Search 🎨

• Revamped Search: Reworked the search UI to make searching very seamless, without the hassle of having to remember search keywords.

  

• Added support for applying search filters even if Ticket Grouping is used.
• Fixed saved rules appearing to the all organisation users. Now, saved rules appear only to the user who saved them.

Remediation

• Allow the selection of any issue type available in the JIRA project scope.

Inventory & Attack Surface 🎯

• Search Assets using Regular Expressions (RegEx): Added support for advanced search patterns using regular expressions.
• Fixed slow loading of impacted assets in the threat center.
• Added support to limit assets to the asset owner when exporting potential nodes.
• Fixed a bug where in search with multiple fingerprints.

Detection 🔍

New Vulnerabilities

• Bleichenbacher vulnerability - Added detection for potential exposure to the Bleichenbacher attack (PKCS#1 v1.5 padding oracle) in SSL/TLS connections. The Bleichenbacher attack allows attackers to exploit weaknesses in RSA-encrypted communications, potentially decrypting sensitive data such as session keys.
• Weak Cipher Suites - Added detection for identifying whether a server supports weak cipher suites in its SSL/TLS connections.
• Raccoon Attack Implementation - Added detection for Raccoon Attack vulnerabilities in SSL certificates.
• ALPACA Attack - Added detection for ALPACA (Application Layer Protocol Confusion) attack vulnerabilities in SSL/TLS certificates.
• Backdoored Cryptographic Algorithms - Detection for backdoored cryptographic algorithms in SSL certificates, specifically targeting RC4 and Dual_EC_DRBG.
• Lucky Thirteen - The Lucky Thirteen attack targets the TLS (Transport Layer Security) protocol, specifically its handling of padding in encrypted messages. This attack exploits vulnerabilities in certain TLS implementations with block ciphers like AES.
• SSL/TLS Protocol - Added detection to identify outdated and potentially vulnerable SSL/TLS protocols such as SSLv3, TLSv1, and TLSv1.1, which are known to have security vulnerabilities.
• SSL Certificate - This check assesses the security and validity of SSL/TLS certificates by analyzing the certificate's attributes and ensuring compliance with modern best practices. Additionally, the check supports both domain names and IP addresses as targets for validation.
• Forward Secrecy in SSL/TLS connections - Checks if the server does not support Forward Secrecy (FS), which is vital for protecting session keys.

CVEs & Fingerprinting

• Add Jetpack version based detection - This implementation introduces detection for vulnerable Jetpack plugin actively exploited in the wild.
• CVE-2024-9634 - Detection of the GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in versions up to 3.16.3.
• CVE-2024-9487 - Detection of a cryptographic signature verification flaw in GitHub Enterprise Server allowed bypassing SAML SSO authentication leading to unauthorized user access.
• CVE-2024-23113 - Detection of a critical format string vulnerability affecting various Fortinet devices, including FortiOS, FortiProxy, FortiPAM, and FortiSwitchManage.
• CVE-2024-47374 - LiteSpeed Cache plugin for WordPress is vulnerable to a stored cross-site scripting (XSS) vulnerability in versions up to and including 6.5.0.2.
• CVE-2024-28987 - The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing remote unauthenticated user to access internal functionality and modify data.
• CVE-2024-9463 - An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in the disclosure of usernames, clear-text passwords, device configurations, and device API keys of PAN-OS firewalls.

Authorization Bypass 🔐

• Fixes to 4xx Bypass Detection to Remediate False Positives: Improved detection accuracy to reduce false positives in 4xx bypass scenarios.

Network Interception 🚦

• Add HTTP2 Support: Implemented support for HTTP2 traffic extraction. HTTP2 is more powerful than HTTP1 but comes with increased complexity to reconstruct traffic.

• Fix HTTP1 Handling: Resolved issues with handling requests under the HTTP1 protocol to maintain compatibility.

UI 🎨

• Improve Reporting of Outdated Dependencies: Enhanced reporting of vulnerabilities due to outdated dependencies to offer a clearer understanding of the issue and where it is.

• Improve Privacy Issues Detection: Upgraded detection mechanisms to better identify and manage privacy-related issues.

• Fix to Oxotitan UI: Addressed UI glitches and improved overall user interface consistency for a smoother user experience.

• Add Sorting of Findings by Risk: Introduced sorting capabilities for findings based on risk, making prioritization more efficient.

• Improvement to Tags Listing and Autocomplete: Enhanced tags listing and autocomplete features to improve usability and user interaction.

Detection 🔍

• Add Support for More Scalar Types in API Autodiscovery: Extended support for additional scalar types, enhancing compatibility with diverse API schemas.

• Add Detection and Fingerprinting of Several CVEs: Implemented mechanisms for detecting and fingerprinting multiple CVEs, strengthening security posture, specifically:

• CVE-2024-47176 - This vulnerability involves the CUPS (Common UNIX Printing System), allowing potential remote execution of arbitrary code by exploiting improper input validation and binding to an unrestricted IP address [1][2].

• CVE-2024-8963 - A path traversal vulnerability in Ivanti Cloud Services Appliance versions before 4.6 Patch 519, allowing unauthorized remote access to restricted functionality [1].
• CVE-2024-8522 - A SQL Injection vulnerability in the LearnPress WordPress plugin allows unauthenticated attackers to execute arbitrary SQL queries via the '/wp-json/learnpress/v1/courses' API endpoint, potentially extracting sensitive data.
• CVE-2024-45409 - A vulnerability in the Ruby SAML library improperly verifies the signature of SAML responses, allowing unauthenticated attackers to forge SAML assertions and potentially log in as arbitrary users [1][2].
• CVE-2024-40711 - An out-of-bounds write vulnerability in the ImageMagick software suite allows attackers to trigger the issue via specially crafted image files, potentially leading to arbitrary code execution.

Custom Checks ✔️

• Add Support for Private Repos: Enabled functionality to work with private repositories securely.

• Use Deploy SSH Keys: Introduced use of deploy SSH keys for secure operations in private environments.

• Add Support for Custom Agent Logs: Facilitated the generation and management of custom logs for monitoring agent activities.

Analysis Environment 🧩

• Add API Endpoints to Scans Analysis Environment: Added new API endpoints to enhance scans analysis and improve investigation processes.

• Improve Request-Response Research: Optimized methodologies for analyzing request-response interactions for better performance.

• Add Mixing of Java and C Stack Traces: Enhanced debugging capabilities by enabling mixed Java and C stack trace analysis.

Attack Surface 🎯

• Fix Grouping of Fingerprints in Attack Surface by Adding OS: Improved fingerprint grouping to include OS data, optimizing analysis and identification.

• Fix Fingerprint Collection for IP Assets: Enhanced processes for collecting fingerprints related to IP assets for more accurate assessments.

Instrumentation 📏

• Fix Parsing of Integer Arguments in Flutter/Dart Apps: Corrected parsing logic for integer arguments within Flutter/Dart applications to ensure accuracy.

Authorization Bypass 🔐

• Fixes to 4xx Bypass Detection to Remediate False Positives: Improved detection accuracy to reduce false positives in 4xx bypass scenarios.

• Support for Archived Pages Detection: Implemented support to identify and handle archived pages, aiding historical data analysis.

RSS Feed 📡

• Add RSS Feed: Introduced an RSS feed to keep users updated on the latest changes. Access it https://blog.ostorlab.co/feed/rss.xml or https://blog.ostorlab.co/feed/atom.xml

🚀 User Interface:

• Added notification when triggering the discovery phase. This helps inform users about the discovery process, which may take time on large organizations.
• New Tags menu with an autocomplete feature for easier navigation and centralized management. All tags are now grouped in a single page and can be centrally edited on all tickets or assets.

• CVSSv4 support in PDF exports for clearer representation of vulnerabilities. The new visualisation makes it easier to understand each element, from vector, complexity to the need for authentication.

• Grouped vulnerabilities by risk rating in tables, making it easier to differentiate between confirmed and potential findings of the same category.
• Enhanced speed of fetching threat center counts for impacted assets.

🤖 AI:

• Improved AI model for generating vulnerability recommendations. New findings are now reported with increased accuracy.

🔍 API Autodiscovery:

• Added support for scanning schema files, including GraphQL, OpenAPI, WSDL, and XML.

🛠️ OXO:

• Fixed issue where new agent groups were incompatible with all asset types.
• Added multi-select for asset types during agent group creation.

💻 Flutter:

• Support added for the latest Flutter version 3.24.

🔐 Network Interception:

• Multiple bug fixes to prevent missed clear traffic.
• Improved interception of TLS traffic in native code.
• Fixed decoding issues in HTTP/1.1 traffic.

🛡️ Threat Center:

• Added coverage for CVEs:
• CVE-2024-20439 & CVE-2024-20440: Critical vulnerability in Cisco Smart Licensing Utility allowing administrative access. Severity: 9.8/10.
• CVE-2024-7593: Critical authentication bypass vulnerability in Ivanti vTM. Severity: 9.8/10.
• CVE-2024-40766: Critical vulnerability in SonicWall firewalls enabling unauthorized access. Severity: 9.3/10.
• CVE-2024-6386: Critical RCE vulnerability in WPML WordPress plugin. Severity: 9.9/10.
• CVE-2024-39717: Critical vulnerability in Versa Director allowing web shell installation. Severity: 9.8/10.
• CVE-2024-7029: High-severity command injection in AVTECH IP cameras. Severity: 8.7/10.
• CVE-2024-43399: Critical Zip Slip vulnerability in Mobile Security Framework (MobSF). Severity: 9.8/10.
• CVE-2024-6633: Critical vulnerability in Fortra’s FileCatalyst Workflow. Severity: 9.8/10.

🧪 Taint Analysis:

• Improved code reachability reporting.
• Fixed incorrect StatFS findings.
• Added health detection API.

🔍 Dynamic Analysis:

• Enhanced server findings reporting, including host and port numbers for open local ports.

🔄 Port Scanning:

• Updated service and OS detection mechanisms.
• Fixed issue with empty services being collected.

🌐 Web Crawling:

• Added screenshot functionality post-authentication for better debugging.

🔍 Fingerprinting:

• Added support for fingerprinting tech stacks with active threats:
• VigorConnect, Ivanti, MobSF, Avtech IP Camera, Versa, SonicWALL SonicOS.
• Improved version detection when multiple versions of the same software are identified.

🌐 Attack Surface:

• Fixed IP range handling for more accurate detection.

🔄 GitHub Actions:

• Migrated from Docker to composite action, supporting workflows across Windows and MacOS platforms.

🛡️ Open-Source OXO

• We are happy to announce the release of OXO Titan, an intuitive User Interface (UI) to transform user interaction with OXO, a vulnerability scanning orchestrator that automatically binds tools together allowing for rapid scale. This OnPrem UI encapsulates OXO's capabilities within an accessible interface, democratizing advanced security scanning techniques. By bridging the gap between the myriad of complex tools and a simple UI, OXO Titan streamlines operations and enhances the user experience.
• The OXO scan process now exits automatically once completed, streamlining your workflow.

To learn more about OXO Titan, read the full article.

📊 PDF Reports

• Track Vulnerability Trends: Easily monitor your asset's vulnerability trends over the last 6 months with our new graph that breaks down vulnerabilities by risk rating.

  

• See Open vs. Closed Vulnerabilities: Quickly understand the state of your vulnerabilities with a new graph summarizing open and closed issues.

  

• Identify Critical Issues Faster: A new graph now highlights the top 10 most severe vulnerabilities, helping you prioritize critical issues.

  

⚡📡 Attack Surface

• Added support for running an autodiscovery scan. Autodiscovery enables continuous monitoring of an organization's infrastructure to detect missing and rogue assets. This helps with finding blind spots like forgotten or missing acquisition infrastructure, unaccounted-for dev and production machines, or lost assets during internal restructuring and staff change. To run an autodiscovery scan, go to the new scan page and select Attack Surface.

  

• Improved Asset Filtering: Filter assets more effectively by certificate details, including serial number, subject, issuer, and validity dates.
• Enhanced Search Functionality: Search more accurately with the fixed exclusion search feature, ensuring you find exactly what you need.

🔍 Detection

• Enhanced vulnerability assessment with support for the Common Vulnerability Scoring System Version 4.0 (CVSSv4). This can be accessed on the details page of a vulnerability.

  

• Known Exploitable Vulnerabilities: Enhanced security tracking by adding new CVEs - CVE-2024-38077, CVE-2021-33044, CVE-2024-5932, CVE-2024-28986, and CVE-2022-31814.
• Added support for patched versions, minimizing false positives and ensuring your vulnerabilities are accurately reported.
• Fixed an OpenSSH False Positive, ensuring only relevant vulnerabilities are reported.
• Fixed a bug where invalid targets were scanned due to incomplete URL configuration (missing port, scheme, or host). This fix ensures that no inaccurate results are reported.
• Added support for exposing the OS from scans, helping you gain more precise fingerprinting details.
• Fixed a bug where Microsoft authentication was not working, improving the call coverage of web scans.

⚠️ Threat Center

Support for Dahua network IP cameras, pfSense open-source firewall and router software, and Traccar GPS tracking. The addition of these targets will help flag assets that are affected by high-severity threats with active exploitation.

📘 Knowledge Base

• More Accurate Vulnerability Scores: We've fixed the CVSSv3 Vector for the Django Debug Mode to provide more precise information.
• Improved Technical Details: The Insecure Register Receiver Flag Technical details have been fixed so that they're correctly rendering, giving you better clarity on a vulnerability's details.

🛡️ Privacy Compliance Testing

We added a new type of scan, Privacy Compliance Testing, which is available for all asset types. The Privacy Compliance Testing identifies privacy concerns by analyzing the application's data collection, usage practices, and compliance with privacy policies.

To learn more about this new feature, see the Privacy Compliance Testing page.

🇼 Agent WhatWeb

Added detection for several fingerprints:

• OFBiz plugin: An open-source enterprise resource planning (ERP) system.
• Cisco Smart Software Manager On-Prem (SSM On-Prem): A Smart Licensing solution that enables customers to administer products and licenses on their premises.
• Raisecom: A global leading vendor providing comprehensive access solutions and network devices.
• Acronis cyber infrastructure plugin: A multi-tenant, hyper-converged infrastructure solution for cyber protection. The agent was also fixed to not scan non HTTP services.

🌌 Agent Asteroid

• Known Exploitable Vulnerabilities: Enhanced security tracking by adding new CVEs - CVE-2024-5217, CVE-2024-38856, CVE-2024-43044, CVE-2024-7120, and CVE-2024-20419.

🛡️ OXO

• Fixed a crash when OXO is run with no asset (--no-asset).

🎨 User Experience Enhancements

• In order to provide more clarity on what each type of scan does, all scan profiles are now visible, even if they're inactive.

  

• Fixed a bug when confirming an asset without selecting an owner.
• Fixed a bug which was causing some fingerprints not to show.

⚠️️ Threat Center

• We are excited to introduce the Threat Center, a dedicated hub for viewing the latest security alerts and understanding which of your assets are affected. With this new feature, you can easily scan affected assets directly from the Threat Center, ensuring you stay on top of potential threats. Access the Threat Center here.

  

🛡️ Improved Detection

• Detection for Exposed Docker Registry API vulnerability.

🔒 Security Enhancements

• To bolster account security, we now require users to verify their password before making any changes to Two-Factor Authentication settings. This additional step adds an extra layer of protection to your account..

  

🎨 User Interface Enhancements

• We've reworked the Call Coverage interface to improve usability. In compact mode, dynamic analysis scenarios are now only displayed on hover, providing a cleaner and more streamlined user experience.

  

Agent XSS 🛡️

• Enhanced XSS Detection: Improved detection capabilities for XSS vulnerabilities and improved vulnerability reporting.
• Error Handling: Refined error management by properly catching and handling Browser exceptions.

Agent Reporting Engine 📊

• Reporting Enhancements: Updated documentation for deploying scanners and enhanced error handling.
• Alert System Improvements: Revised the conditions for app download failure alerts for application continuous monitoring.

Agent Asteroid 🌌

• Known Exploitable Vulnerabilities: Enhanced security tracking by adding new CVEs (CVE-2024-33544, CVE-2024-40725, CVE-2024-6745, CVE-2024-34102, CVE-2024-5315, CVE-2024-31982, CVE-2024-23692, CVE-2024-6387, CVE-2024-36401, CVE-2024-36991, CVE-2024-37032, CVE-2023-52251, CVE-2024-28995, CVE 2024 29973, CVE-2024-4879).

CircleCI Integration 🔄

• Continuous Integration Enhancements: Significantly improved the CircleCI configuration across all projects, optimizing build times, and ensuring more reliable build outcomes. Enhanced pipeline automation to include automatic testing and quality checks.

User Interface Enhancements 🎨

• UI Improvements: Introduced enhancements to user interface improving dashboard performance for large organisations.

Security and Workflow Enhancements 🔒

• Codecov Integration: Implemented Codecov across all repositories to monitor code coverage, ensuring comprehensive testing and higher code quality.
• UV Workflow Updates: Transitioned development pipelines to UV, standardizing build processes and improving deployment efficiency across projects.

This update introduces new detection capabilities, new data & privacy controls, improved user experience across the platform, and bug fixes.

🛡️ Detection

• CocoaPods Supply Chain Vulnerability: We added detection for critical vulnerabilities in CocoaPods. One Key Vulnerability is CVE-2024-38368. This vulnerability allowed attackers to claim unclaimed CocoaPods packages and insert malicious code. The potential for widespread damage was immense, affecting both individual developers and large organizations relying on CocoaPods for dependency management. We go over this vulnerability in-depth in our recent article.
• CVE_2024_2194: We added detection for the WP Statistics plugin for WordPress, which is vulnerable to Stored Cross-Site Scripting via the URL search parameter in all versions up to, and including, 14.5.
• Insecure Crypto Mode: A fix was made to improve the rules used to detect Insecure Crypto Mode.

🤝 Compliance

• California Consumer Privacy Act Controls: New support for the California Consumer Privacy Act (CCPA), a comprehensive data privacy law that grants California residents new rights regarding their personal information. To check your app's compliance with the CCPA, click on a scan, scroll down, and then click on the 'Standards' tab.

  

• Secure Privacy Findings: Added support for reporting privacy issues, such as insecure collection of users' crash logs without consent, improper usage of contacts data, undeclared collection of users' health information, etc.

🙂 UX

• Search History: The search history is now kept in the search bar every time you navigate between pages, or forward/backward on the same page.

  

🕸️ Attack Surface

• Bulk Actions: We added support to run bulk actions (automation rules) directly from the Attack Surface.

  

This update introduces bug fixes, detection improvements, and attack surface enhancements to provide a more seamless user experience.

🛡️ Scanning

• Show source code for the detected vulnerabilities in the vulnerability details page.

  

🛠️ Remediation

• Customized the weekly email for attack surface auditors to only contain their data.

  

🕸️ Attack Surface & Inventory

• Added autocomplete for tags in assets.
  

  

• Enabled filtering of assets by ownership type.

  

📦 Detection

• Added detection for CVE-2022-24816 : A remote code execution vulnerability in the JT-JIFFLE extension of Geoserver allows remote attackers to execute arbitrary code.
• Added detection for CVE-2024-34470 : An issue was discovered in HSC Mailinspector 5.2.17-3 through v.5.2.18. An Unauthenticated Path Traversal vulnerability exists in the /public/loader.php file. The path parameter does not properly filter whether the file and directory passed are part of the webroot, allowing an attacker to read arbitrary files on the server.

🐞 Bug Fixes

• Fixed the search function with inputs that included a schema.

  

• Fixed the iOS search issue when searching for common apps like Facebook.

  

• Fixed the issue where excluded values were still appearing in the graph during PDF generation.

This update introduces support for scanning apps using iOS TestFlight, Slack Integrations, support for scanning web apps with an SBOM, and other improvements.

🛡️ Scanning

• Added support for iOS TestFlight.

  

• Added support for SBOM to web scans for extended dependency detection.

  

📄 CI/CD Integrations

• Added integration of Slack for ticket notifications. See the documentation on how to configure the integration.

  

🛠️ Remediation

• Show tickets linked to vulnerabilities in the scan page, with support for filtering the tickets by risk rating.

  

• Added support for configuring automation rules to change the priority of the selected tickets to the specified value.

  

• Added ticket link to the Jira integration report.

📦 Detection

• Improved detection of Amazon secrets.
• Added detection for CVE-2024-24919, CVE-2024-23917, CVE-2024-27348, CVE-2024-4956, CVE-2021-40655, CVE-2024-29895, CVE-2024-4956, and CVE-2023-43208.

🐞 Bug Fixes & Improvements

• Reduced the loading time of the scan page by over 93%.

This update introduces multiple new integrations with CI/CD pipelines, improvements to dynamic traces interception & analysis, support for the MASVS standard, and many bug fixes.

📄 CI/CD Integrations

• Add integration of TeamCity CI/CD pipelines for automated scanning.

  

• Add integration of GoCD build processes.

  

🤖 Dynamic traces interception & analysis

• Add extraction of Dictionary arguments of Objective-C methods, this allows for improved detection of numerous vulnerabilities, like insecure data storage.
• Add support for dynamic instrumentation of Objective-C static methods, this improves the detection of over 250 rules.
• Add extraction & analysis of sockaddr C-structures to extract IP address and port.

📑 MASVS v2.0.0 standard

• MASV 2.0 is here, Ostorlab has support for it :+1:

🛠️ Remediation

• Added a due date field to the tickets and the ability to re-open all exception tickets after that period.
• Added a finished time field to the scan API.

🐞 Misc & Bug Fixes

• Fixed Tree-Like representation of organisations on the plans page.
  

  

• Fixed social authentication username conflict.

This update adds the discovery of hidden web paths, detection of libwebp vulnerability, and new CVE detections.

🤖 Open Source

OXO version 1.0 was released. It is 10x times faster, supports ARM64 architectures, and is packed with improved capabilities like scanning multiple assets, simpler and powerful CLI.

• Start a scan is now x10 times faster: In previous versions, starting a scan took almost 3 minutes. With OXO v1, it is now 10 times faster, starting a scan in just 16.5 seconds.
• Standalone Binary: OXO is now available as a standalone binary for macOS, Linux, and Windows.
• Support for macOS and ARM64 architecture for agents: If you're a macOS user with an ARM64 processor, we've got some great news for you! OXO can now support ARM64 agents natively.
• Scan an Inventory file: OXO added scanning multiple assets using an asset definition YAML file. This gives you the possibility to scan a large number of different types of assets at the same time.
• Friendlier CLI: As of OXO version 1, you can now specify the agent key in a concise way when running scans. Instead of using the full agent key, you can use the shorthand <org>@<name> format.
• New Documentation Website: OXO now has its dedicated documentation website, packed with tutorials and numerous examples.
• Agent Store: OXO now has a public agent store. You can publish your agent to the OXO store by simply following this tutorial.
• Follow scan progress by Default: Starting from the version v1, --follow is the default mode when you start a scan. OXO will keep you updated on the scan's progress.
• Pass Arguments to agents directly from the CLI: Agents can be fine-tuned using arguments which give you more control and flexibility. Passing arguments is now available throughout the CLI.
• Add the ability to persist messages: You can now persist any type of message you wish, such as IP, domain, link, and exposed services through the new OXO Open Source agent Nebula.

To read more about OXO v1.0, read the full blog post.

📦 Detection

• Added discovery of hidden web paths in agent hubble using Google Search and Wayback.
• Added detection of libwebp vulnerability.
• Added detection for CVE-2024-4040, CVE-2024-31461, CVE-2024-2389, CVE-2024-32764, CVE-2024-27956, CVE-2024-28890, CVE-2024-28255, and CVE-2024-26331.

🐞 Bug Fixes & Small improvements

• Fixed bug with CSV import of IPs not updating existing IP assets.
• Fixed bug with Jira Sync Fields.

This update improves the user interface of the platform, adds new detection for Webview-related vulnerabilities, and ships multiple bug fixes.

📦 Detection

• Added detection for CVE-2023-50969, CVE-2024-2879, CVE-2024-3273, CVE-2024-29269, CVE-2024-3400, and CVE-2023-24955.
• Added detection capabilities to identify insecure Webview practices in iOS applications.
• Added a concise and relevant detection for the use of dangerous deprecated APIs.

🛠️ Platform Improvements

• Added Compact view to the call coverage:

  

• Added the ability to specify relevant standards when generating scan reports:

  

• Improvement to the graph node appearance:

  

• Added the ability to search by Objective-C runtime in the ide:

  

• Added filtering for potential nodes:

🐞 Bug Fixes & Small improvements

• Defaulting new user role to Reader instead of the more privileged User. The change affects SSO / SAML access configuration and UI default.
• Improve OXO usage documentation.

This update significantly improves objective-C instrumentation, adds new detection for insecure data storage and Regex DoS, and ships multiple bug fixes.

