.<br><br>Works well when combined with the 'Extract URLs' operation."; this.description = "Takes a Universal Resource Locator (URL) and 'Defangs' it; meaning the URL becomes invalid, neutralising the risk of accidentally clicking on a malicious link.<br><br>This is often used when dealing with malicious links or IOCs.<br><br>Works well when combined with the 'Extract URLs' operation.";
this.infoURL = ""; this.infoURL = "https://isc.sans.edu/forums/diary/Defang+all+the+things/22744/";
this.inputType = "string"; this.inputType = "string";
this.outputType = "string"; this.outputType = "string";
this.args = []; this.args = [
{
name: "Escape dots",
type: "boolean",
value: true
},
{
name: "Escape http",
type: "boolean",
value: true
},
{
name: "Escape ://",
type: "boolean",
value: true
},
{
name: "Process",
type: "option",
value: ["Valid domains and full URLs", "Only full URLs", "Everything"]
}
];
} }
/** /**
@ -32,12 +55,48 @@ class DefangURL extends Operation {
* @returns {string} * @returns {string}
*/ */
run(input, args) { run(input, args) {
let defang = input.replace(/http/gi, "hxxp"); const [dots, http, slashes, process] = args;
defang = defang.replace(/\./g, "[.]");
defang = defang.replace(/:\/\//g, "[://]"); switch (process) {
return defang; case "Valid domains and full URLs":
input = input.replace(URL_REGEX, x => {
return defangURL(x, dots, http, slashes);
});
input = input.replace(DOMAIN_REGEX, x => {
return defangURL(x, dots, http, slashes);
});
break;
case "Only full URLs":
input = input.replace(URL_REGEX, x => {
return defangURL(x, dots, http, slashes);
});
break;
case "Everything":
input = defangURL(input, dots, http, slashes);
break;
}
return input;
} }
} }
/**
* Defangs a given URL
*
* @param {string} url
* @param {boolean} dots
* @param {boolean} http
* @param {boolean} slashes
* @returns {string}
*/
function defangURL(url, dots, http, slashes) {
if (dots) url = url.replace(/\./g, "[.]");
if (http) url = url.replace(/http/gi, "hxxp");
if (slashes) url = url.replace(/:\/\//g, "[://]");
return url;
}
export default DefangURL; export default DefangURL;
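Review bot: The `switch` in `run` has no `default`, so any `process` value other than the three listed strings returns the input completely un-defanged and without an error. For an operation whose purpose is to make links safe to handle, that is the wrong direction to fail in. `args` was empty before this commit, so a recipe saved earlier may reach `run` with `process` undefined, depending on how missing arguments are filled in, which is not visible here. Placing a `default:` label next to `case "Everything":` makes the unknown case defang the whole input instead. Separately, `defangURL` applies `/http/gi` to the whole match, so a hostname or path that merely contains "http" is rewritten too; `/\bhttp(?=s?:\/\/)/gi` would limit the change to the scheme.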


@ -5,7 +5,7 @@
*/ */
import Operation from "../Operation"; import Operation from "../Operation";
import { search } from "../lib/Extract"; import { search, DOMAIN_REGEX } from "../lib/Extract";
/** /**
* Extract domains operation * Extract domains operation
@ -38,10 +38,8 @@ class ExtractDomains extends Operation {
* @returns {string} * @returns {string}
*/ */
run(input, args) { run(input, args) {
const displayTotal = args[0], const displayTotal = args[0];
regex = /\b((?=[a-z0-9-]{1,63}\.)(xn--)?[a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,63}\b/ig; return search(input, DOMAIN_REGEX, null, displayTotal);
return search(input, regex, null, displayTotal);
} }
} }
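Review bot: DOMAIN_REGEX is now a single module-level object carrying the `g` flag, so its `lastIndex` is shared by every caller instead of being fresh on each `run` as the removed local literal was. Only the tail of `search` is visible on this page; if it walks matches with `exec()`, a call that exits early (an exception part-way through, for instance) would leave `lastIndex` non-zero, and the next extraction would start mid-input and silently miss indicators. Resetting it before use with `DOMAIN_REGEX.lastIndex = 0;`, or passing a copy with `new RegExp(DOMAIN_REGEX.source, DOMAIN_REGEX.flags)`, removes the dependency on the previous call. The same applies to URL_REGEX in the 'Extract URLs' `run`.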


@ -5,7 +5,7 @@
*/ */
import Operation from "../Operation"; import Operation from "../Operation";
import { search } from "../lib/Extract"; import { search, URL_REGEX } from "../lib/Extract";
/** /**
* Extract URLs operation * Extract URLs operation
@ -38,16 +38,8 @@ class ExtractURLs extends Operation {
* @returns {string} * @returns {string}
*/ */
run(input, args) { run(input, args) {
const displayTotal = args[0], const displayTotal = args[0];
protocol = "[A-Z]+://", return search(input, URL_REGEX, null, displayTotal);
hostname = "[-\\w]+(?:\\.\\w[-\\w]*)+",
port = ":\\d+";
let path = "/[^.!,?\"<>\\[\\]{}\\s\\x7F-\\xFF]*";
path += "(?:[.!,?]+[^.!,?\"<>\\[\\]{}\\s\\x7F-\\xFF]+)*";
const regex = new RegExp(protocol + hostname + "(?:" + port +
")?(?:" + path + ")?", "ig");
return search(input, regex, null, displayTotal);
} }
} }