Thread: RSPS Database Breach Checker (API)

    #1 jet kai (SpawnScape Owner)

    Please do not abuse or misuse this tool as this is a free tool intended for the large amount of RSPS players who have compromised passwords (~60%).

    This tool will allow you to check if a user's password/hash is compromised from a known list of leaked RSPS databases.
    The password will be hashed using SHA-1 by default and sent to an API that will compare the hash. JSON data will be returned, mentioning if the password is in a breach.

    All passwords are hashed on the back-end and include around ~800K unique passwords from various RSPS database leaks (from 2009 - present) — Thank you @Co Pure Gs for sharing & compiling these breaches.

    You can implement this to your LoginDecoder (on account creation) or a ChangePassword command for example. [THROTTLE THESE REQUESTS]

    Calls to the API are not logged and I would HIGHLY recommend sending hashed passwords and NOT plain-text.
    API is Cloudflare Rate Limited and is set to 1000 requests a minute (PER IP). If you require more requests per minute, message me. If you are receiving error "429", please adjust your usage.

    — Can use HTTP or HTTPS protocol

    Supported algorithms:
    • MD5
    • SHA-1
    • SHA-256
    • SHA-512
    • PLAIN-TEXT

    BCrypt is not available. Further hashing algorithms added upon request.

    — Data is sorted by most commonly used passwords, then hashed
    — Returns hashPos (the line number of the password/hash)
    — Returns severity (top X most common passwords)

    Java:
    Python:
    PowerShell Module:

    Request Example 1. Query if Hash/Password is on Breach List:

    Request Data Example:
    Code:
    (required) token : <String>
    (optional-default="") hash : <String> [HASHES ONLY]
    (optional-default="") password : <String> [PLAIN TEXT PASSWORDS ONLY]
    
    //MD5
    https://api.rsps.tools/jetkai/breachcheck?token=39439e74fa27c09a4&hash=25ab1f0f2d6386a2702867cd82573ada
    
    //SHA-1
    https://api.rsps.tools/jetkai/breachcheck?token=39439e74fa27c09a4&hash=403926033d001b5279df37cbbe5287b7c7c267fa
    
    //SHA-256
    https://api.rsps.tools/jetkai/breachcheck?token=39439e74fa27c09a4&hash=ed8779a2222dc578f2cffbf308411b41381a94ef25801f9dfbe04746ea0944cd
    
    //SHA-512
    https://api.rsps.tools/jetkai/breachcheck?token=39439e74fa27c09a4&hash=0e2d148eff53f3b82ee3aa6f62c9ef8e3ceeddff865a733c294db55023b121e81f5ffdde83dc07e274c7389d1e1e430c20d582889a6399c32811fff47f260be6
    
    //PLAIN-TEXT
    https://api.rsps.tools/jetkai/breachcheck?token=39439e74fa27c09a4&password=123123
    Return Data Example:
    Code:
    {
    	"token": "39439e74fa27c09a4",
    	"hash": "ed8779a2222dc578f2cffbf308411b41381a94ef25801f9dfbe04746ea0944cd",
    	"hashPos": 2,
    	"severity": "Top 100 Common Passwords",
    	"databaseBreach": "Stoned 2021 ~800K Unique Passwords (15+ RSPS Databases)",
    	"hashType": "SHA-256",
    	"breached": true
    }

    Request Example 2. View/Download X amount of hashes as a JSON, sorted by most commonly used: [New Feature]

    Request Data Example:
    Code:
    (required) viewhashes : true, false
    (required) hashtype : md5, sha1, sha256, sha512
    (optional-default=0) amount : 0 -> 100000
    (optional-default=false) download : true, false
    
    //Top 5 most common MD5 Hashes
    https://api.rsps.tools/jetkai/breachcheck?viewhashes=true&hashtype=md5&amount=5
    
    //Top 5 most common SHA-1 Hashes
    https://api.rsps.tools/jetkai/breachcheck?viewhashes=true&hashtype=sha1&amount=5
    
    //Top 5 most common SHA-256 Hashes
    https://api.rsps.tools/jetkai/breachcheck?viewhashes=true&hashtype=sha256&amount=5
    
    //Top 5 most common SHA-512 Hashes
    https://api.rsps.tools/jetkai/breachcheck?viewhashes=true&hashtype=sha512&amount=5
    Return Data Example:
    Code:
    {
         "hashes": [
            "7c4a8d09ca3762af61e59520943dc26494f8941b",
            "40bd001563085fc35165329ea1ff5c5ecbdbbeef",
            "99efc50a9206bde3d7a8e694aad8e138ca7dc3f7",
            "403926033d001b5279df37cbbe5287b7c7c267fa",
            "8cb2237d0679ca88db6464eac60da96345513964"
         ]
    }

    Implement this into a Server Source (Example, Ruse):
    This is an Example implementation... I would recommend still giving an option for players to use these passwords, just use this as a message warning. This example shows how to block newly created accounts from using ANY breached password.
    1. Copy the BreachCheckAPI.java file over to the utils folder
    2. Copy the commons-codec-1.15.jar library file over to your libs folder
    3. Add the commons-codec-1.15.jar library to your compiler / IDE
    4. Open the PlayerLoading.java file
    5. Find:
    Code:
    		if (!file.exists()) {
    			return LoginResponses.NEW_ACCOUNT;
    		}
    6. Replace with
    Code:
    		if (!file.exists()) {
    			BreachCheckAPI bca = new BreachCheckAPI();
    			bca.setPassword(player.getPassword());
    			return bca.isBreached() ? LoginResponses.LOGIN_COULD_NOT_COMPLETE : LoginResponses.NEW_ACCOUNT;
    		}
    7. Edit response 13 within your Client.java file (on your client) and change the message to resemble "Your password is too weak, use another password" or "This is a commonly used password, please use another".
    8. Finished product: [attached image]
    9. You can also add this to the ::changepassword command as well, refusing to allow the password to be changed (or warn)


    TODO:
    • Add more hashes from more databases

    You can also use other services like haveibeenpwned, if you would rather search for usernames/email addresses.... OR...... @Omar, @Jay Gatsby & @Kris may have a more promising tool in the works!


    I have also popped in a good-old .bat in there for anyone who is still not rocking with an IDE. You'll need to edit the .bat file and change "password123" to the password/hash you want to check.

    PS - Made this font extra extra small for you Corey + thanks for mentioning about CF Rate Limiting!
    Last edited by jet kai; 08-01-2021 at 11:44 PM. Reason: new feature - view/download top x amount of hashes as json
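    A Python version of the Example 1 lookup together with the server-side throttling the post asks for ([THROTTLE THESE REQUESTS]), as an added example that is not the thread's BreachCheckAPI.java or any code by jet kai. It assumes the endpoint, query parameters and JSON fields are exactly as documented in this post and reuses the token shown there; the TokenBucket class and its 900/min figure are assumptions chosen to stay under the stated 1000 requests/minute per-IP limit.

```python
import hashlib
import json
import time
import urllib.error
import urllib.parse
import urllib.request

API_URL = "https://api.rsps.tools/jetkai/breachcheck"
TOKEN = "39439e74fa27c09a4"  # token shown in the thread's request examples
ALGOS = {"md5", "sha1", "sha256", "sha512"}  # BCrypt is not offered by the API


def hash_password(password, algo="sha1"):
    """Hash on our side so the plain-text password never leaves the server."""
    if algo not in ALGOS:
        raise ValueError("unsupported algorithm: " + algo)
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()


def build_query_url(hash_hex):
    """Request Example 1 from the thread: look one hash up with the token."""
    return API_URL + "?" + urllib.parse.urlencode({"token": TOKEN, "hash": hash_hex})


def interpret_response(status, body):
    """Map HTTP status + JSON body to a decision. A Cloudflare 429 (or any
    non-200) fails open, as the thread says isBreached() does, but 'checked'
    is False so the caller can log that no lookup actually happened."""
    if status != 200 or not body:
        why = "rate limited (HTTP 429)" if status == 429 else "http %s" % status
        return {"checked": False, "breached": False, "reason": why}
    data = json.loads(body)
    return {"checked": True, "breached": bool(data.get("breached")),
            "hashPos": data.get("hashPos"), "severity": data.get("severity"),
            "reason": "ok"}


class TokenBucket:
    """Assumed server-side throttle (not part of the thread's code): keep
    outgoing lookups under the API's 1000/min per-IP cap so a burst of
    account creations cannot push the server into 429s. Clock is injectable."""

    def __init__(self, per_minute=900, clock=time.monotonic):
        self.rate = per_minute / 60.0           # tokens refilled per second
        self.capacity = float(per_minute)
        self.tokens = self.capacity
        self.clock = clock
        self.last = clock()

    def allow(self):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def fetch(url, timeout=3.0):
    """The only network call, kept separate so the rest is testable offline.
    A short timeout stops a slow API from blocking the login thread for long."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as e:         # 429 and other error statuses
        return e.code, None
    except (urllib.error.URLError, OSError):
        return 0, None


def check_password(password, algo="sha1", bucket=None, fetch_fn=fetch):
    """Full flow: local throttle -> hash -> query -> decision dict."""
    if bucket is not None and not bucket.allow():
        return {"checked": False, "breached": False, "reason": "local throttle"}
    status, body = fetch_fn(build_query_url(hash_password(password, algo)))
    return interpret_response(status, body)
```

    On a 429 the result fails open exactly as the post describes, but checked is False so the event can be logged instead of being silently treated as a clean password.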
    #2 Leon.
    Hopefully nobody uses this maliciously

    #3 Banned
    Quote Originally Posted by jet kai View Post
    Nice one jet
    #4 jet kai (SpawnScape Owner)
    Quote Originally Posted by Leon. View Post
    Hopefully nobody uses this maliciously
    Shouldn't be able to be used maliciously really, the databases are out there - this is just a tool to check if a password/hash has been used & leaked within an RSPS DB.

    Hopefully, CF Rate Limiting would help in some way

    PS - Added an example of how to add this to an existing Server Source.
    #5 Registered Member
    Quote Originally Posted by jet kai View Post
    Thanks, I hope this really helps people understand how vulnerable their playerbase is and increases the overall security of private servers.
    #6 jet kai (SpawnScape Owner)
    Update to API:
    — Added HTTPS support server-side & within GitHub source code (you can pick either HTTP or HTTPS)
    — Added SHA-512 to list of supported hashing algorithms

    -- Edit 6:12AM BST

    — Data is sorted by most commonly used passwords, then hashed
    — Returns hashPos (the line number of the password/hash)
    — Returns severity (top X most common passwords)

    Return Data Updated:
    Code:
    {
    	"token": "39439e74fa27c09a4",
    	"hash": "ed8779a2222dc578f2cffbf308411b41381a94ef25801f9dfbe04746ea0944cd",
    	"hashPos": 2,
    	"severity": "Top 100 Common Passwords",
    	"databaseBreach": "Stoned 2021 ~800K Unique Passwords (15+ RSPS Databases)",
    	"hashType": "SHA-256",
    	"breached": true
    }
    Last edited by jet kai; 04-29-2021 at 07:12 AM.
    #7 hc747
    Quote Originally Posted by jet kai View Post
    Great idea, seems like a really useful tool. With that said, the code snippet provided seems as though it leaves servers susceptible to denial of service attacks by allowing users to trigger thread blocking code arbitrarily... Some form of (server sided) rate-limiting and asynchrony (co-routines or fork-joining) would also be advisable.
    #8 jet kai (SpawnScape Owner)
    Quote Originally Posted by hc747 View Post
    Great idea, seems like a really useful tool. With that said, the code snippet provided seems as though it leaves servers susceptible to denial of service attacks by allowing users to trigger thread blocking code arbitrarily... Some form of (server sided) rate-limiting and asynchrony (co-routines or fork-joining) would also be advisable.
    Yea, it's up to the servers to throttle this from their side - this is just some example code. If they send too many requests, they'll just receive error 429 from Cloudflare and will just return false to "isBreached()".
    The server shouldn't go off with 500+ requests a second unless the networking is extremely bad. Also, this example code only occurs when a new account is created. But you're right about potential attacks on accounts that haven't been created yet, it's down to the server owner to throttle account creations & requests to the API.
    Last edited by jet kai; 04-29-2021 at 08:03 AM. Reason: edit
    #9 Banned
    I thought it was already pretty standard though not to use the same passwords for everything, seems interesting nonetheless - nice contribution
    #10 jet kai (SpawnScape Owner)
    - Added Python & PowerShell (Module) examples, I am still currently updating the comments on them & readme docs
    - Tested response and HTTP is about ~2x faster than HTTPS on initial connection