Articles by

Ostorlab Team

This release introduces newly developed insecure mobile apps, improves the Monkey Tester for reliable prompt-based input during dynamic scans, and enhances the web crawler to explore deeper routes with faster performance. These improvements boost scanning coverage, accuracy, and reliability

Security

Introducing Ostorlab Security Testing Benchmarks: Real Vulnerabilities, Real Impact

The first open-source benchmark suite featuring 93 realistic vulnerable mobile apps that mirror a...

Mon 22 September 2025

Security

Banking Report 2025: Security at the Core of Mobile Finance

Large-scale security analysis of 500+ top mobile banking apps reveals widespread vulnerabilities,...

Mon 15 September 2025

Security

Automating Security Research: AI Engine Exploits Complex Blind Code Injection

Precision beats payload spray using Ostorlab's AI engine to systematically land RCE on Titiler an...

Thu 04 September 2025

This article showcases Ostorlab's AI Pentest Engine's process for analyzing an Android application for Intent Redirection vulnerabilities. Follow the engine's journey from static analysis and initial findings to rigorous dynamic validation, demonstrating its ability to not only identify potential threats but also to meticulously discard false positives.

This article presents a thorough, hands-on analysis and real-world exploitation of a hardcoded GCP service account with overprivileged Pub/Sub access discovered in a HackerOne mobile app. It details how Ostorlab’s AI-powered pentesting engine automated the full cycle—from authentication and permission enumeration to end-to-end message injection/interception—enabling remediation within four days.

Latest posts

From Signal to the Android SDK: Chaining Path Traversal, Mimetype Confusion, Security Check Bypass and File Descriptor Bruteforce for Arbitrary File Access

This technical analysis reveals how sophisticated attack chains—combining path traversal, symbolic link manipulation, and Android SDK quirks—can breach Signal Android's defenses to extract sensitive internal files, despite its legendary encryption remaining intact. While Signal patched these vulnerabilities within days, the discoveries offer crucial lessons about how seemingly minor bugs can be chained into powerful exploits, and why even the best security architecture needs multiple layers of defense

Mon 11 August 2025

Automating Security Research: AI Engine Exploits Report Portal XXE (CVE-2021-29620)

This article presents a thorough, hands-on analysis and proof of concept for exploiting an OOB XXE vulnerability CVE-2021-29620 in Report Portal. It details how Ostorlab's AI-powered pentesting engine was used to automate the full cycle.

Thu 07 August 2025

From Random to Intelligent: How AI-Powered Monkey Testing Achieves 10x Mobile App Coverage

Ostorlab’s AI Monkey Tester transforms mobile app security testing by using natural language prompts and generative AI to automatically generate intelligent, context-aware test scenarios, resulting in up to a 10x increase in application coverage compared to traditional, rule-based testing approaches.

Fri 01 August 2025

Automating Security Research: AI Engine Exploits Zulip Stored XSS (CVE-2025-52559)

This article presents a thorough, hands-on analysis and proof of concept for exploiting the stored XSS vulnerability CVE-2025-52559 in Zulip. It details how Ostorlab's AI-powered pentesting engine was used to automate the full cycle.

Mon 28 July 2025

SSL Scanner Overhaul and Improved UI Call Coverage Powered by User-Defined Prompts

This release introduces major enhancements to our AI-powered UI exploration engine, delivering smarter and more adaptive dynamic scanning across modern applications. We've overhauled our SSL scanner to detect 15+ critical SSL/TLS vulnerabilities with improved precision, and rebuilt the taint analysis engine for deeper and more reliable vulnerability detection. The release also expands coverage for secrets detection, mobile misconfigurations, and modern CVEs. Across the board, platform performance has been refined for greater speed, stability, and accuracy.

Tue 22 July 2025

Expanded Privacy Analysis, Attack Surface Profiling, and GitHub Source Mapping Improvements

Ostorlab's May 2025 update delivers comprehensive privacy analysis capabilities with 21 new data collection categories and enhanced verification tools. This release introduces specialized Attack Surface scan profiles for optimized security assessments, adds GitHub source code integration for precise vulnerability mapping, and implements QPS rate limiting for controlled scanning. Additional improvements include mobile scan URL regex controls, streamlined Jira integration, and expanded fingerprinting capabilities for improved detection accuracy.

Mon 12 May 2025

Bypassing Obfuscation in Android Apps: A Dual Approach with DalvikFLIRT and LLM-Powered Rewrites

This research introduces a pioneering dual approach that combines signature-based matching (DalvikFLIRT) with LLM-powered code transformation to bypass sophisticated Android app obfuscation, enabling automated security analysis of previously impenetrable code.

Wed 16 April 2025

CNIL Standard Integration, SARIF Support, Copilot Enhancements, and Smarter Vulnerability Analysis.

This release introduces CNIL standard support, SARIF export, and improved vulnerability insights with locations and advanced search. Copilot is more powerful, performance is faster, and asset and remediation workflows are smoother.

Mon 07 April 2025


Previous
1 of 11