Changelog
February-March 2023
- Release of new automation rules to auto-assign owners, set tags, notify of results, etc.
- Added new export options: CSV export and a copy of the ticket.
- Improved the attack surface UI, adding search capabilities.
- Added details to the Plans page on exact history usage.
- Improved the speed and UI of scan artifacts and call coverage.
- Added Jenkins support for remote build nodes.
- Released a weekly organisation summary email with a collection of the last scans, last findings and items requiring attention.
- Added ability to save searches.
- Multiple fixes to Jira ticket creation.
- Added new search to the monitoring page.
- Fixed handling of XAPK files.
- Added a new scan summary feature to the PDF reports.
- Improved coverage of the Web Authentication recorder to support new cases.
- Added support in the crawler for path extraction of dynamically routed web frameworks like Next.js and Nuxt.js.
- Release of a new open-source agent for trufflehog.
- Added WireGuard VPN support to several open-source agents like nmap, tsunami, nuclei ...
- Improved Monkey Tester support for SMS-based 2FA.
- Improved reporting of public Firebase databases.
- Added detection of insecure biometric authentication implementations on Android.
- Improved reporting of clear-text traffic vulnerabilities.
- Improved the backend vulnerability fuzzer, productionized the learning pipeline and added new test cases for SQL injection.
- Improved PII detection in logs.
- Deployed multiple fixes and improvements to secret detection.
- Improved over 50 knowledge base entries, like hasFragileUserData, for better description and recommendation.
- Improved detection of insecure file provider path settings.
- Optimized several queries, improving performance by 86%.
December-January 2023
- Faster scan and improved scan reliability
- Mobile Attack surface tracking and historization
- Improved backend detection and geographic location reporting
September-October-November 2022
- Improved metrics with over 100 new metrics collected and a new dashboard showing scanning health, remediation improvement and attack surface evolution.
- Attack surface tracking and historization, allowing you to know what services and libraries are present and when they were introduced.
June-July-August 2022
- Release of Attack Surface asset discovery, a graph-based approach with improved coverage for better asset detection.
- Ability to configure assets with owners, color, notes, tags, location, and risk rating to ease adding context and influence vulnerability risk rating.
- Collection of asset history with information like DNS, open services and ports, tech stacks, whois. This offers the ability to track changes and monitor evolution over time.
- Out-of-the-box scan instrumentation with OpenTelemetry and improved debugging of Ostorlab's open-source engine.
- Open-sourcing of several new detectors for domain hijacking, recon, fingerprinting ...
- Ability to search applications on the store by country.
- Certificate-based authentication for Mobile Scans and script-based authentication for web scans.
- New analysis environment for web applications with intercepted traffic and visualization of crawl coverage (this one looks awesome).
- Improved plans management for large organizations with the ability to transfer subscriptions and resize them on the fly.
- Improved Jira integrations with configuration test, risk rating selection, and improved information synchronization.
March-April-May 2022
- New Attack Surface Discovery to discover known and unknown owned assets and schedule continuous monitoring
- Add support for using Chrome Recorder scripts for authentication
- Add support for cron-based monitoring with defined schedules
- GitHub Actions integration
- Open-sourcing of over 20 security testing agents (Zap, Whatweb, Whois IP, Whois Domain, Wappalyzer, Virus Total, Tsunami, Tracker, Subfinder, Openvas, Nuclei, Nmap ...)
- Performance and resilience improvements to Ostorlab Agent Builder
November-December 2021 / January-February 2022
- Improve detection of Flutter and React-Native vulnerabilities
- Add detection of several new classes of vulnerabilities, including Log4J
- Open-sourcing of the Ostorlab scanning engine, adding support for local runtime and Windows-based environments
- Adding the Ostorlab Agent store to easily access and publish scan agents
- New agent-group definition to define composable scan agents
- New agent-group UI builder and YAML definition file generation
- Automated agent builder from repo that automatically detects and builds new releases
- New learning center exposing documentation, videos, scan samples and the vulnerability knowledge base
- Open-sourcing the Ostorlab knowledge base
- Open-sourcing agents for popular tools Nmap, Tsunami, Nuclei and Virustotal
- Open-sourcing agents for improved vulnerability tracking (Tracker, Persist Vulnz, Inject Asset and Debug)
- Improve account security with OTP (One-Time Password) support
- Add integrations portal to configure newly supported integrations
- Add Jira, GitLab and Jenkins for CI/CD and ticketing integration
- Add SAML-based authentication for SSO enterprise access
September-October 2021
- Release of the Remediation API with better vulnerability lifecycle management, allowing detection of fixed vulnerabilities and re-opens, and maintaining the status of exceptions and false positives
- New dashboard offering a glass box view into security posture and urgent tasks
- Management of patching and priority policies with SLO and tools to track and measure fix performance
- 3rd party integrations with Jira
- Add ticket timeline with dynamic setting of start and end time
- Add grouping of tickets by status, priority and tag
- Add ticket bulk edit mode
August 2021
Focus on improving the Monkey Tester to improve coverage adding support for more strategies and advanced test case generation. Work also included better handling of Application packaging and management of our fleet of mobile devices.
- An overall improved Monkey Tester with significantly higher code coverage
- UI call coverage visualisation to understand what has been done
July 2021
Focus on improving Web Scanner detection, adding several features like backend fingerprinting, adding more vulnerabilities and improving the backend vulnerability representation model. Work also included improving the Monkey Tester to support more advanced testing strategies. Key updates:
- Adding support for multiple strategies to Monkey Tester
- Multiple bug fixes and improvements to Backend Scanner, XSS Scanner and Fingerprint detections
- Scale search indexing infrastructure to handle the increase in covered assets
June 2021
- Support of new backend vulnerabilities, like SQL injection with JDBC escape sequences, Jinja template injection, Python object deserialisation ...
- Support of new backend vulnerabilities, like XXE, XSLT injection, Fastjson deserialisation, PHP RCE ...
- Tweaks to the JDWP Android monitor for coverage and performance.
- Parallelization and backend vulnerability model generation to improve false positive confidence to six nines (99.9999%).
May 2021
- API traffic improvements and bug fixes
- Multiple performance enhancements and improved results for the new search feature
- New dynamic instrumentation engine for iOS based on LLDB
- Improve iOS instrumentation to capture dangerous APIs: SQL, Crypto, Keychain, Zip, Wi-Fi, WebKit, Biometric, Filesystem, HTTP, Preferences
- Enable backtracing of dangerous APIs to track their usage
- Support of credential authentication in Web Scan
- Improved web crawling to support mutated HTML
April 2021
- New rules to detect insecure JavaScript patterns and new insecure secret usage.
- Add search, tagging and call trace of external functions, like JNI.
- New scan search capability to search across all analysis asset types.
- API traffic IDE capability.
- API to persist taint graph from scan.
March 2021
- Fixes to the Analysis Environment indexing to enable code and file search
- Deprecate Free+Analysis scan type in a revamp of the analysis environment
- Asset inventory model rewrite addressing performance issues, leading to a 600% performance improvement when loading scans
- Support for persisting the taint graph for use by the Analysis Environment and future VulnAPI
- Support for tagging of native functions in the IDE
- Add multiple new sink methods
- Remove false positive in detection of RSA/ECB weak encryption
- Bug fixes to taint analysis that led to missed detections
- Detection of valid SendGrid API keys
- Enhanced detection of dangerous WebView settings and deprecation of non-vulnerable APIs
- Detection of insecure Zip handling leading to path traversal and arbitrary file overwrite
- Fix Twitter API detection
February 2021
- Alpha release of the Web Scanner
- Release of Chrome-powered crawling
- Release of Black-box Tree Fuzzer
- Release of XSS Detector powered by full-context coverage polyglot payloads
- Proxy agent persists and collects HTTP requests
- Analysis environment HTTP request and response navigator
- Real-time indexing of the Knowledge Base and Analysis Environment for enhanced and fast search
- Automated purge of old community scans
- Detection of Dependency Confusion
January 2021
- Switch API encoding from JSON to UBJSON to add support for binary format
- Analysis Env JavaScript formatting
- Analysis Env detection of new file formats
- Analysis Env call trace node coloring to match function and method tagging
- Multiple bug fixes and performance optimizations of the Analysis Env
- Support for sharing report access using a shareable link
- Add edit mode to vulnerabilities to change risk rating or mark as a false positive
- Detection of new secret keys and dangerous functions
November, December 2020
- Release of Android and iOS application analysis environment
- Analysis Env support for APK and IPA file listing with content access
- Analysis Env support for code highlighting for HTML, JavaScript, XML, Java, C++
- Analysis Env support for binary plist extraction
- Analysis Env support for Mach-O and ELF file disassembly and decompilation for ARM and ARM64
- Analysis Env support for Mach-O and ELF string listing
- Analysis Env support for DEX classes listing
- Analysis Env support for DEX smali listing and Java decompilation
- Analysis Env support for Android resource extraction
- Analysis Env support for Android manifest extraction
- Analysis Env support for DEX, Mach-O, and ELF function call trace with full refs and xrefs generation
- Analysis Env support for dangerous functions tagging to identify security hotspots.
