Documentation
Ostorlab - Application Security Testing
Home
Getting Started
Scanning
Attack Surface
Remediation
Policies
Integrations
Organisation
Plans
Privacy
Security
API
FAQ
Ostorlab Docs
A comprehensive guide to using Ostorlab.
Getting Started
Dashboard
Scanning
Run a scan
Manage Scans
Report
Attack Surface
Discovery
Data
Monitoring
Remediation
Ticketing
Views
Policies
Automation Rules
Integrations
CI/CD
Ticketing
SSO
Organisation
Setup
Users
Settings
Plans
Add Plan
Transfer plans
Privacy
Privacy Policy Analysis
Security
Mobile App Security Testing
Streamlining Mobile App Security in the SDLC with Ostorlab
Detection
API
GraphQL API
FAQ
Getting Started
Dashboard
Overview
Scans & Risk
Remediation
Inventory & Attack Surface
Remediation Calendar
Scanning
Run a scan
Scan a Mobile Application from the Store
Scan an iOS Mobile Application using TestFlight
Scan a Web Application
Authenticated Web Application Scan
Authenticated Scans
Scans with SBOM or Lockfile
Scan Networks
Scan Assets from the inventory
Scan with custom config
Scan Web App with Chrome's Recorder Puppeteer Script
Scan with extra custom Agents
How to add a new agent with a private repository
Manage Scans
Stop Scan
Archive Scan
Report
Generate PDF report
Risk Rating
Change Risk Rating
Analysis
IDE
Check Call Coverage
Monitoring
Create Monitoring Rule
On-prem Scanners
Run a scan
Attack Surface
Discovery
Data
Monitoring
Search and Navigation
Inventory
Add Assets
Discover Assets
Edit Potential Owners
Bulk Import Assets
Edit Assets
Delete Asset
Filter by Asset
Exclude Asset
Graph
Share a Graph
Location
Add Location
Owners
Add Owner
Remediation
Ticketing
Guide
Create Ticket
Comment on Ticket
Add a Checklist to a Ticket
Configure Patching Policy
Vulnerabilities and Tickets Management
Views
Kanban
Timeline
Policies
Automation Rules
Integrations
CI/CD
GitHub
GitLab
Jenkins
Azure DevOps
App Center
CircleCI
Bitbucket
GoCD
TeamCity
Slack
Ticketing
Jira
SSO
Guide
SAML with Azure Active Directory
SAML with Google Workspace (formerly G Suite)
SAML with Okta
SAML with OneLogin
Organisation
Setup
Create Organisation
Users
User Roles
Add Users
Switch Organisation
Modify User Permissions
Disable email notifications
Settings
Add Two-factor authentication device to your account
Plans
Add Plan
Transfer plans
Privacy
Privacy Policy Analysis
Security
Mobile App Security Testing
Streamlining Mobile App Security in the SDLC with Ostorlab
Detection
Platform Support
Security at Ostorlab
Vulnerability Disclosure
Knowledge Base
Debug mode enabled
Debug Symbols Present in the Application
ELF binaries do not enforce secure binary properties
Facebook React development settings exposed
Attribute hasFragileUserData not set
Insecure Network Configuration Settings
Unused permissions (overprivileged)
Application code not obfuscated
Command Injection
Notification Spoofing
Use of Wifi API that contains or leaks sensitive PII
Android Package Context created without security restrictions
Exported activities, services and broadcast receivers list
Application prevents taking screenshots
List of JNI methods
APK attack surface
Application certificate information
Classes list
Hardcoded strings list
Recorded calls to dynamic code loading API
Recorded calls to command execution API
Recorded calls to Crypto API
Recorded calls to FileSystem API
Recorded calls to Hash API
Recorded calls to HTTP API
Recorded calls to Intent API
Recorded calls to Inter-Process-Communication (IPC) API
Recorded calls to logging API
Recorded calls to Process API
Recorded calls to Serialization API
Recorded calls to Shared Preferences API
Recorded calls to SQLite query API
Recorded calls to TLS Pinning API
Recorded calls to TLS API
Recorded calls to dangerous WebView settings API
Implementation of a FileObserver
APK files list
Hardcoded SQL queries list
Hardcoded urls list
Declared permissions list
Android Manifest
Obfuscated methods
Implementation of a WebViewClient
Broadcast receiver dynamic registration
Call to Android Security API
Call to Bluetooth and BLE API
Call to Crypto API
Call to delete file API
Call to dynamic code loading API
Call to command execution API
Call to External Storage API
Call to Inter-Process-Communication (IPC) API
Call to logging API
Call to native methods
Call to Random API
Call to Reflection API
Call to Socket API
Call to SQLite query API
Call to TLS API
Call to dangerous WebView settings API
Call to XML parsing API
Call to ZIP API
Expansion APK enabled
Attribute requestLegacyExternalStorage set
Task Hijacking
Undeclared Permissions
Attribute usesCleartextTraffic set
Deprecated Target API Version
Intent Spoofing
Android Sensitive data stored in keyboard cache
Application signed with an expired certificate
Facebook SDK debug mode enabled
Insecure File Provider Paths Setting
Abuse of mobile network connection
Android Class Load Hijacking
addJavaScriptInterface Remote Code Execution
Webview Remote Debugging Enabled
Implicit PendingIntent
Use of an insecure Bluetooth connection
Android Class Loading Hijacking
Insecure Shared Preferences Permissions
Insecure Register Receiver Flag
Intent Redirection
File Path Traversal
Redis Library detected
Webview loadurl injection
Backup mode enabled
Services declared without permissions
Source to Sink
Backup mode disabled
Application checks rooted device
Debug mode disabled
Secure Network Configuration Settings
Dependency Confusion
Use of Deprecated Component
Memory Leak
Format String Vulnerability
Insecure JWT Signature Validation
Domain name and IP address reputation report
VirusTotal scan flagged malicious asset(s) (MD5 based search)
Tapjacking Vulnerability
Template Injection
XPath Injection Vulnerability
Obfuscated Flutter code
List of calls to dangerous low-level C functions
Calls to Privacy API
Cryptographic Vulnerability: Insecure Algorithm
Cryptographic Vulnerability: Insecure mode
Use non-random initialization vector (IV)
Insecure Random Seed
Use of Outdated Vulnerable Component
Process crashes
Regular expression denial of service
Biometric Authentication Bypass
Collection of Users' Crash Logs without Consent
Collection of Users' Purchase History in Privacy Policy
Collection of Users' Text Messages in Privacy Policy
Contacts Data Type Declaration Mismatch
Contact Information missing in Privacy Policy
Cryptographic Vulnerability: Hardcoded Key
Device ID Data Type Declaration Mismatch
Health and Biometric Data Type Declaration Mismatch
HTML Injection Vulnerability
In-App Search History Collection in Privacy Policy
Insecure Dynamic Library Loading
Insecure hostname validation check
Insecure password storage
Insecure Filesystem Access
Insecure Storage of Application Data
Credentials exposed in logs
Credentials exposed in URLs
Personally Identifiable Information (PII) Leakage
Missing Declaration of Approximate Location Collection in Privacy Policy
Missing Declaration of Contact Collection in Privacy Policy
Missing Declaration of Device or Other IDs Collection in Privacy Policy
Missing Declaration of Email Address Collection in Privacy Policy
Missing Declaration of Email Collection in Privacy Policy
Missing Declaration of Health Info Collection in Privacy Policy
Missing Declaration of Installed Apps Collection in Privacy Policy
Missing Declaration of Phone Number Collection in Privacy Policy
Missing Declaration of Photo Collection in Privacy Policy
Missing Declaration of Precise Location Collection in Privacy Policy
Missing Declaration of User Files Collection in Privacy Policy
Missing Declaration of Video Collection in Privacy Policy
Missing Declaration of Voice or Sound Recording Collection in Privacy Policy
Missing Declaration of Web Browsing History Collection in Privacy Policy
Missing GDPR Rights Reference in Privacy Policy
Missing Legal Basis in Privacy Policy
Missing Mention of Users' Right to Know in Privacy Policy
Missing Mention of User Data Access in Privacy Policy
Missing Mention of User Data Correction Rights in Privacy Policy
Missing Mention of User Data Deletion in Privacy Policy
Missing Opt-out Information in Privacy Policy
Missing Privacy Policy Disclosure for Calendar Events Collection
Missing Privacy Policy Disclosure for Fitness Info Collection
Missing Privacy Policy Link
Missing Third-Party Sharing Information in Privacy Policy
OAuth Account Takeover by hijacking custom schemes
Phone Number Data Type Declaration Mismatch
PII Categories Data Type Declaration Mismatch
PII Data Type Declaration Mismatch
Precise Location Data Type Declaration Mismatch
Privacy Policy CCPA Rights Reference missing
Privacy Policy Data Retention Description
Privacy Policy Personal Data Categories Disclosure mismatch
Sensitive Information Data Type Declaration missing
Mobile SQL Injection Vulnerability
Text Messages Data Type Declaration Mismatch
User Account Info Data Type Declaration Mismatch
User ID Collection in Privacy Policy
Cryptographic Vulnerability: Weak Hashing Algorithm
XML Injection
ZIP Vulnerabilities: Path Traversal, Zip Symbolic Link, and Zip Extension Spoofing
Port open on device
Continuous collection of GPS location
Secret information stored in the application
URL Manipulation
Collection of Users' Crash Logs without Consent
Collection of Users' Purchase History in Privacy Policy
Collection of Users' Text Messages in Privacy Policy
Contacts Data Type Declaration Mismatch
Contact Information missing in Privacy Policy
Missing Declaration of Approximate Location Collection in Privacy Policy
Missing Declaration of Contact Collection in Privacy Policy
Missing Declaration of Device or Other IDs Collection in Privacy Policy
