Ostorlab's May 2025 update delivers comprehensive privacy analysis capabilities with 21 new data collection categories and enhanced verification tools. This release introduces specialized Attack Surface scan profiles for optimized security assessments, adds GitHub source code integration for precise vulnerability mapping, and implements QPS rate limiting for controlled scanning. Additional improvements include mobile scan URL regex controls, streamlined Jira integration, and expanded fingerprinting capabilities for improved detection accuracy.
Enhanced PDF report naming: improved how PDF exports are named, making it easier to organize and identify reports.
🎯 Attack Surface
Introduced two new scan profiles for Attack Surface scanning: to give a better control over scan depth and focus:
Attack Surface KEV Scan: A targeted scan focused on Known Exploited Vulnerabilities (KEV), to identify the most critical and actively exploited security issues.
Attack Surface Exhaustive Scan: A comprehensive scan for thorough coverage of
your organization's external security posture.
You'll now need to select a scan profile when creating a new Attack Surface scan
🔗 Integrations
Enhanced GitHub integration to show vulnerabilities in your code as comments: With Ostorlab Github App integration, when the platform finds security issues, it adds comments directly into your pull request at the exact location when vulnerabilities are detected with single-click button to apply fixes.
This gives developers immediate context about vulnerabilities right in their codebase, making it easier to
understand and fix security issues without switching between tools.
🛡️ Scanning & Vulnerability Management
Implemented Option to control QPS (Queries Per Second) rate limiting for outgoing network traffic during vulnerability
scans.
This feature lets you specify query-per-second limits for Web App, Web API, Network, and Attack Surface scans.
Added Scope URLs regexes in monitoring rules: Added support for whitelisting specific domains in mobile
scans using regex patterns. This narrows testing to just the relevant parts of your application.
Create Rule:
Update Rule:
🎫 Remediation
Streamlined Jira integration experience: Jira ticket creation process has UI improvement for more intuitive and
consistent interface.
🔒 Compliance & Privacy
Privacy Analysis Enhancements
New privacy scan summary table: Added a comprehensive table that shows app data collection practices
including:
What's declared in the privacy policy
Actual policy quotes as validation
What our scans detected in the app
Evidence when we find discrepancies
This makes spotting privacy compliance issues much easier at a glance.
Privacy Policy Analysis Expansion
Enhanced privacy scanning with 21 new data collection categories, giving more comprehensive privacy policy
analysis. Categories now include:
Sensitive personal information (EMAIL, PERSONAL_IDENTIFIERS)
User behavior monitoring (SEARCH_QUERIES, APP_USAGE, BROWSING_ACTIVITY)
This expansion enables more thorough identification of privacy concerns, improves compliance verification, and helps
you better understand potential privacy risks in applications.
🔍 Detection
Fingerprinting Enhancements
Added fingerprinting for native libraries: Enhanced detection capabilities for three critical libraries
commonly bundled in privacy-focused messaging applications:
libsignal_jni: Core cryptographic library for secure messaging
libsqlcipher: Database encryption library that protects local message storage
libringrtc: WebRTC implementation for secure voice and video calling
Added fingerprinting: We now detect mojoPortal, Craft CMS, and FastCGI.
Biometric Authentication Security
Added detection for insecure biometric authentication: Our new scanner identifies apps using fingerprint or face
recognition without proper cryptographic binding. This detects when biometric verification isn't securely linked to
cryptographic keys, a vulnerability that attackers can exploit to bypass security controls on both Android and iOS.
