Getting XSOAR to read QRcodes

It became a sort of attack vector to simply include malicious qr codes in emails and documents to trick the victim into reading them

The news items above are just a view I have been able to find.

So what can we do?

Well a good start would be to add the capability to XSOAR to detect and read these qr codes, extract the data and the URL (if available) and do what we always do: enrich and respond.

import cv2

def detect_qrcode_image(path):

    img = cv2.imread(path)
    detect = cv2.QRCodeDetector()
    value, points, straight_qrcode = detect.detectAndDecode(img)

    if points is not None:
        result = { "Detected" : True, "Value" : str(value)}
        result = { "Detected" : False}

    return CommandResults(

def main():
        entry_id = demisto.args().get('entry_id')
        file_path = demisto.executeCommand("getFilePath", {
            "id": entry_id
    except Exception as ex:
        demisto.error(traceback.format_exc())  # print the traceback
        return_error(f'Failed to execute qrcodereader. Error: {str(ex)}')

if __name__ in ('__main__', '__builtin__', 'builtins'):

the above code only needs the demisto/opencv container, at the time of writing the version was

So now we can simply use this code as an automation in our playbooks or playground to extract the value, which will be stored under QR in the context data.

Categories: , ,

Leave a Reply

Your email address will not be published. Required fields are marked *