Articles


Web
DOM XSS Fuzzing strategies - Part 1
Sat 22 December 2018
By ASM

XSS are still by far the most common tyope of vulnerabilities, this article presents strategies to automate the search for XSSes.

Mobile
Hardcoded AWS keys in Mobile Applications
Thu 20 December 2018

This article is about how to manage AWS access keys when using AWS services in your mobile application.

Ostorlab
New Features and Roadmap
Thu 20 September 2018

The last few months, Ostorlab team has been hard at work adding exciting new features. Some of these have already hit production, or will do so in the upcoming weeks and months.

ML
Reinforcement Learning & Automated Testing - part 1
Mon 22 January 2018

I will be sharing through a series of blog posts our past experimentations with the use of reinforcement learning for automated testing, to both chase bugs and find vulnerabilities.

Mobile
Critical attack surface of mobile applications
Wed 17 January 2018

the Attack Surface of mobile applications.

Mobile
Finding security bugs in Android applications the hard way
Fri 16 June 2017

Ostorlab is a community effort to build a mobile application vulnerability scanner to help developers build secure mobile applications. One of the new key components of the scanner detection capabilities is a new shiny static taint engine for Android Dalvik Bytecode that was heavily optimized for performance and low false positives.

Ostorlab
New Taint Engine ... more vulnerabilities found
Sun 23 April 2017

We have been for the last few months hard at work developing a new scan engine to identify new classes of vulnerabilities. The new scan engine is capable of identifying SQL injections, intent hijacking, insecure random seed, insecure cryptography etc.

Mobile
Testing Cordova Applications
Thu 24 November 2016

Hybrid frameworks like Cordova offers the advantage of building one app for multiple platform (support for Android, iOS, Windows Phone, FireOS, FirefoxOS ...) . The framework is easy and fast to develop with and offers generally a single API for all platforms.

Mobile
Android, SQL and ContentProviders or Why SQL injections aren't dead yet ?
Thu 03 November 2016

Before we get into SQL injections and what might go wrong, we'll start by covering some technical information on Content Providers...