Documentation
Ostorlab - Application Security Testing
English
Français
Español
日本語
简体中文
Initializing search
Login
Demo
Home
Getting Started
Copilot
Scanning
Attack Surface
Policies & Remediation
Integrations & API
Organisation
Plans
Security & Privacy
FAQ
Ostorlab Docs
A comprehensive guide to using Ostorlab.
Getting Started
Getting Started
Dashboard
Copilot
Copilot
Copilot Examples
Copilot FAQ
Scanning
Scan Profiles
Run a scan
Manage Scans
View more...
Attack Surface
Discovery
AI Agent Attack Surface Discovery
Data
View more...
Policies & Remediation
Remediation
Policies
Integrations & API
Integrations
API
Organisation
Setup
Users
Settings
View more...
Plans
Add Plan
Transfer plans
Security & Privacy
Checklists
Security
Privacy
View more...
FAQ
FAQ
Documentation
Home
Getting Started
Getting Started
Getting Started
Dashboard
Dashboard
Overview
Scans & Risk
Remediation
Inventory & Attack Surface
Remediation Calendar
Copilot
Copilot
Copilot
Copilot Examples
Copilot FAQ
Scanning
Scanning
Scan Profiles
Scan Profiles
Overview
Mobile Scan Profiles
Web Scan Profiles
Network Scan Profile
Autodiscovery Scan Profile
Run a scan
Run a scan
Scan a Mobile Application from the Store
Scan a Mobile Application from a File
Scan an iOS Mobile Application using TestFlight
Mobile Deep Agentic Scan
Mobile Shielding Scan
Whitelist domains in mobile scans
Scan a Web Application
Authenticated Web Application Scan
Web Deep Agentic Scan
Authenticated Scans
Scans with SBOM or Lockfile
Scan Networks
Scan Assets from the inventory
Scan with custom config
Scan Web App with Chrome's Recorder Puppeteer Script
Scan with extra custom Agents
Scan with UI Prompts
Mobile Scan Prerequisites
How to add a new agent with a private repository
Scan Internal Web App
AI Pentest Prompt Guide
2FA for Authenticated Scans
Manage Scans
Manage Scans
Stop Scan
Archive Scan
Report
Report
Generate PDF report
Risk Rating
Change Risk Rating
Share Scan Report
Analysis
Analysis
IDE
Check Call Coverage
AI Pentest
Monitoring
Monitoring
Monitoring
Create Monitoring Rule
Whitelist domains in mobile application monitoring rules
On-prem Scanners
On-prem Scanners
Run a scan
BYOK
BYOK
Generate a BYOK Scan Key
Use your BYOK Scan Key in a Scan Profile
Recommended BYOK Models
Cyber Models
Cyber Models
Overview
Purchase Tokens
Use Prepaid Tokens in a Scan
Attack Surface
Attack Surface
Discovery
AI Agent Attack Surface Discovery
Data
Monitoring
Search and Navigation
Inventory
Inventory
Add Assets
Discover Assets
Edit Potential Owners
Bulk Import Assets
Edit Assets
Delete Asset
Filter by Asset
Exclude Asset
Advanced Search syntax
Graph
Graph
Share a Graph
Location
Location
Add Location
Owners
Owners
Add Owner
Policies & Remediation
Policies & Remediation
Remediation
Remediation
Ticketing
Ticketing
Guide
Create Ticket
Comment on Ticket
Add a Checklist to a Ticket
Configure Patching Policy
Vulnerabilities and Tickets Management
Identify the Location of a Vulnerability from a ticket
Ticket Aggregation
Ticket Aggregation
How it works?
Configure Aggregation based on the platforms
Configure Aggregation based on the applications IDs
Views
Views
Timeline
Policies
Policies
Automation Rules
Integrations & API
Integrations & API
Integrations
Integrations
CI/CD
CI/CD
GitHub
GitLab
Jenkins
Azure DevOps
App Center
CircleCI
Bitbucket
GoCD
TeamCity
Slack
Vanta
Bitrise
Harness
Ticketing
Ticketing
Jira
ServiceNow
SSO
SSO
Guide
Saml with Azure Active Directory
Saml with Google Workspace (formerly G Suite)
Saml with Okta
Saml with OneLogin
API
API
GraphQl API
Organisation
Organisation
Setup
Setup
Create Organisation
Users
Users
User Roles
Add Users
Switch Organisation
Modify User Permissions
Disable email notifications
Settings
Settings
Add Two-factor authentication device to your account
Add Organisation Tags
Owner-Based RBAC Feature
Access
Access
Manage Access and Attack Surface Auditor Owners
Plans
Plans
Add Plan
Transfer plans
Security & Privacy
Security & Privacy
Checklists
Checklists
Mobile App Security Checklist
iOS App Security Checklist
Android App Security Checklist
Flutter App Security Checklist
Security
Security
Mobile App Security Testing
Streamlining Mobile App Security in the SDLC with Ostorlab
Detection
Platform Support
Security at Ostorlab
Vulnerability Disclosure
Network IPs for Scanning and Integrations
Privacy
Privacy
Privacy Policy Analysis
Knowledge Base
Knowledge Base
ALPACA Attack in SSL/TLS
APK attack surface
APK files list
Abuse of mobile network connection
Account Takeover Vulnerability
Address Space Layout Randomization (ASLR) not enforced
Alias Overloading in GraphQL API
Android Class Load Hijacking
Android Class Loading Hijacking
Android Manifest
Android Obfuscation Detected
Android Obfuscation Not Detected
Android Package Context created without security restrictions
Android Sensitive data stored in keyboard cache
Anonymous unauthenticated server accepted
App Usage Data Collection Disclosed in Privacy Policy
App Usage Data Collection Not Disclosed in Privacy Policy
Application certificate information
Application checks rooted device
Application code not obfuscated
Application implements anti-debug techniques
Application prevents taking screenshots
Application signed with an expired certificate
Array-Based Batch Queries
Assign a unique name and/or number for identifying and tracking user identity
Attribute hasFragileUserData not set
Attribute requestLegacyExternalStorage set
Attribute usesCleartextTraffic set
Automatic Reference Counting (ARC) not enforced
BEAST Attack on TLS 1.0/SSL 3.0
BREACH Attack on HTTP Compression
Backdoored Cryptographic Algorithms in SSL
Backup mode disabled
Backup mode enabled
Biometric Authentication Bypass
Biometric Authentication Without Cryptographic Binding
Biometric Data Collection Disclosed in Privacy Policy
Biometric Data Collection Not Disclosed in Privacy Policy
Bleichenbacher Attack on RSA Encryption
Broadcast receiver dynamic registration
Browsing Activity Collection Disclosed in Privacy Policy
Browsing Activity Collection Not Disclosed in Privacy Policy
Brute Force Login Using Alias Batching in GraphQL API
CCS Injection Attack on OpenSSL
CERTIFICATE_EXPIRED
CORS Misconfiguration Vulnerability
CRIME Attack on TLS Compression
CRLF Injection
Call to Android Security API
Call to Bluetooth and BLE API
Call to Crypto API
Call to External Storage API
Call to Inter-Process-Communication (IPC) API
Call to Random API
Call to Reflection API
Call to SQLite query API
Call to Socket API
Call to TLS API
Call to XML parsing API
Call to ZIP API
Call to command execution API
Call to dangerous WebView settings API
Call to delete file API
Call to dynamic code loading API
Call to logging API
Call to native methods
Calls to Privacy API
Circular Fragment in GraphQL
Classes list
Clear text HTTP request
Code Injection
Collection of Device Identifier
Collection of Users' Crash Logs without Consent
Collection of Users' Purchase History in Privacy Policy
Collection of Users' Text Messages in Privacy Policy
Command Injection
Contact Information Present in Privacy Policy
Contact Information missing in Privacy Policy
Contacts Data Type Declaration Match
Contacts Data Type Declaration Mismatch
Continuous collection of GPS location
Cookie missing security attributes
Cordova Cross-Site Scripting (XSS)
Cordova debug mode enabled
Credentials exposed in URLs
Credentials exposed in logs
Criminal Record Information Collection Disclosed in Privacy Policy
Criminal Record Information Collection Not Disclosed in Privacy Policy
Cross-Site Scripting (XSS)
Cryptographic Vulnerability: Hardcoded Key
Cryptographic Vulnerability: Insecure Algorithm
Cryptographic Vulnerability: Insecure mode
Cryptographic Vulnerability: Weak Hashing Algorithm
Current Precise Location Data Collection Disclosed in Privacy Policy
Current Precise Location Data Collection Not Disclosed in Privacy Policy
DNS Check: SPF, DKIM, DMARC, and BIMI Validation
DNS High TTL Values
DNS Information Disclosure
DNS MX Record Misconfiguration
DNS Vulnerability: Dangling Domain Records
DNS Vulnerability: Malicious Content in TXT Records
DROWN Attack on SSLv2/TLS
Debug Symbols Present in the Android Application
Debug Symbols Present in the IOS Application
Debug mode disabled
Debug mode enabled
Debuggable Flag Detection Implemented
Declaration of Approximate Location Collection in Privacy Policy
Declaration of Contact Collection in Privacy Policy
Declaration of Device or Other IDs Collection in Privacy Policy
Declaration of Email Address Collection in Privacy Policy
Declaration of Email Collection in Privacy Policy
Declaration of Health Info Collection in Privacy Policy
Declaration of Installed Apps Collection in Privacy Policy
Declaration of Phone Number Collection in Privacy Policy
Declaration of Photo Collection in Privacy Policy
Declaration of Precise Location Collection in Privacy Policy
Declaration of User Files Collection in Privacy Policy
Declaration of Video Collection in Privacy Policy
Declaration of Voice or Sound Recording Collection in Privacy Policy
Declaration of Web Browsing History Collection in Privacy Policy
Declared permissions list
Dependency Confusion
Deprecated Minimum iOS Version
Deprecated Target API Version
Device ID Data Type Declaration Match
Device ID Data Type Declaration Mismatch
Device and Network Information Collection Disclosed in Privacy Policy
Device and Network Information Collection Not Disclosed in Privacy Policy
Directive Overloading in GraphQL API
Django Debug Mode Enabled
Domain name and IP address reputation report
ELF binaries do not enforce secure binary properties
Email Address Collection Disclosed in Privacy Policy
Email Address Collection Not Disclosed in Privacy Policy
Enforcer proper authentication
Expansion APK enabled
Exported activities, services and broadcast receivers list
Expression Language (EL) Injection
External Account Information Collection Disclosed in Privacy Policy
External Account Information Collection Not Disclosed in Privacy Policy
External DNS interaction
FREAK Attack on Export-Grade RSA
Facebook React development settings exposed
Facebook SDK debug mode enabled
Field Duplication in GraphQL API
File Path Traversal
File inclusion vulnerability
Format String Vulnerability
Forward Secrecy Not Implemented
Frida Instrumentation Detection Implemented
GDPR Rights Reference Present in Privacy Policy
Gender Identity Collection Disclosed in Privacy Policy
Gender Identity Collection Not Disclosed in Privacy Policy
Generic Web Entry
Genetic Data Collection Disclosed in Privacy Policy
Genetic Data Collection Not Disclosed in Privacy Policy
GraphQL Authorization Misconfiguration
GraphQL Circular References
GraphQL Debug Mode Enabled
GraphQL Schema Traversal Paths
GraphQL Tracing Enabled
HTML Injection Vulnerability
HTTP Host Header Poisoning
HTTP Method Manipulation in GraphQL
Hardcoded SQL queries list
Hardcoded strings list
Hardcoded urls list
Health and Biometric Data Type Declaration Match
Health and Biometric Data Type Declaration Mismatch
Health and Fitness Data Collection Disclosed in Privacy Policy
Health and Fitness Data Collection Not Disclosed in Privacy Policy
Heartbleed (CVE-2014-0160)
IPA Frameworks list
IPA Plist files
IPA contains only bitcode
IPA files list
IPA symbol table
Identity Verification Information Collection Disclosed in Privacy Policy
Identity Verification Information Collection Not Disclosed in Privacy Policy
Implementation of a FileObserver
Implementation of a WebViewClient
Implicit PendingIntent
In-App Search History Collection in Privacy Policy
In-App Search Queries Collection Disclosed in Privacy Policy
In-App Search Queries Collection Not Disclosed in Privacy Policy
Information Concerning Sex Life Collection Disclosed in Privacy Policy
Information Concerning Sex Life Collection Not Disclosed in Privacy Policy
Insecure Access Control
Insecure App Transport Security (ATS) Settings
Insecure Authorization Restriction
Insecure Cross-Origin Resource Sharing (CORS) policy
Insecure Direct Object Reference
Insecure Dynamic Library Loading
Insecure File Provider Paths Setting
Insecure Filesystem Access
Insecure HTTP Header Setting
Insecure HTTP Header Setting: Content Security Policy (CSP)
Insecure HTTP Header Setting: Content-Type
Insecure HTTP Header Setting: HTTP Strict Transport Security (HSTS)
Insecure HTTP Header Setting: Insecure Referrer Policy
Insecure HTTP Header Setting: X-Frame-Options
Insecure HTTP Header Setting: X-XSS-Protection Header
Insecure JWT Signature Validation
Insecure Keychain Storage
Insecure Network Configuration Settings
Insecure Object Serialization
Insecure Random Seed
Insecure Register Receiver Flag
Insecure Shared Preferences Permissions
Insecure Storage of Application Data
Insecure TLS Certificate Validation
Insecure TLS Ciphers supported
Insecure TLS Renegotiation (CVE-2009-3555)
Insecure TLS certificate domain name validation
Insecure TLS certificate validation (accept self-signed certificate)
Insecure hostname validation check
Insecure password storage
Insecure whitelist
Insecure whitelist configuration
Intent Redirection
Intent Spoofing
Interesting response
LDAP Injection
LOGJAM Attack on Diffie-Hellman
LOGJAM Common Prime Vulnerability
Legal Basis Present in Privacy Policy
List of JNI methods
List of calls to dangerous low-level C functions
Location History Collection Disclosed in Privacy Policy
Location History Collection Not Disclosed in Privacy Policy
Lucky Thirteen Vulnerability in SSL/TLS
MTA-STS Misconfiguration
Mach-O encrypted
Mach-O entitlements
Malformed ATS Configuration
Malicious Package: com.outsystems.plugins.fileviewer
Memory Leak
Mention of User Data Access in Privacy Policy
Mention of User Data Correction Rights in Privacy Policy
Mention of User Data Deletion in Privacy Policy
Mention of Users' Right to Know in Privacy Policy
Missing Debuggable Flag Detection
Missing Declaration of Approximate Location Collection in Privacy Policy
Missing Declaration of Contact Collection in Privacy Policy
Missing Declaration of Device or Other IDs Collection in Privacy Policy
Missing Declaration of Email Address Collection in Privacy Policy
Missing Declaration of Email Collection in Privacy Policy
Missing Declaration of Health Info Collection in Privacy Policy
Missing Declaration of Installed Apps Collection in Privacy Policy
Missing Declaration of Phone Number Collection in Privacy Policy
Missing Declaration of Photo Collection in Privacy Policy
Missing Declaration of Precise Location Collection in Privacy Policy
Missing Declaration of User Files Collection in Privacy Policy
Missing Declaration of Video Collection in Privacy Policy
Missing Declaration of Voice or Sound Recording Collection in Privacy Policy
Missing Declaration of Web Browsing History Collection in Privacy Policy
Missing Frida Instrumentation Detection
Missing GDPR Rights Reference in Privacy Policy
Missing Legal Basis in Privacy Policy
Missing Mention of User Data Access in Privacy Policy
Missing Mention of User Data Correction Rights in Privacy Policy
Missing Mention of User Data Deletion in Privacy Policy
Missing Mention of Users' Right to Know in Privacy Policy
Missing Opt-out Information in Privacy Policy
Missing Privacy Policy Disclosure for Calendar Events Collection
Missing Privacy Policy Disclosure for Fitness Info Collection
Missing Privacy Policy Link
Missing Root/Jailbreak Detection
Missing Sideloading Detection
Missing Signature Verification
Missing Third-Party Sharing Information in Privacy Policy
Missing iOS Frida Instrumentation Detection
Missing or misconfigured DNSSEC
Missing privacy manifest file
Mobile SQL Injection Vulnerability
Mobile WiFi API Personal Identifiable Information concerns
Network Port Scan
No sensitive data stored outside App
NoSQL Injection
Notification Spoofing
OAuth Account Takeover by hijacking custom schemes
Obfuscated Flutter code
Obfuscated methods
Object Limit Overriding in GraphQL
Opt-out Information Present in Privacy Policy
Outdated SSL/TLS Protocols Supported
PII Categories Data Type Declaration Match
PII Categories Data Type Declaration Mismatch
PII Data Type Declaration Match
PII Data Type Declaration Mismatch
POODLE Attack on SSL 3.0
Path Traversal
Payment and Financial Information Collection Disclosed in Privacy Policy
Payment and Financial Information Collection Not Disclosed in Privacy Policy
Personal Identifiers Collection Disclosed in Privacy Policy
Personal Identifiers Collection Not Disclosed in Privacy Policy
Personally Identifiable Information (PII) Leakage
Philosophical Beliefs Collection Disclosed in Privacy Policy
Philosophical Beliefs Collection Not Disclosed in Privacy Policy
Phone Number Data Type Declaration Match
Phone Number Data Type Declaration Mismatch
Political Affiliations Collection Disclosed in Privacy Policy
Political Affiliations Collection Not Disclosed in Privacy Policy
Port open on device
Precise Location Data Type Declaration Match
Precise Location Data Type Declaration Mismatch
Privacy Policy CCPA Rights Reference are Present
Privacy Policy CCPA Rights Reference missing
Privacy Policy Data Retention Description
Privacy Policy Disclosure for Calendar Events Collection is Present
Privacy Policy Disclosure for Fitness Info Collection is Present
Privacy Policy Link is Present
Privacy Policy Personal Data Categories Disclosure match
Privacy Policy Personal Data Categories Disclosure mismatch
Privacy manifest files
Process crashes
Proper Privacy Policy Data Retention Description
Protected Against GraphQL Alias Brute Forcing
Protected Against GraphQL Alias Overloading
Protected Against GraphQL Batch Query Attacks
Protected Against GraphQL Circular Fragments
Protected Against GraphQL Circular References
Protected Against GraphQL Debug Mode Risks
Protected Against GraphQL Directive Overloading
Protected Against GraphQL Field Duplication
Protected Against GraphQL Object Limit Overriding
Protected Against GraphQL Tracing Risks
Protected Against HTTP Method Manipulation
Public AWS S3 bucket with file listing enabled
Publicly exposed Firebase Database
Raccoon Attack on SSL/TLS
Racial or Ethnic Origin Information Collection Disclosed in Privacy Policy
Racial or Ethnic Origin Information Collection Not Disclosed in Privacy Policy
Recorded calls to Crypto API
Recorded calls to FileSystem API
Recorded calls to HTTP API
Recorded calls to Hash API
Recorded calls to Intent API
Recorded calls to Inter-Process-Communication (IPC) API
Recorded calls to Process API
Recorded calls to SQLite query API
Recorded calls to Serialization API
Recorded calls to Shared Preferences API
Recorded calls to TLS API
Recorded calls to TLS Pinning API
Recorded calls to command execution API
Recorded calls to dangerous WebView settings API
Recorded calls to dynamic code loading API
Recorded calls to logging API
Redis Library detected
Regular expression denial of service
Religious Beliefs Collection Disclosed in Privacy Policy
Religious Beliefs Collection Not Disclosed in Privacy Policy
Remote Command Execution