- Analysis Env support for contextual call trace generation.
October 2020
- Release of continuous application monitoring from the store
- Detection of weak Bluetooth connection
- Detection of dynamic broadcast receiver with no permissions
- New Jenkins Plugin to integrate CI/CD pipelines with Ostorlab (https://github.com/jenkinsci/ostorlab-plugin)
- Email and UI notification to inform of key events (scan completion, password change ...)
- Expose API key generation and management from the UI
September 2020
- Release of Ostorlab lighthouse continuously scanning public applications
- Release of Ostorlab VulnDB UI to access internal known vulnz database
- Vulnerabilities tagged as affecting security and privacy, security only or privacy only
- Detection of several privacy settings in Android manifest
- Detection of Facebook SDK debug mode
- Detection of GPS location tracking impacting privacy
- Fix insufficient sink default taint and missing propagation for Array and Const
August 2020
- Store search and scan feature
- Deep 3rd-party dependency fingerprinting
- Markdown vulnerability text and description support
July 2020
- Extend 3rd party dependencies rules
- Creation of database of unreported vulnerabilities
June 2020
- Report libraries and 3rd party dependencies
- Fingerprinting of native Android libs, iOS Frameworks, Cordova plugins, JavaScript libraries, Xamarin libs and OpenSSL
- Vetted and enhanced vulnerability database with all the known vulnerabilities affecting libraries and 3rd party dependencies
- Indexing support for Maven Jar and AAR, CocoaPods podspecs and NPM packages
- Detect calls to dangerous Bluetooth API
May 2020
- Exposure of CVSSv3 score
- Alpha support for UI Automation rules
- Add Xamarin decompiled source code to the list of artifacts
- Detection of secrets (SSH private keys, service accounts, Slack tokens, etc.)
- Detect use of deprecated TLS protocols (SSLv2, SSLv3, TLSv1.0, TLSv1.1)
April 2020
- Add generation of executive summary PDF report
- New "Secure" risk rating to denote secure implementation
- New "Hardening" risk rating to differentiate between an actual vulnerability and a missing hardening mechanism
- Add support for archiving scans
- Add support for exporting scans
- Add detection of new sinks and sources leading to insecure file write, insecure TLS and command execution
- Enhance performance of taint analysis and increase coverage
- Enhanced representation of taint information
- Enhanced representation of stack traces collected in dynamic analysis
- Fix inconsistency in risk rating
- Fix false positive in iOS detection for missing ARC and Stack Guard protections
March 2020
- Support for streaming API to create and stop scans
- Subscription support
- New KB entry for Webview LoadURL injection
- Bug fixes to JDWP Hooking engine
- Dashboard update showing scan plan
- Support for stopping and archiving scans
February 2020
- API for scheduling rules
- Migration to Kubernetes
- Initial support for streaming API to create scans
January 2020
- API to manage Inventory (mobile apps, urls, domains, ...)
- UI to list, create and update Inventory and Assets
- CI/CD pipeline integration
- Deprecate old UIs
December 2019
- Release of the alpha version of the new reporting front end
- API naming fixes
- Fix submission of the test credentials
- New Google Play client to support scanning from the Play Store directly
- Several new APIs move to GraphQL (Account and Password Management, Artifacts)
- Worker to handle long-running jobs (PDF generation and Scan Export)
November 2019
- Progress on the new reporting front end
- Bug fixes in public website
- Simplified pagination support in all APIs
- Experimental API to create Web Scans
October 2019
- Release of an open source Android application to benchmark vulnerability scanners
- Extensions to the GraphQL API adding support for pagination, vulnerability search and switch from passing applications in Base64 to multi-part support
- Progress on the new reporting front end
September 2019
- Release of a new documentation website docs.ostorlab.co
- Release of a new website www.ostorlab.co using material design
August 2019
- Major migration of all existing infra and data to the new backends.
June 2019
- Infra refactoring into a micro-service architecture.
- Separation of user portal and public website to prepare moving to serverless.
- Separation of the backend and addition of an orchestration backend to prepare moving from Swarm to k8s.
May 2019
- Refactoring of API adding support for GraphQL.
- Migration of website, user portal and orchestrator to GraphQL.
April 2019
- Extending vulnerability test bed.
