Add XposedOrNot expansion module (email breach lookup, no API key required)#789
Merged
Merged
Conversation
key required) New expansion/hover module querying the XposedOrNot data-breach API for email attributes. Returns one text attribute per breach (year, records exposed, domain, exposed data classes, password storage risk) plus an exposure summary, in misp_standard format with correlation disabled. Works with zero configuration via the free keyless API (2 req/s, 25/hour per IP); an optional api_key config switches to the commercial Plus API with higher limits. 404 and empty responses are treated as a clean result. Includes pytest coverage (free path, Plus path with URL-encoded email, clean, 429, HTTP errors, invalid input) and the logo for the modules documentation site.
Member
|
Thank you! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR adds an expansion/hover module for XposedOrNot — an open, free data-breach search service. Given an email attribute, the module reports which known data breaches the address appears in, with per-breach context.
No API key required. The module works with zero configuration via the free keyless API (rate limits: 2 req/s, 25/hour per IP). An optional
api_key(from console.xposedornot.com) switches to the commercial Plus API with higher limits.Input / output
email,email-src,email-dst,target-email,whois-registrant-emailmisp_standard): onetextattribute per breach — value is the breach name; comment carries breach year, records exposed, affected domain, exposed data classes and password-storage risk — preceded by an exposure summary attribute. Correlation is disabled on all returned attributes to avoid correlation-graph noise. (There is currently no fitting object template in misp-objects for per-breach metadata, hence attributes rather than objects; happy to adapt if you prefer an object shape.)Sample summary attribute for a heavily-breached address:
Sample per-breach comment:
Behavior notes
api_key— no blocking retries inside the module server.User+Tag@Example.com).Testing
tests/test_xposedornot.py— 6 pytest cases (free path with exact-URL assertion, Plus path with URL-encoding, clean 404 + clean 200-empty, 429, HTTP error, invalid input), all mocked, no network required. 8/8 green alongsidetest_ransomlook.pylocally.black --check/isort --check-onlyclean against the repo config.documentation/generate.pyrenders the module entry (logo included atdocumentation/logos/xposedornot.png).misp-modulesserver: module registers, expansion and hover queries return the outputs above, unsupported attribute types are rejected.