Skip to content

Instantly share code, notes, and snippets.

@joegasper

joegasper/proofpoint-decoder.html

Last active March 23, 2020 19:37
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save joegasper/f0ba72ef5df5abb42d2b6729038dfe3d to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save joegasper/f0ba72ef5df5abb42d2b6729038dfe3d to your computer and use it in GitHub Desktop.
Download ZIP
ProofPoint URL Defense (TAP) Decoder
Raw
proofpoint-decoder.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>ProofPoint URLdefense Decoder</title>
<style type="text/css">
#decoded
{
width:515px;
height:400px;
border:1px solid red;
padding: 10px;
awhite-space: pre-wrap; /* css-3 */
white-space: -moz-pre-wrap; /* Mozilla, since 1999 */
white-space: -pre-wrap; /* Opera 4-6 */
white-space: -o-pre-wrap; /* Opera 7 */
word-wrap: break-word; /* Internet Explorer 5.5+ */
}
</style>
<script>
function getQueryVar(varName,URL){
// Grab and unescape the query string - appending an '&' keeps the RegExp simple
// for the sake of this example.
var URLqueryStr = unescape(URL.value) + '&';
// Dynamic replacement RegExp
var regex = new RegExp('.*?[&\\?]' + varName + '=(.*?)&.*');
// Apply RegExp to the query string
val = URLqueryStr.replace(regex, "$1");
// If the string is the same, we didn't find a match - return false
return val == URLqueryStr ? false : val;
}
function decodePP(URL){
var lt = /</g,
gt = />/g,
ap = /'/g,
ic = /"/g,
jv = /javascript:/g;
var destURL_param = getQueryVar('u',URL).toString()
var destURL0 = destURL_param.replace(lt, "&lt;").replace(gt, "&gt;").replace(ap, "&#39;").replace(ic, "&#34;").replace(jv, "javascriptcolon"); //XSS protections
var destURL1 = destURL0.replace(/-3A/g, ":").replace(/_/g, "/").replace(/-7E/g, "~").replace(/-2560/g, "`").replace(/-21/g, "!").replace(/-40/g, "@").replace(/-23/g, "#")
var destURL2 = destURL1.replace(/-24/g, "$").replace(/-25/g, "%").replace(/-255E/g, "^").replace(/-26/g, "&").replace(/-2A/g, "*").replace(/-28/g, "(").replace(/-29/g, ")")
var destURL3 = destURL2.replace(/-5F/g, "_").replace(/-2B/g, "+").replace(/-2D/g, "-").replace(/-3D/g, "=").replace(/-257B/g, "{").replace(/-257D/g, "}").replace(/-257C/g, "|")
var destURL4 = destURL3.replace(/-5B/g, "[").replace(/-5D/g, "]").replace(/-255C/g, "\\").replace(/-26quot-3B/g, "\"").replace(/-3B/g, ";").replace(/-26-2339-3B/g, "'").replace(/-26lt-3B/g, "<")
var destURL5 = destURL4.replace(/-26gt-3B/g, ">").replace(/-3F/g, "?").replace(/-2C/g, ",")
document.getElementById("answer").setAttribute('href',destURL5);
document.getElementById("answer").innerHTML = destURL5;
}
</script>
</head>
<body>
<h1>ProofPoint URL Defense (TAP) Decoder</h1>
<p>Decode a ProofPoint URL Defense link:</p>
<form>
<input type="URL" name="URL" placeholder="ProofPoint Link">
<input type="submit" value="Decode" onclick="decodePP(URL); return false;">
</br> </br>
<p>Decoded URL:</br></p>
<div id='decoded'>
<a id="answer" href='#'> </a>
</div>
</form>
</body>
</html>
@prubin73
Copy link
Copy Markdown

prubin73 commented Nov 14, 2018

Thanks for this!

@citron
Copy link
Copy Markdown

citron commented Jul 26, 2019

Proofpoint URL Defense is some kind of Ransomware. Pay to be able to read your own emails...

@daniel-yj-yang
Copy link
Copy Markdown

daniel-yj-yang commented Jan 7, 2020

replace(/257D/g, "}").
should be
replace(/-257D/g, "}").
?

@joegasper
Copy link
Copy Markdown
Author

joegasper commented Feb 3, 2020

Thanks @yj-danielyang - updated.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment