Changelog

Stay up-to-date with the latest updates and enhancements! Explore our Changelog to stay informed about all the exciting changes we've made.

~ pip install -U ostorlab

~ oxoauth login

~ oxoscan run --install --agent agent/ostorlab/dast ipa myapple.ipa

🍏 Scan created successfully

~ oxoscan list

mdi-source-commit

iOS TestFlight scan, Slack Integrations and other improvements

Mon 10 June 2024

This update introduces support for scanning apps using iOS TestFlight, Slack Integrations, support for scanning web apps with an SBOM, and other improvements.

πŸ›‘οΈ Scanning

  • Added support for iOS TestFlight.
    iOS TestFlight
    Ability to scan iOS apps using TestFlight
  • Added support for SBOM to web scans for extended dependency detection.
    Web Scan SBOM
    Web scan with an optional SBOM

πŸ“„ CI/CD Integrations

  • Added integration of Slack for ticket notifications. See the documentation on how to configure the integration.
    Slack Integration

πŸ› οΈ Remediation

  • Show tickets linked to vulnerabilities in the scan page, with support for filtering the tickets by risk rating.
    Vulnerability tickets
    List of vulnerabilities with their related tickets
  • Added support for configuring automation rules to change the priority of the selected tickets to the specified value.
    Automation Rules - Ticket Priority
    Automation Rule to change the ticket priority
  • Added ticket link to the Jira integration report.

πŸ“¦ Detection

  • Improved detection of Amazon secrets.
  • Added detection for CVE-2024-24919, CVE-2024-23917, CVE-2024-27348, CVE-2024-4956, CVE-2021-40655, CVE-2024-29895, CVE-2024-4956, and CVE-2023-43208.

🐞 Bug Fixes & Improvements

  • Reduced the loading time of the scan page by over 93%.
mdi-source-commit

Integrations, Dynamic analysis improvements, and a new standard support

Mon 27 May 2024

This update introduces multiple new integrations with CI/CD pipelines, improvements to dynamic traces interception & analysis, support for the MASVS standard, and many bug fixes.

πŸ“„ CI/CD Integrations

  • Add integration of TeamCity CI/CD pipelines for automated scanning.
    TeamCity integration
  • Add integration of GoCD build processes.
    GoCD integration

πŸ€– Dynamic traces interception & analysis

  • Add extraction of Dictionary arguments of Objective-C methods, this allows for improved detection of numerous vulnerabilities, like insecure data storage.
  • Add support for dynamic instrumentation of Objective-C static methods, this improves the detection of over 250 rules.
  • Add extraction & analysis of sockaddr C-structures to extract IP address and port.

sockaddr extraction

πŸ“‘ MASVS v2.0.0 standard

  • MASV 2.0 is here, Ostorlab has support for it :+1:

OWASP MASVS-v2

πŸ› οΈ Remediation

  • Added a due date field to the tickets and the ability to re-open all exception tickets after that period.
  • Added a finished time field to the scan API.

🐞 Misc & Bug Fixes

  • Fixed Tree-Like representation of organisations on the plans page.
    orgs-tree
  • Fixed social authentication username conflict.
mdi-source-commit

Discovery of hidden web paths, detection of libwebp vulnerability, and new CVE detections.

Mon 06 May 2024

This update adds the discovery of hidden web paths, detection of libwebp vulnerability, and new CVE detections.

πŸ€– Open Source

OXO version 1.0 was released. It is 10x times faster, supports ARM64 architectures, and is packed with improved capabilities like scanning multiple assets, simpler and powerful CLI.

  • Start a scan is now x10 times faster: In previous versions, starting a scan took almost 3 minutes. With OXO v1, it is now 10 times faster, starting a scan in just 16.5 seconds.
  • Standalone Binary: OXO is now available as a standalone binary for macOS, Linux, and Windows.
  • Support for macOS and ARM64 architecture for agents: If you're a macOS user with an ARM64 processor, we've got some great news for you! OXO can now support ARM64 agents natively.
  • Scan an Inventory file: OXO added scanning multiple assets using an asset definition YAML file. This gives you the possibility to scan a large number of different types of assets at the same time.
  • Friendlier CLI: As of OXO version 1, you can now specify the agent key in a concise way when running scans. Instead of using the full agent key, you can use the shorthand <org>@<name> format.
  • New Documentation Website: OXO now has its dedicated documentation website, packed with tutorials and numerous examples.
  • Agent Store: OXO now has a public agent store. You can publish your agent to the OXO store by simply following this tutorial.
  • Follow scan progress by Default: Starting from the version v1, --follow is the default mode when you start a scan. OXO will keep you updated on the scan's progress.
  • Pass Arguments to agents directly from the CLI: Agents can be fine-tuned using arguments which give you more control and flexibility. Passing arguments is now available throughout the CLI.
  • Add the ability to persist messages: You can now persist any type of message you wish, such as IP, domain, link, and exposed services through the new OXO Open Source agent Nebula.

To read more about OXO v1.0, read the full blog post.

πŸ“¦ Detection

  • Added discovery of hidden web paths in agent hubble using Google Search and Wayback.
  • Added detection of libwebp vulnerability.
  • Added detection for CVE-2024-4040, CVE-2024-31461, CVE-2024-2389, CVE-2024-32764, CVE-2024-27956, CVE-2024-28890, CVE-2024-28255, and CVE-2024-26331.

🐞 Bug Fixes & Small improvements

  • Fixed bug with CSV import of IPs not updating existing IP assets.
  • Fixed bug with Jira Sync Fields.
mdi-source-commit

Better UI, more concise scan report, improved detection of insecure webview usage, and multiple bug fixes.

Tue 23 April 2024

This update improves the user interface of the platform, adds new detection for Webview-related vulnerabilities, and ships multiple bug fixes.

πŸ“¦ Detection

  • Added detection for CVE-2023-50969, CVE-2024-2879, CVE-2024-3273, CVE-2024-29269, CVE-2024-3400, and CVE-2023-24955.
  • Added detection capabilities to identify insecure Webview practices in iOS applications.
  • Added a concise and relevant detection for the use of dangerous deprecated APIs.

πŸ› οΈ Platform Improvements

  • Added Compact view to the call coverage:
    compact_callcoverage.png
  • Added the ability to specify relevant standards when generating scan reports:
    standars_pdf.png
  • Improvement to the graph node appearance:
    graph_appearance.png
  • Added the ability to search by Objective-C runtime in the ide:
    objc_runtime_filter.png
  • Added filtering for potential nodes:

🐞 Bug Fixes & Small improvements

  • Defaulting new user role to Reader instead of the more privileged User. The change affects SSO / SAML access configuration and UI default.
  • Improve OXO usage documentation.
mdi-source-commit

Objetive C instrumentation, detection of insecure data storage, Regex DoS, and multiple bug fixes.

Mon 15 April 2024

This update significantly improves objective-C instrumentation, adds new detection for insecure data storage and Regex DoS, and ships multiple bug fixes.

