Open nwhitehorn opened 4 years ago
Here's a JavaScript stub I hacked up this afternoon that successfully de-mangles every ProofPoint URL I could find. Apologies for quality, but I'll see about integrating it and send a pull request if it works.
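// Proofpoint URL Defense rewrites outbound links as
// https://urldefense[.proofpoint].com/<version>/... and the version selects the
// encoding. Regex literals are used because a '\.' inside a string literal
// collapses to a bare '.', which would match any character in the host name.
// The patterns are anchored so that only links that *are* urldefense links are
// rewritten, not links that merely embed one in a query string.
// The u= parameter is matched with [^&]* because a greedy (.*) swallowed every
// later parameter (…&d=…&c=…&r=…) into the decoded URL.
const detect_pattern = /^https:\/\/urldefense(?:\.proofpoint)?\.com\/(v[0-9])\//;
const v1_pattern = /^https:\/\/urldefense(?:\.proofpoint)?\.com\/v1\/url\?u=([^&]*)&k=/;
const v2_pattern = /^https:\/\/urldefense(?:\.proofpoint)?\.com\/v2\/url\?u=([^&]*)&[dc]=/;
const v3_pattern = /^https:\/\/urldefense(?:\.proofpoint)?\.com\/v3\/__(.+)__;([^!]*)/;
// In a v3 link a single '*' stands for one stripped byte and '**X' for a run
// whose length is (index of X in length_codes) + 2.
const v3_token_pattern = /\*(\*.)?/g;
const length_codes = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// Decodes the URL-safe base64 carried in a v3 link to a byte string (one char
// per byte, as atob returns it). The link omits padding; always appending '=='
// only works when the length is 2 mod 4 — atob rejects every other case — so
// the padding is computed instead.
function decodeUrlSafeBase64(s) {
  const std = s.replace(/=+$/, '').replace(/_/g, '/').replace(/-/g, '+');
  return atob(std + '='.repeat((4 - (std.length % 4)) % 4));
}

// v1: u= holds the original URL percent-encoded.
// Returns null when the link does not have the v1 shape.
function decodeV1(a) {
  const m = a.match(v1_pattern);
  return m === null ? null : decodeURIComponent(m[1]);
}

// v2: u= holds the URL with '%' written as '-' and '/' written as '_'
// (so ':' appears as '-3A'); restoring them yields a percent-encoded URL.
// Returns null when the link does not have the v2 shape.
function decodeV2(a) {
  const m = a.match(v2_pattern);
  if (m === null) {
    return null;
  }
  return decodeURIComponent(m[1].replace(/-/g, '%').replace(/_/g, '/'));
}

// v3: the URL is copied almost verbatim; stripped characters are replaced by
// '*' tokens and carried as base64 after "__;". Each token is replaced by the
// next `len` bytes of that buffer, consumed in order.
// NOTE(review): atob yields one char per byte, so a stripped multi-byte UTF-8
// character comes back as separate Latin-1 chars — check the vendor reference
// linked in this thread for how non-ASCII bytes are meant to be handled.
// Returns null when the link does not have the v3 shape.
function decodeV3(a) {
  const m = a.match(v3_pattern);
  if (m === null) {
    return null;
  }
  const stripped = decodeUrlSafeBase64(m[2]);
  let offset = 0;
  const expandToken = (token, run) => {
    // `run` is '*X' for a multi-byte run and undefined for a lone '*'.
    // indexOf (not search) so X is compared literally, not as a regex.
    const len = run === undefined ? 1 : length_codes.indexOf(run[1]) + 2;
    const chunk = stripped.substring(offset, offset + len);
    offset += len;
    return chunk;
  };
  return m[1].replace(v3_token_pattern, expandToken);
}

/**
 * Decode a Proofpoint URL Defense ("urldefense") rewritten link back to the
 * original URL.
 *
 * Links that are not urldefense links, links of a version this code does not
 * know, and links whose payload is malformed are returned unchanged instead of
 * raising or yielding undefined.
 *
 * The result is still untrusted content taken from the message; a caller that
 * turns it into a clickable link should validate the scheme before doing so.
 *
 * @param {string} a - The link as found in the message.
 * @returns {string} The decoded URL, or `a` when it cannot be decoded.
 */
function unmangleProofpointLink (a) {
  const proofpoint = a.match(detect_pattern);
  if (!proofpoint) {
    return a;
  }
  const decoders = { v1: decodeV1, v2: decodeV2, v3: decodeV3 };
  const decode = decoders[proofpoint[1]];
  if (decode === undefined) {
    // Unknown version: leave the link alone rather than return undefined.
    return a;
  }
  try {
    const decoded = decode(a);
    return decoded === null ? a : decoded;
  } catch (err) {
    // Malformed percent-encoding (URIError) or base64 (atob's
    // InvalidCharacterError) means the link is not decodable; anything else
    // is a genuine bug and is rethrown.
    if (err instanceof URIError || err.name === 'InvalidCharacterError') {
      return a;
    }
    throw err;
  }
}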
Thank you for this suggestion. Could you forward me some emails containing these links, so I can test this?
There are a few thousand examples at https://markmail.org/search/?q=urldefense
Any chance you could add unmangling of ProofPoint URLs as well? There's a reference implementation of the demangling (in Python) at https://help.proofpoint.com/Threat_Insight_Dashboard/Concepts/How_do_I_decode_a_rewritten_URL%3F