Submission: On April 05 via api from DE — Scanned from DE

A comprehensive guide to using Ostorlab.


 * Home
 * Getting Started
    * Getting Started
    * Dashboard
       * Overview
       * Scans & Risk
       * Remediation
       * Inventory & Attack Surface
       * Remediation Calendar

 * Scanning
    * Run a scan
       * Scan a Mobile Application from the Store
       * Scan a Web Application
       * Authenticated Web Application Scan
       * Authenticated Scans
       * Scans with SBOM or Lockfile
       * Scan Networks
       * Scan Assets from the inventory
       * Scan with custom config
       * Scan Web App with Chrome's Recorder Puppeteer Script
    * Manage Scans
       * Stop Scan
       * Archive Scan
    * Report
       * Generate PDF report
       * Risk Rating
    * Analysis
       * IDE
       * Check Call Coverage
    * Monitoring
       * Monitoring
       * Create Monitoring Rule
    * On-prem Scanners
       * Run a scan

 * Attack Surface
    * Discovery
    * Data
    * Monitoring
    * Search and Navigation
    * Inventory
       * Add Assets
       * Discover Assets
       * Edit Potential Owners
       * Bulk Import Assets
       * Edit Assets
       * Delete Asset
       * Filter by Asset
       * Exclude Asset
    * Graph
       * Share a Graph
    * Location
       * Add Location
    * Owners
       * Add Owner

 * Remediation
    * Ticketing
       * Guide
       * Create Ticket
       * Comment on Ticket
       * Add a Checklist to a Ticket
       * Configure Patching Policy
       * Vulnerabilities and Tickets Management
    * Views
       * Kanban
       * Timeline

 * Integrations
    * CI/CD
       * GitHub
       * GitLab
       * Jenkins
       * Azure DevOps
       * App Center
       * CircleCI
       * Bitbucket
    * Ticketing
       * Jira
    * SSO
       * Guide
       * SAML with Azure Active Directory
       * SAML with Google Workspace (formerly G Suite)
       * SAML with Okta
       * SAML with OneLogin

 * Organisation
    * Setup
       * Create Organisation
    * Users
       * User Roles
       * Add Users
       * Switch Organisation
       * Modify User Permissions
       * Disable email notifications
    * Settings
       * Add Two-factor authentication device to your account

