This update improves the user interface of the platform, adds new detection for Webview-related vulnerabilities, and ships multiple bug fixes.

📦 Detection

• Added detection for CVE-2023-50969, CVE-2024-2879, CVE-2024-3273, CVE-2024-29269, CVE-2024-3400, and CVE-2023-24955.
• Added detection capabilities to identify insecure Webview practices in iOS applications.
• Added a concise and relevant detection for the use of dangerous deprecated APIs.

🛠️ Platform Improvements

• Added Compact view to the call coverage:

  

• Added the ability to specify relevant standards when generating scan reports:

  

• Improvement to the graph node appearance:

  

• Added the ability to search by Objective-C runtime in the ide:

  

• Added filtering for potential nodes:

🐞 Bug Fixes & Small improvements

• Defaulting new user role to Reader instead of the more privileged User. The change affects SSO / SAML access configuration and UI default.
• Improve OXO usage documentation.

This update significantly improves objective-C instrumentation, adds new detection for insecure data storage and Regex DoS, and ships multiple bug fixes.

📦 Detection & Knowledge Base

• Improve dynamic instrumentation for objective-C and persist collected stack traces in the Analysis Dynamic section.
• Added detection capabilities to identify insecure data storage practices in iOS applications. This includes identifying the use of potentially vulnerable storage mechanisms such as UserDefaults and UIPasteboard.
• Added detection for Regular Expression Denial of Service (ReDoS) vulnerabilities. This new feature identifies sinks that use user input to create regular expressions, which can lead to potential ReDoS attacks.
• Refined all KB recommendations to be actionable, so now we have a step-by-step process to solve vulnerabilities.

  

Frontend Enhancement

• Added table of contents to Blogs:

  

• Added highlighting to the Tips section:

  

• Added a button to download all PCAP files at once as a ZIP archive:

  

• Show graph edge & node labels in a card:

  

🐞 Bug Fixes

• Fixed the generation of rules for iOS to take init function into consideration.

This update introduces fixes for the Attack Surface, detection for the liblzma backdoor, and a public store for agents.

📦 Detection

• Added detection for Apple's Privacy Manifest files. A Privacy Manifest describes the data an app or third-party SDK collects and the reasons required APIs it uses. Developers are required to include it in their apps before May 1st, 2024. The detection rule checks that apps are compliant with the new requirement, and whether their implementation is secure or not.
• Added detection for Django DEBUG mode enabled.
• Added detection for leaking secrets in Web Apps.
• Added detection for liblzma backdoor.
• Added detection for CVE-2023-48788, CVE-2021-44529, CVE-2019-7256, CVE-2022-20767, CVE-2022-0412, and CVE-2024-1212.
• Improved detection for Personally Identifiable Information (PII). The rule now detects way more vulnerable methods that leak PII data. PII leaking is now also done using a static rule.
• Improved detection for Mixed content WebView settings by analyzing and detecting more dangerous WebView settings.

🤖 Open Source

• Made the OXO agent store public.

  

🐞 Bug Fixes

• Fixed confirming assets defaulting to red as the custom color.
• Fixed Android and iOS search filters not working for potential assets.
• Fixed the CVE matcher DNA to take into account the latest CVEs.

This update introduces fixes for the Attack Surface, migration of Agent's Docker Images to Docker Hub, enhanced detection capabilities for vulnerabilities, and support for ARM64 architecture in OSS.

🕸️ Attack Surface

• Addressed issue with Attack Surface creating non-confirmed assets from detected vulnerabilities. Users now have the ability to only collect metrics of confirmed and maintained attack surface assets without issues related to non-validated assets from scans.

🛠️ Infrastructure

• Migrated Agent's Docker Images to Docker Hub for improved visibility and speed into open-source OXO agents.

📦 Detection

• Added detection for aiohttp path traversal vulnerability actively getting exploited.
• Added detection of CSS injection vulnerabilities leading to application takeover, keylogging and defacement.

🤖 Open Source

• Added support for ARM64 architecture, enabling running the venerable OXO on Mac Machines with native speed.

This update introduces a series of new features related to the IDE, Jira integration, OXO, and many improvements to the platform.

📄 PCAP files exposed in the IDE.

• Designed for security teams looking to push the analysis even deeper, now you can download all raw PCAP for your mobile full scan.

  

🤖 Open Source

• Binaries for the OXO scanning orchestrator are available with every new release for Ubuntu, macOS, and Windows.

  

• Added agent key shortcuts: Instead of

oxo scan run --agent agent/ostorlab/nmap ip 8.8.8.8

You can now simply run:

oxo scan run --agent nmap ip 8.8.8.8

Or

oxo scan run --agent @your-org/nmap ip 8.8.8.8

• Added support for scanning Network ranges and IP addresses in the cloud runtime.

oxo scan --runtime=cloud run -g network_agent_group.yaml ip  8.8.8.8/30

📑 Jira custom fields mapping

• If you have Jira integration enabled on Ostorlab, you can now map custom fields from your tickets with Ostorlab fields.

  

• Syncing the fields and values can be done from your JIRA project to Ostorlab and vice-versa.

🕸️ Attack surface refinements

• Added ability to edit potential nodes, specifying a custom potential owner.

🔬 XSS detection

• Improvements to postMessage XSS detection, adding detection of XSS in complex data objects.

🐞 Bug Fixes

• Fixed segregation and excluded unreliable rules in the VirusTotal agent.
• Addressed ecosystem confusion for outdated dependencies detection.