πŸ“¦ Detection & Knowledge Base

  • Improve dynamic instrumentation for objective-C and persist collected stack traces in the Analysis Dynamic section.
  • Added detection capabilities to identify insecure data storage practices in iOS applications. This includes identifying the use of potentially vulnerable storage mechanisms such as UserDefaults and UIPasteboard.
  • Added detection for Regular Expression Denial of Service (ReDoS) vulnerabilities. This new feature identifies sinks that use user input to create regular expressions, which can lead to potential ReDoS attacks.
  • Refined all KB recommendations to be actionable, so now we have a step-by-step process to solve vulnerabilities.
    refined_kbs.png

Frontend Enhancement

  • Added table of contents to Blogs:
    table_of_content.png
  • Added highlighting to the Tips section:
    tips_highlighting.png
  • Added a button to download all PCAP files at once as a ZIP archive:
    download_all_pcaps.png
  • Show graph edge & node labels in a card:
    graph_edge_card.png

🐞 Bug Fixes

  • Fixed the generation of rules for iOS to take init function into consideration.
mdi-source-commit

Detection of Apple's Privacy Manifest, liblzma backdoor, and Attack Surface fixes.

Mon 01 April 2024

This update introduces fixes for the Attack Surface, detection for the liblzma backdoor, and a public store for agents.

πŸ“¦ Detection

  • Added detection for Apple's Privacy Manifest files. A Privacy Manifest describes the data an app or third-party SDK collects and the reasons required APIs it uses. Developers are required to include it in their apps before May 1st, 2024. The detection rule checks that apps are compliant with the new requirement, and whether their implementation is secure or not.
  • Added detection for Django DEBUG mode enabled.
  • Added detection for leaking secrets in Web Apps.
  • Added detection for liblzma backdoor.
  • Added detection for CVE-2023-48788, CVE-2021-44529, CVE-2019-7256, CVE-2022-20767, CVE-2022-0412, and CVE-2024-1212.
  • Improved detection for Personally Identifiable Information (PII). The rule now detects way more vulnerable methods that leak PII data. PII leaking is now also done using a static rule.
  • Improved detection for Mixed content WebView settings by analyzing and detecting more dangerous WebView settings.

πŸ€– Open Source

🐞 Bug Fixes

  • Fixed confirming assets defaulting to red as the custom color.
  • Fixed Android and iOS search filters not working for potential assets.
  • Fixed the CVE matcher DNA to take into account the latest CVEs.
mdi-source-commit

Addition of CSS Injection Detection, ARM64 support, and migration of Agent's Docker Images.

Mon 25 March 2024

This update introduces fixes for the Attack Surface, migration of Agent's Docker Images to Docker Hub, enhanced detection capabilities for vulnerabilities, and support for ARM64 architecture in OSS.

πŸ•ΈοΈ Attack Surface

  • Addressed issue with Attack Surface creating non-confirmed assets from detected vulnerabilities. Users now have the ability to only collect metrics of confirmed and maintained attack surface assets without issues related to non-validated assets from scans.

πŸ› οΈ Infrastructure

  • Migrated Agent's Docker Images to Docker Hub for improved visibility and speed into open-source OXO agents.

πŸ“¦ Detection

  • Added detection for aiohttp path traversal vulnerability actively getting exploited.
  • Added detection of CSS injection vulnerabilities leading to application takeover, keylogging and defacement.

πŸ€– Open Source

  • Added support for ARM64 architecture, enabling running the venerable OXO on Mac Machines with native speed.
mdi-source-commit

Exposed Scan PCAP and JIRA custom Mapping

Mon 18 March 2024

This update introduces a series of new features related to the IDE, Jira integration, OXO, and many improvements to the platform.

πŸ“„ PCAP files exposed in the IDE.

  • Designed for security teams looking to push the analysis even deeper, now you can download all raw PCAP for your mobile full scan.
    PCAP files

πŸ€– Open Source

  • Binaries for the OXO scanning orchestrator are available with every new release for Ubuntu, macOS, and Windows.

    OXO Binaries

  • Added agent key shortcuts: Instead of

oxo scan run --agent agent/ostorlab/nmap ip 8.8.8.8

You can now simply run:

oxo scan run --agent nmap ip 8.8.8.8

Or

oxo scan run --agent @your-org/nmap ip 8.8.8.8
  • Added support for scanning Network ranges and IP addresses in the cloud runtime.
oxo scan --runtime=cloud run -g network_agent_group.yaml ip  8.8.8.8/30

πŸ“‘ Jira custom fields mapping

  • If you have Jira integration enabled on Ostorlab, you can now map custom fields from your tickets with Ostorlab fields.
    Custom mapping
  • Syncing the fields and values can be done from your JIRA project to Ostorlab and vice-versa.

πŸ•ΈοΈ Attack surface refinements

  • Added ability to edit potential nodes, specifying a custom potential owner.

πŸ”¬ XSS detection

  • Improvements to postMessage XSS detection, adding detection of XSS in complex data objects.

🐞 Bug Fixes

  • Fixed segregation and excluded unreliable rules in the VirusTotal agent.
  • Addressed ecosystem confusion for outdated dependencies detection.
mdi-source-commit

Enhancements to the Open Source CLI, Platform, and Detection.

Mon 11 March 2024

This update introduces various improvements to the XSS scanner, the functionality of the open-source CLI, and monitoring rule creation.

πŸ› οΈ Platform Improvements

  • Restructured the new monitoring rule flow to be more user-friendly and intuitive.
    Preview of New monitoring flow

πŸ“¦ Detection & Knowledge Base

  • Added detection for Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability.
  • Improve XSS Agent to detect PostMessage-based XSS.

πŸ€– Open Source

  • Ship the first version of Nebula Agent for persisting messages locally.
  • Added support for primitive arguments of agents in CLI scan run. You can pass arguments using the --arg flag, e.g.:
oxo scan run --agent agent/ostorlab/nmap --follow agent/ostorlab/nmap --arg fast_mode:False ip 8.8.8.8

This command will initiate a scan using the Nmap agent with the fast_mode argument set to False:

Preview of an oxo scan with agent arguments

mdi-source-commit

Attack Surface, Remediation, Automation Rules, and Detection improvements

Mon 04 March 2024

This update introduce a series of updates aimed at enhancing user experience, platform improvements, and bug fixes across various features.

πŸ•ΈοΈ Attack Surface & Inventory Improvements

  • Users can now export inventory assets to a CSV file for easier data manipulation and analysis.
    Export assets
  • The asset owner field is now pre-populated when editing one or more assets as well as when confirming potential nodes.
  • Fixed a bug where assigning attack surface owners to an attack surface auditor failed when users created a new owner within the modal.

πŸ“„ Remediation Enhancements

  • Regular expressions are now supported for filtering data in Remediation, Inventory, and Attack Surface, allowing for more granular searches.
  • Fixed exclusion filter functionality for assigned and self-reported tickets.
  • Fixed ticket metrics to be based on closed time rather than modified time.
  • Users can now open created tickets in new tabs when using the "Save & Add Another" feature for convenient access.

βš™οΈ Automation Rules Updates

  • Introducing a new automation rule action enabling the deletion of tags assigned to selected tickets or assets, enhancing customization and control.
  • You can now see a list of items a new rule will apply to before creating the rule.
    Preview list of items new rule applies to

πŸ›‘οΈ Scan Enhancements

  • Fixed an issue with multiple downloads of exported scans.
  • Mobile scan summaries now display IP addresses within the preview of backend links for better context.
    Scan summary backend IPs

πŸ“¦ Detection & Knowledge Base

  • Added detection for Insecure Storage vulnerabilities in mobile applications.
  • Enhanced descriptions and recommendations for Personally Identifiable Information (PII) vulnerabilities, complete with insightful code snippets.
  • Detections for HTML injection and dynamic code loading have also been refined for increased accuracy.

