Overview

The Bright Repeater is a scan proxy which provides a secure connection between the Bright cloud engine and a target on a local network. The Repeater mode enables you to securely scan targets on a local network, without having to allowlist the Bright IP address in your firewall for incoming traffic.

The Repeater mode is designed for:

• Organizations that cannot open a port in the firewall for inbound traffic. A Repeater enables you to scan either from the Bright SaaS or a private cloud.
• Users who must run a local scan on their machine without deploying the target application.

📘

Important:

• Repeater support WebSocket and HTTPS:443 protocol for communication between the Repeater and Bright cloud.
• If your environment uses a proxy server, please make sure that the SOCKS protocol support is enabled.
• Repeater supports backward compatibility with AMPQ protocol configuration: amq.app.brightsec.com via the AMQ protocol (over TLS) using port 5672.
• The Repeater mode is not compatible with TLS tests.

How the Repeater deployment works

The Bright Repeater is an open source scan proxy which securely connects to the Bright cloud engines and mediates all traffic from the cloud to any local target.

After starting a scan in the Repeater mode, communication works as follows:

1. The Repeater initiates a GET request to the cloud engine via the AMQ server.
2. The Repeater receives the request instructions describing how to interact with the local target.
3. The Repeater locally adds the relevant headers to the request, such as authentication headers, and sends the request to the local target.
4. The local target returns the response to the Repeater.
5. The Repeater sends the response to the engine.
6. The Repeater returns to #1 until the scan completes.

Technical requirements

Connecting a Repeater requires:

• A local machine with:
  • Processor: x86 or x64 1 core (minimum), 2 core (recommended)
  • RAM: 512 MB (minimum), 1 GB (recommended)
  • Hard disk: up to 512 MB of available space may be required
• Access to the relevant internal targets on a local network
• Access to amq.app.brightsec.com on port 5672 or a private cloud on the relevant port
• If a proxy server is used, make sure it is configured to allow the SOCKS protocol.

Deployment

To run a scan in the Repeater mode so that all scan requests are pulled (as outbound traffic) from the Bright cloud through a Repeater to the local target, you first need to install the Bright CLI on your machine. Using a special Bright CLI command, you will be able to connect a Repeater to your local network.

Follow these instructions to deploy Bright CLI:

• Prerequisites
• Install as a standalone app
• Install as Docker
• Install as NPM / Yarn
• Install as Windows app (MSI)

Usage

To learn how to start Bright CLI, follow these instructions.

• Security scanning as self-service
  It’s my first time using a DAST tool. I just want to set up a simple scan to try it out.
  I’m a developer from a small development team, and we want to scan our products (APIs, web applications) for security vulnerabilities from time to time (self-service).
• Scanning at the enterprise level
  I want to scan local targets inside my company’s internal network without exposing the targets externally.
• Scanning as part of CI pipeline
  I want to integrate security scanning in to my company’s CI pipeline so that scans will run automatically with every new build.