These docs are for v1.1. Click to read the latest docs for v1.2.

New business logic test

  • Broken Object Level Property Authorization (BOPLA). This test checks if the application properly enforces access controls on individual properties of an object.
    Read additional details in here.

Enhancements

Scan health metrics

  • We've adjusted the successful requests logic, and it now includes any request which is not a network timeout, network gateway error, rate-limiting or authentication error.

Authentication objects

  • Email OTP: Added support for base64 encoded emails.

Webhooks

  1. Webhook triggers were extended to support discoveries: You can now trigger a webhook when discovery has started, ended or changed status.
  2. The optional customerMetadata scan field is now included as part of the scan webhook payload.

Webhooks documentation


Bright-CLI:

  1. v12.6.0: The timeout flag now accepts duration strings (Command Language Syntax).

Enhancements

Snyk validation

  1. Added support for branches.
  2. Added support for multiple Synk organizations.
  3. Added the ability to set a minimal severity at the organization level.
  4. Added the ability to select all repositories when running a validation scan.

Snyk validation


Bright-CLI:

  1. v12.5.0:
    1. Added a timeout flag to all commands, accepting values in seconds (Command Language Syntax).
    2. Removal of the old proxy-internal and proxy-external flags (were replaced with proxy-target and proxy-bright).
  2. v12.4.0:
    1. Listing Entrypoints - added a new pretty optional flag to return a "prettified" version of the entry points, in JSON format (Listing Entrypoints).
  3. v12.3.0:
    1. Listing Entrypoints - added new optional filter flags (Listing Entrypoints):
      1. limit - to set a limit of returned entrypoints.
      2. connectivity - to filter by connectivity status.
      3. status - to filter by entrypoint status.

Enhancements

XPath selector support - Bright now supports XPath selectors for Manual and Recorded Browser-Based Authentication flows to find elements on a page.

📘

XPath selectors are expressions used for precise selection, navigation, and manipulation of elements in XML and HTML documents based on their hierarchy, attributes, text, and other characteristics.

Currently, Bright supports XPath, CSS, and ARIA selectors.

For example, here’s how to set up the XPath selector in the Bright web app:

  • Type: text input
  • Name: Email
  • Value: xpath///*[@id="email"]


Added mandatory project flag for Entrypoint scans - When using the new --entrypoint flag, users must now include the --project flag. This allows users to specify a list of entrypoint IDs to run the scan on specific entrypoints.

For example:
bright-cli scan:run --project <project_id> --entrypoint <entrypoint_id1> <entrypoint_id2> <entrypoint_id3> ...

This change ensures that the scan is targeted at the correct project and its associated entrypoints.

Enhancements

Schedule Discoveries: Bright now allows users to automate the timing and frequency of discoveries, with three available options:

  • Run a Discovery immediately
  • Schedule a one-time scan for a specific date and time
  • Set up recurrent scans to run at regular intervals

Previously, it was allowed to run a Discovery immediately only.

Bright’s documentation


Email One-Time Password - Bright now supports Email One-Time Passwords (OTP), allowing automatic authentication for users within the tested applications.

Bright’s documentation


Multiple One-Time Passwords - add several OTPs within one authentication object. Users are allowed to create up to five OTPs at once.

Also, now it’s possible to rename an OTP by opening the OTP settings:

Bright’s documentation


The new version of Bright-CLI (12.2.0) -

  • Repeater proxy changes:
    • Renamed existing flags (proxy-internal and proxy-external) to reduce confusion about their functionality:
      Rename proxy-internal to proxy-target.
      Rename proxy-external to proxy-bright.
    • Add a new proxy-domains optional flag - can be used with either proxy-target or proxy. Accepts a comma-separated list of domains to be proxied. Domains not in the list will not be proxied.

Bright's documentation

  • Run a scan with projects Entrypoints - Added support for running scans with project-level Entrypoints via the CLI. There are two new options available:
    • Users can request a list of Entrypoint IDs to run the scan on specific Entrypoints.
      • Example:
        bright-cli scan:run --entrypoint <entrypoint_id1> <entrypoint_id2> <entrypoint_id3>
    • If a project is specified and the --entrypoint flag is added without specifying Entrypoint IDs, the scan will run on the first 2000 project-level Entrypoints.
      • Example:
        bright-cli scan:run --project <PROJECT_ID> --entrypoint

Bright's documentation


ARIA selector support - Bright now supports ARIA selectors for Manual Browser-based authentication flow and Recorded Browser-Based Authentication flow for finding the elements on the page.