πŸ€– Open Source

  • Added support for scanning a list of assets using a Yaml asset definition file. You can pass an asset definition file using the -a flag, e.g:
oxo scan run --install -g agent_group.yaml -a assets_group.yaml

OXO target group definition
- Fixed a bug related to the download progress while installing agents. The bug was a KeyError which usually occurred due to network issues when installing agents. Because of the bug, agent installation would sometimes fail. The error is now gracefully handled so that agent installation does not fail.

πŸ—οΈ Improved API Keys page

The API keys page has been redesigned for ease of use.

mdi-source-commit

OXO Open-Source Improving

Mon 26 February 2024

OXO Open-Source Improving

OXO open-source is coming with new features and enhancements to facilitate its usage:

Enhanced Message Specification in Agent Groups :

  • Users can now specify the source of messages within an agent group.
  • Users now have the ability to specify the in_selector within the agent group definition. This feature overrides the default configuration set in the agent YAML file, providing more flexibility and customization.
    Choose accepted agent
  • Search by Risk Rating : Users can now search for vulnerabilities based on specific risk ratings or a combination of multiple risk ratings.
    Search with keywords
  • Keywords search in different fields : Users can now search for findings that contain a specific text.
    Search with risk_rating

Performance Enhancement :

  • By reducing the health check interval for agents and optimizing the scaling process, users can now experience faster startup and execution times, significantly improving the overall efficiency of OXO open-source.

Security Enhancements

  • Enhance the detection capabilities for path traversal vulnerabilities.
  • Refine the detection mechanisms for improved identification of intent redirection vulnerabilities.
mdi-source-commit

Test Credential Name

Mon 19 February 2024

Test Credential Name

Users can now assign a custom name/label to their test credentials for improved organization and identification. With the help of this optional name/label, users can quickly recognize and manage their test credentials and differentiate between different test configurations.

Test credential name

mdi-source-commit

Attack Surface Discovery paths

Fri 16 February 2024

Attack Surface Discovery Paths

The latest update incorporates attack surface discovery paths, offering detailed insights into how assets were discovered. This addition helps understand from which asset(s) a particular asset came from.

The attack surface discovery path of an asset can be viewed from the asset details page by going to the Inventory and then clicking on the asset.

Attack Surface Discovery Path

The discovery path can also be seen from the discovery page and left-clicking on the asset in the graph.

Attack Surface Discovery Path Menu

Graph Edge Attributes

Graph edges now show attributes, facilitating a clearer understanding of the relationships between nodes. This is helpful when you want to know which tool discovered the node, when the node was discovered, when it was last 'seen', etc.

Attack Surface graph edges attributes

These updates collectively contribute to a deeper comprehension of the attack surface discovery.

mdi-source-commit

IAM, XSS and over 1000 new dynamic rules.

Mon 12 February 2024

πŸ› οΈ Enhanced Dynamic Analysis

Over the past month, significant advancements have been made in dynamic analysis. We've expanded our capabilities to include instrumentation support for Java, Kotlin, Swift, and Dart πŸš€. We've also enhanced our detection mechanisms, identifying over 1,365 new vulnerable patterns in Swift and 846 in Dart.

HTTP Folders

πŸ—οΈ Refined IAM Management

We've fine-tuned IAM management by introducing two new roles: Reader, offering read-only access, and Attack Surface Auditor, designated for conducting thorough audits of the attack surface. This update ensures more tailored and secure access management.

HTTP Folders

πŸ” More Detailed Attack Surface Insights

The Attack Surface feature now provides more detailed access control, tailored per Owner. This update enhances both the precision of discovered asset recommendations and the specificity of access rights, ensuring a more secure and efficient management of assets.

HTTP Folders

πŸ›‘οΈ Enhanced XSS Detection Capabilities

Our XSS Detection capabilities have undergone a significant overhaul, leading to better detection rates and broader coverage. We've added several new payloads and re-engineered our approach to authenticated testing, greatly enhancing the robustness of authentication during tests.

πŸ“¦ Advanced Vulnerable Dependency Detection

We've improved the correlation between application fingerprints and known vulnerabilities searches. This enhancement has led to the detection of over 150% more new packages across various frameworks and languages, significantly boosting our ability to identify and mitigate vulnerabilities.

🐞 Bug Fixes

  • Resolved an issue causing errors in the detection of source map code leaks.
  • Fixed an error encountered when evaluating IP reputation.
  • Addressed a bug that prevented the crawler from collecting request and response headers.
  • Improved handling of large arguments collected during dynamic analysis.
  • Corrected an issue with XSS tab timeouts, ensuring no findings are missed.
  • Updated and clarified descriptions in our knowledge base entries.
  • Fixed CSV validation errors during asset imports.
  • Enhanced the computation of vulnerability DNA in the XSS Agent for more accurate detection.
mdi-source-commit

Support for Basic Authentication, HTTP folders and other improvements

Tue 16 January 2024

HTTP Folders

Introducing HTTP Folders, a new way to navigate your app communication. Easily navigate domains and subdomains for a clear view of requests and responses, gaining valuable insights with streamlined visibility. You can see your app's HTTP folders in the IDE section of your scan report.

HTTP Folders

  • ℹ️ Detailed Information: Each HTTP folder includes detailed information such as the domain, subdomain, and a list of requests and responses.
  • πŸ” Search and Filter: Easily search and filter HTTP folders based on domain, subdomain, or specific requests, facilitating efficient monitoring and analysis.

Basic Authentication

Ostorlab now supports Basic Authentication in Web scans. Test applications seamlessly with Basic Authentication or Composed Authentication (Form-based or Script-based), enabling a more wide-ranging scan.

  • πŸ”’ Various Authentication Methods: Unlock a spectrum of testing possibilities with support for Basic and Composed Authentication.
  • 🌐 Expanded Testing Scope: Ensure wider coverage of your application testing.

Attack Surface Enhancement

We've enhanced the Attack Surface section to streamline navigation. Introducing the new "Nodes" tab, it provides a comprehensive list of all nodes in your attack surface graph, along with a summary of their properties, including type and ownership. You can see your Attack Surface "Nodes" in the Attack Surface section.

Attack Surface

We've made an enhancement to the Stack Traces search in the Dynamic tab of the IDE section. Now, you can conveniently search stack traces by Runtime type, including Flutter, C, Dex, or Swift.

Stack Traces

mdi-source-commit

Introduction of a comprehensive audit logging system

Mon 20 November 2023

Audit Logs

Introducing a comprehensive audit logging system. This new feature allows organization admins to track and monitor various activities and changes within the organization, providing enhanced visibility into user actions. You can see your organization's audit logs in the Audit Logs section of the Library.

Audit Logs

  • πŸ“œ Audit Actions: Auditing a wide range of actions, including user logins, data modifications, configuration changes, and more.
  • πŸ•¦ User Activity Tracking: Recording user interactions to assist in maintaining accountability and security.
  • ℹ️ Detailed Information: Each audit log entry includes detailed information such as the user responsible, timestamp, and a description of the specific action taken.
  • πŸ” Search and Filter: Easily search and filter audit logs based on user, date, or specific activities, facilitating efficient monitoring and analysis.
mdi-source-commit

Support for Bitbucket CI/CD integration, IDE Enhancements

Tue 14 November 2023

Bitbucket CI/CD Integration

Seamlessly integrate Ostorlab security scanning into your CI/CD pipelines. Get started with our documentation.

