New business logic test

• Broken Access Control (BAC). This test checks for improper access controls measures allowing users to perform actions beyond their permissions.
  Read additional details in here.

Enhancements

Bright-CLI:

1. v13.0.1: Fixed the MSI installer.
2. v13.0.0: New major release:
   1. Breaking change - Warning logs are now written to stderr instead of stdout.
   2. Scans: Added a concurrency flag to control the maximum concurrent requests allowed to be sent to the target (Running a Scan).
   3. Discoveries:
      1. Added a discovery:run command to run a discovery from the CLI (Running a Discovery).
      2. Added a discovery:stop command to stop a discovery from the CLI (Stopping a Discovery).
      3. Added a discovery:rerun command to re-run a discovery from the CLI (Rerunning a Discovery).
   4. Proxy:
      1. Added a new proxy-domains-bypass optional flag - can be used with either proxy or proxy-target. Accepts a space-separated list of domains. Domains in the list will not be proxied.
         It cannot be used together with proxy-domains (Command Language Syntax).
      2. Added support for reading the PROXY and NO_PROXY environment variables. If those are set, their values will be used as input for the proxy and proxy-domains-bypass flags (Command Language Syntax).
   5. Added log-level 5 - trace (Command Language Syntax).

New option to manage IP restrictions

• Added IP access restrictions that allow organizations to control account access by specifying trusted IP ranges. This ensures that only users or systems from authorized IP addresses can connect, providing added security and control over organizational access.

Bright's documentation

Enhancements

Snyk integration

• Added support for importing projects from Snyk collections. Users can now select collections when running a scan and view Snyk collection details in the Scan info section.

Bright's documentation

---

Queue size on the Discovery page

• Added the "Queue Size" counter to the discovery details page. Located in the "Scan Progress" box, it shows the crawler queue size (0 for completed/failed/stopped/queued discoveries and >0 for running discoveries). Available for discoveries only.

  
  

---

Activity log

• Added project-related actions to the activity log. It now tracks project creation, renaming, and deletion, grouped under the corresponding actions for better clarity and visibility.

Bright's documentation

---

Amazon AWS S3 bucket takeover renaming

• The "Amazon AWS S3 bucket takeover" test was renamed to "AWS S3 Takeover".

Bright's documentation

New business logic test

• Broken Object Level Property Authorization (BOPLA). This test checks if the application properly enforces access controls on individual properties of an object.
  Read additional details in here.

Enhancements

Scan health metrics

• We've adjusted the successful requests logic, and it now includes any request which is not a network timeout, network gateway error, rate-limiting or authentication error.

---

Authentication objects

• Email OTP: Added support for base64 encoded emails.

---

Webhooks

1. Webhook triggers were extended to support discoveries: You can now trigger a webhook when discovery has started, ended or changed status.
2. The optional customerMetadata scan field is now included as part of the scan webhook payload.

Webhooks documentation

---

Bright-CLI:

1. v12.6.0: The timeout flag now accepts duration strings (Command Language Syntax).

Enhancements

Snyk validation

1. Added support for branches.
2. Added support for multiple Synk organizations.
3. Added the ability to set a minimal severity at the organization level.
4. Added the ability to select all repositories when running a validation scan.

Snyk validation

---

Bright-CLI:

1. v12.5.0:
   1. Added a timeout flag to all commands, accepting values in seconds (Command Language Syntax).
   2. Removal of the old proxy-internal and proxy-external flags (were replaced with proxy-target and proxy-bright).
2. v12.4.0:
   1. Listing Entrypoints - added a new pretty optional flag to return a "prettified" version of the entry points, in JSON format (Listing Entrypoints).
3. v12.3.0:
   1. Listing Entrypoints - added new optional filter flags (Listing Entrypoints):
      1. limit - to set a limit of returned entrypoints.
      2. connectivity - to filter by connectivity status.
      3. status - to filter by entrypoint status.

Enhancements

XPath selector support - Bright now supports XPath selectors for Manual and Recorded Browser-Based Authentication flows to find elements on a page.

📘

XPath selectors are expressions used for precise selection, navigation, and manipulation of elements in XML and HTML documents based on their hierarchy, attributes, text, and other characteristics.

Currently, Bright supports XPath, CSS, and ARIA selectors.

For example, here’s how to set up the XPath selector in the Bright web app:

• Type: text input
• Name: Email
• Value: xpath///*[@id="email"]

Added mandatory project flag for Entrypoint scans - When using the new --entrypoint flag, users must now include the --project flag. This allows users to specify a list of entrypoint IDs to run the scan on specific entrypoints.

For example:
bright-cli scan:run --project <project_id> --entrypoint <entrypoint_id1> <entrypoint_id2> <entrypoint_id3> ...