📦 Detection & Knowledge Base

• Improve dynamic instrumentation for objective-C and persist collected stack traces in the Analysis Dynamic section.
• Added detection capabilities to identify insecure data storage practices in iOS applications. This includes identifying the use of potentially vulnerable storage mechanisms such as UserDefaults and UIPasteboard.
• Added detection for Regular Expression Denial of Service (ReDoS) vulnerabilities. This new feature identifies sinks that use user input to create regular expressions, which can lead to potential ReDoS attacks.
• Refined all KB recommendations to be actionable, so now we have a step-by-step process to solve vulnerabilities.

  

Frontend Enhancement

• Added table of contents to Blogs:

  

• Added highlighting to the Tips section:

  

• Added a button to download all PCAP files at once as a ZIP archive:

  

• Show graph edge & node labels in a card:

  

🐞 Bug Fixes

• Fixed the generation of rules for iOS to take init function into consideration.

This update introduces fixes for the Attack Surface, detection for the liblzma backdoor, and a public store for agents.

📦 Detection

• Added detection for Apple's Privacy Manifest files. A Privacy Manifest describes the data an app or third-party SDK collects and the reasons required APIs it uses. Developers are required to include it in their apps before May 1st, 2024. The detection rule checks that apps are compliant with the new requirement, and whether their implementation is secure or not.
• Added detection for Django DEBUG mode enabled.
• Added detection for leaking secrets in Web Apps.
• Added detection for liblzma backdoor.
• Added detection for CVE-2023-48788, CVE-2021-44529, CVE-2019-7256, CVE-2022-20767, CVE-2022-0412, and CVE-2024-1212.
• Improved detection for Personally Identifiable Information (PII). The rule now detects way more vulnerable methods that leak PII data. PII leaking is now also done using a static rule.
• Improved detection for Mixed content WebView settings by analyzing and detecting more dangerous WebView settings.

🤖 Open Source

• Made the OXO agent store public.

  

🐞 Bug Fixes

• Fixed confirming assets defaulting to red as the custom color.
• Fixed Android and iOS search filters not working for potential assets.
• Fixed the CVE matcher DNA to take into account the latest CVEs.

This update introduces fixes for the Attack Surface, migration of Agent's Docker Images to Docker Hub, enhanced detection capabilities for vulnerabilities, and support for ARM64 architecture in OSS.

🕸️ Attack Surface

• Addressed issue with Attack Surface creating non-confirmed assets from detected vulnerabilities. Users now have the ability to only collect metrics of confirmed and maintained attack surface assets without issues related to non-validated assets from scans.

🛠️ Infrastructure

• Migrated Agent's Docker Images to Docker Hub for improved visibility and speed into open-source OXO agents.

📦 Detection

• Added detection for aiohttp path traversal vulnerability actively getting exploited.
• Added detection of CSS injection vulnerabilities leading to application takeover, keylogging and defacement.

🤖 Open Source

• Added support for ARM64 architecture, enabling running the venerable OXO on Mac Machines with native speed.

This update introduces a series of new features related to the IDE, Jira integration, OXO, and many improvements to the platform.

📄 PCAP files exposed in the IDE.

• Designed for security teams looking to push the analysis even deeper, now you can download all raw PCAP for your mobile full scan.

  

🤖 Open Source

• Binaries for the OXO scanning orchestrator are available with every new release for Ubuntu, macOS, and Windows.

  

• Added agent key shortcuts: Instead of

oxo scan run --agent agent/ostorlab/nmap ip 8.8.8.8

You can now simply run:

oxo scan run --agent nmap ip 8.8.8.8

Or

oxo scan run --agent @your-org/nmap ip 8.8.8.8

• Added support for scanning Network ranges and IP addresses in the cloud runtime.

oxo scan --runtime=cloud run -g network_agent_group.yaml ip  8.8.8.8/30

📑 Jira custom fields mapping

• If you have Jira integration enabled on Ostorlab, you can now map custom fields from your tickets with Ostorlab fields.

  

• Syncing the fields and values can be done from your JIRA project to Ostorlab and vice-versa.

🕸️ Attack surface refinements

• Added ability to edit potential nodes, specifying a custom potential owner.

🔬 XSS detection

• Improvements to postMessage XSS detection, adding detection of XSS in complex data objects.

🐞 Bug Fixes

• Fixed segregation and excluded unreliable rules in the VirusTotal agent.
• Addressed ecosystem confusion for outdated dependencies detection.

This update introduces various improvements to the XSS scanner, the functionality of the open-source CLI, and monitoring rule creation.

🛠️ Platform Improvements

• Restructured the new monitoring rule flow to be more user-friendly and intuitive.

  

📦 Detection & Knowledge Base

• Added detection for Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability.
• Improve XSS Agent to detect PostMessage-based XSS.

🤖 Open Source

• Ship the first version of Nebula Agent for persisting messages locally.
• Added support for primitive arguments of agents in CLI scan run. You can pass arguments using the --arg flag, e.g.:

oxo scan run --agent agent/ostorlab/nmap --follow agent/ostorlab/nmap --arg fast_mode:False ip 8.8.8.8

This command will initiate a scan using the Nmap agent with the fast_mode argument set to False:

This update introduce a series of updates aimed at enhancing user experience, platform improvements, and bug fixes across various features.

🕸️ Attack Surface & Inventory Improvements

• Users can now export inventory assets to a CSV file for easier data manipulation and analysis.

  

• The asset owner field is now pre-populated when editing one or more assets as well as when confirming potential nodes.
• Fixed a bug where assigning attack surface owners to an attack surface auditor failed when users created a new owner within the modal.

📄 Remediation Enhancements

• Regular expressions are now supported for filtering data in Remediation, Inventory, and Attack Surface, allowing for more granular searches.
• Fixed exclusion filter functionality for assigned and self-reported tickets.
• Fixed ticket metrics to be based on closed time rather than modified time.
• Users can now open created tickets in new tabs when using the "Save & Add Another" feature for convenient access.

⚙️ Automation Rules Updates

• Introducing a new automation rule action enabling the deletion of tags assigned to selected tickets or assets, enhancing customization and control.
• You can now see a list of items a new rule will apply to before creating the rule.

  

🛡️ Scan Enhancements

• Fixed an issue with multiple downloads of exported scans.
• Mobile scan summaries now display IP addresses within the preview of backend links for better context.

  

📦 Detection & Knowledge Base

• Added detection for Insecure Storage vulnerabilities in mobile applications.
• Enhanced descriptions and recommendations for Personally Identifiable Information (PII) vulnerabilities, complete with insightful code snippets.
• Detections for HTML injection and dynamic code loading have also been refined for increased accuracy.

🤖 Open Source

• Added support for scanning a list of assets using a Yaml asset definition file. You can pass an asset definition file using the -a flag, e.g:

oxo scan run --install -g agent_group.yaml -a assets_group.yaml

🗝️ Improved API Keys page

The API keys page has been redesigned for ease of use.

OXO Open-Source Improving

OXO open-source is coming with new features and enhancements to facilitate its usage:

Enhanced Message Specification in Agent Groups :

• Users can now specify the source of messages within an agent group.
• Users now have the ability to specify the in_selector within the agent group definition. This feature overrides the default configuration set in the agent YAML file, providing more flexibility and customization.

  

Expanded Search Capabilities in the CLI :

• Search by Risk Rating : Users can now search for vulnerabilities based on specific risk ratings or a combination of multiple risk ratings.

  

• Keywords search in different fields : Users can now search for findings that contain a specific text.

  

Performance Enhancement :

• By reducing the health check interval for agents and optimizing the scaling process, users can now experience faster startup and execution times, significantly improving the overall efficiency of OXO open-source.

Security Enhancements

• Enhance the detection capabilities for path traversal vulnerabilities.
• Refine the detection mechanisms for improved identification of intent redirection vulnerabilities.

Test Credential Name

Users can now assign a custom name/label to their test credentials for improved organization and identification. With the help of this optional name/label, users can quickly recognize and manage their test credentials and differentiate between different test configurations.

Attack Surface Discovery Paths

The latest update incorporates attack surface discovery paths, offering detailed insights into how assets were discovered. This addition helps understand from which asset(s) a particular asset came from.

The attack surface discovery path of an asset can be viewed from the asset details page by going to the Inventory and then clicking on the asset.

The discovery path can also be seen from the discovery page and left-clicking on the asset in the graph.

Graph Edge Attributes

Graph edges now show attributes, facilitating a clearer understanding of the relationships between nodes. This is helpful when you want to know which tool discovered the node, when the node was discovered, when it was last 'seen', etc.