This update introduces various improvements to the XSS scanner, the functionality of the open-source CLI, and monitoring rule creation.

🛠️ Platform Improvements

• Restructured the new monitoring rule flow to be more user-friendly and intuitive.

  

📦 Detection & Knowledge Base

• Added detection for Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability.
• Improve XSS Agent to detect PostMessage-based XSS.

🤖 Open Source

• Ship the first version of Nebula Agent for persisting messages locally.
• Added support for primitive arguments of agents in CLI scan run. You can pass arguments using the --arg flag, e.g.:

oxo scan run --agent agent/ostorlab/nmap --follow agent/ostorlab/nmap --arg fast_mode:False ip 8.8.8.8

This command will initiate a scan using the Nmap agent with the fast_mode argument set to False:

This update introduce a series of updates aimed at enhancing user experience, platform improvements, and bug fixes across various features.

🕸️ Attack Surface & Inventory Improvements

• Users can now export inventory assets to a CSV file for easier data manipulation and analysis.

  

• The asset owner field is now pre-populated when editing one or more assets as well as when confirming potential nodes.
• Fixed a bug where assigning attack surface owners to an attack surface auditor failed when users created a new owner within the modal.

📄 Remediation Enhancements

• Regular expressions are now supported for filtering data in Remediation, Inventory, and Attack Surface, allowing for more granular searches.
• Fixed exclusion filter functionality for assigned and self-reported tickets.
• Fixed ticket metrics to be based on closed time rather than modified time.
• Users can now open created tickets in new tabs when using the "Save & Add Another" feature for convenient access.

⚙️ Automation Rules Updates

• Introducing a new automation rule action enabling the deletion of tags assigned to selected tickets or assets, enhancing customization and control.
• You can now see a list of items a new rule will apply to before creating the rule.

  

🛡️ Scan Enhancements

• Fixed an issue with multiple downloads of exported scans.
• Mobile scan summaries now display IP addresses within the preview of backend links for better context.

  

📦 Detection & Knowledge Base

• Added detection for Insecure Storage vulnerabilities in mobile applications.
• Enhanced descriptions and recommendations for Personally Identifiable Information (PII) vulnerabilities, complete with insightful code snippets.
• Detections for HTML injection and dynamic code loading have also been refined for increased accuracy.

🤖 Open Source

• Added support for scanning a list of assets using a Yaml asset definition file. You can pass an asset definition file using the -a flag, e.g:

oxo scan run --install -g agent_group.yaml -a assets_group.yaml

🗝️ Improved API Keys page

The API keys page has been redesigned for ease of use.

OXO Open-Source Improving

OXO open-source is coming with new features and enhancements to facilitate its usage:

Enhanced Message Specification in Agent Groups :

• Users can now specify the source of messages within an agent group.
• Users now have the ability to specify the in_selector within the agent group definition. This feature overrides the default configuration set in the agent YAML file, providing more flexibility and customization.

  

Expanded Search Capabilities in the CLI :

• Search by Risk Rating : Users can now search for vulnerabilities based on specific risk ratings or a combination of multiple risk ratings.

  

• Keywords search in different fields : Users can now search for findings that contain a specific text.

  

Performance Enhancement :

• By reducing the health check interval for agents and optimizing the scaling process, users can now experience faster startup and execution times, significantly improving the overall efficiency of OXO open-source.

Security Enhancements

• Enhance the detection capabilities for path traversal vulnerabilities.
• Refine the detection mechanisms for improved identification of intent redirection vulnerabilities.

Test Credential Name

Users can now assign a custom name/label to their test credentials for improved organization and identification. With the help of this optional name/label, users can quickly recognize and manage their test credentials and differentiate between different test configurations.

Attack Surface Discovery Paths

The latest update incorporates attack surface discovery paths, offering detailed insights into how assets were discovered. This addition helps understand from which asset(s) a particular asset came from.

The attack surface discovery path of an asset can be viewed from the asset details page by going to the Inventory and then clicking on the asset.

The discovery path can also be seen from the discovery page and left-clicking on the asset in the graph.

Graph Edge Attributes

Graph edges now show attributes, facilitating a clearer understanding of the relationships between nodes. This is helpful when you want to know which tool discovered the node, when the node was discovered, when it was last 'seen', etc.

These updates collectively contribute to a deeper comprehension of the attack surface discovery.

🛠️ Enhanced Dynamic Analysis

Over the past month, significant advancements have been made in dynamic analysis. We've expanded our capabilities to include instrumentation support for Java, Kotlin, Swift, and Dart 🚀. We've also enhanced our detection mechanisms, identifying over 1,365 new vulnerable patterns in Swift and 846 in Dart.

🗝️ Refined IAM Management

We've fine-tuned IAM management by introducing two new roles: Reader, offering read-only access, and Attack Surface Auditor, designated for conducting thorough audits of the attack surface. This update ensures more tailored and secure access management.

🔍 More Detailed Attack Surface Insights

The Attack Surface feature now provides more detailed access control, tailored per Owner. This update enhances both the precision of discovered asset recommendations and the specificity of access rights, ensuring a more secure and efficient management of assets.

🛡️ Enhanced XSS Detection Capabilities

Our XSS Detection capabilities have undergone a significant overhaul, leading to better detection rates and broader coverage. We've added several new payloads and re-engineered our approach to authenticated testing, greatly enhancing the robustness of authentication during tests.

