• IBM API Connect - Added support for the IBM API Connect format of OAS files, meeting a customer need. OAS is an industry standard, but IBM adds some specific syntax to the OAS files generated by its system, which required dedicated parsing.

  • Snyk integration - Extended the view of Bright's Snyk integration. The platform now shows how many vulnerabilities were imported from Snyk, how many Bright issues matched a specific attack simulation, and the specific vulnerabilities that were validated and found by Bright, as well as the indication from the SAST tool. This gives a clearer view of the activity and findings and lets our customers focus on remediating the most severe vulnerabilities.

The latest release is available at app.brightsec.com!

  • New test added: Google Cloud Storage - Google Cloud Storage attack (Medium severity, #1 in the OWASP Top 10 Web Apps for 2021). This test validates URLs in payloads that address Google Cloud Storage. When such a URL can be copied and used outside the scope of the authenticated user, the stored data is at risk of exposure.
    For more details see the documentation.

  • Scan progress indication in the scan view - A new column called Tests Progress was added to the scans table. It shows an estimated percentage of test progress, and users can view, filter, and sort the scans table based on this column.
    For more details see the documentation.

  • Set Single Sign-On with Microsoft Azure Entra ID - Admins can set up SSO for the Bright platform from within the Microsoft Entra ID interface, based on their existing user directory.
    To learn how to set up the integration, see the documentation.

  • Bright's API: Update scan behavior - Scheduled/Queued/Re-test scans can now be edited to use the tests defined in a template instead of defining specific tests.

    Go explore it on app.brightsec.com!

  • New test available - Broken Object Level Authorization (BOLA) (critical severity, number 1 in the OWASP API Top 10). This test detects unauthorized access to, or manipulation of, objects. The attack exploits endpoints that do not check permissions at the object level, so an authenticated user can access objects they are not supposed to access.
    For a detailed explanation, please refer to OWASP: API1:2023 Broken Object Level Authorization.
  • Sitemap - Graphical representation of the web application hierarchy. The sitemap is available in two places in the product:
    • Scan info - The lower section of the scan page has several tabs with information about the scan. A new tab called Sitemap is available there (it is not visible by default; use the section settings to turn it on). It shows the application mapping created throughout the discovery phase.
    • Discovery history - In the lower section of the project page, there are 4 tabs under the project overview section; the last one is called Discovery History. Navigate to that tab and select one of the discoveries performed in the project. This leads to a new set of tabs called Discovery Results. Open the section settings, turn on the Sitemap toggle, and the Sitemap tab appears.
  • Starting scan from template via CLI - Scan Templates allow predefined scan configurations to be reused multiple times, saving time and effort. Scan Templates can be used when setting up a new scan in the UI. More details are in the docs.
  • PDF report customization enabled - The ability to customize the look of the PDF report to the customer's branding and style is now available for all customers. Users with the "Admin" or "Owner" role can set the PDF report style.
  • The latest Bright CLI v11 is now available on GitHub, NPM, or Docker Hub and can be pulled via a command on the Quick Start wizard!

Repeater v11

  • Introducing a new way to plug into the Bright Repeater using standard HTTPS (443) and WebSocket communication, which IT can easily approve.

Compatibility

  • NPM & Yarn Installations now have no additional dependencies to install (Python, GCC, G++, etc.)
  • Alpine Linux is now supported
  • Docker builds via the Red Hat OpenShift Container Platform are supported

We highly recommend using the latest version to benefit from the enhanced capabilities and stability. We are planning to end the support for version 9 by the end of 2023, and we recommend upgrading to newer versions in the near future.

For details, read the official overview Docs.

  • Reflected & Stored XSS optimization - The duration of tests has been reduced from days to a couple of hours or less, depending on the target, entry points, and parameters.
  • Engine notification for running tests - To improve the determination of ongoing test status, we have introduced a new engine notification at the scan level. This notification will provide information on which tests are currently active and will indicate the number of entry points that are still in progress for each test. The notification will be generated every hour.
  • Display deleted users’ actions in Activity log - Deleted user actions are now visible in the Activity log.
  • API key expiration notifications - The user is notified via email when the API key is about to expire or has already expired. Notifications are sent 7 days before the expiration date and immediately upon expiration of the key.
  • Autocomplete allowed target URLs - Now, users can immediately see the available targets for scanning without needing to check the list of allowed targets. When a user fills in the URL field, suggestions from the allowed targets list will be displayed.
  • Snyk integration - Using this integration, Snyk SAST issues are validated with Bright's DAST capabilities. This combined approach reduces false positives and gives users a more reliable vulnerability assessment process.
  • Tables improvements - We continue to unify and enhance all tables in the Bright app: server-side pagination and table controls have been added to the User API keys table.
  • Baseline Parameters tool - Improves accuracy by replacing our heuristic value approximations with predefined values, making the system more reliable and predictable.
  • New Tests Available - CSS Injection, which tests for weaknesses that could allow hackers to inject malicious CSS code.
  • Organization API key support for scan templates - Allows use of Organization API keys to create/manage scan templates. Learn more about sharing a template.
  • Self-serve Connectivity tool - The Response tab within the Entrypoint Summary page now features a connectivity issue indicator, along with details regarding potential causes and solutions.
  • Enhanced Notification for Entrypoint Editor - A new notification has been integrated into the Entrypoint Editor, appearing whenever there's invalid syntax detected in the Request Body field.
  • New Tests Available - iFrame injection, Prompt injection
  • Rerun Discovery from the History tab - The option to quickly rerun a Discovery without adjusting its settings is now available.
  • Updated PDF reports - The Discovered Entrypoints section has been added to the PDF reports for enhanced content.

Known Issues

  • Windows Narrator repeats the title of items from dropdown lists 3 times - Bug on the Google Material side (to be fixed in upcoming updates): in a number of dropdown lists, Windows Narrator repeats list items 3 times instead of voicing them only once.

Authentication-Related Issues

  • Error when creating recorded browser-based authentication from a Chrome recording that was started from an empty tab: when a recording is created in Chrome starting from an empty tab and then used to create recorded browser-based authentication, the user gets the following error: The actual URL (chrome-error://chromewebdata/) doesn't match up to the specified validation URL (chrome://YOUR_PAGE), please make sure the URL is correct or record again with the correct configuration.
  • Recording created with the Google Chrome recorder fails to replay with an "Evaluation failed" error. When replaying the recording, an error appears: Evaluation failed. TypeError: Failed to execute ‘observe’ on ‘IntersectionObserver’: parameter 1 is not type ‘Element’… For details, see Troubleshooting Authentication Issues.
  • Test buckets - Now all tests are organized into groups that describe general attack direction. There is still a possibility to select tests manually if needed.
  • New section in PDF reports - The PDF reports are now enhanced with new data about Vulnerable entrypoints, containing a number of issues related to a particular entrypoint.
  • Activity Log filters - New filters by date, object, action, and actor have been added.