From 62cb76d6de70401bceea3a58b70437f7d727ce6e Mon Sep 17 00:00:00 2001
From: Manuel Schneider <schneider@cert.uni-stuttgart.de>
Date: Sat, 19 May 2018 12:52:14 +0200
Subject: [PATCH 1/2] unofficial HIBP endpoint: domainsearch

---
 apidocs/haveIBeenPwned.md | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 apidocs/haveIBeenPwned.md

diff --git a/apidocs/haveIBeenPwned.md b/apidocs/haveIBeenPwned.md
new file mode 100644
index 0000000..47beda9
--- /dev/null
+++ b/apidocs/haveIBeenPwned.md
@@ -0,0 +1,20 @@
+Unofficial API-Endpoints for HIBP
+=================================
+
+## DomainSearch
+
+When using the [domain search feature](https://haveibeenpwned.com/DomainSearch) from HIBP you receive email
+notifications with a token to get all breaches for all accounts within the domain.
+
+Currently (April 2018), to get the search results for this token, the workflow and endpoints are:
+
+* The token can be extracted from a link of the form `https://haveibeenpwned.com/DomainSearch/${token}`, which is contained in the mail from HIBP
+* Trigger a mail with links to the search-result: `GET https://haveibeenpwned.com/api/multidomainsearch/${token}`
+  Response should be `"ReadyForVerificationToken"`
+* In the new mail, look for a link of the form `https://haveibeenpwned.com/DomainSearch/${token}/json` and `GET` it. It contains the full result of your search in json format:
+```
+{
+    "BreachSearchResults": [ { DomainName: "...", Alias: "...", Breaches: [ <See breach model from https://haveibeenpwned.com/API/v2#BreachModel> ] }]
+    "PasteSearchResults": [ { DomainName: "...", Alias: "...", Pastes: [ <See paste model from https://haveibeenpwned.com/API/v2#PasteModel> ] }]
+}
+```

From 19447d1a96c2372ab99dc2544f5a17061140b480 Mon Sep 17 00:00:00 2001
From: Manuel Schneider <schneider@cert.uni-stuttgart.de>
Date: Sat, 19 May 2018 12:56:00 +0200
Subject: [PATCH 2/2] add link to new md to overview table

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index a1d98ed..c47854d 100644
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ API | Description | Auth | HTTPS | Link | Free / Commercial|
 | Flashpoint Intel | Threat Intel | `apiKey` | Yes | [Link!](https://www.flashpoint-intel.com/api/) |?|
 | Flexera | Vuln Management | `apiKey` | Yes | [Link!](http://helpnet.flexerasoftware.com/svm/api/Default.htm) |?|
 | HackerOne | Query HackerOne reports | `apiKey` | Yes | [Link!](https://api.hackerone.com/docs/v1) |?|
-| have i been pwned | - | `apiKey` | Yes | [Link!](https://haveibeenpwned.com/API/v2) |?|
+| have i been pwned | [unofficial endpoints](apidocs/haveIBeenPwned.md) | `apiKey` | Yes | [Link!](https://haveibeenpwned.com/API/v2) |?|
 | Hybrid Analysis | Online Sandbox | `none` | Yes | [Link!](https://www.hybrid-analysis.com/apikeys/info) |Free|
 | Malwr.com | Malware analysis | `apiKey` | Yes | [Link!](https://malwr.com/) |?|
 | MAlshare | Malware Sharing  | `apiKey` | Yes | [Link!](https://malshare.com/doc.php) |?|