πŸ” IDE & Security Improvements

  • πŸ“„ Mobile scan logs displayed directly in the IDE.
    IdeLogs
  • ⚑ Faster and more responsive IDE.
  • 🚫 Critical risk rating added.

    Critical-risk-rating

  • 🌐 Reputation report for IP/domains.

  • Detect Oauth account takeover from config files
  • Not aggregate exception and false positive tickets.

🎨 UI Enhancements & Fixes

  • πŸ› οΈ Fix scan summaries for shared scans.
  • πŸ–₯️ Distinguish between store and file targets in remediation sections: Scan from the store and file scans are now aggregated separately. This allows you to distinguish between the two types of scans in the remediation section.
  • ⚑ Faster ticket page loading.
  • Possibility to add titles when creating scans.
    Critical-risk-rating
  • New scan events in the ticket page.
  • Support for SVG images in organization images.
  • In the subscription page: show tag Canceled only if the plan is active.
  • When exiting the ticket page in edit mode, a prompt is displayed to save the modifications.
  • Rework the organisation settings page.
  • Add bulk delete for test credentials.
  • Add the ability to disable email notifications.
  • Improved function signature presentation with parameter name and type.

πŸ” Open Source Updates

  • Improved handling of connection issues during agent initiation.
  • Improve presentation risk ratings in CLI.
mdi-source-commit

Security Enhancements, Compliance Mapping, and User Experience Upgrades

Fri 13 October 2023

πŸ” Security Enhancements:

  • πŸ›‘οΈ Enhanced URL injection detection, added OAuth account takeover detection, and source map leak prevention, with improved dependency confusion vulnerability detection.
  • 🌐 PCI and GDPR Compliance Standard Mapping.
  • πŸ“Š Separated findings between store and file scans for clearer reporting.
  • 🚫 Enhanced CVE vulnerability reporting.

πŸš€ User Experience Improvements:

  • πŸ“„ Improved PDF reports with enhanced graphics and summaries.
  • ⚑ Achieved a 10x speedup in secret detection for faster scans.
  • πŸ–₯️ Introduced a new ticket/remediation UI for better usability and common actions.
  • πŸ” Enhanced scan search functionality for easier information retrieval.
mdi-source-commit

Support for SBOM scan in Circleci, AzureDevOps and GitHub pipelines & support for Multi-SBOM scanning

Tue 29 August 2023

Added support for multi-SBOM Scanning and the ability to scan SBOM files through CI/CD integrations.

πŸ“’ CI/CD support SBOM

πŸ”„πŸ› οΈ ️Now it's possible to run the scan for SBOM files through the ostorlab CI/CD integrations, for more info refer to Github Integration, Azure-Devops Integration, CircleCi Integration

CircleCi

πŸ“’ Multi-SBOM

Multi-Sbom

Ostorlab now supports the simultaneous scanning of multiple Software Bill of Materials (SBOM) files πŸ“πŸ“ Documentation.

mdi-source-commit

PDF report items filtering by both risk rating and ticket status

Wed 09 August 2023

Ostorlab now supports filtering PDF report items by both risk rating and ticket status.

Modal to filter PDF report items by both risk rating and ticket status

Ticket statuses are now also included in the report for better understanding:

PDF report showing both risk rating and ticket status

mdi-source-commit

August Fix-it!

Tue 08 August 2023

During our recent Fix-It Week πŸ› οΈπŸ˜ƒ, our dedicated team put in a tremendous effort to address and resolve over 107 issues affecting our systems. This action-packed week led to numerous improvements in functionality, stability, and security across various components of our application. πŸš€πŸ”§πŸ”’ Below is a highlight of the most notable fixes: πŸ“‹πŸ”

Security:

  • Improve brute force attack detection and remediation, particularly credential stuffing πŸ”πŸ’ͺ
  • Improve XSS handling of form input fuzzing πŸ›‘οΈπŸ”
  • Improve description and recommendation of several common vulnerabilities πŸ“πŸ”’
  • Improve fingerprint detection of Xamarin dependencies πŸ§πŸ”

Attack Surface:

  • Improve handling of edge case TLD values πŸ”„πŸ”

UI:

  • Add item filtering in the ticket edit mode πŸ”πŸŽ«
  • UI improvements 🎨✨

Production:

  • Series of bug fixes, dead code deletion, and version upgrades, some with their fair share of breakages, pain, sweat, and tears πŸ˜…πŸš‘πŸ”§
  • Add support for download geofencing in more countries 🌍πŸ“₯πŸ”’

Monkey Tester:

  • Address navigation issues in some edge cases using image detection and OCR reading πŸ’πŸ”πŸ“–

Jira:

  • Updated Jira Projects API to fetch projects in real mode πŸ“ŠπŸ”„
  • Add backporting of tickets in case Jira project settings are changed ↩️🎫

Mobile: * Support for Different Regions in iOS Downloader: Added support for downloading iOS applications in Japan, Russia, UK, Germany, and China πŸŒπŸ“±πŸ‡―πŸ‡΅πŸ‡·πŸ‡ΊπŸ‡¬πŸ‡§πŸ‡©πŸ‡ͺπŸ‡¨πŸ‡³.

mdi-source-commit

Extended Dependency Detection

Tue 18 July 2023

We are excited to announce that Ostorlab now supports uploading an SBOM or Lockfile for extended dependency detection.

Create a scan with an SBOM or Lockfile

Supported Files

The platform supports an extensive list of SBOM and Lockfiles.

  • SPDX
  • CycloneDX
  • gradle.lockfile
  • pubspec.lock
  • buildscript-gradle.lockfile
  • pnpm-lock.yaml
  • package-lock.json
  • packages.lock.json
  • pom.xml
  • Gemfile.lock
  • yarn.lock
  • Cargo.lock
  • composer.lock
  • conan.lock
  • mix.lock
  • go.mod
  • requirements.txt
  • Pipfile.lock
  • poetry.lock

To get started, refer to the detailed steps provided in our integration documentation here.

mdi-source-commit

CircleCI and AppCenter CI/CD integrations

Tue 11 July 2023

We are excited to announce the addition of CircleCI and AppCenter CI/CD integrations.

πŸ“’ Circleci

With CircleCI orb, you can integrate security scanning into your deployment pipeline. With this integration, you can enhance the security of your applications during the deployment process.

CircleCi

To get started, refer to the detailed steps provided in our integration documentation here.

πŸ“’ AppCenter

With AppCenter integration, you are able to incorporate Ostorlab security scanning into your CI/CD pipelines.

