
@chrisdoman
Created September 2, 2019 16:53
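'''
Finds possible Great Cannon script injections in urlscan.io results.

Searches urlscan.io for scans that touched a few known script hosts and
flags responses whose size falls in a range this script treats as suspicious.
'''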
import json
import os
import sys

import requests
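# urlscan API key. It is read from the URLSCAN_API_KEY environment variable so
# the secret never has to be written into (and accidentally published with)
# this file. An empty value means no key is configured.
api_key = os.environ.get('URLSCAN_API_KEY', '')
# Scan ids already handled by checkTask, so a scan returned for more than one
# hostname is fetched and reported only once.
seen_ids = []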
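def getTaskIds(hostname):
    """Search urlscan.io for scans involving *hostname* and check each hit.

    Every search result is handed to ``checkTask`` by its scan id.

    Args:
        hostname: Domain to search for (sent as the ``domain:`` query term).

    Raises:
        requests.RequestException: The search request failed, timed out, or
            came back with an HTTP error status.
        ValueError: The response body was not valid JSON.
    """
    # Attach the key only when one is configured; with an empty key the
    # request goes out unauthenticated.
    headers = {'API-Key': api_key} if api_key else {}
    response = requests.get(
        'https://urlscan.io/api/v1/search/',
        # Let requests URL-encode the query instead of concatenating the
        # hostname into the URL by hand.
        params={'size': 10000, 'q': 'domain:' + hostname},
        headers=headers,
        # Without a timeout a stalled connection blocks the whole run.
        timeout=30,
    )
    # Surface quota or auth failures as an HTTP error rather than as a
    # confusing missing-key error further down.
    response.raise_for_status()
    result = json.loads(response.content)
    for task in result.get('results', []):
        task_id = task.get('_id')
        if task_id:
            checkTask(task_id)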
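def checkTask(task_id):
    """Fetch one urlscan.io scan result and report suspicious script responses.

    A scan id is processed at most once per run (tracked in ``seen_ids``).
    Each recorded HTTP transaction is compared against three size heuristics;
    every match is printed with a link to the scan's transaction view.

    The checks are substring matches on the request URL combined with a
    response-size range, so a hit is only a lead: unrelated files whose URL
    contains the same text will also match. Confirm each hit by reviewing the
    response body in urlscan before treating it as an injection.

    Args:
        task_id: urlscan scan id (the ``_id`` field of a search result).

    Returns:
        None. Fetch or parse failures are reported on stderr and the scan is
        skipped, so one bad result does not stop the run.
    """
    # seen_ids is only mutated, never rebound, so no ``global`` is needed.
    if task_id in seen_ids:
        return
    seen_ids.append(task_id)

    # Attach the key only when one is configured.
    headers = {'API-Key': api_key} if api_key else {}
    try:
        response = requests.get(
            'https://urlscan.io/api/v1/result/' + task_id + '/',
            headers=headers,
            # Without a timeout a stalled connection blocks the whole run.
            timeout=30,
        )
        response.raise_for_status()
        result = json.loads(response.content)
        transactions = result['data']['requests']
    except (requests.RequestException, ValueError, KeyError, TypeError) as ex:
        # Still best-effort, but say which scan was skipped and why instead
        # of discarding the error silently.
        print('Could not check task ' + str(task_id) + ': ' + repr(ex),
              file=sys.stderr)
        return

    location = ' at https://urlscan.io/result/' + task_id + '/#transactions size: '
    for request in transactions:
        try:
            filename = request['request']['request']['url']
            response_length = request['response']['dataLength']
        except (KeyError, TypeError):
            # Entries without a recorded response are skipped one by one; a
            # single incomplete entry must not hide the rest of the scan.
            continue
        if not isinstance(filename, str) or not isinstance(response_length, (int, float)):
            continue

        # Bad http://push.zhanzhang.baidu.com/push.js
        if 'push.js' in filename and response_length > 1000:
            print('Suspicious push.js' + location + str(response_length))
        # Bad http://js.passport.qihucdn.com/11.0.1.js
        if '11.0.1.js' in filename and response_length > 1000:
            print('Suspicious 11.0.1.js' + location + str(response_length))
        # Bad http://hm.baidu.com/hm.js
        if 'hm.js' in filename and 2000 < response_length < 15000:
            print('Suspicious hm.js' + location + str(response_length))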
# Run the search for every script host this file watches, in order.
for _hostname in (
    'push.zhanzhang.baidu.com',
    'js.passport.qihucdn.com',
    'hm.baidu.com',
):
    getTaskIds(_hostname)
# To re-check a single scan instead, call checkTask with its id, e.g.
# checkTask('3fd5a719-24d9-42cd-ae10-87129ad87fd1')