Product

Expanded Privacy Analysis, Attack Surface Profiling, and GitHub Source Mapping Improvements

Ostorlab's May 2025 update delivers comprehensive privacy analysis capabilities with 21 new data collection categories and enhanced verification tools. This release introduces specialized Attack Surface scan profiles for optimized security assessments, adds GitHub source code integration for precise vulnerability mapping, and implements QPS rate limiting for controlled scanning. Additional improvements include mobile scan URL regex controls, streamlined Jira integration, and expanded fingerprinting capabilities for improved detection accuracy.

Mon 12 May 2025

📈 Reporting & Export Enhancements

  • Enhanced PDF report naming: improved how PDF exports are named, making it easier to organize and identify reports.
    PDF Export Naming

🎯 Attack Surface

  • Introduced two new scan profiles for Attack Surface scanning: to give a better control over scan depth and focus:
    • Attack Surface KEV Scan: A targeted scan focused on Known Exploited Vulnerabilities (KEV), to identify the most critical and actively exploited security issues.
    • Attack Surface Exhaustive Scan: A comprehensive scan for thorough coverage of your organization's external security posture. You'll now need to select a scan profile when creating a new Attack Surface scan
      Attack Surface Scan Profiles

🔗 Integrations

  • Enhanced GitHub integration to show vulnerabilities in your code as comments: With Ostorlab Github App integration, when the platform finds security issues, it adds comments directly into your pull request at the exact location when vulnerabilities are detected with single-click button to apply fixes. This gives developers immediate context about vulnerabilities right in their codebase, making it easier to understand and fix security issues without switching between tools.

🛡️ Scanning & Vulnerability Management

  • Implemented Option to control QPS (Queries Per Second) rate limiting for outgoing network traffic during vulnerability scans. This feature lets you specify query-per-second limits for Web App, Web API, Network, and Attack Surface scans.
  • Added Scope URLs regexes in monitoring rules: Added support for whitelisting specific domains in mobile scans using regex patterns. This narrows testing to just the relevant parts of your application. Create Rule:
    Android Create Rule
    Update Rule:
    Android Edit Rule

🎫 Remediation

  • Streamlined Jira integration experience: Jira ticket creation process has UI improvement for more intuitive and consistent interface.
    Jira Integration UI

🔒 Compliance & Privacy

Privacy Analysis Enhancements

  • New privacy scan summary table: Added a comprehensive table that shows app data collection practices including:
    • What's declared in the privacy policy
    • Actual policy quotes as validation
    • What our scans detected in the app
    • Evidence when we find discrepancies

This makes spotting privacy compliance issues much easier at a glance.

Privacy Analysis Table

Privacy Policy Analysis Expansion

  • Enhanced privacy scanning with 21 new data collection categories, giving more comprehensive privacy policy analysis. Categories now include:
    • Sensitive personal information (EMAIL, PERSONAL_IDENTIFIERS)
    • Financial data (PAYMENT_FINANCIAL)
    • Sensitive attributes (BIOMETRIC_DATA, GENDER_IDENTITY, RELIGIOUS_BELIEFS, POLITICAL_AFFILIATIONS, PHILOSOPHICAL_BELIEFS, CRIMINAL_RECORD)
    • Location tracking (CURRENT_LOCATION, LOCATION_HISTORY)
    • Media access (USER_PHOTOS_MEDIA)
    • User behavior monitoring (SEARCH_QUERIES, APP_USAGE, BROWSING_ACTIVITY)

This expansion enables more thorough identification of privacy concerns, improves compliance verification, and helps you better understand potential privacy risks in applications.

🔍 Detection

Fingerprinting Enhancements

  • Added fingerprinting for native libraries: Enhanced detection capabilities for three critical libraries commonly bundled in privacy-focused messaging applications:

    • libsignal_jni: Core cryptographic library for secure messaging
    • libsqlcipher: Database encryption library that protects local message storage
    • libringrtc: WebRTC implementation for secure voice and video calling
  • Added fingerprinting: We now detect mojoPortal, Craft CMS, and FastCGI.

Biometric Authentication Security
  • Added detection for insecure biometric authentication: Our new scanner identifies apps using fingerprint or face recognition without proper cryptographic binding. This detects when biometric verification isn't securely linked to cryptographic keys, a vulnerability that attackers can exploit to bypass security controls on both Android and iOS.