Code Example of Insecure Biometric Authentication
Below is an example of insecure biometric authentication implementation where a CryptoObject is passed to the biometric prompt but not actually used to decrypt user data:
// VULNERABLE IMPLEMENTATION: Biometric authentication with CryptoObject but without actually using itpublicclassMisusedCryptoObjectAuthenticator{privatestaticfinalStringENCRYPTED_DATA_KEY="encrypted_data";privateSharedPreferencespreferences;privateCiphercipher;privateSecretKeysecretKey;publicMisusedCryptoObjectAuthenticator(Contextcontext){this.preferences=context.getSharedPreferences("app_prefs",Context.MODE_PRIVATE);try{// Initialize crypto componentsKeyGeneratorkeyGenerator=KeyGenerator.getInstance("AES");keyGenerator.init(256);secretKey=keyGenerator.generateKey();cipher=Cipher.getInstance("AES/GCM/NoPadding");cipher.init(Cipher.ENCRYPT_MODE,secretKey);}catch(Exceptione){e.printStackTrace();}}publicvoidauthenticateUser(finalAuthenticationCallbackcallback){try{// We create a CryptoObject and pass it to the biometric promptBiometricPrompt.CryptoObjectcryptoObject=newBiometricPrompt.CryptoObject(cipher);BiometricPromptbiometricPrompt=newBiometricPrompt(activity,executor,newBiometricPrompt.AuthenticationCallback(){@OverridepublicvoidonAuthenticationSucceeded(BiometricPrompt.AuthenticationResultresult){// VULNERABILITY: We have the cryptoObject but don't use it!// Instead, we just set a flag or retrieve data directly// The CryptoObject from the result is ignoredBiometricPrompt.CryptoObjectcryptoResult=result.getCryptoObject();// Simply set authentication flag without using the CryptoObjectsetAuthenticated(true);callback.onSuccess();}@OverridepublicvoidonAuthenticationFailed(){callback.onFailure("Authentication failed");}});// We pass the cryptoObject to authenticatebiometricPrompt.authenticate(promptInfo,cryptoObject);}catch(Exceptione){callback.onFailure("Error: "+e.getMessage());}}privatevoidsetAuthenticated(booleanauthenticated){preferences.edit().putBoolean("is_authenticated",authenticated).apply();}// VULNERABILITY: This method retrieves sensitive data without requiring the// cryptoObject that was used during authenticationpublicStringgetSensitiveData(){// Simply checks a boolean flag instead of using crypto bindingif(preferences.getBoolean("is_authenticated",false)){// Get data without using the CryptoObject for decryptionStringencryptedData=preferences.getString(ENCRYPTED_DATA_KEY,null);// We manually decrypt using our stored secretKey instead of// using the key bound to biometric authenticationreturndecryptWithStoredKey(encryptedData);}returnnull;}privateStringdecryptWithStoredKey(StringencryptedData){// Decrypt using the stored key, not the one from biometric authenticationtry{// This uses the class-level secretKey, not anything from the biometric resultCipherdecryptCipher=Cipher.getInstance("AES/GCM/NoPadding");decryptCipher.init(Cipher.DECRYPT_MODE,secretKey);returnnewString(decryptCipher.doFinal(Base64.decode(encryptedData,Base64.DEFAULT)));}catch(Exceptione){returnnull;}}}
Vulnerability explanation:
1. The code creates and passes a CryptoObject to the biometric authentication process
2. However, after successful authentication, the CryptoObject is ignored
3. Instead of using the CryptoObject to decrypt sensitive data, the app:
- Sets a simple boolean flag
- Uses a separate stored key for decryption that isn't tied to biometric verification
4. This allows attackers to bypass biometric security by directly manipulating the stored flag or accessing the decryption key
GraphQL Security
Enhanced GraphQL analyzers to report secure vulnerability when no vulnerabilities are detected, giving you more
confidence in security assessments.
Threat Center
We've added support for several CVEs:
CVE-2025-2825/CVE-2025-31161: Critical CrushFTP Authentication Bypass - A severe vulnerability (CVSS 9.8)
affecting CrushFTP versions 10.0.0-10.8.3 and 11.0.0-11.3.0 that allows complete authentication bypass through
manipulation of S3-style authentication headers and cookies.
CVE-2025-22457: Ivanti Stack-Based Buffer Overflow - Critical remote code execution vulnerability affecting Ivanti
Connect Secure, Policy Secure, and ZTA Gateways through insufficient validation of X-Forwarded-For HTTP headers.
CVE-2025-2636: InstaWP Connect Plugin LFI Vulnerability - Critical local file inclusion vulnerability in the
popular InstaWP Connect WordPress plugin affecting over 30,000 active installations.
CVE-2025-32432: Craft CMS Remote Code Execution - Critical unauthenticated RCE vulnerability affecting multiple
Craft CMS versions through insecure deserialization in the asset transformation process.
CVE-2024-12847: Enhanced Netgear Router Command Injection Detection - We've improved detection using a dynamic
echo
payload with randomized tokens, eliminating false positives while maintaining accurate vulnerability detection.
CVE-2019-9874: Sitecore Anti-CSRF Deserialization Vulnerability - Critical RCE vulnerability in Sitecore CMS
allowing unauthenticated attackers to execute arbitrary code through unsafe deserialization.
CVE-2017-3066: Adobe ColdFusion RCE via Java Deserialization - Critical vulnerability enabling unauthenticated
attackers to execute arbitrary code by sending specially crafted serialized Java objects.
CVE-2017-12637: SAP NetWeaver AS Java Directory Traversal - High-severity vulnerability enabling unauthenticated
attackers to access sensitive server files through path traversal manipulation.