LOGIN REGISTER
API Docs User Guide
Overview
Introduction
Dashboard
Core Search
Starting a Search
Reputation
Understanding the different tabs
Using the tables
Additional Functionality
Miscellaneous
Frequently Asked Questions
Support and Contact

Advanced Search

Validin supports advanced searching for host responses using a SQL-like search syntax.

Using this syntax, you can find responses with much more precision than the single-feature search interface.

The search syntax is deliberately designed to be relatively flat and to reflect the pivots that currently exist in the simplified search interface.

All simple searches for host responses can be translated into an advanced search by specifying the appropriate search key.

Quick-Start: Examples

Find .top domains with the banner hash 84720d986378f5cec174dee13e4e13ad that include post or dlh or correo.

banner_0_hash="84720d986378f5cec174dee13e4e13ad" AND host="*.top"

Primary Search Criteria

These are the main search keys and their data types. You must provide at least one of these in every search query.

Endpoint

  • host - domain name
  • ip - IP address

HTML Response Features

  • body_hash - hash (MD5)
  • class_0_hash - hash
  • class_1_hash - hash
  • ext_links.meta - domain name
  • ext_links.links - domain name
  • ext_links.js - domain name
  • ext_links.anchor - domain name
  • ext_links.iframe - domain name
  • favicon_hash - hash (MD5)
  • gtag - string
  • meta - string (e.g., "<meta name=\"twitter:title\" content=\"Validin\">" or search key ":::\"twitter:title\":\"Validin\"")
  • title - string

HTTP Response Features

  • banner_start_line - string (e.g., "HTTP/1.1 200 OK")
  • banner_0_hash - hash
  • http_date - string (when significantly in the past or future)
  • etag - string
  • header_hash - hash
  • jarm - hash
  • last_modified - string
  • location - string (the complete Location: header value)
  • location_domain - domain name (the domain in the Location: header value, if present)
  • location_ip - IP address (the IP in the Location: header value, if present)
  • path - string (the path that was actually requested)
  • server - string (the Server: header value)

Certificate Features

  • cert.not_before - string
  • cert.not_after - string
  • cert.issuer - string (e.g.: "/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL TLS RSA CA G1")
  • cert.DC - string
  • cert.EMAILADDRESS - string
  • cert.ISSUER - string
  • cert.L - string
  • cert.O - string
  • cert.OU - string
  • cert.CN - domain
  • cert.ST - string
  • cert.SUBJECTALTNAME - string
  • cert.fingerprint - hash (MD5)
  • cert.fingerprint_sha256 - hash (SHA256)
  • cert.domain - domain

Secondary Search Criteria

These search criteria may be added as long as there is at least one primary search criteria in your search query.

Endpoint

  • port - integer

HTML Response Features

  • length - integer

Example HTTP Response

This is an example HTTP response that highlights the searchable fields:

{
  "host": "www.validin.com",
  "ip": "137.184.54.107",
  "scheme": "https",
  "port": 443,
  "banner": "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0 (Ubuntu)\r\nDate: Thu, 06 Feb 2025 01:20:23 GMT\r\nContent-Type: text/html\r\nLast-Modified: Fri, 31 Jan 2025 20:39:35 GMT\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\nVary: Accept-Encoding\r\nETag: W/\"679d3507-345d\"\r\nExpires: Thu, 01 Jan 1970 00:00:01 GMT\r\nCache-Control: no-cache\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\nX-Content-Type-Options: nosniff\r\nContent-Security-Policy: script-src 'self' unpkg.com validin.com www.validin.com;font-src 'self' validin.com www.validin.com data:;img-src 'self' validin.com www.validin.com miro.medium.com data:;\r\nContent-Encoding: gzip\r\n\r\n",
  "title": "Threat Hunting and DNS Enrichment | Validin",
  "meta": [
    {
      "content": "\"Validin | Validin\"",
      "name": "\"title\""
    }
  ],
  "length": 13405,
  "ext_links": {
    "meta": [
      "www.validin.com",
      "twitter.com"
    ],
    "links": [
      "www.validin.com"
    ],
    "js": [
      "www.validin.com"
    ],
    "anchors": [
      "app.validin.com",
      "twitter.com",
      "www.linkedin.com"
    ]
  },
  "cert_fingerprint_sha256": "c44f6738c8ee74b7058e9a97fe6bb3f8921bb04adcb098e51ff3c44aaf4568d3",
  "cert_chain_serials": [
    "09162170B9947805FCA7C560BB84972C",
    "0B259422CED9812A15A04E99528A0EFA"
  ],
  "body_hash": "b33d4ced80dae7e5e57b894a291440c0d509dd4b",
  "favicon_hash": "52ec0f426864bc98b38b85effb309a16",
  "class_0_hash": "a66438c6f99fcb420676889ab7488906",
  "class_1_hash": "0747e6c0d3242123025bb06c288d54dd",
  "banner_0_hash": "12ab132141b147c4750b6775b8fe9e1c",
  "date_info": {
    "date_format": "rfc-1123"
  },
  "header_hash": "e5e1f4adf1852ff99579",
  "start_line": "HTTP/1.1 200 OK",
  "cert": {
    "cert_issuer": {
      "C": "US",
      "O": "DigiCert Inc",
      "OU": "www.digicert.com",
      "CN": "RapidSSL TLS RSA CA G1"
    },
    "chain_fingerprints": [
      "cbfe9eb43b3b37fe0dfbc4c2eb2d4e07d08bd8e8"
    ],
    "not_before": "2024-09-05T00:00:00Z",
    "not_after": "2025-09-16T23:59:59Z",
    "verification_status": 0,
    "issuer": "/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL TLS RSA CA G1"
  },
  "cert_details": {
    "jarm": "2ad2ad0002ad2ad00042d42d0000005d86ccb1a0567e012264097a0315d7a7",
    "fingerprint": "44c465cfc920f026bf4e51f0811079df95a70965",
    "domains": [
      "*.validin.com",
      "validin.com"
    ]
  }
}
Using the tables  |  Lookalikes