📦 Advanced Vulnerable Dependency Detection

We've improved the correlation between application fingerprints and known vulnerabilities searches. This enhancement has led to the detection of over 150% more new packages across various frameworks and languages, significantly boosting our ability to identify and mitigate vulnerabilities.

🐞 Bug Fixes

• Resolved an issue causing errors in the detection of source map code leaks.
• Fixed an error encountered when evaluating IP reputation.
• Addressed a bug that prevented the crawler from collecting request and response headers.
• Improved handling of large arguments collected during dynamic analysis.
• Corrected an issue with XSS tab timeouts, ensuring no findings are missed.
• Updated and clarified descriptions in our knowledge base entries.
• Fixed CSV validation errors during asset imports.
• Enhanced the computation of vulnerability DNA in the XSS Agent for more accurate detection.

HTTP Folders

Introducing HTTP Folders, a new way to navigate your app communication. Easily navigate domains and subdomains for a clear view of requests and responses, gaining valuable insights with streamlined visibility. You can see your app's HTTP folders in the IDE section of your scan report.

• ℹ️ Detailed Information: Each HTTP folder includes detailed information such as the domain, subdomain, and a list of requests and responses.
• 🔍 Search and Filter: Easily search and filter HTTP folders based on domain, subdomain, or specific requests, facilitating efficient monitoring and analysis.

Basic Authentication

Ostorlab now supports Basic Authentication in Web scans. Test applications seamlessly with Basic Authentication or Composed Authentication (Form-based or Script-based), enabling a more wide-ranging scan.

• 🔒 Various Authentication Methods: Unlock a spectrum of testing possibilities with support for Basic and Composed Authentication.
• 🌐 Expanded Testing Scope: Ensure wider coverage of your application testing.

Attack Surface Enhancement

We've enhanced the Attack Surface section to streamline navigation. Introducing the new "Nodes" tab, it provides a comprehensive list of all nodes in your attack surface graph, along with a summary of their properties, including type and ownership. You can see your Attack Surface "Nodes" in the Attack Surface section.

Stack Traces Search Enhancement

We've made an enhancement to the Stack Traces search in the Dynamic tab of the IDE section. Now, you can conveniently search stack traces by Runtime type, including Flutter, C, Dex, or Swift.

Audit Logs

Introducing a comprehensive audit logging system. This new feature allows organization admins to track and monitor various activities and changes within the organization, providing enhanced visibility into user actions. You can see your organization's audit logs in the Audit Logs section of the Library.

• 📜 Audit Actions: Auditing a wide range of actions, including user logins, data modifications, configuration changes, and more.
• 🕦 User Activity Tracking: Recording user interactions to assist in maintaining accountability and security.
• ℹ️ Detailed Information: Each audit log entry includes detailed information such as the user responsible, timestamp, and a description of the specific action taken.
• 🔍 Search and Filter: Easily search and filter audit logs based on user, date, or specific activities, facilitating efficient monitoring and analysis.

Bitbucket CI/CD Integration

Seamlessly integrate Ostorlab security scanning into your CI/CD pipelines. Get started with our documentation.

🔐 IDE & Security Improvements

• 📄 Mobile scan logs displayed directly in the IDE.

  

• ⚡ Faster and more responsive IDE.

• 🚫 Critical risk rating added.

  

• 🌐 Reputation report for IP/domains.

• Detect Oauth account takeover from config files
• Not aggregate exception and false positive tickets.

🎨 UI Enhancements & Fixes

• 🛠️ Fix scan summaries for shared scans.
• 🖥️ Distinguish between store and file targets in remediation sections: Scan from the store and file scans are now aggregated separately. This allows you to distinguish between the two types of scans in the remediation section.
• ⚡ Faster ticket page loading.
• Possibility to add titles when creating scans.

  

• New scan events in the ticket page.
• Support for SVG images in organization images.
• In the subscription page: show tag Canceled only if the plan is active.
• When exiting the ticket page in edit mode, a prompt is displayed to save the modifications.
• Rework the organisation settings page.
• Add bulk delete for test credentials.
• Add the ability to disable email notifications.
• Improved function signature presentation with parameter name and type.

🔐 Open Source Updates

• Improved handling of connection issues during agent initiation.
• Improve presentation risk ratings in CLI.

🔐 Security Enhancements:

• 🛡️ Enhanced URL injection detection, added OAuth account takeover detection, and source map leak prevention, with improved dependency confusion vulnerability detection.
• 🌐 PCI and GDPR Compliance Standard Mapping.
• 📊 Separated findings between store and file scans for clearer reporting.
• 🚫 Enhanced CVE vulnerability reporting.

🚀 User Experience Improvements:

• 📄 Improved PDF reports with enhanced graphics and summaries.
• ⚡ Achieved a 10x speedup in secret detection for faster scans.
• 🖥️ Introduced a new ticket/remediation UI for better usability and common actions.
• 🔍 Enhanced scan search functionality for easier information retrieval.

Added support for multi-SBOM Scanning and the ability to scan SBOM files through CI/CD integrations.

📢 CI/CD support SBOM

🔄🛠️ ️Now it's possible to run the scan for SBOM files through the ostorlab CI/CD integrations, for more info refer to Github Integration, Azure-Devops Integration, CircleCi Integration

📢 Multi-SBOM

Ostorlab now supports the simultaneous scanning of multiple Software Bill of Materials (SBOM) files 📁📝 Documentation.

Ostorlab now supports filtering PDF report items by both risk rating and ticket status.

