Documentation
Home
Initializing search
Login
Demo
Home
Getting Started
Scanning
Attack Surface
Remediation
Integrations
Organisation
Plans
Tutorials
Security
API
FAQ
Ostorlab Docs
A comprehensive guide to using Ostorlab.
Getting Started
Getting Started
Dashboard
Scanning
Run a scan
Manage Scans
Report
View more...
Attack Surface
Discovery
Data
Monitoring
View more...
Remediation
Ticketing
Views
Integrations
CI/CD
Ticketing
SSO
Organisation
Setup
Users
Settings
Plans
Add Plan
Transfer plans
Tutorials
Run scan with Open-Source scanner
Life of a Scan
Write An Agent
View more...
Security
Mobile App Security Testing
Streamlining Mobile App Security in the SDLC with Ostorlab
Detection
View more...
API
GraphQl API
FAQ
FAQ
Documentation
Home
Getting Started
Getting Started
Getting Started
Dashboard
Dashboard
Overview
Scans & Risk
Remediation
Inventory & Attack Surface
Remediation Calendar
Scanning
Scanning
Run a scan
Run a scan
Scan a Mobile Application from the Store
Scan a Web Application
Authenticated Web Application Scan
Authenticated Scans
Scans with SBOM or Lockfile
Scan Networks
Scan Assets from the inventory
Scan with custom config
Scan Web App with Chrome's Recorder Puppeteer Script
Manage Scans
Manage Scans
Stop Scan
Archive Scan
Report
Report
Generate PDF report
Risk Rating
Analysis
Analysis
IDE
Check Call Coverage
Monitoring
Monitoring
Monitoring
Create Monitoring Rule
On-prem Scanners
On-prem Scanners
Run a scan
Attack Surface
Attack Surface
Discovery
Data
Monitoring
Inventory
Inventory
Add Assets
Discover Assets
Bulk Import Assets
Edit Assets
Delete Asset
Filter by Asset
Exclude Asset
Graph
Graph
Share a Graph
Location
Location
Add Location
Owners
Owners
Add Owner
Remediation
Remediation
Ticketing
Ticketing
Guide
Create Ticket
Comment on Ticket
Configure Patching Policy
Vulnerabilities and Tickets Management
Views
Views
Kanban
Timeline
Integrations
Integrations
CI/CD
CI/CD
GitHub
GitLab
Jenkins
Azure DevOps
Microsoft AppCenter
CircleCI
Bitbucket
Ticketing
Ticketing
Jira
SSO
SSO
Guide
Saml with Azure Active Directory
Saml with Google Workspace (formerly G Suite)
Saml with Okta
Saml with OneLogin
Organisation
Organisation
Setup
Setup
Create Organisation
Users
Users
Add Users
Switch Organisation
Modify User Permissions
Disable email notifications
Settings
Settings
Add Two-factor authentication device to your account
Plans
Plans
Add Plan
Transfer plans
Tutorials
Tutorials
Run scan with Open-Source scanner
Life of a Scan
Write An Agent
Tips for debugging Agents
Security
Security
Mobile App Security Testing
Streamlining Mobile App Security in the SDLC with Ostorlab
Detection
Platform Support
Product
Architecture
Security at Ostorlab
Vulnerability Disclosure
Knowledge Base
Knowledge Base
Debug mode enabled
ELF binaries do not enforce secure binary properties
Insecure Network Configuration Settings
Application code not obfuscated
Insecure File Provider Paths Setting
Command Injection
Notification Spoofing
Use of Wifi API that contains or leaks sensitive PII
Exported activites, services and broadcast receivers list
Exported activites, services and broadcast receivers list
Exported activites, services and broadcast receivers list
List of JNI methods
APK attack surface
Application certificate information
Classes list
Hardcoded strings list
Recorded calls to dynamic code loading API
Recorded calls to command execution API
Recorded calls to Crypto API
Recorded calls to FileSystem API
Recorded calls to Hash API
Recorded calls to HTTP API
Recorded calls to Intent API
Recorded calls to Inter-Process-Communication (IPC) API
Recorded calls to logging API
Recorded calls to Process API
Recorded calls to Serialization API
Recorded calls to Shared Preferences API
Recorded calls to SQLite query API
Recorded calls to TLS Pinning API
Recorded calls to TLS API
Recorded calls to dangerous WebView settings API
Implementation of a FileObserver
APK files list
Hardcoded SQL queries list
Hardcoded urls list
Declared permissions list
Android Manifest
Obfuscated methods
Implementation of a WebViewClient
Broadcast receiver dynamic registration
Call to Android Security API
Call to Bluetooth and BLE API
Call to Crypto API
Call to delete file API
Call to dynamic code loading API
Call to command execution API
Call to External Storage API
Call to Inter-Process-Communication (IPC) API
Call to logging API
Call to native methods
Call to Random API
Call to Reflection API
Call to Socket API
Call to SQLite query API
Call to TLS API
Call to dangerous WebView settings API
Call to XML parsing API
Call to ZIP API
Expansion APK enabled
Attribute hasFragileUserData not set
Unused permissions (overprivileged)
Attribute requestLegacyExternalStorage set
Task Hijacking
Attribute usesCleartextTraffic set
Application signed with an expired certificate
Facebook SDK debug mode enabled
Abuse of mobile network connection
Android Class Load Hijacking
Undeclared Permissions
addJavaScriptInterface Remote Code Execution.
