Have I Been Pwned

This package contains two functions that allow you to search for breaches and pastes, given an email address as input.

History

| Date | Version | Comments |
| --- | --- | --- |
| 10/2022 | 2.0.4 | Fix for proxy support |
| 5/2022 | 2.0.3 | Updated API call |
| 6/2020 | 2.0.2 | Added proxy support |
| 4/2020 | 2.0.1 | Support added for App Host |
| 11/2019 | 2.0.0 | Updated to use HIBP API v3.0. Now requires an API key |

app.config settings:

Set if using a proxy

[fn_hibp]
## Proxy settings if needed
#hibp_proxy_http=
#hibp_proxy_https=
hibp_api_key=< Have I Been Pwned API Key>

In July 2019, HIBP released v3 of the API (deprecating v2), which requires a for-fee API key (see https://haveibeenpwned.com/API/Key). If upgrading from version 1.0.0, manually add the hibp_api_key setting to your app.config file.
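As an added illustration (not the package's own code), the sketch below shows how the [fn_hibp] settings above can be turned into the pieces of a v3 breach lookup and how a missing or template API key can be rejected before any request is sent. The endpoint path, the hibp-api-key header and the truncateResponse parameter are those of the public HIBP v3 API; the function names, the user-agent string and the proxy host are assumptions made for the example.

```python
import configparser
from urllib.parse import quote

# Constructed sample app.config section; the key is a placeholder, not a real key.
SAMPLE_CONFIG = """
[fn_hibp]
hibp_proxy_https=http://proxy.example.internal:3128
hibp_api_key=PLACEHOLDER-KEY
"""

HIBP_BREACH_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/{}"


def load_options(config_text):
    """Return the [fn_hibp] section as a plain dict."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    return dict(parser["fn_hibp"])


def build_breach_request(options, email_address):
    """Build url, headers, params and proxies for a v3 lookup (hypothetical helper)."""
    api_key = options.get("hibp_api_key", "").strip()
    if not api_key or api_key.startswith("<"):
        # Empty value or the "< Have I Been Pwned API Key>" template left in place.
        raise ValueError("hibp_api_key is not set in the [fn_hibp] section")

    # Only pass on proxies that are actually configured (uncommented and non-empty).
    proxies = {}
    for scheme in ("http", "https"):
        value = options.get("hibp_proxy_" + scheme, "").strip()
        if value:
            proxies[scheme] = value

    return {
        # The address is a path segment, so percent-encode it fully ('@', '+', '/').
        "url": HIBP_BREACH_URL.format(quote(email_address.strip(), safe="")),
        # The key travels in the hibp-api-key header, not in the URL.
        "headers": {"hibp-api-key": api_key, "user-agent": "fn_hibp-example"},
        # Ask for full breach records rather than names only.
        "params": {"truncateResponse": "false"},
        "proxies": proxies or None,
    }
```

The returned dictionary maps directly onto the keyword arguments of an HTTP client such as requests.get.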

Version 2.0.0 of Have I Been Pwned modifies the returned payload. The function now uses resilient-lib, and the post-process script must read the results from results.content["Breaches"] instead of results.Breaches.

Function Inputs:

| Input Name | Type | Required | Example |
| --- | --- | --- | --- |
| email_address | String | Yes | "test@resilientsystems.com" |

Function Outputs:

Have I Been Pwned Get Breaches:

{
  "Inputs": {
    "email_address": "test@email.com"
  },
  "Run Time": "2000",
  "Breaches":
    [
       {
          u'PwnCount':14936670,
          u'Domain':u'000webhost.com',
          u'IsSensitive':False,
          u'Name':u'000webhost',
          u'Title':u'000webhost',
          u'DataClasses':[
             u'Email addresses',
             u'IP addresses',
             u'Names',
             u'Passwords'
          ],
          u'LogoType':u'png',
          u'IsSpamList':False,
          u'IsRetired':False,
          u'BreachDate':u'2015-03-01',
          u'IsFabricated':False,
          u'ModifiedDate':u'2017-12-10T21:44:27Z',
          u'AddedDate':u'2015-10-26T23:35:45Z',
          u'IsVerified':True,
          u'Description':u'In approximately March 2015, the free web hosting provider <a href="http://www.troyhunt.com/2015/10/breaches-traders-plain-text-passwords.html" target="_blank" rel="noopener">000webhost suffered a major data breach</a> that exposed almost 15 million customer records. The data was sold and traded before 000webhost was alerted in October. The breach included names, email addresses and plain text passwords.'
       },
       {
          u'PwnCount':7990619,
          u'Domain':u'8tracks.com',
          u'IsSensitive':False,
          u'Name':u'8tracks',
          u'Title':u'8tracks',
          u'DataClasses':[
             u'Email addresses',
             u'Passwords'
          ],
          u'LogoType':u'png',
          u'IsSpamList':False,
          u'IsRetired':False,
          u'BreachDate':u'2017-06-27',
          u'IsFabricated':False,
          u'ModifiedDate':u'2018-02-16T07:09:30Z',
          u'AddedDate':u'2018-02-16T07:09:30Z',
          u'IsVerified':True,
          u'Description':u'In June 2017, the online playlists service known as <a href="https://blog.8tracks.com/2017/06/27/password-security-alert/" target="_blank" rel="noopener">8Tracks suffered a data breach</a> which impacted 18 million accounts. In their disclosure, 8Tracks advised that &quot;the vector for the attack was an employee\u2019s GitHub account, which was not secured using two-factor authentication&quot;. Salted SHA-1 password hashes for users who <em>didn\'t</em> sign up with either Google or Facebook authentication were also included. The data was provided to HIBP by whitehat security researcher and data analyst Adam Davies and contained almost 8 million unique email addresses.'
       }
    ]
}

Have I Been Pwned Get Pastes:

{
  "Inputs": {
    "email_address": "test@email.com"
  },
  "Pastes":
    [
       {
          u'Date':None,
          u'Source':u'AdHocUrl',
          u'EmailCount':9893,
          u'Id':u'http://siph0n.in/exploits.php?id=3670',
          u'Title':u'siph0n.in'
       },
       {
          u'Date':None,
          u'Source':u'AdHocUrl',
          u'EmailCount':12002,
          u'Id':u'http://siph0n.in/exploits.php?id=3892',
          u'Title':u'siph0n.in'
       },
       {
          u'Date':None,
          u'Source':u'AdHocUrl',
          u'EmailCount':99791,
          u'Id':u'http://siph0n.in/exploits.php?id=4680',
          u'Title':u'remotestaff.com.au'
       }
    ]
}

Pre-Process Scripts:

This example sets the email_address value to the value of the Incident’s Artifact.

inputs.email_address = artifact.value

Post-Process Script:

This example appends the number of breaches that include the email address, if any exist, to the artifact’s description.

# As of version 2.0.0 the breaches are returned under results.content["Breaches"]
breaches = results.content["Breaches"]
if breaches:
  try:
    des = artifact.description.content
  except Exception:
    # The artifact has no description yet
    des = None

  if des is None:
    artifact.description = "Breaches: " + str(len(breaches))
  else:
    artifact.description = des + "\nBreaches: " + str(len(breaches))
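A bare count treats a spam list the same as a verified password dump. The following added example (not part of the package) goes beyond the post-process script above and builds a triage line from the fields shown in the Get Breaches output: it sets aside spam lists and fabricated or unverified entries, then reports which remaining breaches exposed passwords, newest first. The function name and the spam-list record are constructed for illustration.

```python
# Constructed sample: the two breaches from the output above, trimmed to the
# fields used here, plus one made-up spam-list entry.
SAMPLE_CONTENT = {"Breaches": [
    {"Name": "000webhost", "BreachDate": "2015-03-01", "IsVerified": True,
     "IsFabricated": False, "IsSpamList": False,
     "DataClasses": ["Email addresses", "IP addresses", "Names", "Passwords"]},
    {"Name": "8tracks", "BreachDate": "2017-06-27", "IsVerified": True,
     "IsFabricated": False, "IsSpamList": False,
     "DataClasses": ["Email addresses", "Passwords"]},
    {"Name": "ExampleSpamList", "BreachDate": "2019-01-01", "IsVerified": True,
     "IsFabricated": False, "IsSpamList": True,
     "DataClasses": ["Email addresses"]},
]}


def summarize_breaches(content):
    """Return (description_line, password_breach_names) for a results.content dict."""
    breaches = content.get("Breaches") or []
    # Spam lists and fabricated or unverified entries are weaker evidence
    # of credential exposure, so they are counted but not prioritised.
    credible = [b for b in breaches
                if b.get("IsVerified")
                and not b.get("IsFabricated")
                and not b.get("IsSpamList")]
    # BreachDate is an ISO date string, so a plain string sort orders it by time.
    with_passwords = sorted(
        (b for b in credible if "Passwords" in b.get("DataClasses", [])),
        key=lambda b: b.get("BreachDate", ""), reverse=True)
    names = [b["Name"] for b in with_passwords]
    line = "Breaches: {} ({} credible, {} exposing passwords)".format(
        len(breaches), len(credible), len(names))
    if names:
        line += "; most recent password breach: {} on {}".format(
            names[0], with_passwords[0]["BreachDate"])
    return line, names
```

In a post-process script the returned line would be appended to artifact.description in place of the plain count.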

Rules

| Rule Name | Object Type | Workflow Triggered | Conditions |
| --- | --- | --- | --- |
| Have I Been Pwned Search | Artifact | Have I Been Pwned Search | Type has one of ["Email Recipient", "Email Sender"] |

To package for distribution:

python ./fn_hibp/setup.py sdist

The resulting .tar.gz file can be installed using:

pip install <filename>.tar.gz

To run the integration:

resilient-circuits run