Ticket statuses are now also included in the report for better understanding:

During our recent Fix-It Week 🛠️😃, our dedicated team put in a tremendous effort to address and resolve over 107 issues affecting our systems. This action-packed week led to numerous improvements in functionality, stability, and security across various components of our application. 🚀🔧🔒 Below is a highlight of the most notable fixes: 📋🔍

Security:

• Improve brute force attack detection and remediation, particularly credential stuffing 🔐💪
• Improve XSS handling of form input fuzzing 🛡️🔍
• Improve description and recommendation of several common vulnerabilities 📝🔒
• Improve fingerprint detection of Xamarin dependencies 🧐🔍

Attack Surface:

• Improve handling of edge case TLD values 🔄🔍

UI:

• Add item filtering in the ticket edit mode 🔍🎫
• UI improvements 🎨✨

Production:

• Series of bug fixes, dead code deletion, and version upgrades, some with their fair share of breakages, pain, sweat, and tears 😅🚑🔧
• Add support for download geofencing in more countries 🌍📥🔒

Monkey Tester:

• Address navigation issues in some edge cases using image detection and OCR reading 🐒🔍📖

Jira:

• Updated Jira Projects API to fetch projects in real mode 📊🔄
• Add backporting of tickets in case Jira project settings are changed ↩️🎫

Mobile: * Support for Different Regions in iOS Downloader: Added support for downloading iOS applications in Japan, Russia, UK, Germany, and China 🌏📱🇯🇵🇷🇺🇬🇧🇩🇪🇨🇳.

We are excited to announce that Ostorlab now supports uploading an SBOM or Lockfile for extended dependency detection.

Supported Files

The platform supports an extensive list of SBOM and Lockfiles.

• SPDX
• CycloneDX
• gradle.lockfile
• pubspec.lock
• buildscript-gradle.lockfile
• pnpm-lock.yaml
• package-lock.json
• packages.lock.json
• pom.xml
• Gemfile.lock
• yarn.lock
• Cargo.lock
• composer.lock
• conan.lock
• mix.lock
• go.mod
• requirements.txt
• Pipfile.lock
• poetry.lock

To get started, refer to the detailed steps provided in our integration documentation here.

We are excited to announce the addition of CircleCI and AppCenter CI/CD integrations.

📢 Circleci

With CircleCI orb, you can integrate security scanning into your deployment pipeline. With this integration, you can enhance the security of your applications during the deployment process.

To get started, refer to the detailed steps provided in our integration documentation here.

📢 AppCenter

With AppCenter integration, you are able to incorporate Ostorlab security scanning into your CI/CD pipelines.

For more information and instructions, please refer to the documentation here.

We're excited to announce a series of updates and improvements designed to enhance your experience and security. Here's what's new:

🔐 Security Enhancements

• Added over 200 Flutter-specific detection rules for increased vulnerability spotting.🎯
• Improved vulnerability entries for various issues, including template injection, XML injection, ZIP path traversal, and more.🔧
• Addressed insecure biometric authentication and client-side XSS among new vulnerabilities.🛡️
• Launched an open-source Flutter vulnerable module for community contribution.🚀
• Rolled out a detection feature for Facebook insecure devsettings.🔍
• Minor bug fixes and improvements in our PDF generation process.📝

🔄 Authentication Improvements

• Social authentication now supports Google and Github providers, allowing for seamless and secure sign-in experiences.🔑

🧠 AI and Analysis Updates

• Introduced an AI Enhanced summary and recommendation system for better decision-making.🤖
• Added dynamic call listing to the analysis environment, allowing for more comprehensive exploration.🔎
• Deprecated some iOS findings for more accurate results.❌

🖥️ UI & UX Upgrades

• Revamped the notification UI for a more streamlined user experience.🔔
• Added ticket count in the remediation menu for better task management.📊
• Rolled out duration-based search filters to refine your search results.⏱️
• Slots counts are now visible on the payment page for improved transparency.💳
• We've also given our blog a fresh, new look!🌐

🤝 Integration and Support

• Minor bug fixes in Jira integration support for smoother collaboration.🔧
• Improved geofencing support for several countries, including India and UK.🌍
• Bettered Monkey Tester support for Webview based navigation on both Android and iOS platforms.📱

🐛 Bug Fixes & Open-Source Contributions

• Fixed bugs in AAB file support for a smoother app experience.🛠️
• Fixed multiple issues in open-source agents like Truffle Hog and Semgrep.🐞
• Released an open-source OSV agent for broader community collaboration.👥
• Addressed minor bugs to improve Automation Rules functioning.🔄

Our latest release is packed with numerous enhancements, designed to elevate your security experience with Ostorlab. From attack surface discovery to vulnerability detection and reporting, we have made significant strides to make your security journey smoother than ever before.

Here are some of the highlights of our latest release:

• Faster and easier navigation of artifacts and scan coverage;
• Weekly reporting that provides valuable insights into trends and patterns;
• Export button to CSV from both scan and tickets menus for enhanced convenience;
• Over 50 new vulnerability detections, further improving the quality of our security assessments;
• Improved SMS 2-FA based authentication, providing an added layer of security;
• Extraction of dynamic routing from popular web frameworks like Next.js and Nuxt.js, helping you identify potential vulnerabilities in your web applications more efficiently.

New Automation Rules

We are excited to announce the release of our new automation rules features, designed to streamline your workflow and simplify your security management. With these new features, you can now automatically assign owners, set tags, send email notifications, and more.

