This API allows to get some intel about prone to be compromised websites, already -worth to mention- pwned websites and to get the security awareness score of websites which have been unmasked (desenmascarados in Spanish) among other information.
For a full reference of this service check it out here.
This is the first approach to provide an API for the desenmascara.me service therefore the amount of details returned is limited. If you want to obtain the full details you may go directly either to the desenmascara.me
service or pwnedwebsites.com
Querying if a given website has been pwned
The most common use of the API is to return compromised details for a given URL. The API takes a single parameter which is the URL to
be searched for. It will search for either for http or https version of the website.
will return pwned website details (url; incident; date; sector; reference) separated by ";"
http://www.isc.org ; redirecting visitors to the Angler Exploit Kit ; 29 Dec 2014, midnight ; Internet consortium ; http://www.scmagazine.com/isc-website-compromised-possibly-due-to-vulnerable-wordpress-plugin/article/390192/
In case the queried website has not been pwned but it was in the desenmascara.me database, the following text will appear
Not pwned yet
In case the queried website has not been pwned and it was not in the desenmascara.me database, the following text will appear
Not desenmascarada yet
Getting the security awareness score of a given website
In the same way as getting a pwned website, in order to return the security awareness score of a given website, the API takes a single parameter which is the URL to be searched for.
will return the url, the score value of the website and the last date which was unmasked (desenmascarado in Spanish) separated by ";"
http://www.fbi.gov ; 60 ; 6 Apr 2015, 1:27 p.m.
In case the queried website has not been unmasked yet (desenmascarado in Spanish), the following text will appear
HTTP o HTTPS
Not desenmascarada yet
In contrast to querying a pwned website
where the search is either for http and https, here by default when querying a website as above the query is for http. If you want to query the https version of a website
you should do it as below:
will return the score value of the website along with the last date which was unmasked (desenmascarado in Spanish)
https://www.securizame.com ; 120 ; 1 Apr 2015, 1:13 p.m.
Notice that based on the kind of query (either http or https) the result may be different as the website infrastructure
result different to the https version
http://www.securizame.com ; 35 ; 13 Jan 2013, 8:53 p.m.
Querying the number of URLs related to a given brand
There are either fake or no official pages for several brands. Take a look to some stats collected.
By quering a given brand or word you can get the number of URLs retrieved by the desenmascara.me service.
will return the brand (or word), and the number of URLs available in the desenmascara.me service related to this brand (or word).
ANOTHER POTENTIAL USES
rayban ; 93
One of the core purposes of this search is to search for number of brands but you can use it as you like. The term
used here will look in the metadata
field, therefore you can use as your imagination allows you:
To get some numbers about software used
apache ; 16570
To get some numbers about CMSs used
wordpress ; 3395
Security headers used
httponly ; 3603
and so on... you get the idea right? :)
Getting the URL's MD5 and the current status of 10 random FAKE websites for a given brand
In order to have an idea of the data collected you can get some examples of websites (obfuscated with the MD5 instead of the URL) for any brand, let's say for example for RayBan.
By quering a given brand you can get 10 random of URL's MD5 and it's current status.
will return a list of 10 objects as below:
MD5 FAKE URL;CURRENT STATUS;LAST TIME CHECKED
16f3d05fb5444508348321341a4006a0; Taken down; 19 Oct 2015, 11:30 a.m.
d46c2eb0f15552d58a9a77ff8a9e69a6; Taken down; 19 Oct 2015, 11:30 a.m.
b06b725ce038a84400fa61943c42041a; 200; 19 Oct 2015, 11:30 a.m.
7e8fe862a4e1f81d53a9cfac626b8185; Taken down; 19 Oct 2015, 11:30 a.m.
652bf36df12e52276fd999c1d78af58b; URL error; 19 Oct 2015, 11:32 a.m.
962f77050e510f6245dfb2798b13ccc2; URL error; 19 Oct 2015, 11:32 a.m.
b85feec71ebcfb45453697cdef1e006a; URL error; 19 Oct 2015, 11:33 a.m.
38aba6dd07d04df593ce6c2f8a024d4e; 200; 19 Oct 2015, 11:34 a.m.
1045c21841f73ede0b0acd751430485a; 200; 19 Oct 2015, 9:10 a.m.
14ad4767035825044696c76d1d0c67f9; URL error; 19 Oct 2015, 9:11 a.m.
The CURRENT STATUS values can be:
- Taken down: A FAKE website has been taken down by the brand or cooperators as any of this.
- 200: A FAKE website is still active.
- URL error: A FAKE website does not exists anymore.
- Socket error: A FAKE website either is not existing anymore or raised a timeout while checking the status.