Root/Jailbreak Detection Implemented
SQL injection
SSL Extension Bleed Vulnerability
SSL/TLS Certificate Hostname Mismatch
SSL/TLS Certificate Pinning Not Implemented
SSL/TLS Certificates Expiring Soon
SSL/TLS Pinning Detected
SWEET32 Attack on 64-bit Block Ciphers
Secret information stored in the application
Secret information transmitted over the network
Secure Collection of Users' Crash Logs without Consent
Secure Collection of Users' Purchase History in Privacy Policy
Secure Collection of Users' Text Messages in Privacy Policy
Secure Content Security Policy
Secure Cookie Implementation
Secure Cross-Origin Resource Sharing (CORS) Policy
Secure Firebase Database Permissions
Secure HTTP Header Setting: Secure Referrer Policy
Secure HTTP Header Settings
Secure HTTP Strict Transport Security (HSTS) Implementation
Secure In-App Search History Collection in Privacy Policy
Secure Network Configuration Settings
Secure TLS certificate validation
Secure User ID Collection in Privacy Policy
Secure Virustotal malware analysis (MD5 based search)
Secure domain name and IP address reputation report
Sensitive Information Data Type Declaration is Present
Sensitive Information Data Type Declaration missing
Server Side Inclusion
Server-side template injection (SSTI)
Services declared without permissions
Sexual Orientation Information Collection Disclosed in Privacy Policy
Sexual Orientation Information Collection Not Disclosed in Privacy Policy
Sideloading Detection Implemented
Signature Verification Implemented
Source Map Code Leak
Source to Sink
Stack smashing protection not enforced
Static Anti-Tampering Mechanisms Detected
Static Anti-Tampering Techniques Not Implemented
Strict-Transport-Security (HSTS) not enforced
Strings Bplist files
Subdomain Takeover
TLS Client-Initiated Renegotiation DoS Vulnerability
TLS/SSL Server Configuration Settings
TLS_FALLBACK_SCSV Not Supported
Tapjacking Vulnerability
Task Hijacking
Template Injection
Text Messages Data Type Declaration Match
Text Messages Data Type Declaration Mismatch
Third-Party Sharing Information in Privacy Policy is Present
Ticketbleed Memory Disclosure in F5 BIG-IP
Trade Union Membership Information Collection Disclosed in Privacy Policy
Trade Union Membership Information Collection Not Disclosed in Privacy Policy
URL Manipulation
URL Scheme list
Unclaimed Cocoapods Vulnerability
Undeclared Permissions
Unrestricted DNS Zone Transfers
Unrestricted file upload
Unused permissions (overprivileged)
Use non-random initialization vector (IV)
Use of Deprecated Component
Use of Outdated Vulnerable Component
Use of an insecure Bluetooth connection
Use of deprecated TLS/SSL protocol version
User Account Info Data Type Declaration Match
User Account Info Data Type Declaration Mismatch
User Credentials Handling Disclosed in Privacy Policy
User Credentials Handling Not Clearly Disclosed in Privacy Policy
User ID Collection in Privacy Policy
User Photos and Media Collection Disclosed in Privacy Policy
User Photos and Media Collection Not Disclosed in Privacy Policy
Username enumeration
VirusTotal scan flagged malicious asset(s) (MD5 based search)
Voice Data Collection Disclosed in Privacy Policy
Voice Data Collection Not Disclosed in Privacy Policy
Weak Cipher Suites Supported
Weak Cryptographic Key and Signature Algorithm in SSL/TLS Certificate
Weak Message Authentication Code (MAC) Algorithms Supported
Web XML Injection
Webview Remote Debugging Enabled
Webview loadurl injection
XML External Entity (XXE) Injection
XML Injection
XPath Injection
XPath Injection Vulnerability
ZIP Vulnerabilities: Path Traversal, Zip Symbolic Link, and Zip Extension Spoofing
addJavaScriptInterface Remote Code Execution.
iOS Anti-Tampering Detected
iOS Anti-Tampering Not Detected
iOS Frida Instrumentation Detection Implemented
iOS Obfuscation Detected
iOS Obfuscation Not Detected
iOS Sensitive data stored in keyboard cache
iOS URL Scheme Hijacking
iOS URL Scheme Injection
iTunes UI File Sharing Enabled
FAQ