Code Example of Insecure Biometric Authentication

Below is an example of insecure biometric authentication implementation where a CryptoObject is passed to the biometric prompt but not actually used to decrypt user data:

// VULNERABLE IMPLEMENTATION: Biometric authentication with CryptoObject but without actually using it

public class MisusedCryptoObjectAuthenticator {
    private static final String ENCRYPTED_DATA_KEY = "encrypted_data";
    private SharedPreferences preferences;
    private Cipher cipher;
    private SecretKey secretKey;

    public MisusedCryptoObjectAuthenticator(Context context) {
        this.preferences = context.getSharedPreferences("app_prefs", Context.MODE_PRIVATE);
        try {
            // Initialize crypto components
            KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
            keyGenerator.init(256);
            secretKey = keyGenerator.generateKey();
            cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.ENCRYPT_MODE, secretKey);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public void authenticateUser(final AuthenticationCallback callback) {
        try {
            // We create a CryptoObject and pass it to the biometric prompt
            BiometricPrompt.CryptoObject cryptoObject = new BiometricPrompt.CryptoObject(cipher);

            BiometricPrompt biometricPrompt = new BiometricPrompt(activity,
                    executor,
                    new BiometricPrompt.AuthenticationCallback() {
                        @Override
                        public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
                            // VULNERABILITY: We have the cryptoObject but don't use it!
                            // Instead, we just set a flag or retrieve data directly

                            // The CryptoObject from the result is ignored
                            BiometricPrompt.CryptoObject cryptoResult = result.getCryptoObject();

                            // Simply set authentication flag without using the CryptoObject
                            setAuthenticated(true);
                            callback.onSuccess();
                        }

                        @Override
                        public void onAuthenticationFailed() {
                            callback.onFailure("Authentication failed");
                        }
                    });

            // We pass the cryptoObject to authenticate
            biometricPrompt.authenticate(promptInfo, cryptoObject);

        } catch (Exception e) {
            callback.onFailure("Error: " + e.getMessage());
        }
    }

    private void setAuthenticated(boolean authenticated) {
        preferences.edit().putBoolean("is_authenticated", authenticated).apply();
    }

    // VULNERABILITY: This method retrieves sensitive data without requiring the
    // cryptoObject that was used during authentication
    public String getSensitiveData() {
        // Simply checks a boolean flag instead of using crypto binding
        if (preferences.getBoolean("is_authenticated", false)) {
            // Get data without using the CryptoObject for decryption
            String encryptedData = preferences.getString(ENCRYPTED_DATA_KEY, null);
            // We manually decrypt using our stored secretKey instead of
            // using the key bound to biometric authentication
            return decryptWithStoredKey(encryptedData);
        }
        return null;
    }

    private String decryptWithStoredKey(String encryptedData) {
        // Decrypt using the stored key, not the one from biometric authentication
        try {
            // This uses the class-level secretKey, not anything from the biometric result
            Cipher decryptCipher = Cipher.getInstance("AES/GCM/NoPadding");
            decryptCipher.init(Cipher.DECRYPT_MODE, secretKey);
            return new String(decryptCipher.doFinal(Base64.decode(encryptedData, Base64.DEFAULT)));
        } catch (Exception e) {
            return null;
        }
    }
}

Vulnerability explanation: 1. The code creates and passes a CryptoObject to the biometric authentication process 2. However, after successful authentication, the CryptoObject is ignored 3. Instead of using the CryptoObject to decrypt sensitive data, the app: - Sets a simple boolean flag - Uses a separate stored key for decryption that isn't tied to biometric verification 4. This allows attackers to bypass biometric security by directly manipulating the stored flag or accessing the decryption key

GraphQL Security

  • Enhanced GraphQL analyzers to report secure vulnerability when no vulnerabilities are detected, giving you more confidence in security assessments.

Threat Center

We've added support for several CVEs:

  • CVE-2025-2825/CVE-2025-31161: Critical CrushFTP Authentication Bypass - A severe vulnerability (CVSS 9.8) affecting CrushFTP versions 10.0.0-10.8.3 and 11.0.0-11.3.0 that allows complete authentication bypass through manipulation of S3-style authentication headers and cookies.

  • CVE-2025-22457: Ivanti Stack-Based Buffer Overflow - Critical remote code execution vulnerability affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways through insufficient validation of X-Forwarded-For HTTP headers.

  • CVE-2025-2636: InstaWP Connect Plugin LFI Vulnerability - Critical local file inclusion vulnerability in the popular InstaWP Connect WordPress plugin affecting over 30,000 active installations.

  • CVE-2025-32432: Craft CMS Remote Code Execution - Critical unauthenticated RCE vulnerability affecting multiple Craft CMS versions through insecure deserialization in the asset transformation process.

  • CVE-2024-12847: Enhanced Netgear Router Command Injection Detection - We've improved detection using a dynamic echo payload with randomized tokens, eliminating false positives while maintaining accurate vulnerability detection.

  • CVE-2019-9874: Sitecore Anti-CSRF Deserialization Vulnerability - Critical RCE vulnerability in Sitecore CMS allowing unauthenticated attackers to execute arbitrary code through unsafe deserialization.

  • CVE-2017-3066: Adobe ColdFusion RCE via Java Deserialization - Critical vulnerability enabling unauthenticated attackers to execute arbitrary code by sending specially crafted serialized Java objects.

  • CVE-2017-12637: SAP NetWeaver AS Java Directory Traversal - High-severity vulnerability enabling unauthenticated attackers to access sensitive server files through path traversal manipulation.