security
Introducing Ostorlab Security Testing Benchmarks: Real Vulnerabilities, Real Impact
The first open-source benchmark suite featuring 93 realistic vulnerable mobile apps that mirror actual CVE and bug bounty findings - not theoretical textbook examples.
Mon 22 September 2025
Banking Report 2025: Security at the Core of Mobile Finance
Large-scale security analysis of 500+ top mobile banking apps reveals widespread vulnerabilities,...
Mon 15 September 2025
Automating Security Research: AI Engine Exploits Complex Blind Code Injection
Precision beats payload spray using Ostorlab's AI engine to systematically land RCE on Titiler an...
Thu 04 September 2025
AI-Powered Pentesting: A Deep Dive into Android Intent Redirection
This article showcases Ostorlab's AI Pentest Engine's process for analyzing an Android applicatio...
Sun 31 August 2025
Automating Security Research: AI Engine Exploits GCP Service Account Secret
This article presents a thorough, hands-on analysis and real-world exploitation of a hardcoded GCP service account with overprivileged Pub/Sub access discovered in a HackerOne mobile app. It details how Ostorlab’s AI-powered pentesting engine automated the full cycle—from authentication and permission enumeration to end-to-end message injection/interception—enabling remediation within four days.
From Signal to the Android SDK: Chaining Path Traversal, Mimetype Confusion, Security Check Bypass and File Descriptor Bruteforce for Arbitrary File Access
This technical analysis reveals how sophisticated attack chains—combining path traversal, symbolic link manipulation, and Android SDK quirks—can breach Signal Android's defenses to extract sensitive internal files, despite its legendary encryption remaining intact. While Signal patched these vulnerabilities within days, the discoveries offer crucial lessons about how seemingly minor bugs can be chained into powerful exploits, and why even the best security architecture needs multiple layers of defense
Latest posts
Automating Security Research: AI Engine Exploits Report Portal XXE (CVE-2021-29620)
This article presents a thorough, hands-on analysis and proof of concept for exploiting an OOB XXE vulnerability CVE-2021-29620 in Report Portal. It details how Ostorlab's AI-powered pentesting engine was used to automate the full cycle.
Thu 07 August 2025
Automating Security Research: AI Engine Exploits Zulip Stored XSS (CVE-2025-52559)
This article presents a thorough, hands-on analysis and proof of concept for exploiting the stored XSS vulnerability CVE-2025-52559 in Zulip. It details how Ostorlab's AI-powered pentesting engine was used to automate the full cycle.
Mon 28 July 2025
Know Your App's Data Habits: A Deep Dive into Our Comprehensive Privacy Analysis
Ostorlab's Privacy Scan automatically detects mismatches between what your app's privacy policy says and what it actually does. This comprehensive analysis of policy text, permissions, code, and UI elements helps mobile developers avoid compliance violations and build user trust through accurate privacy practices.
Tue 27 May 2025
Ostorlab Security Scanner GitHub Integration
The Ostorlab Security Scanner GitHub Integration enhances mobile app development workflows by embedding automated security directly into the CI/CD pipeline. It offers a GitHub Action for scanning mobile application on every code push. It adds inline vulnerability insights directly to pull requests, highlighting the exact code changes that introduced issues and suggesting one-click fixes developers can apply without leaving GitHub.
Wed 21 May 2025
Scan, Sync, Remediate: Ostorlab Meets Vanta for Faster Audits
This article announces the new integration between Ostorlab and Vanta, explains how it works, outlines the setup process, and highlights the key benefits for security and compliance teams.
Tue 20 May 2025
Expanded Privacy Analysis, Attack Surface Profiling, and GitHub Source Mapping Improvements
Ostorlab's May 2025 update delivers comprehensive privacy analysis capabilities with 21 new data collection categories and enhanced verification tools. This release introduces specialized Attack Surface scan profiles for optimized security assessments, adds GitHub source code integration for precise vulnerability mapping, and implements QPS rate limiting for controlled scanning. Additional improvements include mobile scan URL regex controls, streamlined Jira integration, and expanded fingerprinting capabilities for improved detection accuracy.
Mon 12 May 2025
Pre-Auth Root RCE Vulnerability in CyberPanel: Deep Dive Exploit Analysis
A technical analysis of a vulnerability in CyberPanel, a Pre-Auth Root RCE, including confirmed exploitation paths, investigated components, and research methodology findings.
Wed 30 October 2024
Defending Against GraphQL Attacks: A Deep Dive into Common Vulnerabilities
This article is an in-depth look at the most common GraphQL vulnerabilities, why they occur, and how they can be mitigated.
Mon 21 October 2024
Changelog
View all changesiOS TestFlight scan, Slack Integrations and other improvements
Mon 10 June 2024
Security Enhancements, Compliance Mapping, and User Experience Upgrades
Fri 13 October 2023