JacksonVD / PwnedPasswordsDLL-API

Open source solution to check prospective AD passwords against previously breached passwords


std::size_t found = APIResponse.find(hash.substr(5));

WhAtEvErYoUmEaN opened this issue

Pardon my limited understanding of C++, but won't this call find any occurrence of the hash substring within a hash?

For example, if my hash would start with 12d21, it would then be caught in this API call:
https://api.pwnedpasswords.com/range/f3bbb (it would be another substring of course, but try finding the same occurrence of the substring twice on purpose :) ) because it contains the hash 077086193E012D21A7EB92E6AC7E4134B2A.

In any way, wouldn't it be better to compare to the whole hash after you fetched the response?

Hiya, I'm currently travelling so I'll investigate this further when I return. Here's what I currently believe to be true (may well be wrong so apologies if so!)
APIResponse is returned from cURL as the body of the resolved page - each hash substring on the returned page excludes the starting 5 characters specified in the /range/ parameter in the URL. Therefore, the response only needs to be searched for the remaining substring of the hash to be found (the substr function with one parameter takes the substring from the supplied integer, i.e. supplying substr(5) will take from character 5 onwards).

To use the URL you supplied as an example - if the hash variable was F3BBB45647264C35D16C52085EC6D0BC20737B78, then the range F3BBB would be searched. The returned body would then be searched for the hash variable, with the first five characters removed, i.e. 45647264C35D16C52085EC6D0BC20737B78 - thus, a match would be found in the body at some position. The find() function itself returns the position at which the first match is found, and will only return a value if the entire string passed as a parameter is matched. As a result, I believe only the entire hash will be found (minus the first five characters which are the range to search).

Sorry if this has been very rambly! I'll review this again in a few days when I return home. I may very well be incorrect so please feel free to ask me to clarify anything or correct me.

I hope you're having a lovely day/night :)

Yup, I understood the substring as well as the API completely wrong. I'm sorry for that.
Thank you for the quick and thorough response!
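
The lookup discussed in this thread, as an added example that is not part of the original issue or the project's code: it matches the 35-character suffix against whole `SUFFIX:COUNT` lines of a range response and returns the count. The function name `pwnedCount`, the sample body and its counts are constructed for illustration; the two suffixes are the ones quoted above.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>

// Constructed sample of a /range/F3BBB response body: each line is a
// 35-character hash suffix, a colon and a breach count (counts are made up).
const std::string kSampleBody =
    "077086193E012D21A7EB92E6AC7E4134B2A:3\r\n"
    "45647264C35D16C52085EC6D0BC20737B78:12\r\n";

// Returns the breach count for sha1Hex in body, 0 if its suffix is not
// listed, or -1 if the hash or the matching count field is malformed.
long pwnedCount(std::string sha1Hex, const std::string& body) {
    // A full SHA-1 is 40 hex characters; anything shorter would turn the
    // lookup into a search for an arbitrary fragment.
    if (sha1Hex.size() != 40 ||
        !std::all_of(sha1Hex.begin(), sha1Hex.end(),
                     [](unsigned char c) { return std::isxdigit(c) != 0; }))
        return -1;
    // The API returns upper-case hex, so normalise before comparing.
    std::transform(sha1Hex.begin(), sha1Hex.end(), sha1Hex.begin(),
                   [](unsigned char c) { return static_cast<char>(std::toupper(c)); });
    const std::string suffix = sha1Hex.substr(5);  // characters 5..39

    std::istringstream lines(body);
    std::string line;
    while (std::getline(lines, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();
        if (line.find(':') != 35) continue;        // not a SUFFIX:COUNT line
        if (line.compare(0, 35, suffix) != 0) continue;
        try { return std::stol(line.substr(36)); }
        catch (...) { return -1; }
    }
    return 0;
}

int main() {
    const std::string hash = "F3BBB45647264C35D16C52085EC6D0BC20737B78";
    std::cout << "count: " << pwnedCount(hash, kSampleBody) << "\n";
    // A 5-character fragment does occur inside another suffix, which is why
    // the search term must be the full 35-character remainder of the hash.
    std::cout << "fragment found: "
              << (kSampleBody.find("12D21") != std::string::npos) << "\n";
    return 0;
}
```
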