
pwned-checker-service

Provides access to the Have I Been Pwned service to check whether given email addresses or passwords have appeared in public data breaches, returning detailed information on each breach and a complete list of all catalogued incidents.

Author


Cyreslab-AI

MIT License

Quick Info

  • GitHub Stars: 1
  • NPM Weekly Downloads: 0
  • Tools: 1
  • Last Updated: 2026-02-19


Pwned Credential Verification Backend


A Model Context Protocol (MCP) server that connects to the Have I Been Pwned API. Its primary function is to check user credentials (email addresses or passwords) against records of known data breaches.

Capabilities

This MCP backend exposes four distinct operational endpoints:

  1. check_email: Checks whether an email address appears in known breach records.
  2. check_password: Checks whether a password has appeared in breach datasets, using the k-anonymity range method so the password itself is never transmitted.
  3. get_breach_details: Retrieves detailed information about a single named breach.
  4. list_all_breaches: Lists every known breach record, optionally filtered by associated domain name.

Deployment Instructions

Installation via Smithery

For automated deployment into Claude Desktop environments using Smithery:

    npx -y @smithery/cli install @Cyreslab-AI/hibp-mcp-server --client claude

Prerequisites

  • Node.js runtime environment (version 14 or newer)
  • npm package manager (version 6 or newer)
  • An active API credential for Have I Been Pwned (obtainable from haveibeenpwned.com/API/Key)

Configuration Steps

  1. Acquire the source code repository:

    git clone https://github.com/Cyreslab-AI/hibp-mcp-server.git
    cd hibp-mcp-server

  2. Install required packages:

    npm install

  3. Compile the server application:

    npm run build

  4. Integrate the server configuration into your MCP operational file:

    For the Claude VSCode extension, update ~/Library/Application Support/Code/User/globalStorage/saoudrizwan.claude-dev/settings/cline_mcp_settings.json:

    {
      "mcpServers": {
        "hibp": {
          "command": "node",
          "args": ["/path/to/hibp-mcp-server/build/index.js"],
          "env": {
            "HIBP_API_KEY": "YOUR_API_KEY_HERE"
          },
          "disabled": false,
          "autoApprove": []
        }
      }
    }

    For the Claude desktop application, reference ~/Library/Application Support/Claude/claude_desktop_config.json (or the corresponding location for your operating system).

Operational Examples

Once the backend is initialized, utilize it via Claude for security inquiries:

Email Verification

User: Has my email address example@gmail.com been compromised in any breaches?

Claude: Positive findings! This electronic mail address was not identified in any documented compromise events.

Conversely, if compromises are detected:

User: Has my email address breached@example.com been pwned?

Claude: ⚠️ Warning: This email address was referenced in 3 distinct security breaches.

Compromise Report:

  1. Adobe (2013-10-04)
     Domain: adobe.com
     Synopsis: During October 2013, records for 153 million Adobe accounts were affected...
     Leaked Elements: Email addresses, Password hints, Passwords, Usernames

  2. LinkedIn (2012-05-05)
     Domain: linkedin.com
     Synopsis: In May 2016, LinkedIn experienced an exposure involving 164 million email addresses and secret passphrases...
     Leaked Elements: Email addresses, Passwords

  3. Dropbox (2012-07-01)
     Domain: dropbox.com
     Synopsis: Mid-2012 saw a security incident at Dropbox resulting in the leakage of...
     Leaked Elements: Email addresses, Passwords

Recommended Actions:
  • Immediately reset your secret passphrase for these implicated services
  • Update the identical passphrase used on other platforms
  • Activate multi-factor authentication wherever feasible
  • Consider adopting a dedicated passphrase management solution

Passphrase Assessment

User: Was the passphrase "password123" discovered in any breach datasets?

Claude: ⚠️ Alert: This passphrase has been associated with data exposures on 123,456 occasions!

Recommendations for Action:
  • Discontinue use of this passphrase immediately
  • Change it across every platform where it is currently employed
  • Adopt a unique, robust passphrase for every distinct account
  • Utilize a secure passphrase vault service

Incident Specifics Retrieval

User: Provide details on the LinkedIn security compromise

Claude: # LinkedIn Security Event Details

Date of Discovery: 2012-05-05
Associated Domain: linkedin.com
User Accounts Impacted: 164,611,595
Verification Status: Confirmed
Exposed Data Types: Email addresses, Passwords

Narrative Summary: In May 2016, 164 million electronic mail addresses and secret passphrases belonging to LinkedIn users were exposed. The initial breach occurred in 2012, but the compromised data was only offered for sale on a clandestine digital marketplace four years later. The passphrases in this dataset were hashed using SHA1 without salting, leading to rapid decryption of the majority shortly after the data release.

Suggested Countermeasures:
  • If you maintained an account on this platform, modify your secret passphrase.
  • If the same passphrase was reused elsewhere, update those as well.
  • Scrutinize your accounts for any unauthorized transactional activity.
  • Exercise heightened vigilance regarding unsolicited communication attempts potentially leveraging this leaked data.

Incident Roster Generation

User: Generate a list of all data compromises related to Adobe

Claude: Identified 1 incident pertaining to domain adobe.com:

  1. Adobe (2013-10-04)
     Domain: adobe.com
     Accounts Affected: 152,445,165
     Compromised Data: Email addresses, Password hints, Passwords, Usernames

Security Considerations

  • The function for checking secret passphrases employs k-anonymity principles to avoid transmitting the full passphrase content to the external Have I Been Pwned API.
  • Only the initial 5 characters of the SHA-1 hash of the passphrase are transmitted to the service.
  • The API responds with a collection of matching hash suffixes, allowing the verification process to finalize on the local machine.

API Credential Setup

This backend requires a valid Have I Been Pwned API key for all functions except password checking, which uses the keyless range endpoint. Keys can be obtained at haveibeenpwned.com/API/Key.

Supply the key through an environment variable named HIBP_API_KEY in your MCP configuration settings.

Licensing

MIT

WIKIPEDIA: XMLHttpRequest

XMLHttpRequest (XHR) represents an Application Programming Interface structured as a JavaScript object designed to dispatch HTTP queries from a client's web browser to a remote web server. Its methods enable browser-based programs to dispatch requests post-page rendering and subsequently receive relayed data. XMLHttpRequest is a foundational element of Ajax programming methodologies. Preceding Ajax, the primary means of server interaction involved hyperlink navigation and form submission, often resulting in a complete page refresh. This contrasted sharply with the background asynchronous data exchange facilitated by XHR.

== Historical Background ==

The foundational concept for XMLHttpRequest emerged around the year 2000, conceptualized by developers working on Microsoft Outlook. This concept was subsequently implemented within the Internet Explorer 5 browser release (1999). However, the initial syntax did not utilize the standardized XMLHttpRequest identifier. Instead, developers employed COM object instantiations: ActiveXObject("Msxml2.XMLHTTP") and ActiveXObject("Microsoft.XMLHTTP"). By the release of Internet Explorer 7 (2006), universal support for the proper XMLHttpRequest identifier was established across all major web browsers, including Mozilla's Gecko rendering engine (2002), Safari version 1.2 (2004), and Opera version 8.0 (2005).

=== Standardization Efforts ===

The World Wide Web Consortium (W3C) issued the initial Working Draft specification for the XMLHttpRequest object on April 5, 2006. A subsequent Working Draft, Level 2, was published by the W3C on February 25, 2008. Level 2 augmented the functionality with methods for monitoring request progress, enabling cross-origin requests, and managing binary byte streams. By the close of 2011, the Level 2 specification features were integrated back into the primary specification document. At the end of 2012, the WHATWG assumed stewardship of maintenance, now preserving a dynamic document defined using Web IDL.

== Implementation Workflow ==

Typically, issuing a request via XMLHttpRequest necessitates adhering to several sequential programming phases.

  1. Instantiate an XMLHttpRequest object by invoking its constructor:
  2. Invoke the "open" method to dictate the request method (e.g., GET, POST), specify the target resource URI, and choose between synchronous or asynchronous execution mode:
  3. For asynchronous operations, attach an event handler function designed to trigger upon changes in the request's status:
  4. Commence the transmission of the request payload by calling the "send" method:
  5. Process the status changes within the designated event listener. If the server returns response content, it is, by default, stored in the "responseText" property. Once the object concludes processing the transaction, its state transitions to 4, signifying the "done" state.

Apart from these fundamental phases, XMLHttpRequest offers extensive controls over request transmission parameters and response handling. Custom HTTP headers can be appended to tailor server behavior, and data can be uploaded to the server within the argument provided to the "send" invocation. The retrieved response can be deserialized from JSON format directly into usable JavaScript structures, or processed incrementally as data segments arrive, foregoing the need to await the complete text block. Furthermore, the request can be prematurely terminated or configured to time out if completion is not achieved within a set duration.
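The five phases above, plus the timeout, custom-header, JSON-decoding and abort controls the article mentions, assembled into one working function. This is an added example, not code from the Wikipedia article: `requestJson`, `handleStateChange` and the `extraHeaders` and `timeoutMs` parameters are names chosen here. The state handler is kept separate from the request setup so it can be exercised against any object exposing `readyState`, `status` and `responseText`; the request setup itself needs a browser, since Node has no `XMLHttpRequest` global.

```javascript
// Added example (not from the article): the XMLHttpRequest workflow with
// status checking, a timeout, custom headers and explicit JSON decoding.

// Phase 5: handle readyState changes. Returns null while the transfer is
// still in flight (readyState 0..3) and a result record once it is DONE (4).
// Works on any object with readyState/status/responseText, real or fake.
function handleStateChange(xhr) {
  if (xhr.readyState !== 4) {
    return null;                          // not DONE yet; keep waiting
  }
  if (xhr.status === 0) {
    // Browsers report status 0 for network errors, timeouts and abort().
    return { ok: false, status: 0, error: "network error, timeout or abort" };
  }
  if (xhr.status < 200 || xhr.status >= 300) {
    return { ok: false, status: xhr.status, error: "HTTP " + xhr.status };
  }
  try {
    // Body lives in responseText by default; decode it as JSON explicitly
    // instead of trusting the server's Content-Type or evaluating it.
    return { ok: true, status: xhr.status, data: JSON.parse(xhr.responseText) };
  } catch (e) {
    return { ok: false, status: xhr.status, error: "invalid JSON: " + e.message };
  }
}

// Phases 1-4. `onResult` is called exactly once with the record from
// handleStateChange. `timeoutMs` and `extraHeaders` are assumed parameters
// for the timeout and custom-header controls the article describes.
function requestJson(method, url, body, onResult, timeoutMs = 5000, extraHeaders = {}) {
  const xhr = new XMLHttpRequest();                 // 1. construct the object
  xhr.open(method, url, true);                      // 2. method, URL, async = true
  xhr.timeout = timeoutMs;                          // give up after timeoutMs
  for (const [name, value] of Object.entries(extraHeaders)) {
    xhr.setRequestHeader(name, value);              // only valid after open()
  }
  if (body !== undefined) {
    xhr.setRequestHeader("Content-Type", "application/json");
  }
  xhr.onreadystatechange = function () {            // 3. status-change listener
    const result = handleStateChange(xhr);
    if (result !== null) onResult(result);
  };
  xhr.send(body === undefined ? null : JSON.stringify(body)); // 4. send payload
  return xhr;                                       // caller may xhr.abort()
}
```

Because errors, timeouts and aborts all surface as a DONE state with status 0, a single readystatechange listener is enough to deliver every outcome once; separate `ontimeout`/`onerror` handlers would fire in addition to it and report the same failure twice.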

== Cross-Origin Transactions ==

Early in the World Wide Web's development cycle, protocols were discovered that permitted unauthorized interaction bet