These updates collectively contribute to a deeper comprehension of the attack surface discovery.

🛠️ Enhanced Dynamic Analysis

Over the past month, significant advancements have been made in dynamic analysis. We've expanded our capabilities to include instrumentation support for Java, Kotlin, Swift, and Dart 🚀. We've also enhanced our detection mechanisms, identifying over 1,365 new vulnerable patterns in Swift and 846 in Dart.

🗝️ Refined IAM Management

We've fine-tuned IAM management by introducing two new roles: Reader, offering read-only access, and Attack Surface Auditor, designated for conducting thorough audits of the attack surface. This update ensures more tailored and secure access management.

🔍 More Detailed Attack Surface Insights

The Attack Surface feature now provides more detailed access control, tailored per Owner. This update enhances both the precision of discovered asset recommendations and the specificity of access rights, ensuring a more secure and efficient management of assets.

🛡️ Enhanced XSS Detection Capabilities

Our XSS Detection capabilities have undergone a significant overhaul, leading to better detection rates and broader coverage. We've added several new payloads and re-engineered our approach to authenticated testing, greatly enhancing the robustness of authentication during tests.

📦 Advanced Vulnerable Dependency Detection

We've improved the correlation between application fingerprints and known vulnerabilities searches. This enhancement has led to the detection of over 150% more new packages across various frameworks and languages, significantly boosting our ability to identify and mitigate vulnerabilities.

🐞 Bug Fixes

• Resolved an issue causing errors in the detection of source map code leaks.
• Fixed an error encountered when evaluating IP reputation.
• Addressed a bug that prevented the crawler from collecting request and response headers.
• Improved handling of large arguments collected during dynamic analysis.
• Corrected an issue with XSS tab timeouts, ensuring no findings are missed.
• Updated and clarified descriptions in our knowledge base entries.
• Fixed CSV validation errors during asset imports.
• Enhanced the computation of vulnerability DNA in the XSS Agent for more accurate detection.

HTTP Folders

Introducing HTTP Folders, a new way to navigate your app communication. Easily navigate domains and subdomains for a clear view of requests and responses, gaining valuable insights with streamlined visibility. You can see your app's HTTP folders in the IDE section of your scan report.

• ℹ️ Detailed Information: Each HTTP folder includes detailed information such as the domain, subdomain, and a list of requests and responses.
• 🔍 Search and Filter: Easily search and filter HTTP folders based on domain, subdomain, or specific requests, facilitating efficient monitoring and analysis.

Basic Authentication

Ostorlab now supports Basic Authentication in Web scans. Test applications seamlessly with Basic Authentication or Composed Authentication (Form-based or Script-based), enabling a more wide-ranging scan.

• 🔒 Various Authentication Methods: Unlock a spectrum of testing possibilities with support for Basic and Composed Authentication.
• 🌐 Expanded Testing Scope: Ensure wider coverage of your application testing.

Attack Surface Enhancement

We've enhanced the Attack Surface section to streamline navigation. Introducing the new "Nodes" tab, it provides a comprehensive list of all nodes in your attack surface graph, along with a summary of their properties, including type and ownership. You can see your Attack Surface "Nodes" in the Attack Surface section.

Stack Traces Search Enhancement

We've made an enhancement to the Stack Traces search in the Dynamic tab of the IDE section. Now, you can conveniently search stack traces by Runtime type, including Flutter, C, Dex, or Swift.

Audit Logs

Introducing a comprehensive audit logging system. This new feature allows organization admins to track and monitor various activities and changes within the organization, providing enhanced visibility into user actions. You can see your organization's audit logs in the Audit Logs section of the Library.

• 📜 Audit Actions: Auditing a wide range of actions, including user logins, data modifications, configuration changes, and more.
• 🕦 User Activity Tracking: Recording user interactions to assist in maintaining accountability and security.
• ℹ️ Detailed Information: Each audit log entry includes detailed information such as the user responsible, timestamp, and a description of the specific action taken.
• 🔍 Search and Filter: Easily search and filter audit logs based on user, date, or specific activities, facilitating efficient monitoring and analysis.

Bitbucket CI/CD Integration

Seamlessly integrate Ostorlab security scanning into your CI/CD pipelines. Get started with our documentation.

🔐 IDE & Security Improvements

• 📄 Mobile scan logs displayed directly in the IDE.

  

• ⚡ Faster and more responsive IDE.

• 🚫 Critical risk rating added.

  

• 🌐 Reputation report for IP/domains.

• Detect Oauth account takeover from config files
• Not aggregate exception and false positive tickets.

🎨 UI Enhancements & Fixes

• 🛠️ Fix scan summaries for shared scans.
• 🖥️ Distinguish between store and file targets in remediation sections: Scan from the store and file scans are now aggregated separately. This allows you to distinguish between the two types of scans in the remediation section.
• ⚡ Faster ticket page loading.
• Possibility to add titles when creating scans.

  

• New scan events in the ticket page.
• Support for SVG images in organization images.
• In the subscription page: show tag Canceled only if the plan is active.
• When exiting the ticket page in edit mode, a prompt is displayed to save the modifications.
• Rework the organisation settings page.
• Add bulk delete for test credentials.
• Add the ability to disable email notifications.
• Improved function signature presentation with parameter name and type.

🔐 Open Source Updates

• Improved handling of connection issues during agent initiation.
• Improve presentation risk ratings in CLI.

🔐 Security Enhancements:

• 🛡️ Enhanced URL injection detection, added OAuth account takeover detection, and source map leak prevention, with improved dependency confusion vulnerability detection.
• 🌐 PCI and GDPR Compliance Standard Mapping.
• 📊 Separated findings between store and file scans for clearer reporting.
• 🚫 Enhanced CVE vulnerability reporting.

🚀 User Experience Improvements:

• 📄 Improved PDF reports with enhanced graphics and summaries.
• ⚡ Achieved a 10x speedup in secret detection for faster scans.
• 🖥️ Introduced a new ticket/remediation UI for better usability and common actions.
• 🔍 Enhanced scan search functionality for easier information retrieval.

Added support for multi-SBOM Scanning and the ability to scan SBOM files through CI/CD integrations.

📢 CI/CD support SBOM

🔄🛠️ ️Now it's possible to run the scan for SBOM files through the ostorlab CI/CD integrations, for more info refer to Github Integration, Azure-Devops Integration, CircleCi Integration

📢 Multi-SBOM

Ostorlab now supports the simultaneous scanning of multiple Software Bill of Materials (SBOM) files 📁📝 Documentation.

Ostorlab now supports filtering PDF report items by both risk rating and ticket status.

Ticket statuses are now also included in the report for better understanding:

During our recent Fix-It Week 🛠️😃, our dedicated team put in a tremendous effort to address and resolve over 107 issues affecting our systems. This action-packed week led to numerous improvements in functionality, stability, and security across various components of our application. 🚀🔧🔒 Below is a highlight of the most notable fixes: 📋🔍

Security:

• Improve brute force attack detection and remediation, particularly credential stuffing 🔐💪
• Improve XSS handling of form input fuzzing 🛡️🔍
• Improve description and recommendation of several common vulnerabilities 📝🔒
• Improve fingerprint detection of Xamarin dependencies 🧐🔍

Attack Surface:

• Improve handling of edge case TLD values 🔄🔍

UI:

• Add item filtering in the ticket edit mode 🔍🎫
• UI improvements 🎨✨

Production:

• Series of bug fixes, dead code deletion, and version upgrades, some with their fair share of breakages, pain, sweat, and tears 😅🚑🔧
• Add support for download geofencing in more countries 🌍📥🔒

Monkey Tester:

• Address navigation issues in some edge cases using image detection and OCR reading 🐒🔍📖

Jira:

• Updated Jira Projects API to fetch projects in real mode 📊🔄
• Add backporting of tickets in case Jira project settings are changed ↩️🎫

Mobile: * Support for Different Regions in iOS Downloader: Added support for downloading iOS applications in Japan, Russia, UK, Germany, and China 🌏📱🇯🇵🇷🇺🇬🇧🇩🇪🇨🇳.

We are excited to announce that Ostorlab now supports uploading an SBOM or Lockfile for extended dependency detection.

Supported Files

The platform supports an extensive list of SBOM and Lockfiles.