- Add template injection support for 4 new Java template engines.
- Add support for detection of Ruby code injection.
- Add support for detection of Node.js code injection.
March 2019
- Multiple bug fixes and performance enhancements.
- Fix false positive detection of Template Injection.
- Add support for detection of Python code injection.
- Add support for detection of pickle deserialization injection.
February 2019
- Multiple bug fixes and performance enhancements.
- Enhance detection of XSS, adding support for multiple callback vectors.
January 2019
- New alpha system to detect vulnerabilities in backends from previously collected ones.
- Creation of a new vulnerability test bed.
December 2018
- Add support for detection of stored XSS.
- Complete rework of the scan authentication module. It works well and sends fewer requests.
- Brand new subscription menu.
- Bug cleaning season.
November 2018
- Add support for multi-step submitting of Forms.
- Enhancement to automatic detection of CSRF fields and auto-update of CSRF tokens.
- Alpha version of Fingerprinting agents.
October 2018
- Major enhancement coverage of XSS contexts, long live Polyglot payloads.
September 2018
- Enhance CSRF handling for web scanning.
- Add scan export and import feature for on-premise scanning support.
- Implementation of ADB Proxy agent for on-premise scanning support.
- Add collection of screenshots and logcat traffic during dynamic analysis.
- New security rules for Android Network Security Configuration.
- Fix false positives in Cryptography rules using static taint.
- Rework of all rules formatting.
- Fix PDF generation and add support for code highlighting.
- Add support for crawling of known paths.
- Add Artifact panel to store extracted source code, screenshots and traffic logs.
- Add Xamarin source code decompilation.
- Fix duplicate request testing by backend and XSS scanner.
- Initial work on CSRF token detection and generation for POST request fuzzing.
- Add support for inserting payloads in sub-paths.
August 2018
- Extensive bug fixes month of all core components.
- Enhance testability of the scanning engine.
- Enhance reporting features.
July 2018
- Enhanced detection of template injection vulnerabilities.
- New scanner for detecting XSS vulnerabilities.
- Enhanced support for nested serialization formats.
- Major rework for scan scheduling engine for increased scalability.
June 2018
- New backend scanning engine with beta support for SQL injection and XXE
- Adding beta support for crawling of HTML content.
May 2018
- Bumping free scanner coverage limit from 100 to 300.
- New detector for encrypted IPA.
- Fix false positive in dynamic rules detecting weak encryption.
April 2018
- Porting LLDB for iOS to work on Linux.
- New backend scan engine.
- New experimental crawler.
February 2018
- Adding Support for authenticated scan.
- Final version of Java hook engine with stack trace support and full context inspection.
- Major enhancement to the taint engine reducing false positives.
- Multiple bug fixes affecting PDF generation and false positive declaration.
- Adding feature to report false positives and remove them from the final report.
- Multiple new dynamic rules to trace sensitive function call.
- New agent to detect sensitive material files, like private encryption keys.
January 2018
- Surface static taint analysis coverage in the scan report.
December 2017
- Unsafe Transport App Security settings in iOS apps are reported as vulnerabilities.
- Performance enhancement for the support of large multidex files.
- Bug fix in method xref for multidex files.
- Enhance vulnerability de-duplication.
- Multiple bug fixes for iOS scan rules.
November 2017
- Advanced option to detect weak file permissions for both Android and iOS. (OWASP Mobile Top 10 - M2)
- Advanced option to detect Personally Identifiable Information (PII) leakage for both Android and iOS. (OWASP Mobile Top 10 - M2)
- Advanced option to detect clear-text traffic for both Android and iOS. (OWASP Mobile Top 10 - M3)
- Advanced option to detect insecure TLS/SSL validation for both Android and iOS. (OWASP Mobile Top 10 - M3)
- Advanced option to detect iOS calls to weak cryptographic APIs. (OWASP Mobile Top 10 - M5)
- Advanced option to download the PDF report.
September 2017
- Stabilizing unlimited scan feature with bug fixes.
- Correction of false positives in Insecure Encryption Mode.
- Correction of false positives in ASLR detection for iOS Apps.
- Move to a clustered architecture to support increased scan load.
- Final version to support dedicated unlimited scans.
August 2017
- New feature to support dedicated scans.
- Tweaks and updates to the user interface to support fast uploading.
July 2017
- New backend system to support the increased load.
- Major code refactoring of all agents to support the new backend system.
- Multiple bug fixes.
June 2017
- New static taint engine for Android Bytecode.
- Multiple bug fixes and performance tweaks.