 * Plans
    * Add Plan
    * Transfer plans

 * Security
    * Mobile App Security Testing
    * Streamlining Mobile App Security in the SDLC with Ostorlab
    * Detection
    * Platform Support
    * Product
    * Architecture
    * Security at Ostorlab
    * Vulnerability Disclosure
    * Knowledge Base
       * Debug mode enabled
       * ELF binaries do not enforce secure binary properties
       * Insecure Network Configuration Settings
       * Application code not obfuscated
       * Insecure File Provider Paths Setting
       * Command Injection
       * Notification Spoofing
       * Use of Wifi API that contains or leaks sensitive PII
       * Android Package Context created without security restrictions
       * Exported activities, services and broadcast receivers list
       * Application prevents taking screenshots
       * List of JNI methods
       * APK attack surface
       * Application certificate information
       * Classes list
       * Hardcoded strings list
       * Recorded calls to dynamic code loading API
       * Recorded calls to command execution API
       * Recorded calls to Crypto API
       * Recorded calls to FileSystem API
       * Recorded calls to Hash API
       * Recorded calls to HTTP API
       * Recorded calls to Intent API
       * Recorded calls to Inter-Process-Communication (IPC) API
       * Recorded calls to logging API
       * Recorded calls to Process API
       * Recorded calls to Serialization API
       * Recorded calls to Shared Preferences API
       * Recorded calls to SQLite query API
       * Recorded calls to TLS Pinning API
       * Recorded calls to TLS API
       * Recorded calls to dangerous WebView settings API
       * Implementation of a FileObserver
       * APK files list
       * Hardcoded SQL queries list
       * Hardcoded URLs list
       * Declared permissions list
       * Android Manifest
       * Obfuscated methods
       * Implementation of a WebViewClient
       * Broadcast receiver dynamic registration
       * Call to Android Security API
       * Call to Bluetooth and BLE API
       * Call to Crypto API
       * Call to delete file API
       * Call to dynamic code loading API
       * Call to command execution API
       * Call to External Storage API
       * Call to Inter-Process-Communication (IPC) API
       * Call to logging API
       * Call to native methods
       * Call to Random API
       * Call to Reflection API
       * Call to Socket API
       * Call to SQLite query API
       * Call to TLS API
       * Call to dangerous WebView settings API
       * Call to XML parsing API
       * Call to ZIP API
       * Expansion APK enabled
       * Debug Symbols Present in the Application
       * Facebook React development settings exposed
       * Attribute hasFragileUserData not set
       * Unused permissions (overprivileged)
       * Attribute requestLegacyExternalStorage set
       * Task Hijacking
       * Attribute usesCleartextTraffic set
       * Deprecated Target API Version
       * Intent Spoofing
       * Android Sensitive data stored in keyboard cache
       * Application signed with an expired certificate
       * Facebook SDK debug mode enabled
       * Abuse of mobile network connection
       * Android Class Load Hijacking
       * Undeclared Permissions
       * addJavaScriptInterface Remote Code Execution
       * Webview Remote Debugging Enabled
       * Implicit PendingIntent
       * Use of an insecure Bluetooth connection
       * Android Class Loading Hijacking
       * Insecure Shared Preferences Permissions
       * Insecure Register Receiver Flag
       * Intent Redirection
       * File Path Traversal
       * Redis Library detected
       * Stack traces reveal technical information
       * Untrusted External Storage File Access
       * WebView loadUrl injection
       * Backup mode enabled
       * Services declared without permissions
       * Source to Sink
       * Backup mode disabled
       * Application checks rooted device
       * Debug mode disabled
       * Secure Network Configuration Settings
       * Domain name and IP address reputation report
       * Secure Virustotal malware analysis (MD5 based search)
       * Dependency Confusion
       * Format String Vulnerability
       * CORS Misconfiguration Vulnerability
       * Use of Deprecated Component
       * Insecure hostname validation check
       * Insecure JWT Signature Validation
       * Domain name and IP address reputation report
       * Insecure Storage of Application Data
       * VirusTotal scan flagged malicious asset(s) (MD5 based search)
       * Protected Health Information was detected on the system
       * Personally Identifiable Information (PII) Leakage
       * OAuth Account Takeover by hijacking custom schemes
       * Regular expression denial of service
       * Tapjacking Vulnerability
       * Template Injection
       * XPath Injection Vulnerability
       * Obfuscated Flutter code
       * List of calls to dangerous low-level C functions
       * Calls to Privacy API
       * Use of Outdated Vulnerable Component
       * Process crashes
       * Biometric Authentication Bypass
       * Cryptographic Vulnerability: Insecure Algorithm
       * Cryptographic Vulnerability: Hardcoded Key
       * Cryptographic Vulnerability: Insecure mode
       * Use of non-random initialization vector (IV)
       * HTML Injection Vulnerability
       * Insecure Dynamic Library Loading
       * Insecure password storage
       * Insecure Filesystem Access
       * Insecure Random Seed
       * Credentials exposed in logs
       * Credentials exposed in URLs
       * Memory Leak
       * Mobile SQL Injection Vulnerability
       * Cryptographic Vulnerability: Weak Hashing Algorithm
       * XML Injection
       * ZIP Vulnerabilities: Path Traversal, Zip Symbolic Link, and Zip Extension Spoofing
       * Port open on localhost
       * Continuous collection of GPS location
       * Secret information stored in the application
       * URL Manipulation
       * Malformed ATS Configuration
       * Automatic Reference Counting (ARC) not enforced
       * Stack smashing protection not enforced
       * Missing privacy manifest file
       * iOS URL Scheme Injection
       * IPA contains only bitcode
       * Mach-O encrypted
       * Mach-O entitlements
       * IPA files list
       * IPA Frameworks list
       * IPA Plist files
       * IPA symbol table
       * URL Scheme list
       * Strings Bplist files
       * Debug Symbols Present in the Application
       * iOS Sensitive data stored in keyboard cache
       * iTunes UI File Sharing Enabled
       * Address Space Layout Randomization (ASLR) not enforced
       * Insecure App Transport Security (ATS) Settings
       * iOS URL Scheme Hijacking
       * Application implements anti-debug techniques
       * Privacy manifest files
       * No sensitive data stored outside App
       * Insecure whitelist configuration
       * Source Map Code Leak
       * Cordova debug mode enabled
       * Cordova Cross-Site Scripting (XSS)
       * Insecure whitelist
       * Public AWS S3 bucket with file listing enabled
       * Secure Firebase Database Permissions
       * Subdomain Takeover
       * External DNS interaction
       * Network Port Scan
       * Account Takeover Vulnerability
       * Code Injection
       * Command Injection
       * Expression Language (EL) Injection
       * File inclusion vulnerability
       * NoSQL Injection
       * Server-side template injection (SSTI)
       * Server Side Inclusion
       * SQL injection
       * XPath Injection
       * XML External Entity (XXE) Injection
       * Cookie missing security attributes
       * Insecure HTTP Header Setting: Content Security Policy (CSP)
       * Insecure HTTP Header Setting: Content-Type
       * Insecure HTTP Header Setting: HTTP Strict Transport Security (HSTS)
       * Insecure HTTP Header Setting: Insecure Referrer Policy
       * Insecure HTTP Header Setting: X-Frame-Options
       * Insecure HTTP Header Setting: X-XSS-Protection Header
       * Strict-Transport-Security (HSTS) not enforced
       * CRLF Injection
       * Publicly exposed Firebase Database
       * Insecure Direct Object Reference
       * LDAP Injection
       * Heartbleed (CVE-2014-0160)
       * Insecure TLS certificate validation (accept self-signed certificate)
       * Insecure Object Serialization
       * Path Traversal
       * XML Injection
       * TLS/SSL Server Configuration Settings
       * Interesting response
       * Django Debug Mode Enabled
       * Username enumeration
       * Generic Web Entry
       * Insecure HTTP Header Setting
       * Insecure Cross-Origin Resource Sharing (CORS) policy
       * Insecure TLS Certificate Validation
       * Anonymous unauthenticated server accepted
       * Use of deprecated TLS/SSL protocol version
       * Clear text HTTP request
       * Insecure TLS Ciphers supported
       * Insecure TLS certificate domain name validation
       * HTTP Host Header Poisoning
       * Insecure Direct Object Reference (IDOR)
       * Insecure Access Control
       * Unrestricted file upload
       * Cross-Site Scripting (XSS)
       * Secret information transmitted over the network
       * Enforce proper authentication
       * Secure TLS certificate validation
       * Assign a unique name and/or number for identifying and tracking user

 * API
    * GraphQL API

 * FAQ

Copyright © 2024 Ostorlab Security Testing Platform.
Made with Material for MkDocs