docs.ostorlab.co
Open in
urlscan Pro
76.76.21.61
Public Scan
Submitted URL: http://docs.ostorlab.co/
Effective URL: https://docs.ostorlab.co/
Submission: On September 01 via api from DE — Scanned from IT
Effective URL: https://docs.ostorlab.co/
Submission: On September 01 via api from DE — Scanned from IT
Form analysis
1 forms found in the DOMName: search —
<form class="md-search__form" name="search">
<!-- Search input -->
<input type="text" class="md-search__input search-input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required="">
<!-- Button to open search -->
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
<path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"></path>
</svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
<path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"></path>
</svg>
</label>
<!-- Search options -->
<nav class="md-search__options" aria-label="">
<!-- Button to share search -->
<!-- Button to reset search -->
<button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
<path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"></path>
</svg>
</button>
</nav>
<!-- Search suggestions -->
</form>
Text Content
Documentation Home Type to start searching Login Demo * Home * Getting Started * Scanning * Attack Surface * Remediation * Policies * Integrations * Organisation * Plans * Security * API * FAQ OSTORLAB DOCS A comprehensive guide to using Ostorlab. GETTING STARTED Getting Started Dashboard SCANNING Run a scan Manage Scans Report View more... ATTACK SURFACE Discovery Data Monitoring View more... REMEDIATION Ticketing Views POLICIES Automation Rules INTEGRATIONS CI/CD Ticketing SSO ORGANISATION Setup Users Settings PLANS Add Plan Transfer plans SECURITY Mobile App Security Testing Streamlining Mobile App Security in the SDLC with Ostorlab Detection View more... API GraphQl API FAQ FAQ Documentation * Home * Getting Started Getting Started * Getting Started * Dashboard Dashboard * Overview * Scans & Risk * Remediation * Inventory & Attack Surface * Remediation Calendar * Scanning Scanning * Run a scan Run a scan * Scan a Mobile Application from the Store * Scan an iOS Mobile Application using TestFlight * Scan a Web Application * Authenticated Web Application Scan * Authenticated Scans * Scans with SBOM or Lockfile * Scan Networks * Scan Assets from the inventory * Scan with custom config * Scan Web App with Chrome's Recorder Puppeteer Script * Scan with extra custom Agents * Manage Scans Manage Scans * Stop Scan * Archive Scan * Report Report * Generate PDF report * Risk Rating * Analysis Analysis * IDE * Check Call Coverage * Monitoring Monitoring * Monitoring * Create Monitoring Rule * On-prem Scanners On-prem Scanners * Run a scan * Attack Surface Attack Surface * Discovery * Data * Monitoring * Search and Navigation * Inventory Inventory * Add Assets * Discover Assets * Edit Potential Owners * Bulk Import Assets * Edit Assets * Delete Asset * Filter by Asset * Exclude Asset * Graph Graph * Share a Graph * Location Location * Add Location * Owners Owners * Add Owner * Remediation Remediation * Ticketing Ticketing * Guide * Create Ticket * Comment on Ticket * Add a Checklist to a Ticket * Configure Patching Policy * Vulnerabilities and Tickets Management * Views Views * Kanban * Timeline * Policies Policies * Automation Rules * Integrations Integrations * CI/CD CI/CD * GitHub * GitLab * Jenkins * Azure DevOps * App Center * CircleCI * Bitbucket * GoCD * TeamCity * Slack * Ticketing Ticketing * Jira * SSO SSO * Guide * Saml with Azure Active Directory * Saml with Google Workspace (formerly G Suite) * Saml with Okta * Saml with OneLogin * Organisation Organisation * Setup Setup * Create Organisation * Users Users * User Roles * Add Users * Switch Organisation * Modify User Permissions * Disable email notifications * Settings Settings * Add Two-factor authentication device to your account * Plans Plans * Add Plan * Transfer plans * Security Security * Mobile App Security Testing * Streamlining Mobile App Security in the SDLC with Ostorlab * Detection * Platform Support * Security at Ostorlab * Vulnerability Disclosure * Knowledge Base Knowledge Base * Debug mode enabled * Debug Symbols Present in the Application * ELF binaries do not enforce secure binary properties * Facebook React development settings exposed * Attribute hasFragileUserData not set * Insecure Network Configuration Settings * Unused permissions (overprivileged) * Application code not obfuscated * Command Injection * Notification Spoofing * Use of Wifi API that contains or leaks sensitive PII * Android Package Context created without security restrictions * Exported activites, services and broadcast receivers list * Application prevents taking screenshots * List of JNI methods * APK attack surface * Application certificate information * Classes list * Hardcoded strings list * Recorded calls to dynamic code loading API * Recorded calls to command execution API * Recorded calls to Crypto API * Recorded calls to FileSystem API * Recorded calls to Hash API * Recorded calls to HTTP API * Recorded calls to Intent API * Recorded calls to Inter-Process-Communication (IPC) API * Recorded calls to logging API * Recorded calls to Process API * Recorded calls to Serialization API * Recorded calls to Shared Preferences API * Recorded calls to SQLite query API * Recorded calls to TLS Pinning API * Recorded calls to TLS API * Recorded calls to dangerous WebView settings API * Implementation of a FileObserver * APK files list * Hardcoded SQL queries list * Hardcoded urls list * Declared permissions list * Android Manifest * Obfuscated methods * Implementation of a WebViewClient * Broadcast receiver dynamic registration * Call to Android Security API * Call to Bluetooth and BLE API * Call to Crypto API * Call to delete file API * Call to dynamic code loading API * Call to command execution API * Call to External Storage API * Call to Inter-Process-Communication (IPC) API * Call to logging API * Call to native methods * Call to Random API * Call to Reflection API * Call to Socket API * Call to SQLite query API * Call to TLS API * Call to dangerous WebView settings API * Call to XML parsing API * Call to ZIP API * Expansion APK enabled * Attribute requestLegacyExternalStorage set * Task Hijacking * Undeclared Permissions * Attribute usesCleartextTraffic set * Deprecated Target API Version * Intent Spoofing * Android Sensitive data stored in keyboard cache * Application signed with an expired certificate * Facebook SDK debug mode enabled * Insecure File Provider Paths Setting * Abuse of mobile network connection * Android Class Load Hijacking * addJavaScriptInterface Remote Code Execution. * Webview Remote Debugging Enabled * Implicit PendingIntent * Use of an insecure Bluetooth connection * Android Class Loading Hijacking * Insecure Shared Preferences Permissions * Insecure Register Receiver Flag * Intent Redirection * File Path Traversal * Redis Library detected * Webview loadurl injection * Backup mode enabled * Services declared without permissions * Source to Sink * Backup mode disabled * Application checks rooted device * Debug mode disabled * Secure Network Configuration Settings * Dependency Confusion * Use of Deprecated Component * Memory Leak * Format String Vulnerability * Insecure JWT Signature Validation * Domain name and IP address reputation report * VirusTotal scan flagged malicious asset(s) (MD5 based search) * Tapjacking Vulnerability * Template Injection * XPath Injection Vulnerability * Obfuscated Flutter code * List of calls to dangerous low-level C functions * Calls to Privacy API * Cryptographic Vulnerability: Insecure Algorithm * Cryptographic Vulnerability: Insecure mode * Use non-random initialization vector (IV) * Insecure Random Seed * Use of Outdated Vulnerable Component * Process crashes * Regular expression denial of service * Biometric Authentication Bypass * Collection of Users' Crash Logs without Consent * Collection of Users' Purchase History in Privacy Policy * Collection of Users' Text Messages in Privacy Policy * Contacts Data Type Declaration Mismatch * Contact Information missing in Privacy Policy * Cryptographic Vulnerability: Hardcoded Key * Device ID Data Type Declaration Mismatch * Health and Biometric Data Type Declaration Mismatch * HTML Injection Vulnerability * In-App Search History Collection in Privacy Policy * Insecure Dynamic Library Loading * Insecure hostname validation check * Insecure password storage * Insecure Filesystem Access * Insecure Storage of Application Data * Credentials exposed in logs * Credentials exposed in URLs * Personally Identifiable Information (PII) Leakage * Missing Declaration of Approximate Location Collection in Privacy Policy * Missing Declaration of Contact Collection in Privacy Policy * Missing Declaration of Device or Other IDs Collection in Privacy Policy * Missing Declaration of Email Address Collection in Privacy Policy * Missing Declaration of Email Collection in Privacy Policy * Missing Declaration of Health Info Collection in Privacy Policy * Missing Declaration of Installed Apps Collection in Privacy Policy * Missing Declaration of Phone Number Collection in Privacy Policy * Missing Declaration of Photo Collection in Privacy Policy * Missing Declaration of Precise Location Collection in Privacy Policy * Missing Declaration of User Files Collection in Privacy Policy * Missing Declaration of Video Collection in Privacy Policy * Missing Declaration of Voice or Sound Recording Collection in Privacy Policy * Missing Declaration of Web Browsing History Collection in Privacy Policy * Missing GDPR Rights Reference in Privacy Policy * Missing Legal Basis in Privacy Policy * Missing Mention of Users' Right to Know in Privacy Policy * Missing Mention of User Data Access in Privacy Policy * Missing Mention of User Data Correction Rights in Privacy Policy * Missing Mention of User Data Deletion in Privacy Policy * Missing Opt-out Information in Privacy Policy * Missing Privacy Policy Disclosure for Calendar Events Collection * Missing Privacy Policy Disclosure for Fitness Info Collection * Missing Privacy Policy Link * Missing Third-Party Sharing Information in Privacy Policy * OAuth Account Takeover by hijacking custom schemes * Phone Number Data Type Declaration Mismatch * PII Categories Data Type Declaration Mismatch * PII Data Type Declaration Mismatch * Precise Location Data Type Declaration Mismatch * Privacy Policy CCPA Rights Reference missing * Privacy Policy Data Retention Description * Privacy Policy Personal Data Categories Disclosure mismatch * Sensitive Information Data Type Declaration missing * Mobile SQL Injection Vulnerability * Text Messages Data Type Declaration Mismatch * User Account Info Data Type Declaration Mismatch * User ID Collection in Privacy Policy * Cryptographic Vulnerability: Weak Hashing Algorithm * XML Injection * ZIP Vulnerabilities: Path Traversal, Zip Symbolic Link, and Zip Extension Spoofing * Port open on device * Continuous collection of GPS location * Secret information stored in the application * URL Manipulation * Collection of Users' Crash Logs without Consent * Collection of Users' Purchase History in Privacy Policy * Collection of Users' Text Messages in Privacy Policy * Contacts Data Type Declaration Mismatch * Contact Information missing in Privacy Policy * Missing Declaration of Approximate Location Collection in Privacy Policy * Missing Declaration of Contact Collection in Privacy Policy * Missing Declaration of Device or Other IDs Collection in Privacy Policy * Missing Declaration of Email Address Collection in Privacy Policy * Missing Declaration of Email Collection in Privacy Policy * Missing Declaration of Health Info Collection in Privacy Policy * Missing Declaration of Installed Apps Collection in Privacy Policy * Missing Declaration of Phone Number Collection in Privacy Policy * Missing Declaration of Photo Collection in Privacy Policy * Missing Declaration of Precise Location Collection in Privacy Policy * Missing Declaration of User Files Collection in Privacy Policy * Missing Declaration of Video Collection in Privacy Policy * Missing Declaration of Voice or Sound Recording Collection in Privacy Policy * Missing Declaration of Web Browsing History Collection in Privacy Policy * Device ID Data Type Declaration Mismatch * Missing GDPR Rights Reference in Privacy Policy * Health and Biometric Data Type Declaration Mismatch * In-App Search History Collection in Privacy Policy * Missing Legal Basis in Privacy Policy * Missing Mention of Users' Right to Know in Privacy Policy * Missing Mention of User Data Access in Privacy Policy * Missing Mention of User Data Correction Rights in Privacy Policy * Missing Mention of User Data Deletion in Privacy Policy * Missing Opt-out Information in Privacy Policy * Phone Number Data Type Declaration Mismatch * PII Categories Data Type Declaration Mismatch * PII Data Type Declaration Mismatch * Precise Location Data Type Declaration Mismatch * Privacy Policy CCPA Rights Reference missing * Privacy Policy Data Retention Description * Missing Privacy Policy Disclosure for Calendar Events Collection * Missing Privacy Policy Disclosure for Fitness Info Collection * Missing Privacy Policy Link * Privacy Policy Personal Data Categories Disclosure mismatch * Domain name and IP address reputation report * Secure Virustotal malware analysis (MD5 based search) * Sensitive Information Data Type Declaration missing * Text Messages Data Type Declaration Mismatch * Missing Third-Party Sharing Information in Privacy Policy * User Account Info Data Type Declaration Mismatch * User ID Collection in Privacy Policy * Unclaimed Cocoapods Vulnerability * Malformed ATS Configuration * Automatic Reference Counting (ARC) not enforced * Address Space Layout Randomization (ASLR) not enforced * Stack smashing protection not enforced * iOS URL Scheme Injection * IPA contains only bitcode * Mach-O encrypted * Mach-O entitlements * IPA files list * IPA Frameworks list * IPA Plist files * IPA symbol table * URL Scheme list * Strings Bplist files * Debug Symbols Present in the Application * iOS Sensitive data stored in keyboard cache * iTunes UI File Sharing Enabled * Insecure Keychain Storage * Missing privacy manifest file * Insecure App Transport Security (ATS) Settings * iOS URL Scheme Hijacking * Application implements anti-debug techniques * Privacy manifest files * No sensitive data stored outside App * Insecure whitelist configuration * Source Map Code Leak * Cordova debug mode enabled * Cordova Cross-Site Scripting (XSS) * Insecure whitelist * Public AWS S3 bucket with file listing enabled * Secure Firebase Database Permissions * Subdomain Takeover * External DNS interaction * Network Port Scan * Account Takeover Vulnerability * Code Injection * Command Injection * Expression Language (EL) Injection * File inclusion vulnerability * NoSQL Injection * Server-side template injection (SSTI) * Server Side Inclusion * SQL injection * Unrestricted file upload * XPath Injection * XML External Entity (XXE) Injection * Cookie missing security attributes * Insecure HTTP Header Setting: Content Security Policy (CSP) * Insecure HTTP Header Setting: Content-Type * Insecure HTTP Header Setting: HTTP Strict Transport Security (HSTS) * Insecure HTTP Header Setting: Insecure Referrer Policy * Insecure HTTP Header Setting: X-Frame-Options * Insecure HTTP Header Setting: X-XSS-Protection Header * Strict-Transport-Security (HSTS) not enforced * CRLF Injection * Publicly exposed Firebase Database * Insecure Authorization Restriction * Insecure Direct Object Reference * LDAP Injection * Heartbleed (CVE-2014-0160) * Insecure TLS certificate validation (accept self-signed certificate) * Insecure Object Serialization * Path Traversal * XML Injection * Cross-Site Scripting (XSS) * TLS/SSL Server Configuration Settings * Generic Web Entry * Interesting response * Django Debug Mode Enabled * Username enumeration * Insecure HTTP Header Setting * CORS Misconfiguration Vulnerability * Insecure Cross-Origin Resource Sharing (CORS) policy * Insecure TLS Certificate Validation * Anonymous unauthenticated server accepted * Use of deprecated TLS/SSL protocol version * Clear text HTTP request * Insecure TLS Ciphers supported * Insecure TLS certificate domain name validation * HTTP Host Header Poisoning * Insecure Access Control * Secret information transmitted over the network * Enforcer proper authentication * Secure TLS certificate validation * Assign a unique name and/or number for identifying and tracking user identity * API API * GraphQl API * FAQ Next Getting Started Copyright © 2024 Ostorlab Security Testing Platform. Made with Material for MkDocs