This change ensures that the scan is targeted at the correct project and its associated entrypoints.

Enhancements

Schedule Discoveries: Bright now allows users to automate the timing and frequency of discoveries, with three available options:

• Run a Discovery immediately
• Schedule a one-time scan for a specific date and time
• Set up recurrent scans to run at regular intervals

Previously, it was allowed to run a Discovery immediately only.

Bright’s documentation

---

Email One-Time Password - Bright now supports Email One-Time Passwords (OTP), allowing automatic authentication for users within the tested applications.

Bright’s documentation

---

Multiple One-Time Passwords - add several OTPs within one authentication object. Users are allowed to create up to five OTPs at once.

Also, now it’s possible to rename an OTP by opening the OTP settings:

Bright’s documentation

---

The new version of Bright-CLI (12.2.0) -

• Repeater proxy changes:
  • Renamed existing flags (proxy-internal and proxy-external) to reduce confusion about their functionality:
    Rename proxy-internal to proxy-target.
    Rename proxy-external to proxy-bright.
  • Add a new proxy-domains optional flag - can be used with either proxy-target or proxy. Accepts a space-separated list of domains to be proxied. Only domains in the list will be proxied.

Bright's documentation

• Run a scan with projects Entrypoints - Added support for running scans with project-level Entrypoints via the CLI. There are two new options available:
  • Users can request a list of Entrypoint IDs to run the scan on specific Entrypoints.
    • Example:
      bright-cli scan:run --entrypoint <entrypoint_id1> <entrypoint_id2> <entrypoint_id3>
  • If a project is specified and the --entrypoint flag is added without specifying Entrypoint IDs, the scan will run on the first 2000 project-level Entrypoints.
    • Example:
      bright-cli scan:run --project <PROJECT_ID> --entrypoint

Bright's documentation

---

ARIA selector support - Bright now supports ARIA selectors for Manual Browser-based authentication flow and Recorded Browser-Based Authentication flow for finding the elements on the page.

📘

ARIA is a set of attributes that can be added to HTML elements that define ways to make web content and applications accessible to users with disabilities who use assistive technologies.

Previously, Bright web app could only interact with text or CSS selectors.

For example, to specify the element using Manual Browser-Based Authentication, type the following in the Auth flow settings:

• Type: text input
• Name: aria/Email
• Value: admin

For those who use the Recorded Browser-Based Authentication flow, the transition will be completely seamless and won’t require any action.

---

Rendering the HTML DOM of the authentication object's page - Bright now displays the page's rendered HTML code in Browser-Based Authentication flows, enhancing the ability to debug non-working authentication objects, particularly in SPA applications. Additionally, functionality to copy the rendered HTML DOM data has been added for easier analysis and troubleshooting.

---

Integrate Snyk projects in a bulk action - now users can select multiple items without saving progress after each added project.

Bright’s documentation

---

Add workstation parameter - Bright IDE Extension now allows developers to add their unique workstation names. These names can be configured in the extension settings. If empty, the hostname will be saved as a workstation ID.

To enter the settings, open the Command Palette by Command + Shift + P from macOS or Control + Shift + P for Windows, then type bright in the search bar to filter the fields.

Bright’s documentation

---

Save Repeaters information after disconnect - now the information about a Repeater (version, description, etc) will be saved in the Bright web app even if the connection is lost.

Enhancements

1. Referencing OTP objects:
   • Old syntax: {{ authobject.otpToken1 }}
   • New syntax: {{ authobject.otps.<OTPNAME> }} - all current tokens will be named "token1" so you will use {{ auth_object.otps.token1 }}. OTP names can be modified to any name consisting of alphanumeric characters and underscore _ only.

Bright’s documentation

2. Referencing stages (Custom API flow): Stage names will no longer be restricted to starting with the stage. They can consist of alphanumeric characters and underscore _ only. The term any is a reserved name and cannot be used.
   • Old syntax: {{ auth_object.<STAGE_NAME>.request.headers }} or {{ auth_object.any_stage.request.headers }}. You can refer to request/response and headers/body/URL as usual, where the <STAGE_NAME> must start with the stage).
   • New syntax: {{ auth_object.stages.<STAGE_NAME>.request.headers }} or {{ auth_object.stages.any.request.headers }}. Existing authentication objects will be upgraded automatically.

Bright’s documentation

3. Enhanced crawler logic: Improved the crawler logic to identify more Entrypoints, which expands the attack surface. Users may notice increased crawling and scanning times as a result. New discoveries will reveal more entrypoints, so users should select their attack surface carefully to manage scan times. Legacy scans may also experience longer crawling and testing times due to the expanded attack surface.