Webview Remote Debugging Enabled
Use of an insecure Bluetooth connection
Android Class Loading Hijacking
Insecure Shared Preferences Permissions
Redis Library detected
Stack traces reveal technical information
Untrusted External Storage File Access
Webview loadurl injection
Backup mode enabled
Services declared without permissions
Intent Spoofing
Source to Sink
Backup mode disabled
Application checks rooted device
Debug mode disabled
Secure Network Configuration Settings
Dependency Confusion
Use of Deprecated Component
Insecure hostname validation check
Protected Health Information were detected on the system
Personally Information were detected on the system
List of calls to dangerous low-level C functions
Calls to Privacy API
Virustotal malware analysis (MD5 based search)
Use of Outdated Vulnerable Component
Process crashes
Cryptographic Vulnerability: Insecure Algorithm
Cryptographic Vulnerability: Hardcoded Key
Cryptographic Vulnerability: Insecure mode
Use non-random initialization vector (IV)
Insecure password storage
Insecure Filesystem Access
Insecure Random Seed
Credentials exposed in logs
Credentials exposed in URLs
Memory Leak
port open on localhost
Continuous collection of GPS location
Sensitive data stored in keyboard cache
Secret information stored in the application
Automatic Reference Counting (ARC) not enforced
Stack smashing protection not enforced
iOS URL Scheme Injection
IPA contains only bitcode
Mach-O encrypted
Mach-O entitlements
IPA files list
IPA Frameworks list
IPA Plist files
IPA symbol table
URL Scheme list
Strings Bplist files
Debug Symbols Present in the Application
Sensitive data stored in keyboard cache
iTunes UI File Sharing Enabled
Address Space Layout Randomization (ASLR) not enforced
Insecure App Transport Security (ATS) Settings
iOS URL Scheme Hijacking
Application implements anti-debug techniques
No sensitive data stored outside App
Insecure whitelist configuration
Source Map Code Leak
Cordova debug mode enabled
Cordova Cross-Site Scripting (XSS)
Insecure whitelist
Public AWS S3 bucket with file listing enabled
Secure Firebase Database Permissions
Subdomain Takeover
External DNS interaction
Network Port Scan
Cookie missing security attributes
Insecure HTTP Header Setting: Content Security Policy (CSP)
Insecure HTTP Header Setting: Content-Type
Insecure HTTP Header Setting: HTTP Strict Transport Security (HSTS)
Insecure HTTP Header Setting: Insecure Referrer Policy
Insecure HTTP Header Setting: X-Frame-Options
Insecure HTTP Header Setting: X-XSS-Protection Header
Strict-Transport-Security (HSTS) not enforced
Insecure Direct Object Reference
Heartbleed (CVE-2014-0160)
Insecure TLS certificate validation (accept self-signed certificate)
Insecure Object Serialization
TLS/SSL Server Configuration Settings
Interesting response
Username enumeration
Generic Web Entry
Insecure HTTP Header Setting
Insecure Cross-Origin Resource Sharing (CORS) policy
SQL injection
Anonymous unauthenticated server accepted
Use of deprecated TLS/SSL protocol version
Clear text HTTP request
Insecure TLS Ciphers supported
Insecure TLS certificate domain name validation
Insecure TLS Ciphers supported
HTTP Host Header Poisoning
Insecure Direct Object Reference (IDOR)
Insecure Access Control
Unrestricted file upload
Cross-Site Scripting (XSS)
Secret information transmitted over the network
Enforcer proper authentication
Secure TLS certificate validation
Assign a unique name and/or number for identifying and tracking user identity
API
API
GraphQl API
FAQ