CircleCi

For more information and instructions, please refer to the documentation here.

mdi-source-commit

New Features & Fixes in July 2023

Sat 01 July 2023

We're excited to announce a series of updates and improvements designed to enhance your experience and security. Here's what's new:

πŸ” Security Enhancements

  • Added over 200 Flutter-specific detection rules for increased vulnerability spotting.🎯
  • Improved vulnerability entries for various issues, including template injection, XML injection, ZIP path traversal, and more.πŸ”§
  • Addressed insecure biometric authentication and client-side XSS among new vulnerabilities.πŸ›‘οΈ
  • Launched an open-source Flutter vulnerable module for community contribution.πŸš€
  • Rolled out a detection feature for Facebook insecure devsettings.πŸ”
  • Minor bug fixes and improvements in our PDF generation process.πŸ“

πŸ”„ Authentication Improvements

  • Social authentication now supports Google and Github providers, allowing for seamless and secure sign-in experiences.πŸ”‘

🧠 AI and Analysis Updates

  • Introduced an AI Enhanced summary and recommendation system for better decision-making.πŸ€–
  • Added dynamic call listing to the analysis environment, allowing for more comprehensive exploration.πŸ”Ž
  • Deprecated some iOS findings for more accurate results.❌

πŸ–₯️ UI & UX Upgrades

  • Revamped the notification UI for a more streamlined user experience.πŸ””
  • Added ticket count in the remediation menu for better task management.πŸ“Š
  • Rolled out duration-based search filters to refine your search results.⏱️
  • Slots counts are now visible on the payment page for improved transparency.πŸ’³
  • We've also given our blog a fresh, new look!🌐

🀝 Integration and Support

  • Minor bug fixes in Jira integration support for smoother collaboration.πŸ”§
  • Improved geofencing support for several countries, including India and UK.🌍
  • Bettered Monkey Tester support for Webview based navigation on both Android and iOS platforms.πŸ“±

πŸ› Bug Fixes & Open-Source Contributions

  • Fixed bugs in AAB file support for a smoother app experience.πŸ› οΈ
  • Fixed multiple issues in open-source agents like Truffle Hog and Semgrep.🐞
  • Released an open-source OSV agent for broader community collaboration.πŸ‘₯
  • Addressed minor bugs to improve Automation Rules functioning.πŸ”„
mdi-source-commit

Enhanced Security Features, New Automation Rules, and Flexible Yearly Plans for Improved User Experience

Mon 01 May 2023

Our latest release is packed with numerous enhancements, designed to elevate your security experience with Ostorlab. From attack surface discovery to vulnerability detection and reporting, we have made significant strides to make your security journey smoother than ever before.

Here are some of the highlights of our latest release:

  • Faster and easier navigation of artifacts and scan coverage;
  • Weekly reporting that provides valuable insights into trends and patterns;
  • Export button to CSV from both scan and tickets menus for enhanced convenience;
  • Over 50 new vulnerability detections, further improving the quality of our security assessments;
  • Improved SMS 2-FA based authentication, providing an added layer of security;
  • Extraction of dynamic routing from popular web frameworks like Next.js and Nuxt.js, helping you identify potential vulnerabilities in your web applications more efficiently.

New Automation Rules

We are excited to announce the release of our new automation rules features, designed to streamline your workflow and simplify your security management. With these new features, you can now automatically assign owners, set tags, send email notifications, and more.

Here are a few examples of how the new automation rules can come in handy:

  • Automatically assign vulnerabilities to a user for remediation;
  • Confirm discovered assets and assign an owner automatically;
  • Apply specific tags to assets that match certain filters;
  • Receive email notifications when assets match a specific pattern, such as when a potential service has SSH exposed on a non-default port.

Flexible Yearly Plans: Use Your Testing Slots Anytime, Anywhere

We are thrilled to announce that we have made some significant changes to our yearly plans based on your feedback. One of the most requested features from our users has been the ability to adjust the usage of their yearly plans to meet spikes in testing needs, without losing testing slots during periods of inactivity or development.

We are delighted to inform you that we have taken note of your feedback, and have made necessary adjustments to our yearly plans, allowing access to all testing slots at any time. Additionally, you can now rest easy knowing that unused testing slots will not be lost during a particular month.

These updates are already available to our existing users with an active plan, and for those who wish to subscribe to a yearly plan.

We hope these changes will enable you to maximize the value of our service and meet your testing requirements without any hassle.

mdi-source-commit

Enhanced Attack Surface Detection: Introducing Faster Scans, Mobile App Attack Surface, and Improved Navigation Features

Sat 01 April 2023

Attack Surface Enhancements

We've made a long list of changes to improve the experience of detecting and navigating your attack surface.

Here are just some of the cool new features:

  • Narrow down on any asset using the filter button and access its direct asset connections or even its 2nd and 3rd connections. This feature helps us understand how the attack surface discovery detects new assets. A great example is a user with his work email registering multiple new domains that weren't tracked anywhere before. You know yourself, John from Marketing πŸ™‚.
  • Addition of powerful new search features like searching by multiple ownership types or excluding assets matching a search pattern.
  • Convenient quick action buttons to trigger a scan or add a monitoring rule. If you are curious about that asset's vulnerabilities, just hit "Quick Scan".
  • Bulk asset import makes it a breeze to add many assets by simply uploading a CSV file.
  • Access asset data directly from the attack surface graph with information such as DNS Records, open services, used libraries, Whois data, in-use certificates, and much more.

A deeper look at your Mobile Applications Attack Surface.

Attack surface is not just about domain names and IP addresses, especially if you are a mobile-first company.

Ostorlab’s attack surface now detects and tracks mobile applications' attack surface, be it what is the app exposing, what dangerous features is it using, what libraries are used and most importantly tracking their changes and when they are changed. It will even list all backend systems and indicate their geographical location.

Mobile Scan Summary

Our latest work includes a new scan insights feature with a summary of scan reports and actionable feedback on how to improve the security of your app. Augmented with attack surface data, the report provides useful insight into the impact of the identified issues.

Faster Scans 🏎🏎🏎

If you have been using the platform for a while, you might have noticed that scans run faster, much faster. This has required a substantial amount of engineering effort to increase speed without sacrificing quality. This is only the first step toward achieving a full scan completion in under an hour which we aim to achieve before the end of this year.

mdi-source-commit

Improved automation rules, export options, UI, and support.

Wed 01 March 2023
  • πŸ†• Release of new automation rules to auto-assign owners, set tag, notify results, etc.
  • πŸ†• Added new export options to CSV and a copy of ticket.
  • ⬆ Improved the UI of the attack surface adding search capabilities.
  • πŸ†• Added details to the Plans page on exact history usage.
  • ⬆ Improved the speed and UI of scan artifacts and call coverage.
  • πŸ†• Added Jenkins support for remote build nodes.
  • πŸ†• Released weekly organisation summary email with collection of last scans, last findings and items requiring attention.
  • πŸ†• Added ability to save searches.
  • πŸ› Multiple fixes to Jira ticket creation.
  • ⬆ Added new search to the monitoring page.
  • πŸ› Fixed handling of XAPK files.
  • πŸ†• Add scan summary new feature to the PDF reports.
  • ⬆ Improved coverage of Web Authentication recorder to support new cases.
  • πŸ†• Added support in the crawler for path extraction of dynamically routed web frameworks like Next.js and Nuxt.js.
  • πŸ†• Release of new open-source agent for trufflehog.
  • πŸ†• Added Wireguard VPN support to several open-source agents like nmap, tsunami, nuclei ...
  • πŸ†• Improve Monkey tester support for SMS based 2-FA .
  • ⬆ Improved reporting of public firebase databases.
  • ⬆ Added detection of insecure biometric authentication implementation on Android.
  • ⬆ Improved reporting of clear text traffic vulnerabilities.
  • ⬆ Improved the backend vulnerability fuzzer and productionization of learning pipeline and addition of new test cases for SQL injection.
  • πŸ†• Improved PII detection in logs.
  • πŸ› Deployed multiple fixes and improvements to secret detection.
  • ⬆ Improved over 50 knowledge base entries like hasFragileUserData for better description and recommendation.
  • ⬆ Improved detection of insecure file provider path settings.
  • πŸ› Optimized the performance of several queries improving performance by 86%.
mdi-source-commit

Enhanced scan speed and reliability, and other improvements.

