The Issues Explorer
Last updated
Was this helpful?
Last updated
Was this helpful?
The Issues Explorer is Flusk’s generated security report, displaying potential vulnerabilities in a detailed, line-by-line format. The report is organized in a table format with the following columns:
Type Assigned: This column categorizes the type of vulnerability each row addresses, helping you quickly identify the nature of the issue.
Item: This column specifies the exact part of your app to which the vulnerability applies, such as a particular data type or an app setting.
Criticality: This shows Flusk’s assessment of the vulnerability’s importance, rating each as low, medium, or high. This rating helps prioritize which vulnerabilities may require the most immediate attention.
Version: This shows the app version to which the issue applies.
Assigned: This optional setting lets you designate a specific team member to investigate and address the issue.
At the top of the issue explorer, you’ll find different filters to help you narrow down specific issues that you’d want to focus on.
The following filters can be applied:
Location: this lets you specify where in your app a category of issues occurs. For example, you can choose to show only issues related to APIs or the Database.
Filters: this lets you assign more complex filters, such as the type of issue, its criticality or search for its ID.
Versions: Lets you filter issues by a specific .
Assigned: Lets you show only issues assigned to a specific user.
Search: Lets you search by filters by freetext.
Note that changing the filters on this top row doesn’t change or resolve any issues, but only filters which are displayed in the list,
Click on each row of the issues explorer reveals more information about that specific issue. This provides the following additional information:
Actions:
Ignore issue: this lets you exclude the issue from future reports
Resolve issue: this lets you mark the issue as resolved
Status: The status field gives you a timeframe of when the issue was first revealed, as well as the time it was last checked.
Issue description: The issue description gives you a more in-depth explanation of what exactly the issue is about, and can point you towards a recommended fix.
Issues are separated into categories. The table below gives a short description of each category and issue, and the following section describes each issue in more detail.
Privacy and data security
Missing privacy rules
Ensure are correctly defined for each data type.
Sensitive data exposed in workflows
Check if sensitive data is exposed in login actions.
Publicly accessible sensitive fields
Confirm that sensitive fields (e.g., user personal data) are protected through .
Secure page protection
Verify that sensitive pages (e.g., admin dashboards) have proper redirection or access controls.
Database exposure risks
Identify potential data leaks due to misconfigured searches or data exposure.
Exposed sensitive API parameters
Check if sensitive parameters (e.g., API keys, unique IDs) are exposed in API calls.
Sensitive data in API URLs
Ensure no sensitive URLs are exposed in API calls.
Unprotected backend workflows
Confirm that backend workflows are not publicly exposed.
Temporary password exploits
Check for vulnerabilities related to temporary passwords.
Insecure API documentation (Swagger)
Ensure the Swagger file doesn’t expose sensitive API information.
Publicly accessible file uploaders
Make sure file uploaders store files privately.
Publicly accessible picture uploaders
Ensure picture uploaders store images privately.
Unrestricted iFrame embedding
Check that your app cannot be rendered in an iFrame to prevent clickjacking.
User and account security
Editor privacy
Ensure your editor is set to private or secure access levels.
Password policy
Confirm that the password policy is strong enough to protect user data.
Test version protection
Verify that your test version is protected by a username/password combination.
Default username/password combo
Ensure that the default username/password combination isn’t in use.
Unauthorized collaborator access
Check for unauthorized collaborators, and ensure each collaborator is approved.
API & Token Security
Improperly secured map API keys
Manage internal API tokens to grant only necessary permissions.
Unsafe Google Maps API token
Ensure your Google Maps API token has HTTP referrer restrictions.
Scheduled testing can easily be set up to run from a set date, and thereby on the following interval:
Daily
Weekly
Bi-weeks
Monthly
Every 3 months
Custom (down to the hour)
The test will first run at the specified date and time, based on the time zone of your current device.
The privacy rules checker runs a thorough analysis of your entire database. Depending on the size of your database, the process can take a few minutes to complete
This dedicated test reviews all data types within an app (and version) to identify which fields are publicly accessible. It checks each data type for potential information leaks, highlighting any fields that are accessible without restrictions for your review. This allows you to inspect and adjust as needed to secure the data.
To instruct Flusk which fields are considered sensitive and which are public, you use the data type rating tool, described below.
To ensure that the test gives a useful and correct result, you can use the Database review tool to map each individual as:
Safe: the data in the field can be accessible to anyone, including through the Data API.
Sensitive: the data in the field should be protected with , and should not be accessible by anyone without the proper authentication.
Article:
Article section: |