New Features and Roadmap

Over the last few months, the Ostorlab team has been hard at work adding exciting new features. Some of these have already hit production, or will do so in the upcoming weeks and months.

The most exciting feature we have been busy with is major work on the backend scanning front. Ostorlab is now able to crawl HTML endpoints, supporting JavaScript-heavy websites and single-page applications (SPA) based on frameworks like Angular, React or Vue.js.

The new backend is augmented with a new Cross-Site Scripting (XSS) scanner based on headless Chrome and a new backend scanner using a novel probabilistic approach. The new backend scanner supports SQL injection in multiple contexts (where clause, sort clause, group by, string ...), Jinja template injection and command injection. We are planning to add support for over 100 other backend vulnerabilities in the upcoming months, like Mako template injection, Spring expression injection, etc.

Ostorlab has also gone through a major rework of its infrastructure, changing its scanning scheduler to offer increased scalability and robustness.

Other changes include multiple bug fixes, UI tweaks, false-positive fixes and new detection rules, like network security configuration rules.

In the upcoming months, the Ostorlab team will be focused on delivering new features or extending support for existing ones. All enterprise scans will expose an Artifact section collecting traffic logs, screenshots, decompiled source code, etc. The feature is almost done and will hit production sometime next week.

The Ostorlab team will also be focusing its efforts on enhancing support for Xamarin. The taint engine will add support for .NET IL and source code decompilation. The backend scanner will continue its progress, adding more rules and enhancing detection of persistent XSS and postMessage XSS.

The Ostorlab team welcomes all feedback and will be happy to answer all your questions.