Released AI-automated Attack Surface feature, leveraging artificial intelligence for more comprehensive asset discovery and analysis.
The new implementation allows:
- Automatically seed the attack surface discovery using a simple prompt, for example "Find all Microsoft and its acquisitions".
- Automatically confirm/exclude the potential assets based on their connections and extracted contexts.
- Allow the user to reconfigure the initial prompt to enrich the discovered assets.
Scans & IDE
Enhanced function calls performance in the analysis environment for improved efficiency.
The optimization was done by switching the function call extraction to a graph database, which retrieves the results in less than 200ms.
Added the ability to notify a single user by email for new vulnerabilities.
The automation rules action now supports notifying specific users in the remediation context. This answers, for example, the request "Notify user X when there is a new vulnerability in asset Y."
OXO
Added option to change scan timeout in local scans, providing more flexibility for users. The default value is 48 hours.
Example command to run with a custom value:
Updated vulnerability reporting to include exploitation and post-exploitation details, offering more comprehensive security insights.
The vulnerabilities report will include a section about the exploitation and post-exploitation details of the findings.
Detection 🔍
Secret Detection
Added detection for Branch.io secrets
Implemented IMEI Detection to identify potential privacy concerns.
Added capability to detect the use of insecure UUID versions.
WordPress Agent
Added WordPress Agent to perform automated security checks on WordPress installations, identifying potential weaknesses and vulnerabilities.
The scan covers the known vulnerabilities in the WordPress version, plugins and themes.
The Privacy profile was released expanding access to privacy-focused detections.
The privacy profile fetches the privacy policy from the store (Apple App Store or Google Play Store) and analyzes the following:
The content of the privacy policy and its conformity with the compliance standards (GDPR, CCPA, CPRA, HIPAA, LGPD).
Statically analyzes the application and validates the used permissions and methods against the privacy policy statements.
Dynamically analyzes the application and validates the used permissions and methods against the privacy policy statements.
Added a Privacy link to support packages not available in the store, improving transparency. If the application id is different from the one in the store, you can set the privacy link to fetch during the analysis.
Added advanced search in the Inventory. The advanced search language offers users a flexible, python-like syntax for querying and filtering assets with precision and efficiency. The language uses a key/value structure to construct search expressions, enabling advanced asset discovery capabilities, and provides autocompletion. Learn more about the advanced search from our documentation.
Asset Status Filter
Added a new search filter for assets based on their status. The filter has three possible values:
Live: Shows assets with fingerprints.
Dead: Shows assets without fingerprints.
All: Shows assets with or without fingerprints.
When no filter is specified, all assets are shown.
Other changes
Added support for showing a summary of the changes to be applied when modifying assets.
Improved the performance of the Attack Surface. Loading of assets is now faster.
Fixed a bug where service protocols were always reported as UDP/TCP. Services are now displayed with the correct value for the protocol, such as http or ssh.
Improved the speed at which targets are scanned without compromising on the quality of the scan.
Scans & IDE
API Endpoints
Added autodiscovery and detection of various aspects of API endpoints during a scan.
This feature enables extraction of endpoints information such as:
Technology: The API technology used, such as GraphQL, REST, or SOAP.
Host: The hostname of the API endpoint.
Port: The port number of the API endpoint.
Path: The specific URL path of the API endpoint.
Method: The HTTP method used (GET, POST, etc.).
Function Name: The function associated with an API endpoint, e.g., in the case of microservices or serverless
functions. Indexed for efficient search.
Schemas: Associated requests and responses payload schemas.
Each endpoint can be clicked to see all the information extracted from it:
The overall UI and performance of the IDE have also been massively improved.
Scan Summary
Deprecated the AI scan summary and introduced a much more comprehensive and actionable scan summary. The new summary includes which tests were covered during the scan and which ones were not, as well as recommendations to improve testing.
Full Scan Example
Fast Scan Example
OXO
Added support for scanning web apps from the CI/CD, with support for using custom test credentials, API schema, proxy,
SBOM files, plus much more.
Example command to run a web scan:
Added detection for vulnerabilities and misconfigurations in GraphQL endpoints. These include HTTP Method Manipulation,
Request Complexity and DoS Potential (Circular references & Circular Fragments), Field Duplication, Alias Overloading,
Directive Overloading Detection, Object Limit Overriding Detection and Array-Based Batch Queries.
This feature aims to help developers and security professionals identify potential risks in their GraphQL APIs.
Domain & Subdomain Takeover
Added detection for domain and subdomain takeover. Domain and subdomain takeover is a type of cyber-attack where
adversaries exploit misconfigured or unmonitored DNS records to assume control over a domain or subdomain associated
with an organization.
Its key capabilities include advanced DNS matching (CNAME, A, and AAAA records), dynamic takeover validation beyond fingerprints, and domain registration checks.
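The DNS-matching and registration checks described above, as an added example (not Ostorlab's code): it audits a zone you administer for dangling CNAME, A and AAAA records, using injectable resolver and registrar callbacks so it runs offline against constructed data. The HTTP fingerprint step is not modelled; `apex_of` is a deliberately naive placeholder for public-suffix handling.

```python
"""Dangling DNS record audit for a zone you administer.

Added example, not Ostorlab's code: models the DNS-matching and registration
checks of the takeover detection (CNAME, A and AAAA records) with injectable
resolver/registrar callbacks so it runs offline. No HTTP fingerprinting.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# (name, rrtype) -> record values, or None when the name does not exist (NXDOMAIN).
Resolver = Callable[[str, str], Optional[list]]
# apex domain -> True when the domain is registered.
Registrar = Callable[[str], bool]


@dataclass(frozen=True)
class Finding:
    name: str      # record owner in your zone
    reason: str    # why the record looks dangling
    target: str    # CNAME target or IP address


def apex_of(hostname: str) -> str:
    """Naive apex: last two labels. A real tool must use the public suffix list."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_cname(name: str, target: str, resolve: Resolver,
                is_registered: Registrar) -> Optional[Finding]:
    """A CNAME is dangling when its target resolves to nothing.

    An unregistered target apex is the most urgent case; a registered target
    that returns NXDOMAIN still needs review, since many hosting providers let
    a new tenant claim the abandoned label.
    """
    if resolve(target, "A") is not None or resolve(target, "AAAA") is not None:
        return None
    if not is_registered(apex_of(target)):
        return Finding(name, "cname-target-unregistered", target)
    return Finding(name, "cname-target-nxdomain", target)


def check_address(name: str, address: str, owned: set) -> Optional[Finding]:
    """A/AAAA records should only point at addresses still in your inventory."""
    if address in owned:
        return None
    return Finding(name, "address-not-in-inventory", address)


def audit_zone(zone: dict, resolve: Resolver, is_registered: Registrar,
               owned_addresses: set) -> list:
    """zone maps owner name -> list of (rrtype, value) tuples."""
    findings = []
    for name, records in zone.items():
        for rrtype, value in records:
            if rrtype == "CNAME":
                f = check_cname(name, value, resolve, is_registered)
            elif rrtype in ("A", "AAAA"):
                f = check_address(name, value, owned_addresses)
            else:
                f = None
            if f is not None:
                findings.append(f)
    return findings


# --- constructed sample data (documentation IP ranges, reserved TLDs) ---
SAMPLE_ZONE = {
    "www.example.com":    [("CNAME", "lb.example.com")],
    "shop.example.com":   [("CNAME", "shop-old.storage-provider.example")],
    "blog.example.com":   [("CNAME", "blog.acquired-brand.test")],
    "app.example.com":    [("A", "198.51.100.7")],
    "legacy.example.com": [("A", "203.0.113.9")],
}
FAKE_DNS = {("lb.example.com", "A"): ["198.51.100.7"]}  # anything else: NXDOMAIN
FAKE_REGISTERED = {"example.com", "storage-provider.example"}
OWNED_ADDRESSES = {"198.51.100.7"}


def fake_resolve(name: str, rrtype: str):
    return FAKE_DNS.get((name, rrtype))


def fake_is_registered(apex: str) -> bool:
    return apex in FAKE_REGISTERED


def run_sample() -> dict:
    """Returns {owner name: reason} for the constructed zone."""
    found = audit_zone(SAMPLE_ZONE, fake_resolve, fake_is_registered, OWNED_ADDRESSES)
    return {f.name: f.reason for f in found}


if __name__ == "__main__":
    for f in audit_zone(SAMPLE_ZONE, fake_resolve, fake_is_registered, OWNED_ADDRESSES):
        print(f"{f.name}: {f.reason} ({f.target})")
```

Swap the fake callbacks for real DNS and WHOIS/RDAP lookups to run this against a live zone export.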
Threat Center
Added detection of several fingerprints:
Zyxel Devices - Zyxel provides a wide range of networking solutions, including Unified Security Gateways (USG) and USG FLEX series devices.
D-Link DNS ShareCenter - This ShareCenter™ Cloud Storage device enables you to share documents and media content such as photos, music and videos on a home network or over the Internet.
ProjectSend - ProjectSend is a free, open-source file sharing platform for organizations and teams.
GeoVision - GeoVision specializes in advanced video surveillance solutions, offering state-of-the-art IP cameras, cloud-based surveillance platforms, etc.
Cobbler - Cobbler is a Linux installation server that allows for rapid setup of network installation environments.
PaloAltoNetworks PAN-OS - Palo Alto Networks PAN-OS is a next-generation firewall operating system that delivers advanced security features.
LoadMaster Kemp - Kemp LoadMaster is a load balancer and application delivery controller that optimizes web and application performance.
Cisco ASA - Cisco ASA Software delivers enterprise-class security capabilities for the ASA security family in a variety of form factors.
Symfony - Symfony is a PHP framework for web applications and a set of reusable PHP components.
Aruba Networks Access Points - Aruba Networks Access Points provide secure Wi-Fi solutions for enterprises, and this fingerprint matches the login page for Aruba Access Points.
Nostromo Server - Nostromo is a lightweight, open-source web server designed for Unix-based systems, known for its simplicity and minimal resource usage.
ServiceNow - ServiceNow is a cloud computing platform that helps companies manage digital workflows for global enterprises.
ValueHD PTZ Camera - A PTZOptics camera offers a flexible solution for recording and live streaming events due to its pan, tilt, and zoom abilities and high-quality image.
CyberPanel - CyberPanel is a web hosting control panel powered by OpenLiteSpeed with features for managing websites, DNS, and email.
RAVPN - A remote access virtual private network (VPN) enables users to connect to a private network remotely using a VPN.
Roundcube Webmail - Roundcube Webmail is a browser-based IMAP client with a user-friendly interface, providing features for email management.
Fortinet FortiManager - FortiManager, now powered by FortiAI, revolutionizes network management and security operations by automating routine tasks and providing intelligent insights.
Added support for several CVEs:
CVE-2024-8672 - The Widget Options – The #1 WordPress Widget & Block Control Plugin is vulnerable to Authenticated Remote Code Execution in all versions up to, and including, 4.0.7 via the display logic functionality that extends several page builders.
CVE-2024-10781 - The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to a missing empty value check on the 'api_key' value in the 'perform' function in all versions up to, and including, 6.44.
CVE-2024-10542 - The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all versions up to, and including, 6.43.2.
CVE-2023-28461 - A critical vulnerability in Array Networks Array AG Series and vxAG SSL VPN gateways allows remote code execution by exploiting an HTTP header with the 'flags' attribute to browse the filesystem without authentication.
CVE-2024-21287 - A vulnerability in Oracle Agile Product Lifecycle Management (PLM) was discovered, allowing remote attackers to exploit a file disclosure issue. This vulnerability can be exploited over the network without authentication, potentially disclosing sensitive files.
CVE-2024-42450 - The Versa Director uses PostgreSQL (Postgres) to store operational and configuration data.
CVE-2024-47533 - Cobbler, a widely used Linux installation server for network installation environments, contains a critical authentication flaw in versions 3.0.0 to 3.2.2 and 3.3.6. This vulnerability is due to a defective function, bypassing authentication checks for the Cobbler XML-RPC interface.
CVE-2024-47575 - A missing authentication for critical function in FortiManager allows an attacker to execute arbitrary code or commands via specially crafted requests.
CVE-2014-2120 - Cisco Adaptive Security Appliance (ASA) SSL VPN is prone to a cross-site scripting (XSS) vulnerability.
CVE-2024-42509 - Command injection vulnerability in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211).
CVE-2019-16278 - Directory Traversal in the function http_verify in nostromo nhttpd through 1.9.6 allows an attacker to achieve remote code execution via a crafted HTTP request.
CVE-2024-8957 - ValueHD PTZ cameras below firmware version 6.3.40 contain a command injection vulnerability via NTP server configuration.
CVE-2024-8956 - ValueHD PTZ cameras contain an authentication bypass vulnerability in the param.cgi endpoint.
CVE-2024-50550 - Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache allows Privilege Escalation. This issue affects LiteSpeed Cache versions before 6.5.2.
CVE-2024-37383 - Roundcube Webmail before version 1.5.7 and versions 1.6.x before 1.6.7 contains a cross-site scripting vulnerability that can be exploited via SVG animate attributes.
Privacy & Compliance
Added detection for Privacy Permission Usage Compliance Between AndroidManifest and Privacy Policy for Android and
Permission Usage Compliance Between Info.plist and Privacy Policy for iOS. This detection checks the app's declared
permissions with the information specified in the app's privacy policy.
The technical details of the reported findings include the permissions found in the app's AndroidManifest.xml or Info.plist that are missing from the privacy policy.
This will help ensure developers adhere to acceptable privacy standards.
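A simplified version of this check, as an added example that is not Ostorlab's code: it parses a constructed AndroidManifest.xml and Info.plist, maps each declared permission to a data category through a constructed keyword table, and reports the permissions whose category the policy text never mentions.

```python
"""Check declared app permissions against the app's privacy policy text.

Added example, not Ostorlab's code: a simplified form of the compliance check
for an AndroidManifest.xml and an Info.plist, using a constructed
permission-to-category map and keyword matching over the policy text.
"""
import plistlib
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed mapping: declared permission -> (data category, policy keywords).
# A production map covers far more entries; these are illustrative.
PERMISSION_CATEGORIES = {
    "android.permission.CAMERA": ("camera", ("camera", "photo")),
    "android.permission.ACCESS_FINE_LOCATION": ("location", ("location", "gps")),
    "android.permission.READ_CONTACTS": ("contacts", ("contact", "address book")),
    "android.permission.RECORD_AUDIO": ("microphone", ("microphone", "audio")),
    "NSCameraUsageDescription": ("camera", ("camera", "photo")),
    "NSLocationWhenInUseUsageDescription": ("location", ("location", "gps")),
    "NSContactsUsageDescription": ("contacts", ("contact", "address book")),
    "NSMicrophoneUsageDescription": ("microphone", ("microphone", "audio")),
}


def android_permissions(manifest_xml: str) -> list:
    """All android:name values of <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def ios_permissions(info_plist: bytes) -> list:
    """Top-level keys ending in UsageDescription declare a data access on iOS."""
    data = plistlib.loads(info_plist)
    return [k for k in data if k.endswith("UsageDescription")]


def undeclared_permissions(permissions: list, policy_text: str) -> list:
    """Permissions whose data category is never mentioned in the policy.

    Permissions absent from the map are returned too: they cannot be confirmed
    as declared, so a reviewer has to look at them.
    """
    text = policy_text.lower()
    missing = []
    for perm in permissions:
        entry = PERMISSION_CATEGORIES.get(perm)
        if entry is None:
            missing.append(perm)
            continue
        _category, keywords = entry
        if not any(re.search(r"\b" + re.escape(k) + r"\b", text) for k in keywords):
            missing.append(perm)
    return missing


# --- constructed sample inputs ---
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.app</string>
  <key>NSCameraUsageDescription</key><string>Scan QR codes</string>
  <key>NSLocationWhenInUseUsageDescription</key><string>Find nearby stores</string>
  <key>NSMicrophoneUsageDescription</key><string>Voice notes</string>
</dict></plist>
"""

SAMPLE_POLICY = """We use your camera to scan QR codes and your location to show
nearby stores. We do not sell personal data."""


def run_sample() -> dict:
    """Permissions declared in each platform's manifest but absent from the policy."""
    return {
        "android": undeclared_permissions(android_permissions(SAMPLE_MANIFEST), SAMPLE_POLICY),
        "ios": undeclared_permissions(ios_permissions(SAMPLE_INFO_PLIST), SAMPLE_POLICY),
    }


if __name__ == "__main__":
    for platform, missing in run_sample().items():
        print(platform, "permissions missing from the privacy policy:", missing)
```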
Integrations
Added support for optionally specifying a parent issue when configuring the Jira integration. If a parent issue is
provided, it's used to create the issue in Jira. This change creates a smooth synchronization between Jira and Ostorlab.
Other changes in this release include the addition of the changelog to the dashboard to help users know and make the best
use of new features and fixes.
Revamped Search: Reworked the search UI to make searching very seamless, without the hassle of having to remember search keywords.
Added support for applying search filters even if Ticket Grouping is used.
Fixed saved rules appearing to all organisation users. Now, saved rules appear only to the user who saved them.
Remediation
Allow the selection of any issue type available in the JIRA project scope.
Inventory & Attack Surface 🎯
Search Assets using Regular Expressions (RegEx): Added support for advanced search patterns using regular expressions.
Fixed slow loading of impacted assets in the threat center.
Added support to limit assets to the asset owner when exporting potential nodes.
Fixed a bug in search with multiple fingerprints.
Detection 🔍
New Vulnerabilities
Bleichenbacher vulnerability - Added detection for potential exposure to the Bleichenbacher attack (PKCS#1 v1.5 padding oracle) in SSL/TLS connections. The Bleichenbacher attack allows attackers to exploit weaknesses in RSA-encrypted communications, potentially decrypting sensitive data such as session keys.
Weak Cipher Suites - Added detection for identifying whether a server supports weak cipher suites in its SSL/TLS connections.
Raccoon Attack Implementation - Added detection for Raccoon Attack vulnerabilities in SSL certificates.
ALPACA Attack - Added detection for ALPACA (Application Layer Protocol Confusion) attack vulnerabilities in SSL/TLS certificates.
Backdoored Cryptographic Algorithms - Detection for backdoored cryptographic algorithms in SSL certificates, specifically targeting RC4 and Dual_EC_DRBG.
Lucky Thirteen - The Lucky Thirteen attack targets the TLS (Transport Layer Security) protocol, specifically its handling of padding in encrypted messages. This attack exploits vulnerabilities in certain TLS implementations with block ciphers like AES.
SSL/TLS Protocol - Added detection to identify outdated and potentially vulnerable SSL/TLS protocols such as SSLv3, TLSv1, and TLSv1.1, which are known to have security vulnerabilities.
SSL Certificate - This check assesses the security and validity of SSL/TLS certificates by analyzing the certificate's attributes and ensuring compliance with modern best practices. Additionally, the check supports both domain names and IP addresses as targets for validation.
Forward Secrecy in SSL/TLS connections - Checks if the server does not support Forward Secrecy (FS), which is vital for protecting session keys.
CVEs & Fingerprinting
Add Jetpack version-based detection - This implementation introduces detection for a vulnerable Jetpack plugin version that is actively exploited in the wild.
CVE-2024-9634 - Detection of a PHP Object Injection vulnerability in the GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress, affecting versions up to 3.16.3.
CVE-2024-9487 - Detection of a cryptographic signature verification flaw in GitHub Enterprise Server that allowed bypassing SAML SSO authentication, leading to unauthorized user access.
CVE-2024-23113 - Detection of a critical format string vulnerability affecting various Fortinet devices, including FortiOS, FortiProxy, FortiPAM, and FortiSwitchManage.
CVE-2024-47374 - LiteSpeed Cache plugin for WordPress is vulnerable to a stored cross-site scripting (XSS) vulnerability in versions up to and including 6.5.0.2.
CVE-2024-28987 - The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing a remote unauthenticated user to access internal functionality and modify data.
CVE-2024-9463 - An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in the disclosure of usernames, clear-text passwords, device configurations, and device API keys of PAN-OS firewalls.
Authorization Bypass 🔐
Fixes to 4xx Bypass Detection to Remediate False Positives: Improved detection accuracy to reduce false positives in 4xx bypass scenarios.
Add HTTP2 Support: Implemented support for HTTP2 traffic extraction. HTTP2 is more powerful than HTTP1 but comes with increased complexity to reconstruct traffic.
Fix HTTP1 Handling: Resolved issues with handling requests under the HTTP1 protocol to maintain compatibility.
UI 🎨
Improve Reporting of Outdated Dependencies: Enhanced reporting of vulnerabilities due to outdated dependencies to offer a clearer understanding of the issue and where it is.
Improve Privacy Issues Detection: Upgraded detection mechanisms to better identify and manage privacy-related issues.
Fix to Oxotitan UI: Addressed UI glitches and improved overall user interface consistency for a smoother user experience.
Add Sorting of Findings by Risk: Introduced sorting capabilities for findings based on risk, making prioritization more efficient.
Improvement to Tags Listing and Autocomplete: Enhanced tags listing and autocomplete features to improve usability and user interaction.
Detection 🔍
Add Support for More Scalar Types in API Autodiscovery: Extended support for additional scalar types, enhancing compatibility with diverse API schemas.
Add Detection and Fingerprinting of Several CVEs: Implemented mechanisms for detecting and fingerprinting multiple CVEs, strengthening security posture, specifically:
CVE-2024-47176 - This vulnerability involves the CUPS (Common UNIX Printing System), allowing potential remote execution of arbitrary code by exploiting improper input validation and binding to an unrestricted IP address [1][2].
CVE-2024-8963 - A path traversal vulnerability in Ivanti Cloud Services Appliance versions before 4.6 Patch 519, allowing unauthorized remote access to restricted functionality [1].
CVE-2024-8522 - A SQL Injection vulnerability in the LearnPress WordPress plugin allows unauthenticated attackers to execute arbitrary SQL queries via the '/wp-json/learnpress/v1/courses' API endpoint, potentially extracting sensitive data.
CVE-2024-45409 - A vulnerability in the Ruby SAML library improperly verifies the signature of SAML responses, allowing unauthenticated attackers to forge SAML assertions and potentially log in as arbitrary users [1][2].
CVE-2024-40711 - An out-of-bounds write vulnerability in the ImageMagick software suite allows attackers to trigger the issue via specially crafted image files, potentially leading to arbitrary code execution.
Custom Checks ✔️
Add Support for Private Repos: Enabled functionality to work with private repositories securely.
Use Deploy SSH Keys: Introduced use of deploy SSH keys for secure operations in private environments.
Add Support for Custom Agent Logs: Facilitated the generation and management of custom logs for monitoring agent activities.
Analysis Environment 🧩
Add API Endpoints to Scans Analysis Environment: Added new API endpoints to enhance scans analysis and improve investigation processes.
Improve Request-Response Research: Optimized methodologies for analyzing request-response interactions for better performance.
Add Mixing of Java and C Stack Traces: Enhanced debugging capabilities by enabling mixed Java and C stack trace analysis.
Attack Surface 🎯
Fix Grouping of Fingerprints in Attack Surface by Adding OS: Improved fingerprint grouping to include OS data, optimizing analysis and identification.
Fix Fingerprint Collection for IP Assets: Enhanced processes for collecting fingerprints related to IP assets for more accurate assessments.
Instrumentation 📏
Fix Parsing of Integer Arguments in Flutter/Dart Apps: Corrected parsing logic for integer arguments within Flutter/Dart applications to ensure accuracy.
Authorization Bypass 🔐
Fixes to 4xx Bypass Detection to Remediate False Positives: Improved detection accuracy to reduce false positives in 4xx bypass scenarios.
Support for Archived Pages Detection: Implemented support to identify and handle archived pages, aiding historical data analysis.
RSS Feed 📡
Add RSS Feed: Introduced an RSS feed to keep users updated on the latest changes. Access it at https://blog.ostorlab.co/feed/rss.xml or https://blog.ostorlab.co/feed/atom.xml
Added notification when triggering the discovery phase. This helps inform users about the discovery process, which may take time on large organizations.
New Tags menu with an autocomplete feature for easier navigation and centralized management. All tags are now grouped in a single page and can be centrally edited on all tickets or assets.
CVSSv4 support in PDF exports for clearer representation of vulnerabilities. The new visualisation makes it easier to understand each element, from vector and complexity to the need for authentication.
Grouped vulnerabilities by risk rating in tables, making it easier to differentiate between confirmed and potential findings of the same category.
Enhanced speed of fetching threat center counts for impacted assets.
🤖 AI:
Improved AI model for generating vulnerability recommendations. New findings are now reported with increased accuracy.
🔍 API Autodiscovery:
Added support for scanning schema files, including GraphQL, OpenAPI, WSDL, and XML.
🛠️ OXO:
Fixed issue where new agent groups were incompatible with all asset types.
Added multi-select for asset types during agent group creation.
💻 Flutter:
Support added for the latest Flutter version 3.24.
🔐 Network Interception:
Multiple bug fixes to prevent missed clear traffic.
Improved interception of TLS traffic in native code.
We are happy to announce the release of OXO Titan, an intuitive User Interface (UI) to transform user interaction with
OXO, a vulnerability scanning orchestrator that automatically binds tools together allowing for rapid scale.
This OnPrem UI encapsulates OXO's capabilities within an accessible interface, democratizing advanced security
scanning techniques. By bridging the gap between the myriad of complex tools and a simple UI, OXO Titan streamlines
operations and enhances the user experience.
The OXO scan process now exits automatically once completed, streamlining your workflow.
To learn more about OXO Titan, read the full article.
📊 PDF Reports
Track Vulnerability Trends: Easily monitor your asset's vulnerability trends over the last 6 months with our new
graph that breaks down vulnerabilities by risk rating.
See Open vs. Closed Vulnerabilities: Quickly understand the state of your vulnerabilities with a new graph
summarizing open and closed issues.
Identify Critical Issues Faster: A new graph now highlights the top 10 most severe vulnerabilities, helping you
prioritize critical issues.
⚡📡 Attack Surface
Added support for running an autodiscovery scan. Autodiscovery enables continuous monitoring of an organization's
infrastructure to detect missing and rogue assets. This helps with finding blind spots like forgotten or missing
acquisition infrastructure, unaccounted-for dev and production machines, or lost assets during internal restructuring
and staff change. To run an autodiscovery scan, go to the new scan page and
select Attack Surface.
Improved Asset Filtering: Filter assets more effectively by certificate details, including serial number, subject,
issuer, and validity dates.
Enhanced Search Functionality: Search more accurately with the fixed exclusion search feature, ensuring you find
exactly what you need.
🔍 Detection
Enhanced vulnerability assessment with support for the Common Vulnerability Scoring System Version 4.0 (CVSSv4). This
can be accessed on the details page of a vulnerability.
Known Exploitable Vulnerabilities: Enhanced security tracking by adding new CVEs - CVE-2024-38077,
CVE-2021-33044, CVE-2024-5932, CVE-2024-28986, and CVE-2022-31814.
Added support for patched versions, minimizing false positives and ensuring your vulnerabilities are
accurately reported.
Fixed an OpenSSH False Positive, ensuring only relevant vulnerabilities are reported.
Fixed a bug where invalid targets were scanned due to incomplete URL configuration
(missing port, scheme, or host). This fix ensures that no inaccurate results are reported.
Added support for exposing the OS from scans, helping you gain more precise fingerprinting details.
Fixed a bug where Microsoft authentication was not working, improving the call coverage of web scans.
⚠️ Threat Center
Support for Dahua network IP cameras, pfSense open-source firewall and router software, and Traccar GPS tracking.
The addition of these targets will help flag assets that are affected by high-severity threats with active exploitation.
More Accurate Vulnerability Scores: We've fixed the CVSSv3 Vector for the Django Debug Mode to provide more precise information.
Improved Technical Details: The Insecure Register Receiver Flag technical details have been fixed so that they render correctly, giving you better clarity on a vulnerability's details.
We added a new type of scan, Privacy Compliance Testing, which is available for all asset types. The Privacy
Compliance Testing identifies privacy concerns by analyzing the application's data collection, usage practices, and
compliance with privacy policies.
OFBiz plugin: An open-source enterprise resource planning (ERP) system.
Cisco Smart Software Manager On-Prem (SSM On-Prem): A Smart Licensing solution that enables customers to
administer products and licenses on their premises.
Raisecom: A global leading vendor providing comprehensive access solutions and network devices.
Acronis cyber infrastructure plugin: A multi-tenant, hyper-converged infrastructure solution for cyber protection.
The agent was also fixed to not scan non-HTTP services.
Known Exploitable Vulnerabilities: Enhanced security tracking by adding new CVEs - CVE-2024-5217,
CVE-2024-38856, CVE-2024-43044, CVE-2024-7120, and CVE-2024-20419.
🛡️ OXO
Fixed a crash when OXO is run with no asset (--no-asset).
🎨 User Experience Enhancements
In order to provide more clarity on what each type of scan does, all scan profiles are now visible, even if they're
inactive.
Fixed a bug when confirming an asset without selecting an owner.
Fixed a bug which was causing some fingerprints not to show.
We are excited to introduce the Threat Center, a dedicated hub for viewing the latest security alerts and
understanding which of your assets are affected. With this new feature, you can easily scan affected assets directly
from the Threat Center, ensuring you stay on top of potential threats. Access the Threat Center
here.
🛡️ Improved Detection
Detection for Exposed Docker Registry API vulnerability.
🔒 Security Enhancements
To bolster account security, we now require users to verify their password before making any changes to Two-Factor Authentication settings. This additional step adds an extra layer of protection to your account.
🎨 User Interface Enhancements
We've reworked the Call Coverage interface to improve usability. In compact mode, dynamic analysis scenarios are now
only displayed on hover, providing a cleaner and more streamlined user experience.
Enhanced XSS Detection: Improved detection capabilities for XSS vulnerabilities and improved vulnerability reporting.
Error Handling: Refined error management by properly catching and handling Browser exceptions.
Agent Reporting Engine 📊
Reporting Enhancements: Updated documentation for deploying scanners and enhanced error handling.
Alert System Improvements: Revised the conditions for app download failure alerts for application continuous monitoring.
Agent Asteroid 🌌
Known Exploitable Vulnerabilities: Enhanced security tracking by adding new CVEs (CVE-2024-33544, CVE-2024-40725, CVE-2024-6745, CVE-2024-34102, CVE-2024-5315, CVE-2024-31982, CVE-2024-23692, CVE-2024-6387, CVE-2024-36401, CVE-2024-36991, CVE-2024-37032, CVE-2023-52251, CVE-2024-28995, CVE-2024-29973, CVE-2024-4879).
CircleCI Integration 🔄
Continuous Integration Enhancements: Significantly improved the CircleCI configuration across all projects, optimizing build times, and ensuring more reliable build outcomes. Enhanced pipeline automation to include automatic testing and quality checks.
User Interface Enhancements 🎨
UI Improvements: Introduced enhancements to user interface improving dashboard performance for large organisations.
Security and Workflow Enhancements 🔒
Codecov Integration: Implemented Codecov across all repositories to monitor code coverage, ensuring comprehensive testing and higher code quality.
UV Workflow Updates: Transitioned development pipelines to UV, standardizing build processes and improving deployment efficiency across projects.
This update introduces new detection capabilities, new data & privacy controls, improved user experience across the platform, and bug fixes.
🛡️ Detection
CocoaPods Supply Chain Vulnerability: We added detection for critical vulnerabilities in CocoaPods. One Key
Vulnerability is CVE-2024-38368. This vulnerability allowed
attackers to claim unclaimed CocoaPods packages and insert malicious code. The potential for widespread damage was
immense, affecting both individual developers and large organizations relying on CocoaPods for dependency management.
We go over this vulnerability in-depth in our recent article.
CVE-2024-2194: We added detection for the WP Statistics plugin for WordPress, which is vulnerable to Stored Cross-Site Scripting via the URL search parameter in all versions up to, and including, 14.5.
Insecure Crypto Mode: A fix was made to improve the rules used to detect Insecure Crypto Mode.
🤝 Compliance
California Consumer Privacy Act Controls: New support for the California Consumer Privacy Act (CCPA), a
comprehensive data privacy law that grants California residents new rights regarding their personal information.
To check your app's compliance with the CCPA, click on a scan, scroll down, and then click on the 'Standards' tab.
Secure Privacy Findings: Added support for reporting privacy issues, such as insecure collection of users' crash
logs without consent, improper usage of contacts data, undeclared collection of users' health information, etc.
🙂 UX
Search History: The search history is now kept in the search bar every time you navigate between pages, or
forward/backward on the same page.
🕸️ Attack Surface
Bulk Actions: We added support to run bulk actions (automation rules) directly from the Attack Surface.
This update introduces bug fixes, detection improvements, and attack surface enhancements to provide a more seamless user experience.
🛡️ Scanning
Show source code for the detected vulnerabilities in the vulnerability details page.
🛠️ Remediation
Customized the weekly email for attack surface auditors to only contain their data.
🕸️ Attack Surface & Inventory
Added autocomplete for tags in assets.
Enabled filtering of assets by ownership type.
📦 Detection
Added detection for CVE-2022-24816: A remote code execution vulnerability in the JT-JIFFLE extension of Geoserver allows remote attackers to execute arbitrary code.
Added detection for CVE-2024-34470: An issue was discovered in HSC Mailinspector 5.2.17-3 through v.5.2.18. An unauthenticated path traversal vulnerability exists in the /public/loader.php file. The path parameter does not properly check whether the file and directory passed are part of the webroot, allowing an attacker to read arbitrary files on the server.
🐞 Bug Fixes
Fixed the search function with inputs that included a schema.
Fixed the iOS search issue when searching for common apps like Facebook.
Fixed the issue where excluded values were still appearing in the graph during PDF generation.
This update introduces support for scanning apps using iOS TestFlight, Slack Integrations, support for scanning web apps with an SBOM, and other improvements.
This update introduces multiple new integrations with CI/CD pipelines, improvements to dynamic traces interception & analysis, support for the MASVS standard, and many bug fixes.
📄 CI/CD Integrations
Add integration of TeamCity CI/CD pipelines for automated scanning.
Add integration of GoCD build processes.
🤖 Dynamic traces interception & analysis
Add extraction of Dictionary arguments of Objective-C methods. This allows for improved detection of numerous vulnerabilities, like insecure data storage.
Add support for dynamic instrumentation of Objective-C static methods. This improves the detection of over 250 rules.
Add extraction & analysis of sockaddr C-structures to extract IP address and port.
📑 MASVS v2.0.0 standard
MASVS 2.0 is here, and Ostorlab supports it :+1:
🛠️ Remediation
Added a due date field to the tickets and the ability to re-open all exception tickets after that period.
Added a finished time field to the scan API.
🐞 Misc & Bug Fixes
Fixed Tree-Like representation of organisations on the plans page.
This update adds the discovery of hidden web paths, detection of libwebp vulnerability, and new CVE detections.
🤖 Open Source
OXO version 1.0 was released. It is 10x faster, supports ARM64 architectures, and is packed with improved capabilities like scanning multiple assets and a simpler, more powerful CLI.
Starting a scan is now 10 times faster: In previous versions, starting a scan took almost 3 minutes. With OXO v1, it is now 10 times faster, starting a scan in just 16.5 seconds.
Standalone Binary: OXO is now available as a standalone binary for macOS, Linux, and Windows.
Support for macOS and ARM64 architecture for agents: If you're a macOS user with an ARM64 processor, we've got some great news for you! OXO can now support ARM64 agents natively.
Scan an Inventory file: OXO added scanning multiple assets using an asset definition YAML file. This gives you the possibility to scan a large number of different types of assets at the same time.
Friendlier CLI: As of OXO version 1, you can now specify the agent key in a concise way when running scans. Instead of using the full agent key, you can use the shorthand <org>@<name> format.
New Documentation Website: OXO now has its dedicated documentation website, packed with tutorials and numerous examples.
Agent Store: OXO now has a public agent store. You can publish your agent to the OXO store by simply following this tutorial.
Follow scan progress by Default: Starting from the version v1, --follow is the default mode when you start a scan. OXO will keep you updated on the scan's progress.
Pass Arguments to agents directly from the CLI: Agents can be fine-tuned using arguments which give you more control and flexibility. Passing arguments is now available throughout the CLI.
Add the ability to persist messages: You can now persist any type of message you wish, such as IP, domain, link, and exposed services through the new OXO Open Source agent Nebula.
To read more about OXO v1.0, read the full blog post.
📦 Detection
Added discovery of hidden web paths in agent hubble using Google Search and Wayback.
Added detection of libwebp vulnerability.
Added detection for CVE-2024-4040, CVE-2024-31461, CVE-2024-2389, CVE-2024-32764, CVE-2024-27956, CVE-2024-28890, CVE-2024-28255, and CVE-2024-26331.
🐞 Bug Fixes & Small improvements
Fixed bug with CSV import of IPs not updating existing IP assets.
This update significantly improves Objective-C instrumentation, adds new detection for insecure data storage and Regex DoS, and ships multiple bug fixes.
📦 Detection & Knowledge Base
Improved dynamic instrumentation for Objective-C and persisted collected stack traces in the Analysis Dynamic section.
Added detection capabilities to identify insecure data storage practices in iOS applications. This includes identifying the use of potentially vulnerable storage mechanisms such as UserDefaults and UIPasteboard.
Added detection for Regular Expression Denial of Service (ReDoS) vulnerabilities. This new feature identifies sinks that use user input to create regular expressions, which can lead to potential ReDoS attacks.
Refined all KB recommendations to be actionable, so now we have a step-by-step process to solve vulnerabilities.
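A sketch of what the ReDoS sink detection above looks for, as an added Python example that is not Ostorlab's rule (which targets the mobile and web code the platform scans): `find_regex_sinks` walks a Python AST and reports `re.*` calls whose pattern is neither a string constant nor wrapped in `re.escape`, and `contains_literal` is the hardened form of such a sink. `SAMPLE` is constructed source written for this example.

```python
import ast
import re
from typing import List, Set

# re functions whose first argument is compiled as a pattern.
RE_SINKS: Set[str] = {"compile", "match", "search", "fullmatch",
                      "findall", "finditer", "sub", "subn", "split"}


def _is_re_call(node: ast.AST, names: Set[str]) -> bool:
    """True for a call of the form re.<name>(...) with <name> in names."""
    return (
        isinstance(node, ast.Call)
        and isinstance(node.func, ast.Attribute)
        and isinstance(node.func.value, ast.Name)
        and node.func.value.id == "re"
        and node.func.attr in names
    )


def _pattern_is_tainted(node: ast.AST) -> bool:
    """Conservatively decide whether a pattern expression may carry user input."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return False                      # literal pattern written by the developer
    if _is_re_call(node, {"escape"}):
        return False                      # re.escape() neutralises metacharacters
    if isinstance(node, ast.JoinedStr):   # f-string: inspect each interpolated piece
        return any(_pattern_is_tainted(v.value)
                   for v in node.values if isinstance(v, ast.FormattedValue))
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _pattern_is_tainted(node.left) or _pattern_is_tainted(node.right)
    return True                           # a variable, call result, etc.: treat as untrusted


def find_regex_sinks(source: str) -> List[int]:
    """Return the line numbers of re.* calls whose pattern is not a trusted literal."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if _is_re_call(node, RE_SINKS) and node.args and _pattern_is_tainted(node.args[0]):
            hits.append(node.lineno)
    return sorted(hits)


def contains_literal(term: str, text: str) -> bool:
    """Hardened sink: the user-supplied term is escaped, so it can only match itself."""
    return re.search(re.escape(term), text) is not None


# Constructed sample source; the comments mark which calls the rule should flag.
SAMPLE = '''\
import re

def search_unsafe(term, text):
    return re.search(term, text)             # flagged: raw input used as the pattern

def search_fstring(term, text):
    return re.findall(f"^{term}$", text)     # flagged: input interpolated unescaped

def search_safe(term, text):
    return re.search(re.escape(term), text)  # not flagged: input is escaped

def search_const(text):
    return re.match(r"^[a-z]+$", text)       # not flagged: constant pattern
'''

if __name__ == "__main__":
    print("flagged lines:", find_regex_sinks(SAMPLE))                       # [4, 7]
    print(contains_literal("a+b", "xa+by"), contains_literal("a+b", "aab"))  # True False
```

The detector is deliberately conservative: anything it cannot prove to be a literal or an escaped value is reported, which is the right trade-off for a rule whose findings are reviewed by a human.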
Frontend Enhancement
Added table of contents to Blogs.
Added highlighting to the Tips section.
Added a button to download all PCAP files at once as a ZIP archive.
Show graph edge & node labels in a card.
🐞 Bug Fixes
Fixed the generation of rules for iOS to take init function into consideration.
This update introduces fixes for the Attack Surface, detection for the liblzma backdoor, and a public store for agents.
📦 Detection
Added detection for Apple's Privacy Manifest files. A Privacy Manifest describes the data an app or third-party SDK collects and the reasons for the required-reason APIs it uses.
Developers are required to include it in their apps before May 1st, 2024. The detection rule checks that apps are
compliant with the new requirement, and whether their implementation is secure or not.
Added detection for Django DEBUG mode enabled.
Added detection for leaking secrets in Web Apps.
Added detection for liblzma backdoor.
Added detection for CVE-2023-48788, CVE-2021-44529, CVE-2019-7256, CVE-2022-20767, CVE-2022-0412, and CVE-2024-1212.
Improved detection for Personally Identifiable Information (PII). The rule now detects many more vulnerable methods that leak PII data.
PII leak detection is now also performed by a static rule.
Improved detection for Mixed content WebView settings by analyzing and detecting more dangerous WebView settings.
This update introduces fixes for the Attack Surface, migration of Agent's Docker Images to Docker Hub, enhanced detection capabilities for vulnerabilities, and support for ARM64 architecture in OSS.
🕸️ Attack Surface
Addressed issue with Attack Surface creating non-confirmed assets from detected vulnerabilities. Users now have the ability to only collect metrics of confirmed and maintained attack surface assets without issues related to non-validated assets from scans.
🛠️ Infrastructure
Migrated the agents' Docker images to Docker Hub for improved visibility and faster access to open-source OXO agents.
📦 Detection
Added detection for the aiohttp path traversal vulnerability that is being actively exploited.
Added detection of CSS injection vulnerabilities leading to application takeover, keylogging and defacement.
🤖 Open Source
Added support for the ARM64 architecture, enabling OXO to run on Mac machines at native speed.
Fixed a bug related to the download progress while installing agents. The bug was a KeyError which usually occurred due to network issues when installing agents. Because of the bug, agent installation would sometimes fail. The error is now gracefully handled so that agent installation does not fail.
🗝️ Improved API Keys page
The API keys page has been redesigned for ease of use.
OXO open-source is coming with new features and enhancements to facilitate its usage:
Enhanced Message Specification in Agent Groups:
Users can now specify the source of messages within an agent group.
Users now have the ability to specify the in_selector within the agent group definition.
This feature overrides the default configuration set in the agent YAML file, providing more flexibility and customization.
Expanded Search Capabilities in the CLI:
Search by Risk Rating: Users can now search for vulnerabilities based on specific risk ratings or a combination of multiple risk ratings.
Keyword search in different fields: Users can now search for findings that contain a specific text.
Performance Enhancement:
By reducing the health check interval for agents and optimizing the scaling process, users can now experience faster startup and execution times, significantly improving the overall efficiency of OXO open-source.
Security Enhancements
Enhanced the detection capabilities for path traversal vulnerabilities.
Refined the detection mechanisms for improved identification of intent redirection vulnerabilities.
Users can now assign a custom name/label to their test credentials for improved organization and identification.
With the help of this optional name/label, users can quickly recognize and manage their test credentials and differentiate between different test configurations.
The latest update incorporates attack surface discovery paths, offering detailed insights into how assets were discovered. This addition helps you understand from which asset(s) a particular asset was discovered.
The attack surface discovery path of an asset can be viewed from the asset details page by going to the Inventory and then clicking on the asset.
The discovery path can also be seen from the discovery page by left-clicking on the asset in the graph.
Graph Edge Attributes
Graph edges now show attributes, facilitating a clearer understanding of the relationships between nodes. This is helpful when you want to know which tool discovered the node, when the node was discovered, when it was last 'seen', etc.
These updates collectively contribute to a deeper comprehension of the attack surface discovery.
Over the past month, significant advancements have been made in dynamic analysis. We've expanded our capabilities to include instrumentation support for Java, Kotlin, Swift, and Dart 🚀. We've also enhanced our detection mechanisms, identifying over 1,365 new vulnerable patterns in Swift and 846 in Dart.
🗝️ Refined IAM Management
We've fine-tuned IAM management by introducing two new roles: Reader, offering read-only access, and Attack Surface Auditor, designated for conducting thorough audits of the attack surface. This update ensures more tailored and secure access management.
🔍 More Detailed Attack Surface Insights
The Attack Surface feature now provides more detailed access control, tailored per Owner. This update enhances both the precision of discovered asset recommendations and the specificity of access rights, ensuring a more secure and efficient management of assets.
🛡️ Enhanced XSS Detection Capabilities
Our XSS Detection capabilities have undergone a significant overhaul, leading to better detection rates and broader coverage. We've added several new payloads and re-engineered our approach to authenticated testing, greatly enhancing the robustness of authentication during tests.
📦 Advanced Vulnerable Dependency Detection
We've improved the correlation between application fingerprints and known vulnerabilities searches. This enhancement has led to the detection of over 150% more new packages across various frameworks and languages, significantly boosting our ability to identify and mitigate vulnerabilities.
🐞 Bug Fixes
Resolved an issue causing errors in the detection of source map code leaks.
Fixed an error encountered when evaluating IP reputation.
Addressed a bug that prevented the crawler from collecting request and response headers.
Improved handling of large arguments collected during dynamic analysis.
Corrected an issue with XSS tab timeouts, ensuring no findings are missed.
Updated and clarified descriptions in our knowledge base entries.
Fixed CSV validation errors during asset imports.
Enhanced the computation of vulnerability DNA in the XSS Agent for more accurate detection.
Introducing HTTP Folders, a new way to navigate your app communication.
Easily navigate domains and subdomains for a clear view of requests and responses,
gaining valuable insights with streamlined visibility.
You can see your app's HTTP folders in the IDE section of your scan report.
ℹ️ Detailed Information: Each HTTP folder includes detailed information such as the domain, subdomain, and a list of requests and responses.
🔍 Search and Filter: Easily search and filter HTTP folders based on domain, subdomain, or specific requests, facilitating efficient monitoring and analysis.
Basic Authentication
Ostorlab now supports Basic Authentication in Web scans.
Test applications seamlessly with Basic Authentication or Composed Authentication (Form-based or Script-based), enabling a more wide-ranging scan.
🔒 Various Authentication Methods: Unlock a spectrum of testing possibilities with support for Basic and Composed Authentication.
🌐 Expanded Testing Scope: Ensure wider coverage of your application testing.
Attack Surface Enhancement
We've enhanced the Attack Surface section to streamline navigation. Introducing the new "Nodes" tab,
it provides a comprehensive list of all nodes in your attack surface graph, along with a summary of their properties, including type and ownership.
You can see your Attack Surface "Nodes" in the Attack Surface section.
Stack Traces Search Enhancement
We've made an enhancement to the Stack Traces search in the Dynamic tab of the IDE section.
Now, you can conveniently search stack traces by Runtime type, including Flutter, C, Dex, or Swift.
Introducing a comprehensive audit logging system. This new feature allows organization admins to track and
monitor various activities and changes within the organization, providing enhanced visibility into user actions.
You can see your organization's audit logs in the Audit Logs section of the Library.
📜 Audit Actions: Auditing a wide range of actions, including user logins, data modifications, configuration changes, and more.
🕦 User Activity Tracking: Recording user interactions to assist in maintaining accountability and security.
ℹ️ Detailed Information: Each audit log entry includes detailed information such as the user responsible, timestamp, and a description of the specific action taken.
🔍 Search and Filter: Easily search and filter audit logs based on user, date, or specific activities, facilitating efficient monitoring and analysis.
Seamlessly integrate Ostorlab security scanning into your CI/CD pipelines. Get started with our documentation.
🔐 IDE & Security Improvements
📄 Mobile scan logs displayed directly in the IDE.
⚡ Faster and more responsive IDE.
🚫 Critical risk rating added.
🌐 Reputation report for IP/domains.
Detect OAuth account takeover from config files.
Exception and false-positive tickets are no longer aggregated.
🎨 UI Enhancements & Fixes
🛠️ Fix scan summaries for shared scans.
🖥️ Distinguish between store and file targets in remediation sections:
Scan from the store and file scans are now aggregated separately. This allows you to distinguish between the two types of scans in the remediation section.
⚡ Faster ticket page loading.
Possibility to add titles when creating scans.
New scan events in the ticket page.
Support for SVG images in organization images.
In the subscription page: show tag Canceled only if the plan is active.
When exiting the ticket page in edit mode, a prompt is displayed to save the modifications.
Reworked the organisation settings page.
Add bulk delete for test credentials.
Add the ability to disable email notifications.
Improved function signature presentation with parameter name and type.
🔐 Open Source Updates
Improved handling of connection issues during agent initiation.
During our recent Fix-It Week 🛠️😃, our dedicated team put in a tremendous effort to address and resolve over 107 issues affecting our systems. This action-packed week led to numerous improvements in functionality, stability, and security across various components of our application. 🚀🔧🔒
Below is a highlight of the most notable fixes: 📋🔍
Security:
Improve brute force attack detection and remediation, particularly credential stuffing 🔐💪
Improve XSS handling of form input fuzzing 🛡️🔍
Improve description and recommendation of several common vulnerabilities 📝🔒
Improve fingerprint detection of Xamarin dependencies 🧐🔍
Attack Surface:
Improve handling of edge case TLD values 🔄🔍
UI:
Add item filtering in the ticket edit mode 🔍🎫
UI improvements 🎨✨
Production:
Series of bug fixes, dead code deletion, and version upgrades, some with their fair share of breakages, pain, sweat, and tears 😅🚑🔧
Add support for download geofencing in more countries 🌍📥🔒
Monkey Tester:
Address navigation issues in some edge cases using image detection and OCR reading 🐒🔍📖
Jira:
Updated Jira Projects API to fetch projects in real mode 📊🔄
Add backporting of tickets in case Jira project settings are changed ↩️🎫
Mobile:
Support for Different Regions in iOS Downloader: Added support for downloading iOS applications in Japan, Russia, UK, Germany, and China 🌏📱🇯🇵🇷🇺🇬🇧🇩🇪🇨🇳.
We are excited to announce the addition of CircleCI and AppCenter CI/CD integrations.
📢 CircleCI
With the CircleCI orb, you can integrate security scanning into your deployment
pipeline and enhance the security of your applications during the deployment process.
To get started, refer to the detailed steps provided in our integration documentation here.
📢 AppCenter
With AppCenter integration, you are able to incorporate Ostorlab security scanning
into your CI/CD pipelines.
For more information and instructions, please refer to the
documentation here.
Our latest release is packed with numerous enhancements, designed to elevate your security experience with Ostorlab.
From attack surface discovery to vulnerability detection and reporting, we have made significant strides to make your
security journey smoother than ever before.
Here are some of the highlights of our latest release:
Faster and easier navigation of artifacts and scan coverage;
Weekly reporting that provides valuable insights into trends and patterns;
Export button to CSV from both scan and tickets menus for enhanced convenience;
Over 50 new vulnerability detections, further improving the quality of our security assessments;
Improved SMS 2-FA based authentication, providing an added layer of security;
Extraction of dynamic routing from popular web frameworks like Next.js and Nuxt.js, helping you identify potential
vulnerabilities in your web applications more efficiently.
New Automation Rules
We are excited to announce the release of our new automation rules features, designed to streamline your workflow and
simplify your security management. With these new features, you can now automatically assign owners, set tags, send
email notifications, and more.
Here are a few examples of how the new automation rules can come in handy:
Automatically assign vulnerabilities to a user for remediation;
Confirm discovered assets and assign an owner automatically;
Apply specific tags to assets that match certain filters;
Receive email notifications when assets match a specific pattern, such as when a potential service has SSH exposed on
a non-default port.
Flexible Yearly Plans: Use Your Testing Slots Anytime, Anywhere
We are thrilled to announce that we have made some significant changes to our yearly plans based on your feedback. One
of the most requested features from our users has been the ability to adjust the usage of their yearly plans to meet
spikes in testing needs, without losing testing slots during periods of inactivity or development.
We are delighted to inform you that we have taken note of your feedback, and have made necessary adjustments to our
yearly plans, allowing access to all testing slots at any time. Additionally, you can now rest easy knowing that unused
testing slots will not be lost during a particular month.
These updates are already available to our existing users with an active plan, and for those who wish to subscribe to a
yearly plan.
We hope these changes will enable you to maximize the value of our service and meet your testing requirements without
any hassle.
We've made a long list of changes to improve the experience of detecting and navigating your attack surface.
Here are just some of the cool new features:
Narrow down on any asset using the filter button and access its direct asset connections or even its 2nd and 3rd
connections. This feature helps us understand how the attack surface discovery detects new assets. A great example is
a user with his work email registering multiple new domains that weren't tracked anywhere before. You know yourself,
John from Marketing 🙂.
Addition of powerful new search features like searching by multiple ownership types or excluding assets matching a
search pattern.
Convenient quick action buttons to trigger a scan or add a monitoring rule. If you are curious about that asset's
vulnerabilities, just hit "Quick Scan".
Bulk asset import makes it a breeze to add many assets by simply uploading a CSV file.
Access asset data directly from the attack surface graph with information such as DNS Records, open services, used
libraries, Whois data, in-use certificates, and much more.
A deeper look at your Mobile Applications Attack Surface.
Attack surface is not just about domain names and IP addresses, especially if you are a mobile-first company.
Ostorlab’s attack surface now detects and tracks mobile applications' attack surface, be it what is the app exposing,
what dangerous features is it using, what libraries are used and most importantly tracking their changes and when they
are changed. It will even list all backend systems and indicate their geographical location.
Mobile Scan Summary
Our latest work includes a new scan insights feature with a summary of scan reports and actionable feedback on how to
improve the security of your app. Augmented with attack surface data, the report provides useful insight into the impact
of the identified issues.
Faster Scans 🏎🏎🏎
If you have been using the platform for a while, you might have noticed that scans run faster, much faster. This has
required a substantial amount of engineering effort to increase speed without sacrificing quality. This is only the
first step toward achieving a full scan completion in under an hour which we aim to achieve before the end of this year.
🎉 Improved metrics with over 100 new metrics collected and a new dashboard showing scanning health, remediation improvement and attack surface evolution.
🔒 Attack surface tracking and historization, allowing you to know which services and libraries are present and when they were introduced.
🚀 Release of Attack Surface asset discovery, a graph-based approach with improved coverage for better asset detection.
⚡ Ability to configure assets with owners, color, notes, tags, location, and risk rating to ease adding context and influence vulnerability risk rating.
📘 Collection of asset history with information like DNS, open services and ports, tech stacks, whois. This offers the ability to track changes and monitor evolution over time.
🔬 Out-of-the-box scan instrumentation with opentelemetry and improved debugging of Ostorlab's open-source engine.
💻 Open-sourcing of several new detectors for domain hijacking, recon, fingerprinting ...
🎌 Ability to search applications on the store by country.
📄 Certificate-based authentication for Mobile Scans and script-based authentication for web scans.
🐒 New analysis environment for web applications with intercepted traffic and visualization of crawl coverage (this one looks awesome).
📝 Improved plans management for large organizations with the ability to transfer subscriptions and resize them on the fly.
🎩 Improved Jira integrations with configuration test, risk rating selection, and improved information synchronization.
👾 Improve detection of Flutter and React-Native vulnerabilities
👾 Add detection of several new classes of vulnerabilities, including Log4J
🎉 Open-Sourcing of Ostorlab scanning engine adding support for local runtime and Windows-based environment
Adding Ostorlab Agent store to easily access and publish scan agents
🚀 New agent-group definition to define composable scan agents
🚀 New agent-group UI builder and YAML definition file generation
🚀 Automated agent builder from repo that automatically detects and builds new releases
🏫 New learning center exposing documentation, videos, scan samples and vulnerability knowledge base
🎉 Open-Sourcing Ostorlab knowledge base
🎉 Open-Sourcing agents for popular tools Nmap, Tsunami, Nuclei and Virustotal
🎉 Open-Sourcing agents for improved vulnerability tracking (Tracker, Persist Vulnz, Inject Asset and Debug)
🔐 Improve account security with OTP (One-Time-Password) support
🔨 Add integrations portal to configure newly supported integrations
🔨 Add Jira, Gitlab and Jenkins for CI/CD and ticketing integration
🔐 Add SAML-based authentication for SSO enterprise access
Release of the Remediation API with better vulnerability lifecycle management, allowing detection of fixed vulnerabilities and re-opens, and maintaining the status of exceptions and false positives
New dashboard offering a glass box view into security posture and urgent tasks
Management of patching and priority policies with SLO and tools to track and measure fix performance
3rd Party integrations with Jira
Add ticket timeline with dynamic setting of start and end time
Add grouping of tickets by status, priority and tag
Focus on improving the Monkey Tester to improve coverage adding support for more strategies and advanced test case generation. Work also included better handling of Application packaging and management of our fleet of mobile devices.
🤖 An all-around improved Monkey Tester with highly improved code coverage
💐 UI Call coverage visualisation to understand what has been done
Focus on improving Web Scanner detection, adding several features, like Backend fingerprinting, adding more vulnerabilities and improving Backend Vulnerability representation model. Work also included improving Monkey Tester to support more advanced testing strategies. Key updates:
🤖 Adding support for multiple strategies to Monkey Tester
🪲 Multiple bug fixes and improvements to Backend Scanner, XSS Scanner, Fingerprint detections
🤖 Scale search indexing infrastructure to handle the increase in covered assets