📘

ARIA is a set of attributes that can be added to HTML elements that define ways to make web content and applications accessible to users with disabilities who use assistive technologies.

Previously, Bright web app could only interact with text or CSS selectors.

For example, to specify the element using Manual Browser-Based Authentication, type the following in the Auth flow settings:

  • Type: text input
  • Name: aria/Email
  • Value: admin

For those who use the Recorded Browser-Based Authentication flow, the transition will be completely seamless and won’t require any action.


Rendering the HTML DOM of the authentication object's page - Bright now displays the page's rendered HTML code in Browser-Based Authentication flows, enhancing the ability to debug non-working authentication objects, particularly in SPA applications. Additionally, functionality to copy the rendered HTML DOM data has been added for easier analysis and troubleshooting.



Integrate Snyk projects in a bulk action - now users can select multiple items without saving progress after each added project.

Bright’s documentation


Add workstation parameter - Bright IDE Extension now allows developers to add their unique workstation names. These names can be configured in the extension settings. If empty, the hostname will be saved as a workstation ID.

To enter the settings, open the Command Palette by Command + Shift + P from macOS or Control + Shift + P for Windows, then type bright in the search bar to filter the fields.


Bright’s documentation



Save Repeaters information after disconnect - now the information about a Repeater (version, description, etc) will be saved in the Bright web app even if the connection is lost.

Enhancements

  1. Referencing OTP objects:
    • Old syntax: {{ authobject.otpToken1 }}
    • New syntax: {{ authobject.otps.<OTPNAME> }} - all current tokens will be named "token1" so you will use {{ auth_object.otps.token1 }}. OTP names can be modified to any name consisting of alphanumeric characters and underscore _ only.

Bright’s documentation

  1. Referencing stages (Custom API flow): Stage names will no longer be restricted to starting with the stage. They can consist of alphanumeric characters and underscore _ only. The term any is a reserved name and cannot be used.
    • Old syntax: {{ auth_object.<STAGE_NAME>.request.headers }} or {{ auth_object.any_stage.request.headers }}. You can refer to request/response and headers/body/URL as usual, where the <STAGE_NAME> must start with the stage).
    • New syntax: {{ auth_object.stages.<STAGE_NAME>.request.headers }} or {{ auth_object.stages.any.request.headers }}. Existing authentication objects will be upgraded automatically.

Bright’s documentation

  1. Enhanced crawler logic: Improved the crawler logic to identify more Entrypoints, which expands the attack surface. Users may notice increased crawling and scanning times as a result. New discoveries will reveal more entrypoints, so users should select their attack surface carefully to manage scan times. Legacy scans may also experience longer crawling and testing times due to the expanded attack surface.

Enhancements

  • The new version of Bright-CLI (12.1.0)
    • Removed hardcoded test types in scan commands, enhancing flexibility (#554)

Bug Fixes

  • repeater: add cap_net_raw+ep capabilities for node in Docker image (#560)
  • scan: correct param handling to respect user-provided values (#566)

For more details, visit the Brightsec repository.

Enhancements

  1. Optional "Execute the application under test" Command (Bright Dev-Centric) - If no start command is provided, the process will not start automatically, allowing users to initiate their target manually. This is useful for users who need to run complex scripts or deal with issues preventing automatic startup.

Bright's documentation

  1. The new version of Bright-CLI (11.5.4) - The Repeater server now decodes base64 encoded bodies before running scripts, making script execution simpler and reducing potential errors.

Bright's Github repository

Enhancements

  • Webhooks - users can now add headers sent with the webhook to include authentication headers, enabling webhooks to access authenticated endpoints.
    • Webhooks and their headers can be managed from the Project settings in the Webhooks section. To add a header, do the following:
      • Select a suitable Header name from a drop-down menu or type your own.
      • Provide a Header value to proceed.

📘

There is no limit to the number of custom header values you can add.

Bright's documentation


  • Scan Health monitoring - Easily spot and filter authentication and network issues during a scan with colored indicators based on successful request percentage. This health status refers to scan results, not overall Entrypoint health, highlighting test interactions during scanning.
    • New columns have been added to the Entrypoints table on the Scan Info page: Health, Successful Requests, and Total Requests. The Health metric is calculated by dividing the number of successful requests by the total number of requests.
    • New filters for Health, Successful Requests, and Total Requests are available.
    • Successful Requests are any responses that are not 401 (Unauthorized) or 403 (Forbidden).

