HaveIBeenPwned breaches/pastes check #964
Replies: 6 comments
-
Are you able to do this via the API without verifying ownership of the email/domain?
-
I believe so. I used https://github.com/thewhiteh4t/pwnedOrNot in the past and no verification was required, just an email address. Looking through the documentation, I can't see anything about requiring verification: https://haveibeenpwned.com/API/v3#PastesForAccount The only thing could be the API rate limits; I believe the basic tier is allowed to look up 10 accounts every minute.
-
I'm open to it; we could send the pastes to excavate the same way we did with the postman stuff. As far as the rate limits, we can cross that bridge when we come to it.
-
Looking at pwnedOrNot and the API documentation, pastes look like they come in the form of
So I was thinking to regex the specific email from the paste and get the characters after the
Excavate likely won't work, as they will most probably be generic passwords and won't all be from the same domain.
-
In a past life I wrote a pastebin scraper and I can say it's really hard to reliably extract passwords from pastes. The ideal ones are formatted that way, but there are even more that aren't (and there are some that are formatted that way but have something else instead of passwords). Pastes are wildly unpredictable and you really can't count on their format to be consistent (it makes sense, right, they are just arbitrary stuff from random people). You might be able to build a semi-reliable parser with AI, but instead of hard-coding paste-specific parsing logic I think it would be better to centralize the problem and improve bbot's excavate logic (i.e. with a better secrets extraction module). Still though, pastes are a great source of OSINT data; they will have subdomains, URLs, API keys, etc. So I'm all for it.
-
Ah, that might be why pwnedOrNot contains an if statement, perhaps to combat that problem. I will start writing a module, and looking further into it may yield me more insight into the problems. I will update this thread with any useful information.
-
Using the discovered emails, you should be able to retrieve any plaintext 'pastes' from the HaveIBeenPwned API, if any are available. You will also be able to alert if the email is found in any breaches, but I'm not sure if this functionality would align with what bbot aims for.
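For the module sketched in this thread, here is an added example (not bbot's code and not pwnedOrNot's) of the request handling a module would need against the documented PastesForAccount endpoint: it URL-encodes the account, treats 404 as "no pastes for this account", honours Retry-After on a 429 rate-limit response, and normalises each paste record into the fields the module would emit. The HTTP transport and sleep function are injected so it runs offline against a constructed response; the `hibp-api-key` and `user-agent` headers and the 404/429 semantics are the documented ones, while the Pastebin and AdHocUrl URL reconstructions are assumptions (other sources keep only the raw Id).

```python
import json
import time
from typing import Callable, Dict, List, Tuple
from urllib.parse import quote

# Documented endpoint: https://haveibeenpwned.com/API/v3#PastesForAccount
HIBP_PASTES_URL = "https://haveibeenpwned.com/api/v3/pasteaccount/{account}"

# The transport is modelled as url, headers -> (status, response headers, body)
# so the logic can be exercised offline with constructed responses.
HttpGet = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str], str]]


def fetch_pastes(account: str, api_key: str, http_get: HttpGet,
                 sleep: Callable[[float], None] = time.sleep,
                 max_retries: int = 3) -> List[dict]:
    """Return the paste records for one account, or [] when HIBP has none.

    200 -> JSON array of pastes; 404 -> no pastes (not an error);
    429 -> rate limited, wait Retry-After seconds and retry a bounded number of times.
    """
    url = HIBP_PASTES_URL.format(account=quote(account, safe=""))
    headers = {"hibp-api-key": api_key, "user-agent": "bbot-hibp-example"}
    for _ in range(max_retries + 1):
        status, resp_headers, body = http_get(url, headers)
        if status == 200:
            return json.loads(body)
        if status == 404:
            return []
        if status == 429:
            # Retry-After is in seconds; fall back to a small pause if it is missing
            sleep(float(resp_headers.get("Retry-After", 2)))
            continue
        raise RuntimeError(f"unexpected HIBP status {status} for {account}")
    raise RuntimeError(f"still rate limited after {max_retries} retries for {account}")


def paste_to_finding(account: str, paste: dict) -> dict:
    """Normalise one paste record into the fields a module would emit."""
    source, paste_id = paste.get("Source", ""), paste.get("Id", "")
    # Assumed URL mappings; HIBP says Source+Id resolve the paste but gives no template
    if source == "Pastebin":
        url = f"https://pastebin.com/{paste_id}"
    elif source == "AdHocUrl":
        url = paste_id
    else:
        url = None
    return {"account": account, "source": source, "id": paste_id, "url": url,
            "title": paste.get("Title"), "date": paste.get("Date"),
            "email_count": paste.get("EmailCount")}
```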