The Issues Explorer
The Issues Explorer is Flusk’s generated security report, displaying potential vulnerabilities in a detailed, line-by-line format. The report is organized in a table format with the following columns:
Type Assigned: This column categorizes the type of vulnerability each row addresses, helping you quickly identify the nature of the issue.
Item: This column specifies the exact part of your app to which the vulnerability applies, such as a particular data type or an app setting.
Criticality: This shows Flusk’s assessment of the vulnerability’s importance, rating each as low, medium, or high. This rating helps prioritize which vulnerabilities may require the most immediate attention.
Version: This shows the app version to which the issue applies.
Assigned: This optional setting lets you designate a specific team member to investigate and address the issue.
Filtering issues
At the top of the issue explorer, you’ll find different filters to help you narrow down specific issues that you’d want to focus on.
The following filters can be applied:
Location: this lets you specify where in your app a category of issues occurs. For example, you can choose to show only issues related to APIs or the Database.
Filters: this lets you assign more complex filters, such as the type of issue, its criticality or search for its ID.
Versions: Lets you filter issues by a specific .
Assigned: Lets you show only issues assigned to a specific user.
Search: Lets you search by filters by freetext.
Note that changing the filters on this top row doesn’t change or resolve any issues, but only filters which are displayed in the list,
Revealing issue details
Click on each row of the issues explorer reveals more information about that specific issue. This provides the following additional information:
Actions:
Ignore issue: this lets you exclude the issue from future reports
Resolve issue: this lets you mark the issue as resolved
Status: The status field gives you a timeframe of when the issue was first revealed, as well as the time it was last checked.
Issue description: The issue description gives you a more in-depth explanation of what exactly the issue is about, and can point you towards a recommended fix.
Issues
Issues are separated into categories. The table below gives a short description of each category and issue, and the following section describes each issue in more detail.
| Category | Issue | Description |
|---|---|---|
Privacy and data security | Privacy rules definition | Ensure are correctly defined for each data type. |
| Sensitive clear data in login workflows | Check if sensitive data is exposed in login actions. |
| Public sensitive fields | Confirm that sensitive fields (e.g., user personal data) are protected through . |
| Page access protection | Verify that sensitive pages (e.g., admin dashboards) have proper redirection or access controls. |
| Database leaks | Identify potential data leaks due to misconfigured searches or data exposure. |
| API Connector sensitive parameter | Check if sensitive parameters (e.g., API keys, unique IDs) are exposed in API calls. |
| Visible URL in API call | Ensure no sensitive URLs are exposed in API calls. |
| Backend workflows protection | Confirm that backend workflows are not publicly exposed. |
| Assign temp password vulnerability | Check for vulnerabilities related to temporary passwords. |
| Swagger privacy | Ensure the Swagger file doesn’t expose sensitive API information. |
| Public file uploader | Make sure file uploaders store files privately. |
| Public picture uploader | Ensure picture uploaders store images privately. |
| iFrame restriction | Check that your app cannot be rendered in an iFrame to prevent clickjacking. |
User and account security | Editor privacy | Ensure your editor is set to private or secure access levels. |
| Password policy | Confirm that the password policy is strong enough to protect user data. |
| Test version protection | Verify that your test version is protected by a username/password combination. |
| Default username/password combo | Ensure that the default username/password combination isn’t in use. |
| Bubble collaborators | Check for unauthorized collaborators, and ensure each collaborator is approved. |
API & Token Security | Bubble API tokens | Manage internal API tokens to grant only necessary permissions. |
| Unsafe Google Maps API token | Ensure your Google Maps API token has HTTP referrer restrictions. |
Scheduled tests
Scheduled testing can easily be set up to run from a set date, and thereby on the following interval:
Daily
Weekly
Bi-weeks
Monthly
Every 3 months
Custom (down to the hour)
The test will first run at the specified date and time, based on the time zone of your current device.
Privacy rules checker
The privacy rules checker runs a thorough analysis of your entire database. Depending on the size of your database, the process can take a few minutes to complete
This dedicated test reviews all data types within an app (and version) to identify which fields are publicly accessible. It checks each data type for potential information leaks, highlighting any fields that are accessible without restrictions for your review. This allows you to inspect and adjust as needed to secure the data.
To instruct Flusk which fields are considered sensitive and which are public, you use the data type rating tool, described below.
Rating data types
To ensure that the test gives a useful and correct result, you can use the Database review tool to map each individual as:
Safe: the data in the field can be accessible to anyone, including through the Data API.
Sensitive: the data in the field should be protected with , and should not be accessible by anyone without the proper authentication.
Article section: Tools and setting | Data rating
Last updated