Here are a few examples of how the new automation rules can come in handy:

• Automatically assign vulnerabilities to a user for remediation;
• Confirm discovered assets and assign an owner automatically;
• Apply specific tags to assets that match certain filters;
• Receive email notifications when assets match a specific pattern, such as when a potential service has SSH exposed on a non-default port.

Flexible Yearly Plans: Use Your Testing Slots Anytime, Anywhere

We are thrilled to announce that we have made some significant changes to our yearly plans based on your feedback. One of the most requested features from our users has been the ability to adjust the usage of their yearly plans to meet spikes in testing needs, without losing testing slots during periods of inactivity or development.

We are delighted to inform you that we have taken note of your feedback, and have made necessary adjustments to our yearly plans, allowing access to all testing slots at any time. Additionally, you can now rest easy knowing that unused testing slots will not be lost during a particular month.

These updates are already available to our existing users with an active plan, and for those who wish to subscribe to a yearly plan.

We hope these changes will enable you to maximize the value of our service and meet your testing requirements without any hassle.

Attack Surface Enhancements

We've made a long list of changes to improve the experience of detecting and navigating your attack surface.

Here are just some of the cool new features:

• Narrow down on any asset using the filter button and access its direct asset connections or even its 2nd and 3rd connections. This feature helps us understand how the attack surface discovery detects new assets. A great example is a user with his work email registering multiple new domains that weren't tracked anywhere before. You know yourself, John from Marketing 🙂.
• Addition of powerful new search features like searching by multiple ownership types or excluding assets matching a search pattern.
• Convenient quick action buttons to trigger a scan or add a monitoring rule. If you are curious about that asset's vulnerabilities, just hit "Quick Scan".
• Bulk asset import makes it a breeze to add many assets by simply uploading a CSV file.
• Access asset data directly from the attack surface graph with information such as DNS Records, open services, used libraries, Whois data, in-use certificates, and much more.

A deeper look at your Mobile Applications Attack Surface.

Attack surface is not just about domain names and IP addresses, especially if you are a mobile-first company.

Ostorlab’s attack surface now detects and tracks mobile applications' attack surface, be it what is the app exposing, what dangerous features is it using, what libraries are used and most importantly tracking their changes and when they are changed. It will even list all backend systems and indicate their geographical location.

Mobile Scan Summary

Our latest work includes a new scan insights feature with a summary of scan reports and actionable feedback on how to improve the security of your app. Augmented with attack surface data, the report provides useful insight into the impact of the identified issues.

Faster Scans 🏎🏎🏎

If you have been using the platform for a while, you might have noticed that scans run faster, much faster. This has required a substantial amount of engineering effort to increase speed without sacrificing quality. This is only the first step toward achieving a full scan completion in under an hour which we aim to achieve before the end of this year.

• 🆕 Release of new automation rules to auto-assign owners, set tag, notify results, etc.
• 🆕 Added new export options to CSV and a copy of ticket.
• ⬆ Improved the UI of the attack surface adding search capabilities.
• 🆕 Added details to the Plans page on exact history usage.
• ⬆ Improved the speed and UI of scan artifacts and call coverage.
• 🆕 Added Jenkins support for remote build nodes.
• 🆕 Released weekly organisation summary email with collection of last scans, last findings and items requiring attention.
• 🆕 Added ability to save searches.
• 🐛 Multiple fixes to Jira ticket creation.
• ⬆ Added new search to the monitoring page.
• 🐛 Fixed handling of XAPK files.
• 🆕 Add scan summary new feature to the PDF reports.
• ⬆ Improved coverage of Web Authentication recorder to support new cases.
• 🆕 Added support in the crawler for path extraction of dynamically routed web frameworks like Next.js and Nuxt.js.
• 🆕 Release of new open-source agent for trufflehog.
• 🆕 Added Wireguard VPN support to several open-source agents like nmap, tsunami, nuclei ...
• 🆕 Improve Monkey tester support for SMS based 2-FA .
• ⬆ Improved reporting of public firebase databases.
• ⬆ Added detection of insecure biometric authentication implementation on Android.
• ⬆ Improved reporting of clear text traffic vulnerabilities.
• ⬆ Improved the backend vulnerability fuzzer and productionization of learning pipeline and addition of new test cases for SQL injection.
• 🆕 Improved PII detection in logs.
• 🐛 Deployed multiple fixes and improvements to secret detection.
• ⬆ Improved over 50 knowledge base entries like hasFragileUserData for better description and recommendation.
• ⬆ Improved detection of insecure file provider path settings.
• 🐛 Optimized the performance of several queries improving performance by 86%.

• 🎉 Faster scan and improved scan reliability
• 🚀 Mobile Attack surface tracking and historization
• ⚡ Improved backend detection and geographic location reporting

• 🎉 Improved metrics with over new 100 metrics collected and new dashboard showing both scanning health, remediation improvement and attack surface evolution.
• 🔒 Attack surface tracking and historization allowing for known what services and libraries are present and when they were introduced.

• 🚀 Release of Attack Surface asset discovery, a graph-based approach with improved coverage for better asset detection.
• ⚡ Ability to configure assets with owners, color, notes, tags, location, and risk rating to ease adding context and influence vulnerability risk rating.
• 📘 Collection of asset history with information like DNS, open services and ports, tech stacks, whois. This offers the ability to track changes and monitor evolution over time.
• 🔬 Out-of-the-box scan instrumentation with opentelemetry and improved debugging of Ostorlab's open-source engine.
• 💻 Open-sourcing of several new detectors for domain hijacking, recon, fingerprinting ...
• 🎌 Ability to search applications on the store by country.
• 📄 Certificate-based authentication for Mobile Scans and script-based authentication for web scans.
• 🐒 New analysis environment for web applications with intercepted traffic and visualization of crawl coverage (this one looks awesome).
• 📝 Improved plans management for large organizations with the ability to transfer subscriptions and resize them on the fly.
• 🎩 Improved Jira integrations with configuration test, risk rating selection, and improved information synchronization.