• SPDX
• CycloneDX
• gradle.lockfile
• pubspec.lock
• buildscript-gradle.lockfile
• pnpm-lock.yaml
• package-lock.json
• packages.lock.json
• pom.xml
• Gemfile.lock
• yarn.lock
• Cargo.lock
• composer.lock
• conan.lock
• mix.lock
• go.mod
• requirements.txt
• Pipfile.lock
• poetry.lock

To get started, refer to the detailed steps provided in our integration documentation here.

We are excited to announce the addition of CircleCI and AppCenter CI/CD integrations.

📢 Circleci

With CircleCI orb, you can integrate security scanning into your deployment pipeline. With this integration, you can enhance the security of your applications during the deployment process.

To get started, refer to the detailed steps provided in our integration documentation here.

📢 AppCenter

With AppCenter integration, you are able to incorporate Ostorlab security scanning into your CI/CD pipelines.

For more information and instructions, please refer to the documentation here.

We're excited to announce a series of updates and improvements designed to enhance your experience and security. Here's what's new:

🔐 Security Enhancements

• Added over 200 Flutter-specific detection rules for increased vulnerability spotting.🎯
• Improved vulnerability entries for various issues, including template injection, XML injection, ZIP path traversal, and more.🔧
• Addressed insecure biometric authentication and client-side XSS among new vulnerabilities.🛡️
• Launched an open-source Flutter vulnerable module for community contribution.🚀
• Rolled out a detection feature for Facebook insecure devsettings.🔍
• Minor bug fixes and improvements in our PDF generation process.📝

🔄 Authentication Improvements

• Social authentication now supports Google and Github providers, allowing for seamless and secure sign-in experiences.🔑

🧠 AI and Analysis Updates

• Introduced an AI Enhanced summary and recommendation system for better decision-making.🤖
• Added dynamic call listing to the analysis environment, allowing for more comprehensive exploration.🔎
• Deprecated some iOS findings for more accurate results.❌

🖥️ UI & UX Upgrades

• Revamped the notification UI for a more streamlined user experience.🔔
• Added ticket count in the remediation menu for better task management.📊
• Rolled out duration-based search filters to refine your search results.⏱️
• Slots counts are now visible on the payment page for improved transparency.💳
• We've also given our blog a fresh, new look!🌐

🤝 Integration and Support

• Minor bug fixes in Jira integration support for smoother collaboration.🔧
• Improved geofencing support for several countries, including India and UK.🌍
• Bettered Monkey Tester support for Webview based navigation on both Android and iOS platforms.📱

🐛 Bug Fixes & Open-Source Contributions

• Fixed bugs in AAB file support for a smoother app experience.🛠️
• Fixed multiple issues in open-source agents like Truffle Hog and Semgrep.🐞
• Released an open-source OSV agent for broader community collaboration.👥
• Addressed minor bugs to improve Automation Rules functioning.🔄

Our latest release is packed with numerous enhancements, designed to elevate your security experience with Ostorlab. From attack surface discovery to vulnerability detection and reporting, we have made significant strides to make your security journey smoother than ever before.

Here are some of the highlights of our latest release:

• Faster and easier navigation of artifacts and scan coverage;
• Weekly reporting that provides valuable insights into trends and patterns;
• Export button to CSV from both scan and tickets menus for enhanced convenience;
• Over 50 new vulnerability detections, further improving the quality of our security assessments;
• Improved SMS 2-FA based authentication, providing an added layer of security;
• Extraction of dynamic routing from popular web frameworks like Next.js and Nuxt.js, helping you identify potential vulnerabilities in your web applications more efficiently.

New Automation Rules

We are excited to announce the release of our new automation rules features, designed to streamline your workflow and simplify your security management. With these new features, you can now automatically assign owners, set tags, send email notifications, and more.

Here are a few examples of how the new automation rules can come in handy:

• Automatically assign vulnerabilities to a user for remediation;
• Confirm discovered assets and assign an owner automatically;
• Apply specific tags to assets that match certain filters;
• Receive email notifications when assets match a specific pattern, such as when a potential service has SSH exposed on a non-default port.

Flexible Yearly Plans: Use Your Testing Slots Anytime, Anywhere

We are thrilled to announce that we have made some significant changes to our yearly plans based on your feedback. One of the most requested features from our users has been the ability to adjust the usage of their yearly plans to meet spikes in testing needs, without losing testing slots during periods of inactivity or development.

We are delighted to inform you that we have taken note of your feedback, and have made necessary adjustments to our yearly plans, allowing access to all testing slots at any time. Additionally, you can now rest easy knowing that unused testing slots will not be lost during a particular month.

These updates are already available to our existing users with an active plan, and for those who wish to subscribe to a yearly plan.

We hope these changes will enable you to maximize the value of our service and meet your testing requirements without any hassle.

Attack Surface Enhancements

We've made a long list of changes to improve the experience of detecting and navigating your attack surface.

Here are just some of the cool new features:

• Narrow down on any asset using the filter button and access its direct asset connections or even its 2nd and 3rd connections. This feature helps us understand how the attack surface discovery detects new assets. A great example is a user with his work email registering multiple new domains that weren't tracked anywhere before. You know yourself, John from Marketing 🙂.
• Addition of powerful new search features like searching by multiple ownership types or excluding assets matching a search pattern.
• Convenient quick action buttons to trigger a scan or add a monitoring rule. If you are curious about that asset's vulnerabilities, just hit "Quick Scan".
• Bulk asset import makes it a breeze to add many assets by simply uploading a CSV file.
• Access asset data directly from the attack surface graph with information such as DNS Records, open services, used libraries, Whois data, in-use certificates, and much more.

A deeper look at your Mobile Applications Attack Surface.

Attack surface is not just about domain names and IP addresses, especially if you are a mobile-first company.

Ostorlab’s attack surface now detects and tracks mobile applications' attack surface, be it what is the app exposing, what dangerous features is it using, what libraries are used and most importantly tracking their changes and when they are changed. It will even list all backend systems and indicate their geographical location.

Mobile Scan Summary

Our latest work includes a new scan insights feature with a summary of scan reports and actionable feedback on how to improve the security of your app. Augmented with attack surface data, the report provides useful insight into the impact of the identified issues.

Faster Scans 🏎🏎🏎

If you have been using the platform for a while, you might have noticed that scans run faster, much faster. This has required a substantial amount of engineering effort to increase speed without sacrificing quality. This is only the first step toward achieving a full scan completion in under an hour which we aim to achieve before the end of this year.

• 🆕 Release of new automation rules to auto-assign owners, set tag, notify results, etc.
• 🆕 Added new export options to CSV and a copy of ticket.
• ⬆ Improved the UI of the attack surface adding search capabilities.
• 🆕 Added details to the Plans page on exact history usage.
• ⬆ Improved the speed and UI of scan artifacts and call coverage.
• 🆕 Added Jenkins support for remote build nodes.
• 🆕 Released weekly organisation summary email with collection of last scans, last findings and items requiring attention.
• 🆕 Added ability to save searches.
• 🐛 Multiple fixes to Jira ticket creation.
• ⬆ Added new search to the monitoring page.
• 🐛 Fixed handling of XAPK files.
• 🆕 Add scan summary new feature to the PDF reports.
• ⬆ Improved coverage of Web Authentication recorder to support new cases.
• 🆕 Added support in the crawler for path extraction of dynamically routed web frameworks like Next.js and Nuxt.js.
• 🆕 Release of new open-source agent for trufflehog.
• 🆕 Added Wireguard VPN support to several open-source agents like nmap, tsunami, nuclei ...
• 🆕 Improve Monkey tester support for SMS based 2-FA .
• ⬆ Improved reporting of public firebase databases.
• ⬆ Added detection of insecure biometric authentication implementation on Android.
• ⬆ Improved reporting of clear text traffic vulnerabilities.
• ⬆ Improved the backend vulnerability fuzzer and productionization of learning pipeline and addition of new test cases for SQL injection.
• 🆕 Improved PII detection in logs.
• 🐛 Deployed multiple fixes and improvements to secret detection.
• ⬆ Improved over 50 knowledge base entries like hasFragileUserData for better description and recommendation.
• ⬆ Improved detection of insecure file provider path settings.
• 🐛 Optimized the performance of several queries improving performance by 86%.

• 🎉 Faster scan and improved scan reliability
• 🚀 Mobile Attack surface tracking and historization
• ⚡ Improved backend detection and geographic location reporting

• 🎉 Improved metrics with over new 100 metrics collected and new dashboard showing both scanning health, remediation improvement and attack surface evolution.
• 🔒 Attack surface tracking and historization allowing for known what services and libraries are present and when they were introduced.