Enhancements

• The new version of Bright-CLI (12.1.0)
  • Removed hardcoded test types in scan commands, enhancing flexibility (#554)

Bug Fixes

• repeater: add cap_net_raw+ep capabilities for node in Docker image (#560)
• scan: correct param handling to respect user-provided values (#566)

For more details, visit the Brightsec repository.

Enhancements

1. Optional "Execute the application under test" Command (Bright Dev-Centric) - If no start command is provided, the process will not start automatically, allowing users to initiate their target manually. This is useful for users who need to run complex scripts or deal with issues preventing automatic startup.

Bright's documentation

2. The new version of Bright-CLI (11.5.4) - The Repeater server now decodes base64 encoded bodies before running scripts, making script execution simpler and reducing potential errors.

Bright's Github repository

Enhancements

• Webhooks - users can now add headers sent with the webhook to include authentication headers, enabling webhooks to access authenticated endpoints.
  • Webhooks and their headers can be managed from the Project settings in the Webhooks section. To add a header, do the following:
    • Select a suitable Header name from a drop-down menu or type your own.
    • Provide a Header value to proceed.

📘

There is no limit to the number of custom header values you can add.

Bright's documentation

---

• Scan Health monitoring - Easily spot and filter authentication and network issues during a scan with colored indicators based on successful request percentage. This health status refers to scan results, not overall Entrypoint health, highlighting test interactions during scanning.
  • New columns have been added to the Entrypoints table on the Scan Info page: Health, Successful Requests, and Total Requests. The Health metric is calculated by dividing the number of successful requests by the total number of requests.
  • New filters for Health, Successful Requests, and Total Requests are available.
  • Successful Requests are any responses that are not 401 (Unauthorized) or 403 (Forbidden).

Bright's documentation

---

• Users can now add metadata to run a new scan call to simplify automation workflows and provide additional metadata for a complex programmatical flow. This is relevant only for API start scans.
• To add metadata, add the customerMetadata parameter into the request body:

{
  "tests": [
    "csrf",
    "sqli"
  ],
  "buckets": [
    "string"
  ],
  "entryPointIds": [
    "EP_ID"
  ],
  "discoveryTypes": [
    "archive"
  ],
  "poolSize": 50,
  "crawlerUrls": [
    "https://example.com"
  ],
  "attackParamLocations": [
    "artifical-fragment"
  ],
  "extraHosts": {
    "example.com": "127.0.0.1"
  },
  "headers": [
    {
      "name": "Authorization",
      "value": "Bearer token",
      "mergeStrategy": "replace"
    }
  ],
  "fileId": "FILEID",
  "hostsFilter": [
    "localhost:3000"
  ],
  "repeaters": [
    "REPEATERID"
  ],
  "smart": true,
  "optimizedCrawler": true,
  "maxInteractionsChainLength": 5,
  "subdomainsCrawl": true,
  "skipStaticParams": true,
  "projectId": "PROJECTID",
  "exclusions": {
    "requests": [
      {
        "patterns": [
          "(?<excluded_file_ext>(\\/\\/[^?#]+\\.)((?<image>jpg|jpeg|png|gif|svg)|(?<font>ttf|otf|fnt|fon))(?:$|#|\\?))"
        ],
        "methods": [
          "GET"
        ]
      }
    ],
    "params": [
      "^(?!.*login).*$"
    ],
    "htmlSelectors": [
      "/html/body/div[1]/table/tbody/tr/td[8]/a",
      ".mat-focus-indicator .mat-menu-item ng-tns-c46-3"
    ]
  },
  "inclusions": {
    "headers": [
      "Authorization"
    ]
  },
  "slowEpTimeout": 100,
  "targetTimeout": 120,
  "name": "brokencrystals owasp top 10",
  "authObjectId": "AUTHOBJECTID",
  "schedule": {
    "type": "future",
    "repeatInterval": 1000,
    "repeatIntervalUnit": "hours",
    "repeatWeekdays": [
      0
    ],
    "nextRunAt": "2024-06-10T10:17:06.825Z",
    "endAt": "2024-06-10T10:17:06.825Z",
    "runNow": false,
    "skipConcurrent": true
  },
  "module": "dast",
  "templateId": "TEMPLATEID",
  "info": {
    "client": {
      "name": "bright-cli",
      "version": "10.0.0"
    },
    "provider": "string",
    "source": "api"
  },
  "configSource": {
    "type": "integration",
    "metadata": [
      {
        "system": "azure",
        "issueSourceId": "ISSUESOURCEID"
      }
    ]
  },
  "customerMetadata": "TEXT_PLACEHOLDER"
}

• The customerMetadataThe field is a string type, so any text information can be placed here. The maximum length of this field is 10000 characters.
• To request previously added metadata, use the endpoint: /api/v1/scans/{SCAN_ID}/customer-metadata