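description = [[
http-unsafe-host checks if hosts are on Google's blacklist of suspected malware and phishing servers. These lists are constantly updated and are part of Google's Safe Browsing service.

To use this script you need to have your own API key to access Google's Safe Browsing Lookup services. Sign up for yours at http://code.google.com/apis/safebrowsing/key_signup.html

* To learn more about Google's Safe Browsing: http://code.google.com/apis/safebrowsing/
* To register and get your personal API key: http://code.google.com/apis/safebrowsing/key_signup.html
]]

---
-- @usage
-- nmap -p80 --script http-unsafe-host <target>
--
-- @output
-- PORT   STATE SERVICE
-- 80/tcp open  http
-- |_http-unsafe-host.nse: Host is known for distributing malware.
--
-- @args http-unsafe-host.url URL to check. Default: http/https://host
--
-- Operational notes:
-- * Every checked URL is sent to a third-party lookup service, so the names
--   of scanned hosts leave the scanning network.
-- * The API key lives in this file in clear text; keep the file out of shared
--   repositories and restrict who can read it.
---

author = "Paulino Calderon"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"malware", "discovery", "safe"}

-- Bind every library to a local instead of relying on globals that other
-- modules happen to create when they are loaded.
local http = require "http"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local url = require "url"

portrule = shortport.http

---#########################
--ENTER YOUR API KEY HERE  #
---#########################
local APIKEY = ""
---#########################

-- The query prefix is assembled once at load time. A second copy with the key
-- masked exists only for debug output, so the secret never reaches logs.
local API_HEAD = "https://sb-ssl.google.com/safebrowsing/api/lookup?client="..SCRIPT_NAME
local API_TAIL = "&appver=1.5.2&pver=3.0&url="
local API_QRY = API_HEAD.."&apikey="..APIKEY..API_TAIL
local API_QRY_REDACTED = API_HEAD.."&apikey=<redacted>"..API_TAIL

--- Looks up the target URL in the Safe Browsing lists and reports any hit.
-- @param host Nmap host table; <code>targetname</code> is used when present,
--             otherwise <code>ip</code>. The table is not modified.
-- @param port Nmap port table; <code>port.service</code> supplies the scheme
--             of the default URL.
-- @return A newline-joined string of findings, an error string when no API
--         key is configured, or nil when there is nothing to report.
action = function(host, port)
  -- Refuse to query at all without a plausible key.
  if string.len(APIKEY) < 25 then
    return string.format("[ERROR] No API key found. \nUpdate the variable APIKEY in %s.", SCRIPT_NAME)
  end

  -- Use a local fallback rather than writing host.ip back into the host
  -- table, which is shared with every other script run against this host.
  local hostname = host.targetname or host.ip

  -- NOTE(review): port.service is used verbatim as the URL scheme, so a
  -- service name such as "http-alt" produces a URL that is not a valid
  -- http/https URL. Pass http-unsafe-host.url explicitly in that case.
  local target = nmap.registry.args["http-unsafe-host.url"]
    or string.format("%s://%s", port.service, hostname)

  stdnse.print_debug(1, "%s: Checking url %s", SCRIPT_NAME, target)

  -- The target may come from a script argument. Percent-encode it so that
  -- characters such as '&', '?' or '#' cannot alter the lookup query.
  local encoded_target = url.escape(target)
  stdnse.print_debug(2, "%s", API_QRY_REDACTED..encoded_target)

  local req = http.get_url(API_QRY..encoded_target)
  local status = req and req.status
  local body = req and req.body

  -- Only a 2xx answer counts as a completed lookup. A rejected key, a bad
  -- request or an unreachable service must never be read as a clean verdict.
  local lookup_ok = type(status) == "number" and status >= 200 and status < 300

  local output_lns = {}
  local flagged = false

  --The Safe Lookup API responds with a type when site is on the lists
  if lookup_ok and body then
    -- Plain-text search of the body only, so header content or the text of
    -- an error page cannot trigger a finding.
    if string.find(body, "malware", 1, true) then
      output_lns[#output_lns+1] = "Host is known for distributing malware."
      flagged = true
    end
    if string.find(body, "phishing", 1, true) then
      output_lns[#output_lns+1] = "Host is known for being used in phishing attacks."
      flagged = true
    end
  end

  if not lookup_ok then
    stdnse.print_debug(1, "%s: Lookup failed (HTTP status %s); no verdict for %s",
      SCRIPT_NAME, tostring(status), target)
  end

  --For the verbose lovers
  if nmap.verbosity() >= 2 and not flagged then
    if lookup_ok then
      output_lns[#output_lns+1] = "Host is safe to browse."
    else
      output_lns[#output_lns+1] = string.format(
        "Lookup failed (HTTP status %s); no verdict.", tostring(status))
    end
  end

  if #output_lns > 0 then
    return stdnse.strjoin("\n", output_lns)
  end
end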