Martin Monperrus

Reputation: 2071

How to test if a URL is a phishing URL on the command line using Google Safe Browsing?

In Google Safe Browsing, there are two ways to test if a URL is a phishing URL:

  1. lookup-based and
  2. hash-based.

In this question, I focus on the hash-based solution, better for privacy, as used by browsers such as Firefox.

For this, the browser downloads a hash database goog-phish-shavar which is saved as ~/.cache/mozilla/firefox/<profile_folder>/safebrowsing/goog-phish-shavar.sbstore.

Now, I want to test a URL on the command line as follows:

test-safebrowsing-url goog-phish-shavar.sbstore http://example-phishing.com 

How to do this?

Upvotes: 0

Views: 1149

Answers (2)

Martin Monperrus

Reputation: 2071

For Google Safe Browsing v3, there is https://github.com/Stefan-Code/gglsbl3.

For Google Safe Browsing v4, there is https://github.com/afilipovich/gglsbl

They both support command line usage of hash-based analysis.

Upvotes: 0

François Marier

Reputation: 660

The files that you are looking at are Firefox-specific and so you'll need something like sbdbdump to extract the hash prefixes from them:

cd ~/.cache/mozilla/firefox/<profile_folder>/safebrowsing/   
~/sbdbdump/dump.py -v --name goog-phish-shavar . > ~/goog-phish-shavar.hashes

and then you'll have to convert a URL to its possible hashes following the hashing rules. regexp-lookup.py can help with that.

Finally, you'll have to check all of the URL hashes against the list of prefixes. If you find any matches, you need to make a request for the full hashes that start with that prefix.

Upvotes: 0
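The local part of the check described in the answer above (URL to expressions, SHA-256, prefix comparison), as an added example that is not part of either answer or of the tools they mention. The function names, the hex-string prefix format and the sample data are assumptions, and canonicalization is simplified as noted in the docstring.

```python
import hashlib
import ipaddress
from urllib.parse import urlsplit

def expressions(url):
    """Host-suffix/path-prefix expressions for a URL.
    Simplified canonicalization (assumption): lowercases the host and drops
    port, userinfo and fragment; no percent-decoding or dot-segment removal."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").strip(".")
    path = parts.path or "/"
    hosts = [host]
    try:
        ipaddress.ip_address(host)  # IP literals get no suffix variants
    except ValueError:
        labels = host.split(".")
        # Start at the last five labels, drop the leading one each time,
        # and stop before the bare top-level domain.
        for i in range(max(1, len(labels) - 5), len(labels) - 1):
            hosts.append(".".join(labels[i:]))
    paths = [path + "?" + parts.query] if parts.query else []
    paths.append(path)
    prefix = "/"
    paths.append(prefix)
    for segment in path.split("/")[1:-1][:3]:  # root plus up to three directories
        prefix += segment + "/"
        paths.append(prefix)
    return list(dict.fromkeys(h + p for h in hosts for p in paths))

def prefix_hits(url, prefixes_hex):
    """Map each expression of `url` to the listed prefix its SHA-256 starts with.
    A hit is only a candidate: it still has to be confirmed by requesting the
    full hashes for that prefix."""
    prefixes = {bytes.fromhex(p.strip()) for p in prefixes_hex if p.strip()}
    lengths = sorted({len(p) for p in prefixes})
    hits = {}
    for expr in expressions(url):
        digest = hashlib.sha256(expr.encode("utf-8")).digest()
        for n in lengths:
            if digest[:n] in prefixes:
                hits[expr] = digest[:n].hex()
    return hits

# Constructed sample data: one 4-byte prefix derived from a made-up listed
# expression, plus a filler prefix. Not taken from any real list.
SAMPLE_PREFIXES = [
    hashlib.sha256(b"example-phishing.com/login/").digest()[:4].hex(),
    "deadbeef",
]
```

Calling `prefix_hits("http://www.example-phishing.com/login/verify.html?id=1", SAMPLE_PREFIXES)` returns the single matching expression with its prefix; an empty result means no local match and no full-hash request is needed.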
