[Expansion] Enhancement of 'qrcode' module to support remote URLs (Anti-Quishing) #757
Description
Description
I am currently working on analyzing Quishing (QR Code Phishing) campaigns. In many modern attacks, the QR Code is not sent as an email attachment, but hosted remotely and displayed via an HTML <img> tag (URL).
Current Behavior
I audited the current code of misp_modules/modules/expansion/qrcode.py.
The module currently limits the input to attachments only:
mispattributes = {"input": ["attachment"], "output": ["url", "btc"]}
Furthermore, the handler function immediately expects the data key (base64 content) to be present, preventing the processing of remote links/attributes.
Proposed Solution
I would like to contribute an enhancement to this module to support URLs as input.
Implementation Plan:
1. Update introspection to accept url and link attributes.
2.Update the handler logic to detect if the input is a URL.
3.Use the requests library to fetch the remote image into memory.
4.Convert the fetched content to a numpy array (compatible with the existing cv2/pyzbar decoding logic).
This will allow analysts to decode QR codes from URLs directly within MISP without manually downloading the file first.
I am working on a Pull Request for this.