Skip to content

Instantly share code, notes, and snippets.

@simoniz0r
Last active September 24, 2024 02:25
Show Gist options
  • Save simoniz0r/2189e5b8284a33796778fdf8bbef48f4 to your computer and use it in GitHub Desktop.
Save simoniz0r/2189e5b8284a33796778fdf8bbef48f4 to your computer and use it in GitHub Desktop.
Documentation for Google Safe Browsing undocumented API

https://transparencyreport.google.com/transparencyreport/api/v3/safebrowsing/status?site=domainhere:

When we get the results from the endpoint above, the actual results we want will be on the 3rd line. The first line will contain )]}', and the second line will be blank. Ignore both of those lines and get the results from the 3rd line.

Ex:

$ curl -sL 'https://transparencyreport.google.com/transparencyreport/api/v3/safebrowsing/status?site=testsafebrowsing.appspot.com' | tail -n -1
[["sb.ssr",3,1,0,1,1,0,1628410274243,"https://testsafebrowsing.appspot.com"]]

The 3rd line contains a nested array that tells us about the domain. The 2nd entry in the array gives a general status of the results, and the rest of the entries give more details.

What the results mean:

[[0]]: unimportant

[[1]]: Shows general status of the results. AFAIK, will either be 6, 5, 3, 2, or 1

  • 6: No available data
  • 5: This site hosts files that are not commonly downloaded
  • 3: Some pages on this site are unsafe
  • 2: This site is unsafe
  • 1: No unsafe content found

[[2]]: Will either be 0 for false or 1 for true.

  • 1: Sends visitors to harmful websites

[[3]]: Will either be 0 for false or 1 for true.

  • 1: Installs unwanted or malicious software on visitors’ computers

[[4]]: Will either be 0 for false or 1 for true.

  • 1: Tries to trick visitors into sharing personal info or downloading software (this result is for phishing domains)

[[5]]: Will either be 0 for false or 1 for true.

  • 1: Contains unwanted or malicious software

[[6]]: Will either be 0 for false or 1 for true.

  • 1: Distributes uncommon downloads

[[7]]: modified time

[[8]]: domain that was scanned

@JPBM135
Copy link

JPBM135 commented Jan 30, 2023

I believe 4 is for safe sites, take a look at the response for google:

)]}'

[["sb.ssr",4,0,0,0,0,0,1628205010479,"https://google.com/"]]

And facebook:

)]}'

[["sb.ssr",4,0,0,0,0,0,1670542087942,"https://facebook.com/"]]

So 4 might be an whitelist?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment