Last active
May 5, 2023 19:58
ColdFusion function to validate hashed password with HaveIBeenPwned API v2 to return numeric breach count. (cfml)
<!--- 20230505 Inspired by https://github.com/JayIsPainting/CFML_HIBP but returns a numeric value (for use with APIs)
GIST: https://gist.github.com/JamoCA/328157ed2caf3c2887ef5cfc1e9d46e3
--->
<cffunction name="getPasswordBreachCount" returntype="numeric" output="no" access="public" hint="Checks the supplied password against the HaveIBeenPwned Pwned Passwords API v2 (k-anonymity range search) and returns the number of breaches it appears in.">
	<cfargument name="pwd" type="string" required="true">
	<!--- SHA-1 hex digest (upper-case, as the API expects). Only the first 5 characters are ever sent to the API. --->
	<cfset local.passwordHash = hash(arguments.pwd, "SHA")>
	<cfset local.prefix = left(local.passwordHash, 5)>
	<cfset local.passMatch = right(local.passwordHash, len(local.passwordHash)-5)>
	<cfhttp url="https://api.pwnedpasswords.com/range/#local.prefix#" method="get" useragent="CFML_PwnChk" result="local.cfhttp" getasbinary="never"></cfhttp>
	<!--- A failed request must not be reported as "0 breaches": the API answers 200 for every valid 5-character prefix --->
	<cfif NOT find("200", local.cfhttp.statuscode)>
		<cfthrow type="HIBPLookupFailed" message="Pwned Passwords range request failed: #local.cfhttp.statuscode#">
	</cfif>
	<!--- Each response line is SUFFIX:COUNT. Capture the count on the line whose suffix equals the remaining 35 characters of our hash. --->
	<cfset local.searchResult = refind("(^|\s)#local.passMatch#\:(\d+)($|\s)", local.cfhttp.filecontent, 1, true)>
	<!--- On a hit, match[] holds the whole match plus the 3 groups; match[3] is the (\d+) breach count. Anything else means no match. --->
	<cfset local.breachCount = (arraylen(local.searchResult.match) eq 4) ? local.searchResult.match[3] : 0>
	<cfreturn javacast("int", local.breachCount)>
</cffunction>

<cfset passwordToTest = "password">
<cfset numberofBreaches = getPasswordBreachCount(passwordToTest)>
<cfif numberofBreaches>
	<cfoutput>
	<p><b>Attention:</b> The password you have chosen is known to exist in data breach(es) on other site(s).<br>
	It has been compromised <b><u>#numberformat(numberofBreaches)#</u></b> times. It should be considered insecure.<br>
	If you use this password on other sites, you should consider changing it.</p>
	</cfoutput>
<cfelse>
	<p>Password has not been found in any online breaches.</p>
</cfif>
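The same k-anonymity range check, re-implemented in Python as an added example for readers who do not run CFML (this is not the gist's code). It works against a constructed stand-in for the API response so it runs offline, records which prefix actually left the client, and goes slightly beyond the gist by tolerating lower-case or malformed lines and by treating the zero-count padding lines the API emits when `Add-Padding: true` is sent as "not found". The `fetch_range_http` fetcher uses the real endpoint but is not exercised here; `fake_fetch_range`, `SENT_PREFIXES` and all counts are constructed.

```python
"""k-anonymity lookup against the Pwned Passwords range API (added example).

Only the first 5 hex characters of the SHA-1 digest are sent; the remaining
35 are compared locally against the returned "SUFFIX:COUNT" lines.
"""
import hashlib
import urllib.request
from typing import Callable


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix): the upper-case hex SHA-1 split after 5 chars."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_breach_count(suffix: str, range_text: str) -> int:
    """Scan a range response for our suffix and return its breach count.

    Empty or malformed lines are skipped rather than guessed at. A matching
    line with count 0 (a padding line) reads as 0, the same as no match.
    """
    wanted = suffix.upper()
    for line in range_text.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep != ":" or not count.isdigit():
            continue
        if candidate.upper() == wanted:
            return int(count)
    return 0


def fetch_range_http(prefix: str) -> str:
    """Real fetcher (not run offline). urllib raises HTTPError on a non-2xx
    status, so a failed lookup can never be mistaken for 'not breached'."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "example-pwn-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def password_breach_count(password: str,
                          fetch_range: Callable[[str], str]) -> int:
    """Hash, send the 5-char prefix, match the suffix locally."""
    prefix, suffix = split_hash(password)
    return parse_breach_count(suffix, fetch_range(prefix))


# --- constructed offline stand-in for the API ---------------------------------
SENT_PREFIXES: list[str] = []  # records everything that "left the client"


def fake_fetch_range(prefix: str) -> str:
    """Constructed response. The well-known SHA-1 of "password" has prefix
    5BAA6; the other suffixes and every count here are made up."""
    SENT_PREFIXES.append(prefix)
    _, pw_suffix = split_hash("password")
    lines = [
        "1D72CD07550416C216D8AD296BF5C0AE8E0:10",
        "1E3687A61BFCE35F69B7408158101C8E414:0",  # zero-count padding line
    ]
    if prefix == "5BAA6":
        # lower-case on purpose to show the case-insensitive comparison
        lines.append(f"{pw_suffix.lower()}:3861493")
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    n = password_breach_count("password", fake_fetch_range)
    print(f"'password' seen {n} times; prefixes sent: {SENT_PREFIXES}")
```

To use it for real, pass `fetch_range_http` instead of `fake_fetch_range`; the gist's CFML does the equivalent with `cfhttp` and a regular expression over `filecontent`.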