- Reflected & Stored XSS optimization - The duration of tests has been reduced from days to a couple of hours or less, depending on the target, entry points, and parameters.
- Engine notification for running tests - To improve the determination of ongoing test status, we have introduced a new engine notification at the scan level. This notification will provide information on which tests are currently active and will indicate the number of entry points that are still in progress for each test. The notification will be generated every hour.
- Display deleted users’ actions in Activity log - Deleted user actions are now visible in the Activity log.
- API key expiration notifications - The user is notified via email when the API key is about to expire or has already expired. Notifications are sent 7 days before the expiration date and immediately upon expiration of the key.
- Autocomplete allowed target URLs - Now, users can immediately see the available targets for scanning without needing to check the list of allowed targets. When a user fills in the URL field, suggestions from the allowed targets list will be displayed.
- Snyk integration - With this integration, Snyk SAST findings are validated using Bright's DAST capabilities. The combined approach reduces false positives and gives users a more reliable vulnerability assessment process.
- Tables improvements - We continue to unify and enhance all tables in the Bright app: server-side pagination and table controls have been added to the User API keys table.
- Baseline Parameters tool - Improves accuracy by replacing our heuristic value approximations with predefined values, making results more reliable and system behavior more predictable.
- New Tests Available - CSS Injection, which tests for weaknesses that could allow hackers to inject malicious CSS code.
- Organization API key support for scan templates - Allows use of Organization API keys to create/manage scan templates. Learn more about sharing a template.
- Self-serve Connectivity tool - The Response tab within the Entrypoint Summary page now features a connectivity issue indicator, along with details regarding potential causes and solutions.
- Enhanced Notification for Entrypoint Editor - A new notification has been integrated into the Entrypoint Editor, appearing whenever there's invalid syntax detected in the Request Body field.
- New Tests Available - iFrame injection, Prompt injection
- Rerun Discovery from the History tab - You can now quickly rerun a Discovery without adjusting its settings.
- Updated PDF reports - The Discovered Entrypoints section has been added to the PDF reports for enhanced content.
Known Issues
- Windows narrator repeats the title of items from dropdown lists 3 times. - Bug on Google Material side (to be fixed in the next updates): In a number of dropdown lists, the Windows narrator repeats list items 3 times instead of voicing them only once.
Authentication-Related Issues
- Error when creating recorded browser-based authentication with Chrome record made starting from an empty tab: When creating a record in Chrome starting from an empty tab and then creating recorded browser-based authentication using the created record, the user gets the following error: The actual URL (chrome-error://chromewebdata/) doesn't match up to the specified validation URL (chrome://YOUR_PAGE), please make sure the URL is correct or record again with the correct configuration.
- Recording created with the Google Chrome recorder fails to replay with an Evaluation failed error. When replaying the recording, the following error appears: Evaluation failed. TypeError: Failed to execute ‘observe’ on ‘IntersectionObserver’: parameter 1 is not type ‘Element’… For details, see Troubleshooting Authentication Issues.
- Test buckets - All tests are now organized into groups that describe the general attack direction. Tests can still be selected manually if needed.
- New section in PDF reports - The PDF reports now include a Vulnerable entrypoints section showing the number of issues found for each entrypoint.
- Activity Log filters - New filters by date, object, action, and actor have been added.
- OTP support for recorded Browser-Based Form Authentication – manually added one-time password (OTP) generation is now available for recorded Browser-Based Form Authentication, in addition to Browser-Based Authentication and Custom API Authentication. Learn more about how to add an OTP to the authentication flow.
- Scan PDF report customization – the Compliance results section in Scan PDF reports has been reworked and now includes a new "Not checked" status. Learn about exporting scan reports in the article.
- New vectors – 3 new vectors have been added to the XML External Entity Injection test.
- New payloads – 2 new payloads have been added to the Reflective Cross-Site Scripting (rXSS) test.
- Issues tab improvements – a new Unconfirmed issues tab and details view showing SQL Injection findings.
This Bright release is significant: it substantially improves scanning speed and quality thanks to a new architecture of the internal processes. To learn more about the updated user flow, see the documentation.
- Splitting scanning into two phases: Discovery and Testing – testing becomes faster and results more consistent and accurate, because all Entrypoints are validated live before testing. Legacy scans are still available. To learn more, see the article.
- In-app Entrypoint and Baseline Editor – it is now possible to quickly fix Entrypoints with connectivity problems. To learn how to use it, see the article.
Known Issues
- A scan enters the disrupted state for no obvious reason. While we work on optimizing this setting, use the following workaround: restart the scan and change the scan setting:
1. Open the Optimizations tab → Scan performance & speed
2. Uncheck the option Stop scan if target doesn’t respond for ... min
3. Click Retest scan
- Improved activity log - The capabilities of the activity log have been improved: users now have the ability to view the activity of all users in the organization, and can easily filter the data based on the actor. For more information, see Managing Activity Log.
- Improved Broken Object Level Authorization (BOLA) test - The test logic has been changed to improve scan resilience.
- Comment access with personal API keys - Bright now provides the ability to manage comments using personal API keys.
- Engine progress calculation improvements - Total scan progress is now based on the actual tests that need to be run on each entry point. As a result, two new values can be displayed: test progress per entry point and the time saved by parallel testing (performed with high-concurrency tests).
- New engine recoverability capabilities - A new engine mechanism continuously saves scan progress, improving scan resilience and significantly reducing the chance of failure.
- New Activity log events - New activity log events have been added for changes to a project issue's status, severity, and assignee.
- Improved Projects filtering and presentation - Projects can now be filtered by their labels, and the Labels column is shown in the Projects table.
- Group role scopes inheritance - Role group permissions are now inherited on a user level.
- Export all Projects data as a CSV file - The ability to export data of all projects in CSV format has been added.
- Improved UI - The files attached to the project are now located in the Files tab, instead of a separate module.