Release on July 23, 2024

Enhancements

  1. Referencing OTP objects:
    • Old syntax: {{ auth_object.otpToken1 }}
    • New syntax: {{ auth_object.otps.<OTPNAME> }}. All current tokens will be named "token1", so you will use {{ auth_object.otps.token1 }}. OTP names can be changed to any name consisting of alphanumeric characters and underscores (_) only.


  2. Referencing stages (Custom API flow): Stage names are no longer required to start with "stage". They can consist of alphanumeric characters and underscores (_) only. The term "any" is a reserved name and cannot be used.
    • Old syntax: {{ auth_object.<STAGE_NAME>.request.headers }} or {{ auth_object.any_stage.request.headers }}. You can refer to request/response and headers/body/URL as usual, where <STAGE_NAME> must start with "stage".
    • New syntax: {{ auth_object.stages.<STAGE_NAME>.request.headers }} or {{ auth_object.stages.any.request.headers }}. Existing authentication objects will be upgraded automatically.


  3. Enhanced crawler logic: The crawler logic has been improved to identify more Entrypoints, which expands the attack surface. Users may notice increased crawling and scanning times as a result. Because new discoveries will reveal more Entrypoints, users should select their attack surface carefully to manage scan times. Legacy scans may also experience longer crawling and testing times due to the expanded attack surface.
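
For the OTP and stage reference changes above, an added example (not Bright's code): a small Python helper that rewrites old-syntax references in templates kept outside the platform, such as version-controlled scan configuration, and checks names against the stated rules. It assumes stage names are kept unchanged by the upgrade and handles only the otpToken1 reference shown above; the function names and the sample template are hypothetical.

```python
import re

# Names may contain only alphanumerics and underscore (per the release notes).
NAME_RE = re.compile(r"[A-Za-z0-9_]+")
# A {{ auth_object.<path> }} reference, tolerant of whitespace inside the braces.
REF_RE = re.compile(r"\{\{\s*auth_object\.([A-Za-z0-9_.]+)\s*\}\}")
NEW_ROOTS = {"otps", "stages"}
PARTS = {"request", "response"}


def valid_name(name, kind):
    """Check a stage or OTP name against the rules in the release notes."""
    if not NAME_RE.fullmatch(name):
        return False
    return not (kind == "stage" and name == "any")  # 'any' is reserved for stages


def migrate_ref(path):
    """Return the new-syntax path for one reference, or None if unchanged."""
    head, _, rest = path.partition(".")
    if head in NEW_ROOTS:
        return None                          # already new syntax
    if head == "otpToken1" and not rest:
        return "otps.token1"                 # current tokens are named token1
    if rest.split(".")[0] in PARTS:
        if head == "any_stage":
            return "stages.any." + rest
        if head.startswith("stage"):         # old names had to start with "stage"
            return "stages." + head + "." + rest  # assumption: name is kept
    return None


def migrate(template):
    """Rewrite old references in a template; return (new_text, changes)."""
    changes = []

    def repl(match):
        new = migrate_ref(match.group(1))
        if new is None:
            return match.group(0)
        changes.append((match.group(1), new))
        return "{{ auth_object." + new + " }}"

    return REF_RE.sub(repl, template), changes


if __name__ == "__main__":
    # Constructed sample template, not taken from a real authentication object.
    sample = "X-Otp: {{ auth_object.otpToken1 }}; {{ auth_object.stage1.response.body }}"
    print(migrate(sample))
```

The returned change list can be reviewed before writing files back, and references the helper does not recognise are left untouched.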