• 🚀 Release of Attack Surface asset discovery, a graph-based approach with improved coverage for better asset detection.
• ⚡ Ability to configure assets with owners, color, notes, tags, location, and risk rating to ease adding context and influence vulnerability risk rating.
• 📘 Collection of asset history with information like DNS, open services and ports, tech stacks, whois. This offers the ability to track changes and monitor evolution over time.
• 🔬 Out-of-the-box scan instrumentation with opentelemetry and improved debugging of Ostorlab's open-source engine.
• 💻 Open-sourcing of several new detectors for domain hijacking, recon, fingerprinting ...
• 🎌 Ability to search applications on the store by country.
• 📄 Certificate-based authentication for Mobile Scans and script-based authentication for web scans.
• 🐒 New analysis environment for web applications with intercepted traffic and visualization of crawl coverage (this one looks awesome).
• 📝 Improved plans management for large organizations with the ability to transfer subscriptions and resize them on the fly.
• 🎩 Improved Jira integrations with configuration test, risk rating selection, and improved information synchronization.

• 💎 New Attack Surface Discovery to discover known and unknown owned assets and schedule continuous monitoring
• 🔒 Add support for using Chrome Recorder script for Authentication
• 🎉 Add support for CRON based monitoring with defined schedules
• 🔨 Github Actions integrations
• 🎉 Open-sourcing of over 20 security testing agents (Zap, Whatweb, Whois IP, Whois Domain, Wappalyzer, Virus Total, Tsunami, Tracker, Subfinder, Openvas, Nuclei, Nmap ...)
• 🚀 Performance and resilience improvement to Ostorlab Agent Builder

• 👾 Improve detection of Flutter and React-Native vulnerabilities
• 👾 Add detection of several new classes of vulnerabilities, including Log4J
• 🎉 Open-Sourcing of Ostorlab scanning engine adding support for local runtime and Windows-based environment Adding Ostorlab Agent store to easily access and publish scan agent
• 🚀 New agent-group definition to define composable scan agent
• 🚀 New agent-group UI builder and YAML definition file generation
• 🚀 Automated agent builder from repo that automatically detects and builds new releases
• 🏫 New learning center exposing documentation, videos, scan sample and vulnerability knowledge base
• 🎉 Open-Sourcing Ostorlab knowledge base
• 🎉 Open-Sourcing agents for popular tools Nmap, Tsunami, Nuclei and Virustotal
• 🎉 Open-Sourcing agents for improved vulnerability tracking (Tracker, Persist Vulnz, Inject Asset and Debug)
• 🔐 Improve account security with OTP (One-Time-Password) support
• 🔨Add integrations portal to configure newly support integrations
• 🔨 Add Jira, Gitlab and Jenkins for CI/CD and ticketing integration
• 🔐 Add SAML-based authentication for SSO enterprise access

• Release of the Remediation API with better vulnerability lifecycle management, allowing detection of fixed vulnerabilities, re-opens and maintain status of exception and false positives
• New dashboard offering a glass box view into security posture and urgent tasks
• Management of patching and priority policies with SLO and tools to track and measure fix performance
• 3rd Party integrations with Jira
• Add Ticket timeline to with dynamic setting of start and end time
• Add grouping of ticket by status, priority and tag
• Add Ticket bulk edit mode

Focus on improving the Monkey Tester to improve coverage adding support for more strategies and advanced test case generation. Work also included better handling of Application packaging and management of our fleet of mobile devices.

• 🤖 An all improved Monkey Tester with highly improved code coverage
• 💐 UI Call coverage visualisation to understand what has been done

Focus on improving Web Scanner detection, adding several features, like Backend fingerprinting, adding more vulnerabilities and improving Backend Vulnerability representation model. Work also included improving Monkey Tester to support more advanced testing strategies. Key updates:

• 🤖 Adding support for multiple strategies to Monkey Tester
• 🪲 Multiple bug fixes and improvements to Backend Scanner, XSS Scanner, Fingerprint detections
• 🤖 Scale search indexing infrastructure to handle the increase in covered assets

• 🤖 Support of new backend vulnerabilities, like SQL with JDBC escape sequence, Jinja template injection, Python Object serialisation ...
• 🤖 Support of new backend vulnerabilities, like XXE, XSLT injection, Fastjson serialisation, PHP RCE ...
• 🪲 Tweaks to the JDWP Android monitor for coverage and performance.
• 🚀 Parallelization and backend vulnerability model generation to improve false positive confidence to 6*9 (99.9999%).

• 🪲 API traffic improvement and bug fixes
• 🔍 Multiple performance and enhanced result for the new search feature
• 🤖 New dynamic instrumentation engine for iOS based on LLDB
• 🤖 Improve iOS instrumentation to capture SQL, Crypto, Keychain, Zip, Wifi, Webkit, Biometric, Filesystem, HTTP, Preferences dangerous API
• 🤖 Enable backtracing of dangerous API to track their usage
• 🤖 Support of credential authentication in Web Scan
• 🤖 Improved Web Crawling to support mutated html

• 🔍 New rules to detect insecure javascript patterns and new insecure secret usage.
• 💐 Add search, tagging and call trace of extern functions, like JNI.
• 🔍 New scan search capability to search across all analysis asset types.
• 💐 API traffic IDE capability.
• 🤖 API to persist taint graph from scan.

• 🪲 Fixes to the Analysis Environment indexing to enable code and file search
• 📢 Deprecate Free+Analysis scan type in a revamp of the analysis environment
• 🚀 Asset inventory model rewrite leading address a performance issues leading to 600% performance improvement of loading scans.
• 🤖 Support for persisting taint graph for use by the Analysis Environment and future VulnAPI
• 💐 Support for tagging of native function in IDE
• 🔍 Add multiple new sinks methods
• 🪲 Remove false positive in detection of RSA/ECB weak encryption
• 🪲 Bug fixes to taint analysis leading missing detections
• 🤖 Detection of valid Sendgrid API keys
• 🤖 Enhanced detection of dangerous Webview settings and deprecation of non-vulnerable APIs
• 🤖 Detection of insecure Zip leading to path traversal arbitrary file overwrite
• 🪲 Fix Twitter API detection

• 🪲 Fixes to the Analysis Environment indexing to enable code and file search
• 📢 Deprecate Free+Analysis scan type in a revamp of the analysis environment
• 🚀 Asset inventory model rewrite leading address a performance issues leading to 600% performance improvement of loading scans.
• 🤖 Support for persisting taint graph for use by the Analysis Environment and future VulnAPI
• 💐 Support for tagging of native function in IDE
• 🔍 Add multiple new sinks methods
• 🪲 Remove false positive in detection of RSA/ECB weak encryption
• 🪲 Bug fixes to taint analysis leading missing detections
• 🤖 Detection of valid Sendgrid API keys
• 🤖 Enhanced detection of dangerous Webview settings and deprecation of non-vulnerable APIs
• 🤖 Detection of insecure Zip leading to path traversal arbitrary file overwrite
• 🪲 Fix Twitter API detection

• 🤖 Switch API encoding from JSON to UBJSON to add support for binary format
• 💐 Analysis Env javascript formatting
• 💐 Analysis Env detection of new file formats
• 💐 Analysis Env call trace node coloring to match function and method tagging
• 🪲 Multiple bug fixes and performance optimization of the Analysis Env
• 📢 Support for sharing report access using a shareable link
• 📢 Add edit mode to vulnerabilities to change risk rating or mark as a false positive
• 🚀 Detection of new secrets keys and dangerous functions

• 📢 Release of Android and iOS application analysis environment
• 🚀 Analysis Env support for APK and IPA file listing with content access
• 🚀 Analysis Env support for Code highlighting for HTML, Javascript, XML, Java, C++
• 🚀 Analysis Env support for Binary plist extraction
• 🚀 Analysis Env support for Macho and ELF file disassembly and decompilation for ARM and ARM64
• 🚀 Analysis Env support for Macho and ELF string listing
• 🚀 Analysis Env support for DEX classes listing
• 🚀 Analysis Env support for DEX smali listing and java decompilation
• 🚀 Analysis Env support for Android resource extraction
• 🚀 Analysis Env support for Android manifest extraction
• 🚀 Analysis Env support for DEX, Macho, and ELF function call trace with full refs and xrefs generation
• 🚀 Analysis Env support for Dangerous functions tagging to identify security hotspots.
• 🚀 Analysis Env support for Contextual call trace generation.