Sun 01 January 2023
  • πŸŽ‰ Faster scan and improved scan reliability
  • πŸš€ Mobile Attack surface tracking and historization
  • ⚑ Improved backend detection and geographic location reporting
mdi-source-commit

Enhanced metrics for improved scanning health, remediation, and attack surface

Tue 01 November 2022
  • πŸŽ‰ Improved metrics with over new 100 metrics collected and new dashboard showing both scanning health, remediation improvement and attack surface evolution.
  • πŸ”’ Attack surface tracking and historization allowing for known what services and libraries are present and when they were introduced.
mdi-source-commit

Release of Attack Surface asset discovery

Mon 01 August 2022
  • πŸš€ Release of Attack Surface asset discovery, a graph-based approach with improved coverage for better asset detection.
  • ⚑ Ability to configure assets with owners, color, notes, tags, location, and risk rating to ease adding context and influence vulnerability risk rating.
  • πŸ“˜ Collection of asset history with information like DNS, open services and ports, tech stacks, whois. This offers the ability to track changes and monitor evolution over time.
  • πŸ”¬ Out-of-the-box scan instrumentation with opentelemetry and improved debugging of Ostorlab's open-source engine.
  • πŸ’» Open-sourcing of several new detectors for domain hijacking, recon, fingerprinting ...
  • 🎌 Ability to search applications on the store by country.
  • πŸ“„ Certificate-based authentication for Mobile Scans and script-based authentication for web scans.
  • πŸ’ New analysis environment for web applications with intercepted traffic and visualization of crawl coverage (this one looks awesome).
  • πŸ“ Improved plans management for large organizations with the ability to transfer subscriptions and resize them on the fly.
  • 🎩 Improved Jira integrations with configuration test, risk rating selection, and improved information synchronization.
mdi-source-commit

March-April-May 2022

Sun 01 May 2022
  • πŸ’Ž New Attack Surface Discovery to discover known and unknown owned assets and schedule continuous monitoring
  • πŸ”’ Add support for using Chrome Recorder script for Authentication
  • πŸŽ‰ Add support for CRON based monitoring with defined schedules
  • πŸ”¨ Github Actions integrations
  • πŸŽ‰ Open-sourcing of over 20 security testing agents (Zap, Whatweb, Whois IP, Whois Domain, Wappalyzer, Virus Total, Tsunami, Tracker, Subfinder, Openvas, Nuclei, Nmap ...)
  • πŸš€ Performance and resilience improvement to Ostorlab Agent Builder
mdi-source-commit

November-December 2021 / January-February 2022

Tue 01 February 2022
  • πŸ‘Ύ Improve detection of Flutter and React-Native vulnerabilities
  • πŸ‘Ύ Add detection of several new classes of vulnerabilities, including Log4J
  • πŸŽ‰ Open-Sourcing of Ostorlab scanning engine adding support for local runtime and Windows-based environment Adding Ostorlab Agent store to easily access and publish scan agent
  • πŸš€ New agent-group definition to define composable scan agent
  • πŸš€ New agent-group UI builder and YAML definition file generation
  • πŸš€ Automated agent builder from repo that automatically detects and builds new releases
  • 🏫 New learning center exposing documentation, videos, scan sample and vulnerability knowledge base
  • πŸŽ‰ Open-Sourcing Ostorlab knowledge base
  • πŸŽ‰ Open-Sourcing agents for popular tools Nmap, Tsunami, Nuclei and Virustotal
  • πŸŽ‰ Open-Sourcing agents for improved vulnerability tracking (Tracker, Persist Vulnz, Inject Asset and Debug)
  • πŸ” Improve account security with OTP (One-Time-Password) support
  • πŸ”¨Add integrations portal to configure newly support integrations
  • πŸ”¨ Add Jira, Gitlab and Jenkins for CI/CD and ticketing integration
  • πŸ” Add SAML-based authentication for SSO enterprise access
mdi-source-commit

September-October 2021

Fri 01 October 2021
  • Release of the Remediation API with better vulnerability lifecycle management, allowing detection of fixed vulnerabilities, re-opens and maintain status of exception and false positives
  • New dashboard offering a glass box view into security posture and urgent tasks
  • Management of patching and priority policies with SLO and tools to track and measure fix performance
  • 3rd Party integrations with Jira
  • Add Ticket timeline to with dynamic setting of start and end time
  • Add grouping of ticket by status, priority and tag
  • Add Ticket bulk edit mode
mdi-source-commit

August 2021

Sun 01 August 2021

Focus on improving the Monkey Tester to improve coverage adding support for more strategies and advanced test case generation. Work also included better handling of Application packaging and management of our fleet of mobile devices.

  • πŸ€– An all improved Monkey Tester with highly improved code coverage
  • πŸ’ UI Call coverage visualisation to understand what has been done
mdi-source-commit

July 2021

Thu 01 July 2021

Focus on improving Web Scanner detection, adding several features, like Backend fingerprinting, adding more vulnerabilities and improving Backend Vulnerability representation model. Work also included improving Monkey Tester to support more advanced testing strategies. Key updates:

  • πŸ€– Adding support for multiple strategies to Monkey Tester
  • πŸͺ² Multiple bug fixes and improvements to Backend Scanner, XSS Scanner, Fingerprint detections
  • πŸ€– Scale search indexing infrastructure to handle the increase in covered assets
mdi-source-commit

June 2021

Tue 01 June 2021
  • πŸ€– Support of new backend vulnerabilities, like SQL with JDBC escape sequence, Jinja template injection, Python Object serialisation ...
  • πŸ€– Support of new backend vulnerabilities, like XXE, XSLT injection, Fastjson serialisation, PHP RCE ...
  • πŸͺ² Tweaks to the JDWP Android monitor for coverage and performance.
  • πŸš€ Parallelization and backend vulnerability model generation to improve false positive confidence to 6*9 (99.9999%).
mdi-source-commit

May 2021

Sat 01 May 2021
  • πŸͺ² API traffic improvement and bug fixes
  • πŸ” Multiple performance and enhanced result for the new search feature
  • πŸ€– New dynamic instrumentation engine for iOS based on LLDB
  • πŸ€– Improve iOS instrumentation to capture SQL, Crypto, Keychain, Zip, Wifi, Webkit, Biometric, Filesystem, HTTP, Preferences dangerous API
  • πŸ€– Enable backtracing of dangerous API to track their usage
  • πŸ€– Support of credential authentication in Web Scan
  • πŸ€– Improved Web Crawling to support mutated html
mdi-source-commit

April 2021

Thu 01 April 2021
  • πŸ” New rules to detect insecure javascript patterns and new insecure secret usage.
  • πŸ’ Add search, tagging and call trace of extern functions, like JNI.
  • πŸ” New scan search capability to search across all analysis asset types.
  • πŸ’ API traffic IDE capability.
  • πŸ€– API to persist taint graph from scan.
mdi-source-commit

