Thread: RSPS Database Breach Checker (API)

  1. #1 RSPS Database Breach Checker (API) 
    08-13, SpawnScape Owner

    jet kai
    Please do not abuse or misuse this tool as this is a free tool intended for the large amount of RSPS players who have compromised passwords (~60%).

    This tool will allow you to check if a user's password/hash is compromised from a known-list of leaked RSPS databases.
    The password will be hashed using SHA-1 by default and sent to an API that will compare the hash. JSON data will be returned, mentioning if the password is in a breach.

    All passwords are hashed on the back-end and include around ~800K unique passwords from various RSPS database leaks (from 2009 - present). Thank you [Only registered and activated users can see links. ] for sharing & compiling these breaches.

    You can implement this to your LoginDecoder (on account creation) or a ChangePassword command for example. [THROTTLE THESE REQUESTS]

    Calls to the API are not logged and I would HIGHLY recommend sending hashed passwords and NOT plain-text.
    API is Cloudflare Rate Limited and is set to 1000 requests a minute (PER IP). If you require more requests per minute, message me. If you are receiving error "429", please adjust your usage.

    Can use HTTP or HTTPS protocol

    Supported algorithms:
    • MD5
    • SHA-1
    • SHA-256
    • SHA-512
    • PLAIN-TEXT

    BCrypt is not available. Further hashing algorithms added upon request.

    Request Data Example:
    Code:
    //MD5
    https://api.rsps.tools/jetkai/breachcheck?token=39439e74fa27c09a4&hash=25ab1f0f2d6386a2702867cd82573ada
    
    //SHA-1
    https://api.rsps.tools/jetkai/breachcheck?token=39439e74fa27c09a4&hash=403926033d001b5279df37cbbe5287b7c7c267fa
    
    //SHA-256
    https://api.rsps.tools/jetkai/breachcheck?token=39439e74fa27c09a4&hash=ed8779a2222dc578f2cffbf308411b41381a94ef25801f9dfbe04746ea0944cd
    
    //SHA-512
    https://api.rsps.tools/jetkai/breachcheck?token=39439e74fa27c09a4&hash=0e2d148eff53f3b82ee3aa6f62c9ef8e3ceeddff865a733c294db55023b121e81f5ffdde83dc07e274c7389d1e1e430c20d582889a6399c32811fff47f260be6
    
    //PLAIN-TEXT
    https://api.rsps.tools/jetkai/breachcheck?token=39439e74fa27c09a4&password=123123
    Return Data Example:
    Code:
    {
    	"token": "39439e74fa27c09a4",
    	"hash": "ed8779a2222dc578f2cffbf308411b41381a94ef25801f9dfbe04746ea0944cd",
    	"hashPos": 2,
    	"severity": "Top 100 Common Passwords",
    	"databaseBreach": "Stoned 2021 ~800K Unique Passwords (15+ RSPS Databases)",
    	"hashType": "SHA-256",
    	"breached": true
    }
    Data is sorted by most commonly used passwords, then hashed
    Returns hashPos (the line number of the password/hash)
    Returns severity (top X most common passwords)

    Implement this into a Server Source (Example):
    Spoiler for - Ruse -:
    This is an example implementation... I would recommend still giving an option for players to use these passwords, just use this as a message warning. This example shows how to block newly created accounts from using ANY breached password.
    1. Copy the BreachCheckAPI.java file over to the utils folder
    2. Copy the commons-codec-1.15.jar library file over to your libs folder
    3. Add the commons-codec-1.15.jar library to your compiler / IDE
    4. Open the PlayerLoading.java file
    5. Find:
    Code:
    		if (!file.exists()) {
    			return LoginResponses.NEW_ACCOUNT;
    		}
    6. Replace with
    Code:
    		if (!file.exists()) {
    			BreachCheckAPI bca = new BreachCheckAPI();
    			bca.setPassword(player.getPassword());
    			return bca.isBreached() ? LoginResponses.LOGIN_COULD_NOT_COMPLETE : LoginResponses.NEW_ACCOUNT;
    		}
    7. Edit response 13 within your Client.java file (on your client) and change the message to resemble "Your password is too weak, use another password" or "This is a commonly used password, please use another".
    8. Finished product:

    9. You can also add this to the ::changepassword command as well, refusing to allow the password to be changed (or warn)


    Java:
    • Source: [Only registered and activated users can see links. ]
    • Download: [Only registered and activated users can see links. ]

    Python:
    • Source: [Only registered and activated users can see links. ]
    • Download: [Only registered and activated users can see links. ]

    PowerShell Module:
    • Source: [Only registered and activated users can see links. ]
    • Download: [Only registered and activated users can see links. ]



    I have also popped in a good-old .bat in there for anyone who is still not rocking with an IDE. You'll need to edit the .bat file and change "password123" to the password/hash you want to check.

    TODO:
    • Add more hashes from more databases

    You can also use other services like [Only registered and activated users can see links. ], if you would rather search for usernames/email addresses.... OR...... [Only registered and activated users can see links. ], [Only registered and activated users can see links. ] & [Only registered and activated users can see links. ] may have a more promising tool in the works!




    PS - Made this font extra extra small for you Corey + thanks for mentioning about CF Rate Limiting!
    Last edited by jet kai; 05-02-2021 at 09:31 PM. Reason: HTTPS, SHA-512 & Returned JSON Data
     


  2. #2  
    What is a Java?

    Leon.
    Hopefully nobody uses this maliciously
  4. #3  
    Extreme Donator


    Rythe
    Quote Originally Posted by jet kai View Post
    Nice one jet
  6. #4  
    08-13, SpawnScape Owner

    jet kai
    Quote Originally Posted by Leon. View Post
    Hopefully nobody uses this maliciously
    Shouldn't be able to be used maliciously, really; the databases are out there - this is just a tool to check if a password/hash has been used & leaked within an RSPS DB.

    Hopefully, CF Rate Limiting would help in some way

    PS - Added an example of how to add this to an existing Server Source.
  8. #5  
    Registered Member
    Quote Originally Posted by jet kai View Post
    Thanks, I hope this really helps people understand how vulnerable their playerbase is and increases the overall security of private servers.
  10. #6  
    08-13, SpawnScape Owner

    jet kai
    Update to API:
    Added HTTPS support server-side & within GitHub source code (you can pick either HTTP or HTTPS)
    Added SHA-512 to list of supported hashing algorithms

    -- Edit 6:12AM BST

    Data is sorted by most commonly used passwords, then hashed
    Returns hashPos (the line number of the password/hash)
    Returns severity (top X most common passwords)

    Return Data Updated:
    Code:
    {
    	"token": "39439e74fa27c09a4",
    	"hash": "ed8779a2222dc578f2cffbf308411b41381a94ef25801f9dfbe04746ea0944cd",
    	"hashPos": 2,
    	"severity": "Top 100 Common Passwords",
    	"databaseBreach": "Stoned 2021 ~800K Unique Passwords (15+ RSPS Databases)",
    	"hashType": "SHA-256",
    	"breached": true
    }
    Last edited by jet kai; 04-29-2021 at 07:12 AM.
  11. #7  
    Registered Member
    hc747
    Quote Originally Posted by jet kai View Post
    Great idea, seems like a really useful tool. With that said, the code snippet provided seems as though it leaves servers susceptible to denial of service attacks by allowing users to trigger thread blocking code arbitrarily... Some form of (server sided) rate-limiting and asynchrony (co-routines or fork-joining) would also be advisable.
  13. #8  
    08-13, SpawnScape Owner

    jet kai
    Quote Originally Posted by hc747 View Post
    Great idea, seems like a really useful tool. With that said, the code snippet provided seems as though it leaves servers susceptible to denial of service attacks by allowing users to trigger thread blocking code arbitrarily... Some form of (server sided) rate-limiting and asynchrony (co-routines or fork-joining) would also be advisable.
    Yea, it's up to the servers to throttle this from their side - this is just some example code. If they send too many requests, they'll just receive error 429 from Cloudflare and will just return false to "isBreached()".
    The server shouldn't go off with 500+ requests a second unless the networking is extremely bad. Also, this example code only occurs when a new account is created. But you're right about potential attacks on accounts that haven't been created yet; it's down to the server owner to throttle account creations & requests to the API.
    Last edited by jet kai; 04-29-2021 at 08:03 AM. Reason: edit
    Reply With Quote  
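A client-side helper, added here as an example (it is not jet kai's BreachCheckAPI.java or Python source), covering two passages above: the OP's request/response format (hash the password with one of the listed algorithms, send only the digest as `?token=...&hash=...`, read `breached` and `severity` from the JSON) and hc747's throttling point, answered with a server-side sliding-window cap plus a tri-state result so a 429, a timeout or a throttled call is reported as "unknown" rather than quietly treated as not breached. The endpoint, field names and algorithm list come from the thread; `Throttle`, `fetch`, `fake_fetch` and the token `EXAMPLE_TOKEN` are assumptions, and the HTTP call is replaced by a constructed offline stub so the example never contacts the API.

```python
import hashlib
import json
import time
from collections import deque
from urllib.parse import urlencode

# Endpoint and algorithm list as posted in the thread; bcrypt is not offered.
API_BASE = "https://api.rsps.tools/jetkai/breachcheck"
SUPPORTED = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}


def hash_password(password, algorithm="SHA-1"):
    """Hex digest of the password, so only a hash and never plain text is sent."""
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported algorithm: {algorithm!r}")
    return hashlib.new(SUPPORTED[algorithm], password.encode("utf-8")).hexdigest()


def build_request_url(token, password, algorithm="SHA-1"):
    """GET URL in the thread's format: ?token=<token>&hash=<hex digest>."""
    query = urlencode({"token": token, "hash": hash_password(password, algorithm)})
    return f"{API_BASE}?{query}"


class Throttle:
    """Sliding-window cap on outbound checks (the thread's [THROTTLE THESE REQUESTS]):
    stays under the 1000/min/IP Cloudflare limit and keeps a burst of account
    creations from becoming a burst of blocking HTTP calls (hc747's point)."""

    def __init__(self, max_per_minute, clock=time.monotonic):
        self.max_per_minute = max_per_minute
        self.clock = clock  # injectable so the window can be tested deterministically
        self.stamps = deque()

    def allow(self):
        now = self.clock()
        while self.stamps and now - self.stamps[0] >= 60.0:
            self.stamps.popleft()
        if len(self.stamps) >= self.max_per_minute:
            return False
        self.stamps.append(now)
        return True


def check_breached(token, password, fetch, throttle=None, algorithm="SHA-1"):
    """Ask the API whether the password's hash is in the leak set.

    `fetch(url)` returns (http_status, body_text); in production inject a real
    HTTP client with a short timeout, run off the login thread. The result's
    'breached' is True/False, or None when no answer was obtained (throttled,
    HTTP 429, transport error), so callers can warn instead of silently passing."""
    unknown = {"breached": None, "severity": None}
    if throttle is not None and not throttle.allow():
        return {**unknown, "reason": "throttled"}
    try:
        status, body = fetch(build_request_url(token, password, algorithm))
    except Exception as exc:  # timeout, DNS failure, connection reset, ...
        return {**unknown, "reason": f"error: {exc}"}
    if status == 429:
        return {**unknown, "reason": "rate_limited"}
    if status != 200:
        return {**unknown, "reason": f"http {status}"}
    data = json.loads(body)
    return {"breached": bool(data.get("breached")), "severity": data.get("severity"),
            "reason": "ok"}


def fake_fetch(url):
    """Constructed offline stand-in for the GET; mirrors the thread's JSON, sha1("123456") only."""
    sent_hash = url.rsplit("hash=", 1)[1]
    breached = sent_hash == hashlib.sha1(b"123456").hexdigest()
    body = {"token": "EXAMPLE_TOKEN", "hash": sent_hash, "hashType": "SHA-1",
            "breached": breached}
    if breached:
        body.update({"hashPos": 1, "severity": "Top 100 Common Passwords",
                     "databaseBreach": "Stoned 2021 ~800K Unique Passwords (15+ RSPS Databases)"})
    return 200, json.dumps(body)
```

In a LoginDecoder the caller would block or warn only on `breached is True`, and log the `reason` when it is None so throttling and 429s stay visible instead of looking like clean passwords.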
     

  14. #9  
    10pages, OS FATALITY Manager
    I thought it was already pretty standard not to use the same passwords for everything, though; seems interesting nonetheless. Nice contribution
  16. #10  
    08-13, SpawnScape Owner

    jet kai
    - Added Python & PowerShell (Module) examples, I am still currently updating the comments on them & readme docs
    - Tested response and HTTP is about ~2x faster than HTTPS on initial connection