- 403: A FAKE website either is not allowing us to gather information or it has been blocked.
- Parked: A FAKE website domain has been removed and now the domain it is parked.
Querying the number of websites prone to be compromised (scoring less than 20) by Country
By querying a country (always in lowercase) you can get the number of URLs whose websites are hosted there with a score less than 20 (prone to be compromised). Take a look to the stats to get an idea about the top countries.
will return the number of URLs available in the desenmascara.me service for the country queried and with a score less than 20
spain ; 819
Unmasking (desenmascarando in Spanish) a website in real time
Not ready yet. At this time the only way to unmask (desenmascarar in Spanish) a website is directly through the
desenmascara.me service. This API does only provide information from the Database.
Querying 10 URLs potentially prone to be compromised (the lowest score possible) by TLD (gov, es. com...)
It took me some time to publish this feature as I am aware of the potential malicious uses, but the goal of this service is to raise web security awareness to web owners, and honestly I think this way, despite being the hard way, it is a legitimate method to raise security awareness by exposing some numbers and data, and the most important, it is neither illegal nor unethical.
By querying a TLD (just the letters without dot) you will get a list of the 10 websites with the lowest scoring (security awareness value).
In other words, this list is a potential list of websites prone to be compromised.
will return the URLs with the lowest score
Notice that a website under the dol.gov was compromised in the past.
http://www.doe.in.gov : -165
http://www.cbp.gov : -140
http://www.performance.gov : -40
https://studentaid.ed.gov : -40
http://webapps.dol.gov : -10
http://www.dol.gov : -10
http://woodstockct.gov : -10
http://www.fairhousing.arkansas.gov : -10
http://www.washingtoncounty.in.gov : -10
http://arcadia-fl.gov : -10
Bear in mind that the last desenmascara.me date is not showed, it is possible a website listed there has been already updated but it has
not been desenmascarado again. You can use the desenmascara.me service in order to show the full details.
Querying if a given website has been blacklisted in the past by SafeBrowsing
Not ready yet
Querying if a given website has been categorized either as fake, not official or official
Contact with me
Prior to use this API make sure the URL you are going to query is valid. Only letters, numbers and the underscore and dash symbols are allowed.
In case you use this API with a non valid URL such as: b
you will obtain a standard 404 desenmascara.me response with the full HTML code. It is your responsability make sure the URLs you are querying
are valid otherwise you may obtain results unable to be parsed correctly.
Below you can find a list of valid URL formats to use either with http or https:
And some non valid URLs
- GET http://desenmascara.me/api/google.com
- GET http://desenmascara.me/api/51pojieb.com
- GET http://desenmascara.me/api/espace-prelevement.eu
- GET http://desenmascara.me/api/www.google.com
- GET http://desenmascara.me/api/www.dreamhouse1990.com
- GET http://desenmascara.me/api/wt9.97sky.cn
- GET http://desenmascara.me/api/hiroba.dqx.jp.sq.fscjv.com
- GET http://desenmascara.me/api/n
- GET http://desenmascara.me/api/nothing
- GET http://desenmascara.me/api/http://www.securitybydefault.com
I can imagine infinite purposes to use this data (currently I am using it for research purposes).
One of the main purposes of this service is to show the relation between poor maintained websites and malicious websites. It is a call for webmasters in order to keep update their websites.
- For fun
- For research
- For stats
- To discover websites prone to be compromised
- For context in websites related security incidents
- For monitor changes in the website infrastructure
- For evaluate confidence in a given website
- For integration in services which categorize websites based on reputation
- For brand abuse monitoring
- For historic purposes
- Use your imagination and out-of-the-box-thinking
There is also a private API provided to companies under request which gives full access to data like urlfeeds.
i.e: URL feeds with more data under request:
- URLs with either a determined score or score range (i.e: websites with a score < 0)
- URLs with a specific software/CMS/technology
- Websites which had been blacklisted in the past by Safebrowsing
- Websites with a specific domain expiring date (i.e: websites whit the domain expiring in the next 3 days)
Anti-counterfeiting (feed related with this research)
- Fake websites for a given brand
- Full feed of Fake websites with their current status
There isn't any for the public API.
There isn't any of that either.
There's not much point; all the metadata extracted with this service is public. I hope you have best things to do than trying to
abuse a small personal research project.
I am not responsible for the use you might do with the information gathered with this service. My goal is to highlight the danger of
not keeping update the websites. This service is used with public metadata. Use this information under your own responsability.
If you have any issues while using this API, any question or just want to share with me the purposes for what you are using these data just drop me an email: my email address is available out there or through the contact form.