Does fullHashes.find Safe Browsing API work?

348 views
Skip to first unread message

Nikolay Garbuzov

unread,
Jun 16, 2016, 11:54:22 AM6/16/16
to Google Safe Browsing API
Hi,

I'm trying to integrate with Safe Browsing v4 and can successfully call threatListUpdates.fetch and get raw hashes prefixes.
After decoding them from Base64 and splitting by parts, I get something like (prefix size length is 4, so 8 symbols in string representation) [00004c61, 00008245, 00009177, 00009c76, 0000a7c1
So, my expectation is that if I call fullHashes:find

{
   "client": {
    "clientId":       "clientId",
    "clientVersion":  "1.0.0"
  },
  "clientStates": ["Cg0IARAGGAEiAzAwMTABEK5FGgIYCOSGowU="],
  "threatInfo": {
    "threatTypes":      ["MALWARE"],
    "platformTypes":    ["WINDOWS"],
    "threatEntryTypes": ["URL"],
    "threatEntries": [
      {"hash": "00004c61"}
    ]
  }
}

than SB API should return full hash, but it just returns

{
  "negativeCacheDuration": "300.000s"
}


{
  "negativeCacheDuration": "300.000s"
}

So, does fullHashes:find works at all? Can it be used in production code or it's not stable?

Thanks,
Nikolay
 

Alex Wozniak

unread,
Jun 16, 2016, 12:00:29 PM6/16/16
to Google Safe Browsing API
Hi Nikolay,

Thanks for your message and apologies for the confusion. Our documentation is actually incorrect. For JSON requests, you'll actually want to pass the hash prefix in base64 encoded form. For example:

{ client: {clientId: "myClient", clientVersion: "1.0.0"}, client_states: ["Cg0IARAGGAEiAzAwMTABEK5FGgIYCOSGowU="], threat_info: {threat_types: ["MALWARE"], platform_types: ["WINDOWS"], threat_entry_types: ["URL"], threat_entries: [{ hash: "WwuJdQx48jM=" }]}}

I'll make sure this is clear in our documentation. Let me know if you encounter any other issues!

Thanks,
Alex

Nikolay Garbuzov

unread,
Jun 16, 2016, 12:21:19 PM6/16/16
to Google Safe Browsing API
Thanks Alex,

It works fine if I use  Base64 encoded prefixes, but I observe another weird thing:

If I send

{
   "client": {
    "clientId":       "clientId",
    "clientVersion":  "1.0.0"
  },
  "clientStates": ["Cg0IARAGGAEiAzAwMTABEK5FGgIYCOSGowU="],
  "threatInfo": {
    "threatTypes":      ["MALWARE"],
    "platformTypes":    ["WINDOWS"],
    "threatEntryTypes": ["URL"],
    "threatEntries": [
      {"hash": "AACcdg=="}
    ]
  }
}

than I get

{
  "matches": [
    {
      "threatType": "MALWARE",
      "platformType": "WINDOWS",
      "threat": {
        "hash": "AACcduzOXZ4KxD7p6Q3bGfIpk8XMfD2+jaPZqRHk0hk="
      },
      "threatEntryMetadata": {
        "entries": [
          {
            "key": "bWFsd2FyZV90aHJlYXRfdHlwZQ==",
            "value": "TEFORElORw=="
          }
        ]
      },
      "cacheDuration": "300.000s",
      "threatEntryType": "URL"
    }
  ],
  "negativeCacheDuration": "300.000s"
}

so, it looks wrong that threatEntryMetadata.enties are encoded to base64 and here https://developers.google.com/safe-browsing/v4/update-api#http-post-response_2 it looks ok and not encrypted.

What do you think about it?

Alex Wozniak

unread,
Jun 16, 2016, 12:30:42 PM6/16/16
to Google Safe Browsing API
Thanks Nikolay, another good catch. The metadata is also base64-encoded (decoding it will give you <malware_threat_type, LANDING>). I will be updating our documentation shortly to clarify which fields use base64-encoded form, including hash and metadata.

Nikolay Garbuzov

unread,
Jun 16, 2016, 12:49:00 PM6/16/16
to Google Safe Browsing API
Great, thans Alex. I'm just curios - why enties are encoded? According to https://developers.google.com/safe-browsing/v4/metadata#about-metadata there should be only human readable strings, but may be some other values are possible there also?

Alex Wozniak

unread,
Jun 20, 2016, 11:46:12 AM6/20/16
to Google Safe Browsing API
Hi Nikolay,

FYI our documentation has been updated to reflect the base64 encoding.

We may consider passing human-readable strings in a future version of the API, but this approach optimizes for our protocol buffer API clients (as used in our Go client on github).

Nikolay Garbuzov

unread,
Jun 20, 2016, 11:54:27 AM6/20/16
to google-safe-...@googlegroups.com
Got it, thanks, Alex!

--
You received this message because you are subscribed to a topic in the Google Groups "Google Safe Browsing API" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-safe-browsing-api/UC2nP2tPTVs/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-safe-browsi...@googlegroups.com.
To post to this group, send email to google-safe-...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-safe-browsing-api.
For more options, visit https://groups.google.com/d/optout.

Reply all
Reply to author
Forward
0 new messages