Missing Declaration of Email Address Collection in Privacy Policy
Missing Declaration of Email Collection in Privacy Policy
Missing Declaration of Health Info Collection in Privacy Policy
Missing Declaration of Installed Apps Collection in Privacy Policy
Missing Declaration of Phone Number Collection in Privacy Policy
Missing Declaration of Photo Collection in Privacy Policy
Missing Declaration of Precise Location Collection in Privacy Policy
Missing Declaration of User Files Collection in Privacy Policy
Missing Declaration of Video Collection in Privacy Policy
Missing Declaration of Voice or Sound Recording Collection in Privacy Policy
Missing Declaration of Web Browsing History Collection in Privacy Policy
Device ID Data Type Declaration Mismatch
Missing GDPR Rights Reference in Privacy Policy
Health and Biometric Data Type Declaration Mismatch
In-App Search History Collection in Privacy Policy
Missing Legal Basis in Privacy Policy
Missing Mention of Users' Right to Know in Privacy Policy
Missing Mention of User Data Access in Privacy Policy
Missing Mention of User Data Correction Rights in Privacy Policy
Missing Mention of User Data Deletion in Privacy Policy
Missing Opt-out Information in Privacy Policy
Phone Number Data Type Declaration Mismatch
PII Categories Data Type Declaration Mismatch
PII Data Type Declaration Mismatch
Precise Location Data Type Declaration Mismatch
Privacy Policy CCPA Rights Reference missing
Privacy Policy Data Retention Description
Missing Privacy Policy Disclosure for Calendar Events Collection
Missing Privacy Policy Disclosure for Fitness Info Collection
Missing Privacy Policy Link
Privacy Policy Personal Data Categories Disclosure mismatch
Domain name and IP address reputation report
Secure Virustotal malware analysis (MD5 based search)
Sensitive Information Data Type Declaration missing
Text Messages Data Type Declaration Mismatch
Missing Third-Party Sharing Information in Privacy Policy
User Account Info Data Type Declaration Mismatch
User ID Collection in Privacy Policy
Unclaimed Cocoapods Vulnerability
Malformed ATS Configuration
Automatic Reference Counting (ARC) not enforced
Address Space Layout Randomization (ASLR) not enforced
Stack smashing protection not enforced
iOS URL Scheme Injection
IPA contains only bitcode
Mach-O encrypted
Mach-O entitlements
IPA files list
IPA Frameworks list
IPA Plist files
IPA symbol table
URL Scheme list
Strings Bplist files
Debug Symbols Present in the Application
iOS Sensitive data stored in keyboard cache
iTunes UI File Sharing Enabled
Insecure Keychain Storage
Missing privacy manifest file
Insecure App Transport Security (ATS) Settings
iOS URL Scheme Hijacking
Application implements anti-debug techniques
Privacy manifest files
No sensitive data stored outside App
Insecure whitelist configuration
Source Map Code Leak
Cordova debug mode enabled
Cordova Cross-Site Scripting (XSS)
Insecure whitelist
Public AWS S3 bucket with file listing enabled
Secure Firebase Database Permissions
Subdomain Takeover
External DNS interaction
Network Port Scan
Account Takeover Vulnerability
Code Injection
Command Injection
Expression Language (EL) Injection
File inclusion vulnerability
NoSQL Injection
Server-side template injection (SSTI)
Server Side Inclusion
SQL injection
Unrestricted file upload
XPath Injection
XML External Entity (XXE) Injection
Cookie missing security attributes
Insecure HTTP Header Setting: Content Security Policy (CSP)
Insecure HTTP Header Setting: Content-Type
Insecure HTTP Header Setting: HTTP Strict Transport Security (HSTS)
Insecure HTTP Header Setting: Insecure Referrer Policy
Insecure HTTP Header Setting: X-Frame-Options
Insecure HTTP Header Setting: X-XSS-Protection Header
Strict-Transport-Security (HSTS) not enforced
CRLF Injection
Publicly exposed Firebase Database
Insecure Authorization Restriction
Insecure Direct Object Reference
LDAP Injection
Heartbleed (CVE-2014-0160)
Insecure TLS certificate validation (accept self-signed certificate)
Insecure Object Serialization
Path Traversal
XML Injection
Cross-Site Scripting (XSS)
TLS/SSL Server Configuration Settings
Generic Web Entry
Interesting response
Django Debug Mode Enabled
Username enumeration
Insecure HTTP Header Setting
CORS Misconfiguration Vulnerability
Insecure Cross-Origin Resource Sharing (CORS) policy
Insecure TLS Certificate Validation
Anonymous unauthenticated server accepted
Use of deprecated TLS/SSL protocol version
Clear text HTTP request
Insecure TLS Ciphers supported
Insecure TLS certificate domain name validation
HTTP Host Header Poisoning
Insecure Access Control
Secret information transmitted over the network
Enforce proper authentication
Secure TLS certificate validation
Assign a unique name and/or number for identifying and tracking user identity
API
GraphQL API
FAQ