• 💎 New Attack Surface Discovery to discover known and unknown owned assets and schedule continuous monitoring
• 🔒 Add support for using Chrome Recorder script for Authentication
• 🎉 Add support for CRON based monitoring with defined schedules
• 🔨 Github Actions integrations
• 🎉 Open-sourcing of over 20 security testing agents (Zap, Whatweb, Whois IP, Whois Domain, Wappalyzer, Virus Total, Tsunami, Tracker, Subfinder, Openvas, Nuclei, Nmap ...)
• 🚀 Performance and resilience improvement to Ostorlab Agent Builder

• 👾 Improve detection of Flutter and React-Native vulnerabilities
• 👾 Add detection of several new classes of vulnerabilities, including Log4J
• 🎉 Open-Sourcing of Ostorlab scanning engine adding support for local runtime and Windows-based environment Adding Ostorlab Agent store to easily access and publish scan agent
• 🚀 New agent-group definition to define composable scan agent
• 🚀 New agent-group UI builder and YAML definition file generation
• 🚀 Automated agent builder from repo that automatically detects and builds new releases
• 🏫 New learning center exposing documentation, videos, scan sample and vulnerability knowledge base
• 🎉 Open-Sourcing Ostorlab knowledge base
• 🎉 Open-Sourcing agents for popular tools Nmap, Tsunami, Nuclei and Virustotal
• 🎉 Open-Sourcing agents for improved vulnerability tracking (Tracker, Persist Vulnz, Inject Asset and Debug)
• 🔐 Improve account security with OTP (One-Time-Password) support
• 🔨Add integrations portal to configure newly support integrations
• 🔨 Add Jira, Gitlab and Jenkins for CI/CD and ticketing integration
• 🔐 Add SAML-based authentication for SSO enterprise access

• Release of the Remediation API with better vulnerability lifecycle management, allowing detection of fixed vulnerabilities, re-opens and maintain status of exception and false positives
• New dashboard offering a glass box view into security posture and urgent tasks
• Management of patching and priority policies with SLO and tools to track and measure fix performance
• 3rd Party integrations with Jira
• Add Ticket timeline to with dynamic setting of start and end time
• Add grouping of ticket by status, priority and tag
• Add Ticket bulk edit mode

Focus on improving the Monkey Tester to improve coverage adding support for more strategies and advanced test case generation. Work also included better handling of Application packaging and management of our fleet of mobile devices.

• 🤖 An all improved Monkey Tester with highly improved code coverage
• 💐 UI Call coverage visualisation to understand what has been done

Focus on improving Web Scanner detection, adding several features, like Backend fingerprinting, adding more vulnerabilities and improving Backend Vulnerability representation model. Work also included improving Monkey Tester to support more advanced testing strategies. Key updates:

• 🤖 Adding support for multiple strategies to Monkey Tester
• 🪲 Multiple bug fixes and improvements to Backend Scanner, XSS Scanner, Fingerprint detections
• 🤖 Scale search indexing infrastructure to handle the increase in covered assets

• 🤖 Support of new backend vulnerabilities, like SQL with JDBC escape sequence, Jinja template injection, Python Object serialisation ...
• 🤖 Support of new backend vulnerabilities, like XXE, XSLT injection, Fastjson serialisation, PHP RCE ...
• 🪲 Tweaks to the JDWP Android monitor for coverage and performance.
• 🚀 Parallelization and backend vulnerability model generation to improve false positive confidence to 6*9 (99.9999%).

• 🪲 API traffic improvement and bug fixes
• 🔍 Multiple performance and enhanced result for the new search feature
• 🤖 New dynamic instrumentation engine for iOS based on LLDB
• 🤖 Improve iOS instrumentation to capture SQL, Crypto, Keychain, Zip, Wifi, Webkit, Biometric, Filesystem, HTTP, Preferences dangerous API
• 🤖 Enable backtracing of dangerous API to track their usage
• 🤖 Support of credential authentication in Web Scan
• 🤖 Improved Web Crawling to support mutated html

• 🔍 New rules to detect insecure javascript patterns and new insecure secret usage.
• 💐 Add search, tagging and call trace of extern functions, like JNI.
• 🔍 New scan search capability to search across all analysis asset types.
• 💐 API traffic IDE capability.
• 🤖 API to persist taint graph from scan.