• 📢 Release of continuous application monitoring from the store
• 🔍 Detection of weak Bluetooth connection
• 🔍 Detection of dynamic broadcast receiver with no permissions
• 📢 New Jenkins Plugin to integrate CI/CD pipelines with Ostorlab
• 💐 Email and UI notification to inform of key events (scan completion, password change ...)
• 💐 Expose API key generation and management from the UI

• 📢 Release of Ostorlab lighthouse continuously scanning public applications
• 📢 Release of Ostorlab VulnDB UI to access internal known vulnz database
• 💐 Vulnerability tagged as affecting security and privacy, security only or privacy only
• 🔍 Detection of several privacy settings in Android manifest
• 🔍 Detection of facebook SDK debug mode
• 🔍 Detection of GPS location tracking impacting privacy
• 🪲 Fix insufficient sink default taint and missing propagation for Array and Const

• 📢 Store search and scan feature
• 📢 Deep 3rd party dependencies fingerprinting
• 💐 Markdown vulnerability text and description support

• 📢 Extend 3rd party dependencies rules
• 🚀 Creation of database of unreported vulnerabilities

• 💐 Report libraries and 3rd party dependencies
• 🔍 Fingerprinting of Native Android libs, iOS Frameworks, Cordova plugins, Javascript libraries, Xamarin libs and OpenSSL
• 🚀 Vetted and enhanced vulnerability database with all the known vulnerabilities affecting libraries and 3rd party dependencies
• 🚀 Indexing support for Maven Jar and AAR, Cocoapod podspecs and NPM packages
• 🔍 Detect calls to dangerous Bluetooth API

• 📢 Exposure of CVSSv3 score
• 🤖 Alpha support for UI Automation rules
• 🎁 Add Xamarin decompiled source code to the list of artifacts
• 🔍 Detect of secrets (SSH Private Keys, Service Account, Slack Token, etc.)
• 🔍 Detect use of deprecated TLS protocols (SSLv2, SSLv3, TLSv1.0, TLSv1.1)

• 📊 Add generation of executive summary PDF report
• 📢 New Secure risk rating to denote secure implementation
• 📢 New Hardening risk rating to differentiate between actual vulnerability and missing hardening mechanism
• 📢 Add support for archiving scans
• 📢 Add support for exporting scans
• 🔍 Add detection of new sinks and sources leading to insecure file write, insecure TLS and command execution
• 🚀 Enhance performance of taint analysis and increase coverage
• 💐 Enhanced representation of taint information
• 💐 Enhanced representation of stack traces collected in dynamic analysis
• ⚠ Fix inconsistency in risk rating
• 🪲 Fix false positive in iOS detection for missing ARC and Stack Guard protections

• Support for streaming API to create and stops scans
• Subscription support
• New KB entry for Webview LoadURL injection
• Bug fixes to JDWP Hooking engine
• Dashboard update showing scan plan
• Support for stopping and archiving scans

• API for scheduling rules
• Migration to Kubernetes
• Initial support for streaming API to create scans

• API to manage Inventory (mobile apps, urls, domains, ...)
• UI to list, create and update Inventory and Assets
• CI/CD pipeline integration
• Deprecate old UIs

• Release of the alpha version of the new reporting front end
• API naming fixes
• Fix submission of the test credentials
• New Google Play client to support scanning from the Play Store directly
• Several New APIs move to GraphQL (Account and Password Management, Artifcats)
• Worker to handle long-running jobs (PDF generation and Scan Export)

• Progress on the new reporting front end
• Bug fixes in public website
• Simplified pagination support in all APIs
• Experimental API to create Web Scans

• Release of an open source Android application to benchmark vulnerability scanners
• Extensions to the GraphQL API adding support for pagination, vulnerability search and switch from passing applications in Base64 to multi-part support
• Progress on the new reporting front end

• Release of a new documentation website docs.ostorlab.co
• Release of a new website www.ostorlab.co using material design

• Major migration of all existing infra and data to the new backends.

• Infra refactoring into a micro-service architecture.
• Separation of user portal and public website to prepare moving to serverless.
• Separation of backend and add an orchestration backend to prepare moving from Swarm to k8s.

• Refactoring of API adding support for GraphQL.
• Migration of website, user portal and orchestrator to GraphQL.

• Extending vulnerability test bed.
• Add support for template injection of 4 new Java template engines.
• Add support detection of Ruby code injection.
• Add support detection of Node.js code injection.

• Multiple bug fixes and performance enhancements.
• Fix false positive detection of Template Injection.
• Add support detection of python code injection.
• Add support detection of pickle deserialization injection.

• Multiple bug fixes and performance enhancements.
• Enhance detection of XSS adding support for multiple callbacks vectors.

• New alpha system to detect vulnerabilities in backends from previously collected ones.
• Creation of a new vulnerability test bed.

• Add support for detection of stored XSS.
• Complete rework of the scan authentication module. It works well and sends fewer requests.
• Brand new subscription menu.
• Bug cleaning season.

• Add support for multi-step submitting of Forms.
• Enhancement to automatic detection of CSRF fields and auto-update of CSRF tokens.
• Alpha version of Fingerprinting agents.

• Major enhancement coverage of XSS contexts, long live Polyglot payloads.

• Enhance CSRF handling for web scanning.
• Add scan export and import feature for on-premise scanning support.
• Implementation of ADB Proxy agent for on-premise scanning support.
• Add collection of screenshots and logcat traffic during dynamic analysis.
• New security rules for Android Network Security Configuration.
• Fix false positives in Cryptography rules using static taint.
• Rework of all rules formatting.
• Fix PDF generation and add support for code highlighting.
• Add support for kown pathes crawling
• Add Artifact panel to store extracted source code, screenshots and traffic logs.
• Add Xamarin source code decompilation.
• Fix duplicate request testing by backend and XSS scanner.
• Initial work on CSRF token detection and generation for POST request fuzzing.
• Add support for inserting payloads in sub-pathes.

• Extensive bug fixes month of all core components.
• Enhance testability of the scanning engine.
• Enhance reporting features.

• Enhanced detection of template injection vulnerabilities.
• New scanner for detecting XSS vulnerabilities.
• Ehanced supported for nested serialization formats.
• Major rework for scan scheduling engine for increased scalability.

• New backend scanning engine with beta support for SQL injection and XXE
• Adding beta support for crawling of HTML content.

• Bumping free scanner coverage limit from 100 to 300.
• New detector for encrypted IPA.
• Fix false positive in dynamic rules detecting weak encryption.

• Porting LLDB for iOS to work on Linux.
• New backend scan engine.
• New experimental crawler.

• Adding Support for authenticated scan.
• Final version of Java hook engine with stack trace support and full context inspection.
• Major enhancement to the taint engine reducing false positives.
• Multiple bug fixes affecting PDF generation and false positive declaration.
• Adding feature to report false positives and remove them from the final report.
• Multiple new dynamic rules to trace sensitive function call.
• New agent to detect sensitive material files, like private encryption keys.

• Surface static taint analysis coverage in the scan report.

• Unsafe Transport App Security settings in iOS apps are reported as vulnerabilities.
• Performance enhancement for the support of large multidex files.
• Bug fix in method xref for multidex files.
• Enhance vulnerability de-duplication.
• Multiple bug fixes for iOS scan rules.

• Advanced option to detect weak files permission for both Android and iOS. (OWASP Mobile Top 10 - M2)
• Advanced option to detect Personal Identifiable Information (PII) leakage for both Android and iOS. (OWASP Mobile Top 10 - M2)
• Advanced option to detect clear-text traffic for both Android and iOS. (OWASP Mobile Top 10 - M3)
• Advanced option to detect insecure TLS/SSL validation for both Android and iOS. (OWASP Mobile Top 10 - M3)
• Advanced option to support iOS call to weak Cryptographic API. (OWASP Mobile Top 10 - M5)
• Advanced option to support download PDF report.

• Stabilizing unlimited scan feature with bug fixes.
• Correction of false positives in Insecure Encryption Mode.
• Correction of false positives in ASLR detection for iOS Apps.
• Move to a clustered architecture to support increase scan load.
• Final version to support dedicated unlimited scans.

• New feature to support dedicated scans.
• Tweaks and updates to the user interface to support fast uploading.

• New backend system to support the increased load.
• Major code refactoring of all agents to support the new backend system.
• Multiple bug fixes.

• New static taint engine for Android Bytecode.
• Multiple bug fixes and performance tweaks.