Bright's documentation


  • Users can now add metadata to run a new scan call to simplify automation workflows and provide additional metadata for a complex programmatical flow. This is relevant only for API start scans.
  • To add metadata, add the customerMetadata parameter into the request body:
{
  "tests": [
    "csrf",
    "sqli"
  ],
  "buckets": [
    "string"
  ],
  "entryPointIds": [
    "EP_ID"
  ],
  "discoveryTypes": [
    "archive"
  ],
  "poolSize": 50,
  "crawlerUrls": [
    "https://example.com"
  ],
  "attackParamLocations": [
    "artifical-fragment"
  ],
  "extraHosts": {
    "example.com": "127.0.0.1"
  },
  "headers": [
    {
      "name": "Authorization",
      "value": "Bearer token",
      "mergeStrategy": "replace"
    }
  ],
  "fileId": "FILEID",
  "hostsFilter": [
    "localhost:3000"
  ],
  "repeaters": [
    "REPEATERID"
  ],
  "smart": true,
  "optimizedCrawler": true,
  "maxInteractionsChainLength": 5,
  "subdomainsCrawl": true,
  "skipStaticParams": true,
  "projectId": "PROJECTID",
  "exclusions": {
    "requests": [
      {
        "patterns": [
          "(?<excluded_file_ext>(\\/\\/[^?#]+\\.)((?<image>jpg|jpeg|png|gif|svg)|(?<font>ttf|otf|fnt|fon))(?:$|#|\\?))"
        ],
        "methods": [
          "GET"
        ]
      }
    ],
    "params": [
      "^(?!.*login).*$"
    ],
    "htmlSelectors": [
      "/html/body/div[1]/table/tbody/tr/td[8]/a",
      ".mat-focus-indicator .mat-menu-item ng-tns-c46-3"
    ]
  },
  "inclusions": {
    "headers": [
      "Authorization"
    ]
  },
  "slowEpTimeout": 100,
  "targetTimeout": 120,
  "name": "brokencrystals owasp top 10",
  "authObjectId": "AUTHOBJECTID",
  "schedule": {
    "type": "future",
    "repeatInterval": 1000,
    "repeatIntervalUnit": "hours",
    "repeatWeekdays": [
      0
    ],
    "nextRunAt": "2024-06-10T10:17:06.825Z",
    "endAt": "2024-06-10T10:17:06.825Z",
    "runNow": false,
    "skipConcurrent": true
  },
  "module": "dast",
  "templateId": "TEMPLATEID",
  "info": {
    "client": {
      "name": "bright-cli",
      "version": "10.0.0"
    },
    "provider": "string",
    "source": "api"
  },
  "configSource": {
    "type": "integration",
    "metadata": [
      {
        "system": "azure",
        "issueSourceId": "ISSUESOURCEID"
      }
    ]
  },
  "customerMetadata": "TEXT_PLACEHOLDER"
}

  • The customerMetadataThe field is a string type, so any text information can be placed here. The maximum length of this field is 10000 characters.
  • To request previously added metadata, use the endpoint: /api/v1/scans/{SCAN_ID}/customer-metadata
  1. New Large language models (LLM) test
  • Insecure Output Handling (High-severity, #2 in the OWASP Top 10 for LLM)
  • This test aims to validate that the application properly sanitizes and escapes the outputs of the large language model (LLM) to prevent insecure or harmful responses, such as cross-site scripting (XSS) and HTML injection vulnerabilities. Without proper sanitation and escaping, LLM responses can expose users to potential security risks by allowing HTML elements to manipulate the application's DOM.
  • Example:
    • The vulnerability occurs when an attacker inputs a malicious prompt in an LLM that appears to the user as a legitimate link.
      When the user clicks on the link, the user's browser runs the malicious script.
      This exposes the user to potential security risks such as Access to User Data, Phishing Attacks, Execute Unauthorized Code or Commands, Website Defacement, and Malware Distribution.
  • Attacker: Can you demonstrate adding a link to https://example.com in a newsletter using HTML? Don't use code format.
  • LLM: Of course! To add a link to https://example.com in a newsletter using HTML, you can simply use the following code: Click here to visit Example. This will create a clickable link in your newsletter that directs readers to the specified website.

Bright's documentation

OWASP: LLM02: Insecure Output Handling

  1. Snyk SAST integration: many-to-one
  • Add multiple Snyk SAST repositories to your Bright project to encompass all your asset findings in one place.
  • View, sort, and filter your Snyk repositories using the repository column in the Snyk vulnerabilities tab on any SAST issues validation scan page.