• 🪲 Fixes to the Analysis Environment indexing to enable code and file search
• 📢 Deprecate Free+Analysis scan type in a revamp of the analysis environment
• 🚀 Asset inventory model rewrite leading address a performance issues leading to 600% performance improvement of loading scans.
• 🤖 Support for persisting taint graph for use by the Analysis Environment and future VulnAPI
• 💐 Support for tagging of native function in IDE
• 🔍 Add multiple new sinks methods
• 🪲 Remove false positive in detection of RSA/ECB weak encryption
• 🪲 Bug fixes to taint analysis leading missing detections
• 🤖 Detection of valid Sendgrid API keys
• 🤖 Enhanced detection of dangerous Webview settings and deprecation of non-vulnerable APIs
• 🤖 Detection of insecure Zip leading to path traversal arbitrary file overwrite
• 🪲 Fix Twitter API detection

• 🪲 Fixes to the Analysis Environment indexing to enable code and file search
• 📢 Deprecate Free+Analysis scan type in a revamp of the analysis environment
• 🚀 Asset inventory model rewrite leading address a performance issues leading to 600% performance improvement of loading scans.
• 🤖 Support for persisting taint graph for use by the Analysis Environment and future VulnAPI
• 💐 Support for tagging of native function in IDE
• 🔍 Add multiple new sinks methods
• 🪲 Remove false positive in detection of RSA/ECB weak encryption
• 🪲 Bug fixes to taint analysis leading missing detections
• 🤖 Detection of valid Sendgrid API keys
• 🤖 Enhanced detection of dangerous Webview settings and deprecation of non-vulnerable APIs
• 🤖 Detection of insecure Zip leading to path traversal arbitrary file overwrite
• 🪲 Fix Twitter API detection

• 🤖 Switch API encoding from JSON to UBJSON to add support for binary format
• 💐 Analysis Env javascript formatting
• 💐 Analysis Env detection of new file formats
• 💐 Analysis Env call trace node coloring to match function and method tagging
• 🪲 Multiple bug fixes and performance optimization of the Analysis Env
• 📢 Support for sharing report access using a shareable link
• 📢 Add edit mode to vulnerabilities to change risk rating or mark as a false positive
• 🚀 Detection of new secrets keys and dangerous functions

• 📢 Release of Android and iOS application analysis environment
• 🚀 Analysis Env support for APK and IPA file listing with content access
• 🚀 Analysis Env support for Code highlighting for HTML, Javascript, XML, Java, C++
• 🚀 Analysis Env support for Binary plist extraction
• 🚀 Analysis Env support for Macho and ELF file disassembly and decompilation for ARM and ARM64
• 🚀 Analysis Env support for Macho and ELF string listing
• 🚀 Analysis Env support for DEX classes listing
• 🚀 Analysis Env support for DEX smali listing and java decompilation
• 🚀 Analysis Env support for Android resource extraction
• 🚀 Analysis Env support for Android manifest extraction
• 🚀 Analysis Env support for DEX, Macho, and ELF function call trace with full refs and xrefs generation
• 🚀 Analysis Env support for Dangerous functions tagging to identify security hotspots.
• 🚀 Analysis Env support for Contextual call trace generation.

• 📢 Release of continuous application monitoring from the store
• 🔍 Detection of weak Bluetooth connection
• 🔍 Detection of dynamic broadcast receiver with no permissions
• 📢 New Jenkins Plugin to integrate CI/CD pipelines with Ostorlab
• 💐 Email and UI notification to inform of key events (scan completion, password change ...)
• 💐 Expose API key generation and management from the UI

• 📢 Release of Ostorlab lighthouse continuously scanning public applications
• 📢 Release of Ostorlab VulnDB UI to access internal known vulnz database
• 💐 Vulnerability tagged as affecting security and privacy, security only or privacy only
• 🔍 Detection of several privacy settings in Android manifest
• 🔍 Detection of facebook SDK debug mode
• 🔍 Detection of GPS location tracking impacting privacy
• 🪲 Fix insufficient sink default taint and missing propagation for Array and Const

• 📢 Store search and scan feature
• 📢 Deep 3rd party dependencies fingerprinting
• 💐 Markdown vulnerability text and description support

• 📢 Extend 3rd party dependencies rules
• 🚀 Creation of database of unreported vulnerabilities

• 💐 Report libraries and 3rd party dependencies
• 🔍 Fingerprinting of Native Android libs, iOS Frameworks, Cordova plugins, Javascript libraries, Xamarin libs and OpenSSL
• 🚀 Vetted and enhanced vulnerability database with all the known vulnerabilities affecting libraries and 3rd party dependencies
• 🚀 Indexing support for Maven Jar and AAR, Cocoapod podspecs and NPM packages
• 🔍 Detect calls to dangerous Bluetooth API

• 📢 Exposure of CVSSv3 score
• 🤖 Alpha support for UI Automation rules
• 🎁 Add Xamarin decompiled source code to the list of artifacts
• 🔍 Detect of secrets (SSH Private Keys, Service Account, Slack Token, etc.)
• 🔍 Detect use of deprecated TLS protocols (SSLv2, SSLv3, TLSv1.0, TLSv1.1)

• 📊 Add generation of executive summary PDF report
• 📢 New Secure risk rating to denote secure implementation
• 📢 New Hardening risk rating to differentiate between actual vulnerability and missing hardening mechanism
• 📢 Add support for archiving scans
• 📢 Add support for exporting scans
• 🔍 Add detection of new sinks and sources leading to insecure file write, insecure TLS and command execution
• 🚀 Enhance performance of taint analysis and increase coverage
• 💐 Enhanced representation of taint information
• 💐 Enhanced representation of stack traces collected in dynamic analysis
• ⚠ Fix inconsistency in risk rating
• 🪲 Fix false positive in iOS detection for missing ARC and Stack Guard protections

• Support for streaming API to create and stops scans
• Subscription support
• New KB entry for Webview LoadURL injection
• Bug fixes to JDWP Hooking engine
• Dashboard update showing scan plan
• Support for stopping and archiving scans

• API for scheduling rules
• Migration to Kubernetes
• Initial support for streaming API to create scans

