The Issues Explorer

The Issues Explorer is Flusk’s generated security report, displaying potential vulnerabilities in a detailed, line-by-line format. The report is organized in a table format with the following columns:

  • Type Assigned: This column categorizes the type of vulnerability each row addresses, helping you quickly identify the nature of the issue.

  • Item: This column specifies the exact part of your app to which the vulnerability applies, such as a particular data type or an app setting.

  • Criticality: This shows Flusk’s assessment of the vulnerability’s importance, rating each as low, medium, or high. This rating helps prioritize which vulnerabilities may require the most immediate attention.

  • Version: This shows the app version to which the issue applies.

  • Assigned: This optional setting lets you designate a specific team member to investigate and address the issue.

Filtering issues

At the top of the issue explorer, you’ll find different filters to help you narrow down specific issues that you’d want to focus on.

The following filters can be applied:

  • Location: this lets you specify where in your app a category of issues occurs. For example, you can choose to show only issues related to APIs or the Database.

  • Filters: this lets you assign more complex filters, such as the type of issue, its criticality or search for its ID.

  • Versions: Lets you filter issues by a specific .

  • Assigned: Lets you show only issues assigned to a specific user.

  • Search: Lets you search by filters by freetext.

Note that changing the filters on this top row doesn’t change or resolve any issues, but only filters which are displayed in the list,

Revealing issue details

Click on each row of the issues explorer reveals more information about that specific issue. This provides the following additional information:

  • Actions:

    • Ignore issue: this lets you exclude the issue from future reports

    • Resolve issue: this lets you mark the issue as resolved

  • Status: The status field gives you a timeframe of when the issue was first revealed, as well as the time it was last checked.

  • Issue description: The issue description gives you a more in-depth explanation of what exactly the issue is about, and can point you towards a recommended fix.

Issues

Issues are separated into categories. The table below gives a short description of each category and issue, and the following section describes each issue in more detail.

Category
Issue
Description

Privacy and data security

Privacy rules definition

Ensure are correctly defined for each data type.

Sensitive clear data in login workflows

Check if sensitive data is exposed in login actions.

Public sensitive fields

Confirm that sensitive fields (e.g., user personal data) are protected through .

Page access protection

Verify that sensitive pages (e.g., admin dashboards) have proper redirection or access controls.

Database leaks

Identify potential data leaks due to misconfigured searches or data exposure.

API Connector sensitive parameter

Check if sensitive parameters (e.g., API keys, unique IDs) are exposed in API calls.

Visible URL in API call

Ensure no sensitive URLs are exposed in API calls.

Backend workflows protection

Confirm that backend workflows are not publicly exposed.

Assign temp password vulnerability

Check for vulnerabilities related to temporary passwords.

Swagger privacy

Ensure the Swagger file doesn’t expose sensitive API information.

Public file uploader

Make sure file uploaders store files privately.

Public picture uploader

Ensure picture uploaders store images privately.

iFrame restriction

Check that your app cannot be rendered in an iFrame to prevent clickjacking.

User and account security

Editor privacy

Ensure your editor is set to private or secure access levels.

Password policy

Confirm that the password policy is strong enough to protect user data.

Test version protection

Verify that your test version is protected by a username/password combination.

Default username/password combo

Ensure that the default username/password combination isn’t in use.

Bubble collaborators

Check for unauthorized collaborators, and ensure each collaborator is approved.

API & Token Security

Bubble API tokens

Manage internal API tokens to grant only necessary permissions.

Unsafe Google Maps API token

Ensure your Google Maps API token has HTTP referrer restrictions.

Scheduled tests

Scheduled testing can easily be set up to run from a set date, and thereby on the following interval:

  • Daily

  • Weekly

  • Bi-weeks

  • Monthly

  • Every 3 months

  • Custom (down to the hour)

The test will first run at the specified date and time, based on the time zone of your current device.

Privacy rules checker

The privacy rules checker runs a thorough analysis of your entire database. Depending on the size of your database, the process can take a few minutes to complete

This dedicated test reviews all data types within an app (and version) to identify which fields are publicly accessible. It checks each data type for potential information leaks, highlighting any fields that are accessible without restrictions for your review. This allows you to inspect and adjust as needed to secure the data.

To instruct Flusk which fields are considered sensitive and which are public, you use the data type rating tool, described below.

Rating data types

To ensure that the test gives a useful and correct result, you can use the Database review tool to map each individual as:

  • Safe: the data in the field can be accessible to anyone, including through the Data API.

  • Sensitive: the data in the field should be protected with , and should not be accessible by anyone without the proper authentication.

Article section: Tools and setting | Data rating

Last updated

#829: Flusk: more detailed Issue Descriptions

Change request updated