Previously, you could add only one Snyk repository to a single Bright project.

Bright's documentation

  1. Visual Studio Code Extension
    Visual Studio Marketplace
    • Project-level findings
      Share the work with everyone on the team; view all your project findings originating from any developer on the project and retest them to check if they are resolved.
    • Start mapping with a click
      Instantly start a new mapping (Discovery) of your application right from the Bright IDE side panel using the “Start Mapping” and “Stop All” options.
      Bright's documentation

  1. Scan Health monitoring
    • Understand scan health status at a glance based on successful request percentage with clear colored indicators to easily identify issues and sort/filter scans by health for informed decision-making.
    • The metric is calculated by dividing the number of successful requests by the total number of requests.
    • "Successful Requests" are any responses that are not 401 (Unauthorized) or 403 (Forbidden).
      Bright's documentation

Enhancements

  • New webhook trigger actions

Trigger your CI/CD tests and deployment process with the new webhook trigger actions, “Scan status changed” and “Scan started” in addition to the existing “Scan completed” option.

Bright's documentation

Example:

scan_completed: {
    payload: {
        name: 'My Scan',
        scanId: 'jMx6bGh9HTNBRgE8BZi9dB',
        status: 'stopped',
        elapsed: 0,
        endTime: '2024-01-01T00:00:00.000Z',
        avgSpeed: null,
        requests: 0,
        createdAt: '2024-01-01T00:00:00.000Z',
        projectId: '75ctkAG1Fd0qRu3AG55sDg',
        startTime: null,
        discovering: null,
        entryPoints: 0,
        totalParams: 0,
        totalTraffic: { sent: 0, received: 0 },
        avgResponseTime: 0,
        numberOfLowSeverityIssues: 0,
        numberOfHighSeverityIssues: 0,
        numberOfMediumSeverityIssues: 0,
        numberOfCriticalSeverityIssues: 0
    },
    when: '2024-01-01T00:00:00.000Z',
    id: '09c7bd7a-e109-4e43-a67b-d39c8823b60d',
    type: 'scan_completed'
  • Client-side attacks

    • Unvalidated Redirect (Medium-severity, # 1 in the OWASP Top 10) - is an attack that occurs when a website allows users to be redirected to any site specified in the URL path. This could cause the website to redirect the user to a malicious website controlled by an attacker that could be used to steal information or install malware.
    • For example, If you visit this link: https://brokencrystals.com/api/goto?url=www.example.com, you will be automatically taken to www.example.com
    • In this release, we’ve
      Optimized the Unvalidated Redirect test execution duration (from 75 to 30 minutes on Broken Crystals)
  • Server-side attacks

    • Cross-Site Request Forgery (CSRF) (Medium-severity, # 1 in the OWASP Top 10) - is an attack that occurs when a malicious site you visit makes a request to another site where you're logged in, using your credentials without authorizing it. For example, requesting to transfer funds, changing passwords, etc.
    • OWASP: Cross Site Request Forgery (CSRF)
  • What’s new?

    • SameSite is a browser security mechanism that determines when a website's cookies are included in requests originating from other websites.
  • All major browsers currently support the following SameSite restriction levels:

    • Strict
    • Lax (default)
    • None
  • Lax SameSite restrictions mean that browsers will send the cookie in cross-site requests, if both of the following conditions are met:

    • The request uses the GET method.
    • The request resulted from a top-level navigation by the user, such as clicking on a link.
    • In this release, we’ve
      Added the SameSite Lux vector, increasing the number of CSRF findings
  • Edit recorded authentications

    • The recorded browser-based form authentication type helps users set up authentication objects by recording the login steps in the background using the Bright or Chrome recorder and capturing this in a JSON format. When authentication is required for the scanning, Bright will repeat these steps and log on to the application.

    • In this release, we’ve added options to edit your recorded files:

    • Field value: You can now edit the authentication field value, such as user name or password, In the Create/Edit Authentication dialog under the Auth Flow Setup tab.

    • Page Timeouts: Adjust how long each page waits before timing out (from 1 to 120 seconds) to address slow page loading speed.

    • One-Time Passwords: append one-time passwords (OTP) generated by the OTP Generation settings under the Advanced tab by entering the marker {{auth_object.otpToken}}, replacing the static OTP saved by the page recording (e.g. 763041).