• API to manage Inventory (mobile apps, urls, domains, ...)
• UI to list, create and update Inventory and Assets
• CI/CD pipeline integration
• Deprecate old UIs

• Release of the alpha version of the new reporting front end
• API naming fixes
• Fix submission of the test credentials
• New Google Play client to support scanning from the Play Store directly
• Several New APIs move to GraphQL (Account and Password Management, Artifcats)
• Worker to handle long-running jobs (PDF generation and Scan Export)

• Progress on the new reporting front end
• Bug fixes in public website
• Simplified pagination support in all APIs
• Experimental API to create Web Scans

• Release of an open source Android application to benchmark vulnerability scanners
• Extensions to the GraphQL API adding support for pagination, vulnerability search and switch from passing applications in Base64 to multi-part support
• Progress on the new reporting front end

• Release of a new documentation website docs.ostorlab.co
• Release of a new website www.ostorlab.co using material design

• Major migration of all existing infra and data to the new backends.

• Infra refactoring into a micro-service architecture.
• Separation of user portal and public website to prepare moving to serverless.
• Separation of backend and add an orchestration backend to prepare moving from Swarm to k8s.

• Refactoring of API adding support for GraphQL.
• Migration of website, user portal and orchestrator to GraphQL.

• Extending vulnerability test bed.
• Add support for template injection of 4 new Java template engines.
• Add support detection of Ruby code injection.
• Add support detection of Node.js code injection.

• Multiple bug fixes and performance enhancements.
• Fix false positive detection of Template Injection.
• Add support detection of python code injection.
• Add support detection of pickle deserialization injection.

• Multiple bug fixes and performance enhancements.
• Enhance detection of XSS adding support for multiple callbacks vectors.

• New alpha system to detect vulnerabilities in backends from previously collected ones.
• Creation of a new vulnerability test bed.

• Add support for detection of stored XSS.
• Complete rework of the scan authentication module. It works well and sends fewer requests.
• Brand new subscription menu.
• Bug cleaning season.

• Add support for multi-step submitting of Forms.
• Enhancement to automatic detection of CSRF fields and auto-update of CSRF tokens.
• Alpha version of Fingerprinting agents.

• Major enhancement coverage of XSS contexts, long live Polyglot payloads.

• Enhance CSRF handling for web scanning.
• Add scan export and import feature for on-premise scanning support.
• Implementation of ADB Proxy agent for on-premise scanning support.
• Add collection of screenshots and logcat traffic during dynamic analysis.
• New security rules for Android Network Security Configuration.
• Fix false positives in Cryptography rules using static taint.
• Rework of all rules formatting.
• Fix PDF generation and add support for code highlighting.
• Add support for kown pathes crawling
• Add Artifact panel to store extracted source code, screenshots and traffic logs.
• Add Xamarin source code decompilation.
• Fix duplicate request testing by backend and XSS scanner.
• Initial work on CSRF token detection and generation for POST request fuzzing.
• Add support for inserting payloads in sub-pathes.

• Extensive bug fixes month of all core components.
• Enhance testability of the scanning engine.
• Enhance reporting features.

• Enhanced detection of template injection vulnerabilities.
• New scanner for detecting XSS vulnerabilities.
• Ehanced supported for nested serialization formats.
• Major rework for scan scheduling engine for increased scalability.

• New backend scanning engine with beta support for SQL injection and XXE
• Adding beta support for crawling of HTML content.

• Bumping free scanner coverage limit from 100 to 300.
• New detector for encrypted IPA.
• Fix false positive in dynamic rules detecting weak encryption.

• Porting LLDB for iOS to work on Linux.
• New backend scan engine.
• New experimental crawler.

• Adding Support for authenticated scan.
• Final version of Java hook engine with stack trace support and full context inspection.
• Major enhancement to the taint engine reducing false positives.
• Multiple bug fixes affecting PDF generation and false positive declaration.
• Adding feature to report false positives and remove them from the final report.
• Multiple new dynamic rules to trace sensitive function call.
• New agent to detect sensitive material files, like private encryption keys.

• Surface static taint analysis coverage in the scan report.

• Unsafe Transport App Security settings in iOS apps are reported as vulnerabilities.
• Performance enhancement for the support of large multidex files.
• Bug fix in method xref for multidex files.
• Enhance vulnerability de-duplication.
• Multiple bug fixes for iOS scan rules.

• Advanced option to detect weak files permission for both Android and iOS. (OWASP Mobile Top 10 - M2)
• Advanced option to detect Personal Identifiable Information (PII) leakage for both Android and iOS. (OWASP Mobile Top 10 - M2)
• Advanced option to detect clear-text traffic for both Android and iOS. (OWASP Mobile Top 10 - M3)
• Advanced option to detect insecure TLS/SSL validation for both Android and iOS. (OWASP Mobile Top 10 - M3)
• Advanced option to support iOS call to weak Cryptographic API. (OWASP Mobile Top 10 - M5)
• Advanced option to support download PDF report.

• Stabilizing unlimited scan feature with bug fixes.
• Correction of false positives in Insecure Encryption Mode.
• Correction of false positives in ASLR detection for iOS Apps.
• Move to a clustered architecture to support increase scan load.
• Final version to support dedicated unlimited scans.

• New feature to support dedicated scans.
• Tweaks and updates to the user interface to support fast uploading.

• New backend system to support the increased load.
• Major code refactoring of all agents to support the new backend system.
• Multiple bug fixes.

• New static taint engine for Android Bytecode.
• Multiple bug fixes and performance tweaks.