Improved Attack Surface Discovery, Mobile and Web Security Scanning

We are proud to announce our largest release yet, packed with features touching open-source, mobile scanning, web scanning, a brand new attack surface capability, improvements to the Jira integration, analysis environment search, the remediation engine and plan management for large teams.

Open-Source: Out-of-the-box instrumentation and more detectors.

The Ostorlab open-source engine has added an out-of-the-box instrumentation capability based on OpenTelemetry, offering a detailed view into what is happening inside a scan.

The instrumentation is enabled by passing the --tracing flag; all agents built with the latest version automatically have instrumentation enabled once that flag is passed.


We have also added a set of features to help develop new agents, such as exposing the RabbitMQ UI and improved fixtures that can be used with the existing --debug and --follow <agent_key> flags.

We have also released more open-source agents and detectors and added several improvements to existing ones.

Say you want to detect domain hijacking for all subdomains of a particular domain: use subdomain enumeration tools like amass and subfinder to list them, and a DNS brute-forcing tool like dnsx to look up more. With Ostorlab, chaining these tools is as simple as:

ostorlab scan run --agent agent/ostorlab/subfinder --agent agent/ostorlab/amass --agent agent/ostorlab/dnsx --agent agent/mohsinenar/subjack domain-name <target-domain>

If you are unfamiliar with Ostorlab open-source, check out the first scan tutorial here.

Attack Surface: Find unknown assets and track their changes over time.

The newly released attack surface comes with capabilities that are part of all our customers' plans, with no extra charges whatsoever.

The new attack surface allows for powerful external asset detection powered by graph-based algorithms to detect new potential assets. The new approach allows for the detection of more assets and even provides an understanding of how an asset connects to the rest of the infrastructure.


The attack surface also introduces a new inventory system with asset ownership. Owners help identify the responsible person or team to handle fixes. Owners respect a hierarchical representation to align with internal organization structures.

In addition to defining an asset owner, you may define an asset risk rating to improve vulnerability rating. The new risk rating follows the CVSSv3 standard. You can also add tags and notes, customize the asset color in the graph, and even define a hierarchical logical location.

This information helps provide more context on the asset and also eases searching and tracking.

Assets' historical information is now stored and indexed for searching, and a powerful user interface helps you understand what has changed, be it DNS information, whois data, geolocation, open ports and services, fingerprints, certificates, screenshots, and much more.


This information can help answer questions like:

  • What services have recently opened port 443 or 80?
  • What domains host an open Jira?
  • What services have a PHP version older than 4.5?
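Answering questions like these amounts to diffing successive asset snapshots and comparing fingerprinted versions numerically rather than as strings (so "4.10" is not older than "4.5"). The following is an added example, not Ostorlab code; the snapshot format and the sample inventory are constructed for illustration.

```python
"""Diff two observations of an asset inventory: which assets newly opened a
watched port, and which run a fingerprinted product older than a threshold."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Snapshot:
    """One observation of an asset at a point in time (constructed format)."""
    asset: str
    taken: str                                   # ISO date of the observation
    open_ports: frozenset[int]
    fingerprints: dict[str, str] = field(default_factory=dict)  # product -> version


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '4.10.2' into (4, 10, 2) so comparisons are numeric, not lexical."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def newly_opened(before: dict[str, Snapshot], after: dict[str, Snapshot],
                 watched: set[int]) -> dict[str, set[int]]:
    """Assets where a watched port is open in `after` but was not in `before`.
    An asset absent from `before` is treated as having had no open ports."""
    result: dict[str, set[int]] = {}
    for name, snap in after.items():
        previous = before[name].open_ports if name in before else frozenset()
        opened = (snap.open_ports - previous) & watched
        if opened:
            result[name] = set(opened)
    return result


def older_than(snaps: dict[str, Snapshot], product: str, threshold: str) -> list[str]:
    """Assets whose fingerprinted `product` version is strictly below `threshold`."""
    limit = parse_version(threshold)
    return sorted(name for name, snap in snaps.items()
                  if product in snap.fingerprints
                  and parse_version(snap.fingerprints[product]) < limit)


# Constructed sample inventory: the same assets observed on two days.
MONDAY = {
    "www": Snapshot("www", "2023-01-02", frozenset({443}), {"nginx": "1.22"}),
    "blog": Snapshot("blog", "2023-01-02", frozenset({22}), {"php": "4.4.9"}),
}
TUESDAY = {
    "www": Snapshot("www", "2023-01-03", frozenset({80, 443}), {"nginx": "1.22"}),
    "blog": Snapshot("blog", "2023-01-03", frozenset({22, 443}), {"php": "4.4.9"}),
    "shop": Snapshot("shop", "2023-01-03", frozenset({443}), {"php": "4.10"}),
    "legacy": Snapshot("legacy", "2023-01-03", frozenset({8080}), {"php": "4.3.11"}),
}
```

Running `newly_opened(MONDAY, TUESDAY, {80, 443})` reports www (80), blog (443) and the newly seen shop (443); `older_than(TUESDAY, "php", "4.5")` returns blog and legacy but not shop, because 4.10 is newer than 4.5.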

While already offering powerful features, the attack surface is still in its infancy as we have a roadmap of features to add.

Mobile: Store country search and certificate-based authentication

Ostorlab has improved scanning from the store with the ability to customize your search by country. This really makes it much easier to find applications restricted to a particular country.


We have also added support for certificate-based authentication. PEM certificates can now be installed before a scan starts, a common requirement of enterprise applications.

The Ostorlab analysis environment has also seen a major improvement in its search thanks to improved data indexing. Searching decompiled code, decompiled configuration or even binary files is now milliseconds away and highly accurate, which makes manual analysis work much more pleasant.

Web: Script-based authentication and the ability to view crawling and HTTP requests and responses

The Ostorlab web scanner has also seen major improvements: we have added support for script-based authentication. You can now record your flow using Chrome Recorder and upload it to Ostorlab's scanner. This helps with complex authentication flows and avoids the hassle of writing buggy and hard-to-maintain test scripts.

You can also now view all crawling actions in the analysis call coverage menu and see all traffic in the API calls menu. This greatly helps with validating coverage and confirming that authentication succeeded during testing.


We have also added support for maintaining sessions stored in local storage rather than in cookies. Storing sessions in local storage is a common practice for JWT or token-based authentication: the token must be readable from JavaScript, and developers prefer not to have session tokens sent automatically with every request as cookies are.

Local storage support is critical to ensure the authenticated parts of the application are covered during testing.

Monitoring: time-based monitoring with cron rules

Ostorlab already supported continuous monitoring of mobile stores; we now support continuous monitoring for all asset types (web apps, IP addresses) and have added cron-based scheduling to define the frequency at which your scans run.

Cron-based monitoring is flexible and simple and helps address compliance requirements to run scans at a particular frequency.

Plans: Improved management across organizations

As we continue to enroll larger organizations on our platform, we have added a set of requested features to ease the management of plans across multiple organizations. You can now centrally manage plans and transfer them from one organization to another. You may also change your plans at any time.

Jira Integration: Easier configuration and customization

Jira integration has gone through multiple improvements to help configure and customize it. We have reworked the documentation to explain all the new and exciting features, which you can find here:


We have also added better field synchronization and the ability to define which risk ratings must be synced. You can also now test a configuration and debug what is not working with clearer settings.

Remediation: Improved search and editing

The remediation engine has also undergone minor improvements, from a reworked search with improved field recommendations to UI changes that make changes easier to spot.