March 2021

Mon 01 March 2021
  • πŸͺ² Fixes to the Analysis Environment indexing to enable code and file search
  • πŸ“’ Deprecate Free+Analysis scan type in a revamp of the analysis environment
  • πŸš€ Asset inventory model rewrite leading address a performance issues leading to 600% performance improvement of loading scans.
  • πŸ€– Support for persisting taint graph for use by the Analysis Environment and future VulnAPI
  • πŸ’ Support for tagging of native function in IDE
  • πŸ” Add multiple new sinks methods
  • πŸͺ² Remove false positive in detection of RSA/ECB weak encryption
  • πŸͺ² Bug fixes to taint analysis leading missing detections
  • πŸ€– Detection of valid Sendgrid API keys
  • πŸ€– Enhanced detection of dangerous Webview settings and deprecation of non-vulnerable APIs
  • πŸ€– Detection of insecure Zip leading to path traversal arbitrary file overwrite
  • πŸͺ² Fix Twitter API detection
mdi-source-commit

February 2021

Mon 01 February 2021
  • πŸͺ² Fixes to the Analysis Environment indexing to enable code and file search
  • πŸ“’ Deprecate Free+Analysis scan type in a revamp of the analysis environment
  • πŸš€ Asset inventory model rewrite leading address a performance issues leading to 600% performance improvement of loading scans.
  • πŸ€– Support for persisting taint graph for use by the Analysis Environment and future VulnAPI
  • πŸ’ Support for tagging of native function in IDE
  • πŸ” Add multiple new sinks methods
  • πŸͺ² Remove false positive in detection of RSA/ECB weak encryption
  • πŸͺ² Bug fixes to taint analysis leading missing detections
  • πŸ€– Detection of valid Sendgrid API keys
  • πŸ€– Enhanced detection of dangerous Webview settings and deprecation of non-vulnerable APIs
  • πŸ€– Detection of insecure Zip leading to path traversal arbitrary file overwrite
  • πŸͺ² Fix Twitter API detection
mdi-source-commit

January 2021

Fri 01 January 2021
  • πŸ€– Switch API encoding from JSON to UBJSON to add support for binary format
  • πŸ’ Analysis Env javascript formatting
  • πŸ’ Analysis Env detection of new file formats
  • πŸ’ Analysis Env call trace node coloring to match function and method tagging
  • πŸͺ² Multiple bug fixes and performance optimization of the Analysis Env
  • πŸ“’ Support for sharing report access using a shareable link
  • πŸ“’ Add edit mode to vulnerabilities to change risk rating or mark as a false positive
  • πŸš€ Detection of new secrets keys and dangerous functions
mdi-source-commit

December 2020

Tue 01 December 2020
  • πŸ“’ Release of Android and iOS application analysis environment
  • πŸš€ Analysis Env support for APK and IPA file listing with content access
  • πŸš€ Analysis Env support for Code highlighting for HTML, Javascript, XML, Java, C++
  • πŸš€ Analysis Env support for Binary plist extraction
  • πŸš€ Analysis Env support for Macho and ELF file disassembly and decompilation for ARM and ARM64
  • πŸš€ Analysis Env support for Macho and ELF string listing
  • πŸš€ Analysis Env support for DEX classes listing
  • πŸš€ Analysis Env support for DEX smali listing and java decompilation
  • πŸš€ Analysis Env support for Android resource extraction
  • πŸš€ Analysis Env support for Android manifest extraction
  • πŸš€ Analysis Env support for DEX, Macho, and ELF function call trace with full refs and xrefs generation
  • πŸš€ Analysis Env support for Dangerous functions tagging to identify security hotspots.
  • πŸš€ Analysis Env support for Contextual call trace generation.
mdi-source-commit

October 2020

Thu 01 October 2020
  • πŸ“’ Release of continuous application monitoring from the store
  • πŸ” Detection of weak Bluetooth connection
  • πŸ” Detection of dynamic broadcast receiver with no permissions
  • πŸ“’ New Jenkins Plugin to integrate CI/CD pipelines with Ostorlab
  • πŸ’ Email and UI notification to inform of key events (scan completion, password change ...)
  • πŸ’ Expose API key generation and management from the UI
mdi-source-commit

September 2020

Tue 01 September 2020
  • πŸ“’ Release of Ostorlab lighthouse continuously scanning public applications
  • πŸ“’ Release of Ostorlab VulnDB UI to access internal known vulnz database
  • πŸ’ Vulnerability tagged as affecting security and privacy, security only or privacy only
  • πŸ” Detection of several privacy settings in Android manifest
  • πŸ” Detection of facebook SDK debug mode
  • πŸ” Detection of GPS location tracking impacting privacy
  • πŸͺ² Fix insufficient sink default taint and missing propagation for Array and Const
mdi-source-commit

August 2020

Sat 01 August 2020
  • πŸ“’ Store search and scan feature
  • πŸ“’ Deep 3rd party dependencies fingerprinting
  • πŸ’ Markdown vulnerability text and description support
mdi-source-commit

July 2020

Wed 01 July 2020
  • πŸ“’ Extend 3rd party dependencies rules
  • πŸš€ Creation of database of unreported vulnerabilities
mdi-source-commit

June 2020

Mon 01 June 2020
  • πŸ’ Report libraries and 3rd party dependencies
  • πŸ” Fingerprinting of Native Android libs, iOS Frameworks, Cordova plugins, Javascript libraries, Xamarin libs and OpenSSL
  • πŸš€ Vetted and enhanced vulnerability database with all the known vulnerabilities affecting libraries and 3rd party dependencies
  • πŸš€ Indexing support for Maven Jar and AAR, Cocoapod podspecs and NPM packages
  • πŸ” Detect calls to dangerous Bluetooth API
mdi-source-commit

May 2020

Fri 01 May 2020
  • πŸ“’ Exposure of CVSSv3 score
  • πŸ€– Alpha support for UI Automation rules
  • 🎁 Add Xamarin decompiled source code to the list of artifacts
  • πŸ” Detect of secrets (SSH Private Keys, Service Account, Slack Token, etc.)
  • πŸ” Detect use of deprecated TLS protocols (SSLv2, SSLv3, TLSv1.0, TLSv1.1)
mdi-source-commit

April 2020

Wed 01 April 2020
  • πŸ“Š Add generation of executive summary PDF report
  • πŸ“’ New Secure risk rating to denote secure implementation
  • πŸ“’ New Hardening risk rating to differentiate between actual vulnerability and missing hardening mechanism
  • πŸ“’ Add support for archiving scans
  • πŸ“’ Add support for exporting scans
  • πŸ” Add detection of new sinks and sources leading to insecure file write, insecure TLS and command execution
  • πŸš€ Enhance performance of taint analysis and increase coverage
  • πŸ’ Enhanced representation of taint information
  • πŸ’ Enhanced representation of stack traces collected in dynamic analysis
  • ⚠ Fix inconsistency in risk rating
  • πŸͺ² Fix false positive in iOS detection for missing ARC and Stack Guard protections
mdi-source-commit

March 2020

Sun 01 March 2020
  • Support for streaming API to create and stops scans
  • Subscription support
  • New KB entry for Webview LoadURL injection
  • Bug fixes to JDWP Hooking engine
  • Dashboard update showing scan plan
  • Support for stopping and archiving scans
mdi-source-commit

February 2020

Sat 01 February 2020
  • API for scheduling rules
  • Migration to Kubernetes
  • Initial support for streaming API to create scans
mdi-source-commit

January 2020

Wed 01 January 2020
  • API to manage Inventory (mobile apps, urls, domains, ...)
  • UI to list, create and update Inventory and Assets
  • CI/CD pipeline integration
  • Deprecate old UIs
mdi-source-commit

December 2019

Sun 01 December 2019
  • Release of the alpha version of the new reporting front end
  • API naming fixes
  • Fix submission of the test credentials
  • New Google Play client to support scanning from the Play Store directly
  • Several New APIs move to GraphQL (Account and Password Management, Artifcats)
  • Worker to handle long-running jobs (PDF generation and Scan Export)
mdi-source-commit

November 2019

Fri 01 November 2019
  • Progress on the new reporting front end
  • Bug fixes in public website
  • Simplified pagination support in all APIs
  • Experimental API to create Web Scans
mdi-source-commit

October 2019

Tue 01 October 2019
  • Release of an open source Android application to benchmark vulnerability scanners
  • Extensions to the GraphQL API adding support for pagination, vulnerability search and switch from passing applications in Base64 to multi-part support
  • Progress on the new reporting front end
mdi-source-commit

September 2019

Sun 01 September 2019
mdi-source-commit

August 2019

Thu 01 August 2019
  • Major migration of all existing infra and data to the new backends.
mdi-source-commit

June 2019

Sat 01 June 2019
  • Infra refactoring into a micro-service architecture.
  • Separation of user portal and public website to prepare moving to serverless.
  • Separation of backend and add an orchestration backend to prepare moving from Swarm to k8s.
mdi-source-commit

May 2019

Wed 01 May 2019
  • Refactoring of API adding support for GraphQL.
  • Migration of website, user portal and orchestrator to GraphQL.
mdi-source-commit

April 2019

Mon 01 April 2019
  • Extending vulnerability test bed.
  • Add support for template injection of 4 new Java template engines.
  • Add support detection of Ruby code injection.
  • Add support detection of Node.js code injection.
mdi-source-commit

March 2019

Fri 01 March 2019
  • Multiple bug fixes and performance enhancements.
  • Fix false positive detection of Template Injection.
  • Add support detection of python code injection.
  • Add support detection of pickle deserialization injection.
mdi-source-commit

February 2019

Fri 01 February 2019
  • Multiple bug fixes and performance enhancements.
  • Enhance detection of XSS adding support for multiple callbacks vectors.
mdi-source-commit

January 2019

Tue 01 January 2019
  • New alpha system to detect vulnerabilities in backends from previously collected ones.
  • Creation of a new vulnerability test bed.
mdi-source-commit

December 2018

Sat 01 December 2018
  • Add support for detection of stored XSS.
  • Complete rework of the scan authentication module. It works well and sends fewer requests.
  • Brand new subscription menu.
  • Bug cleaning season.
mdi-source-commit

November 2018

Thu 01 November 2018
  • Add support for multi-step submitting of Forms.
  • Enhancement to automatic detection of CSRF fields and auto-update of CSRF tokens.
  • Alpha version of Fingerprinting agents.
mdi-source-commit

October 2018

Mon 01 October 2018
  • Major enhancement coverage of XSS contexts, long live Polyglot payloads.
mdi-source-commit

September 2018

Sat 01 September 2018
  • Enhance CSRF handling for web scanning.
  • Add scan export and import feature for on-premise scanning support.
  • Implementation of ADB Proxy agent for on-premise scanning support.
  • Add collection of screenshots and logcat traffic during dynamic analysis.
  • New security rules for Android Network Security Configuration.
  • Fix false positives in Cryptography rules using static taint.
  • Rework of all rules formatting.
  • Fix PDF generation and add support for code highlighting.
  • Add support for kown pathes crawling
  • Add Artifact panel to store extracted source code, screenshots and traffic logs.
  • Add Xamarin source code decompilation.
  • Fix duplicate request testing by backend and XSS scanner.
  • Initial work on CSRF token detection and generation for POST request fuzzing.
  • Add support for inserting payloads in sub-pathes.
mdi-source-commit

August 2018

Wed 01 August 2018
  • Extensive bug fixes month of all core components.
  • Enhance testability of the scanning engine.
  • Enhance reporting features.
mdi-source-commit

July 2018

Sun 01 July 2018
  • Enhanced detection of template injection vulnerabilities.
  • New scanner for detecting XSS vulnerabilities.
  • Ehanced supported for nested serialization formats.
  • Major rework for scan scheduling engine for increased scalability.
mdi-source-commit

June 2018

Fri 01 June 2018
  • New backend scanning engine with beta support for SQL injection and XXE
  • Adding beta support for crawling of HTML content.
mdi-source-commit

May 2018

Tue 01 May 2018
  • Bumping free scanner coverage limit from 100 to 300.
  • New detector for encrypted IPA.
  • Fix false positive in dynamic rules detecting weak encryption.
mdi-source-commit

April 2018

Sun 01 April 2018
  • Porting LLDB for iOS to work on Linux.
  • New backend scan engine.
  • New experimental crawler.
mdi-source-commit

February 2018

Thu 01 February 2018
  • Adding Support for authenticated scan.
  • Final version of Java hook engine with stack trace support and full context inspection.
  • Major enhancement to the taint engine reducing false positives.
  • Multiple bug fixes affecting PDF generation and false positive declaration.
  • Adding feature to report false positives and remove them from the final report.
  • Multiple new dynamic rules to trace sensitive function call.
  • New agent to detect sensitive material files, like private encryption keys.
mdi-source-commit

January 2018

Mon 01 January 2018
  • Surface static taint analysis coverage in the scan report.
mdi-source-commit

December 2017

Fri 01 December 2017
  • Unsafe Transport App Security settings in iOS apps are reported as vulnerabilities.
  • Performance enhancement for the support of large multidex files.
  • Bug fix in method xref for multidex files.
  • Enhance vulnerability de-duplication.
  • Multiple bug fixes for iOS scan rules.
mdi-source-commit

November 2017

Wed 01 November 2017
  • Advanced option to detect weak files permission for both Android and iOS. (OWASP Mobile Top 10 - M2)
  • Advanced option to detect Personal Identifiable Information (PII) leakage for both Android and iOS. (OWASP Mobile Top 10 - M2)
  • Advanced option to detect clear-text traffic for both Android and iOS. (OWASP Mobile Top 10 - M3)
  • Advanced option to detect insecure TLS/SSL validation for both Android and iOS. (OWASP Mobile Top 10 - M3)
  • Advanced option to support iOS call to weak Cryptographic API. (OWASP Mobile Top 10 - M5)
  • Advanced option to support download PDF report.
mdi-source-commit

September 2017

Fri 01 September 2017
  • Stabilizing unlimited scan feature with bug fixes.
  • Correction of false positives in Insecure Encryption Mode.
  • Correction of false positives in ASLR detection for iOS Apps.
  • Move to a clustered architecture to support increase scan load.
  • Final version to support dedicated unlimited scans.
mdi-source-commit

August 2017

Tue 01 August 2017
  • New feature to support dedicated scans.
  • Tweaks and updates to the user interface to support fast uploading.
mdi-source-commit

July 2017

Sat 01 July 2017
  • New backend system to support the increased load.
  • Major code refactoring of all agents to support the new backend system.
  • Multiple bug fixes.
mdi-source-commit

June 2017

Thu 01 June 2017
  • New static taint engine for Android Bytecode.
  • Multiple bug fixes and performance tweaks.