The new commands support the modern scan. Full commands documentation can be found here:
run-discovery
stop-discovery
wait-for-discovery
list-entrypoints
Project Level PDF Report
It is now possible to generate a PDF report from the project level.
Copy Scan Template ID
A "Copy ID" option has been added to the Scan Template object, allowing you to easily retrieve this data for automating scan processes.
Bulk Delete Entrypoints
A Bulk Delete option has been added to the Entrypoints table, enabling the removal of multiple entrypoints at once.
Authentication Recorder
The new Authentication Recorder can now be manually started when you're ready. It also provides feedback on network connection stability.
-The new recorder feature is disabled by default. Speak to your CSE or Bright support to enable the feature in your environment.
Upcoming breaking changes
Tests deprecation
On April 15th, we will deprecate the Mass Assignment test. The following two tests cover its functionality and should be used instead:
The members table has a new "last seen" field, showing a date & time of the last time the member logged in to Bright (either via the UI or by using a user API key).
Note: The data is shown for logins that happened on or after February 18th. Users with "-" haven't logged in since the feature was rolled out.
Added a discovery:polling command to poll the discovery status from the CLI (Polling a Discovery).
Descriptive errors were added.
Under-the-hood improvements
Increasing crawler coverage.
Crawler and Scanning speed improvements.
Upcoming breaking changes
Organization Members
Starting March 4th, we will make a change to the "Get all members (v1)" API - and will restrict it to return only the first 1000 members.
Please plan to move to its v2 version which supports pulling all members by using pagination.
Tests deprecation
On April 15th, we will deprecate the Mass Assignment test. The following two tests cover its functionality and should be used instead:
Starting February 18th, when creating/editing/cloning authentication objects - selecting a project will become mandatory. Using existing authentication objects (without modifying them) will not be affected.
Organization Members
Starting March 4th, we will make a change to the "Get all members (v1)" API - and will restrict it to return only the first 1000 members.
Please plan to move to its v2 version which supports pulling all members by using pagination.
Broken Access Control (BAC). This test checks for improper access controls measures allowing users to perform actions beyond their permissions.
Read additional details in here.
Breaking change - Warning logs are now written to stderr instead of stdout.
Scans: Added a concurrency flag to control the maximum concurrent requests allowed to be sent to the target (Running a Scan).
Discoveries:
Added a discovery:run command to run a discovery from the CLI (Running a Discovery).
Added a discovery:stop command to stop a discovery from the CLI (Stopping a Discovery).
Added a discovery:rerun command to re-run a discovery from the CLI (Rerunning a Discovery).
Proxy:
Added a new proxy-domains-bypass optional flag - can be used with either proxy or proxy-target. Accepts a space-separated list of domains. Domains in the list will not be proxied.
It cannot be used together with proxy-domains (Command Language Syntax).
Added support for reading the PROXY and NO_PROXY environment variables. If those are set, their values will be used as input for the proxy and proxy-domains-bypass flags (Command Language Syntax).
Added IP access restrictions that allow organizations to control account access by specifying trusted IP ranges. This ensures that only users or systems from authorized IP addresses can connect, providing added security and control over organizational access.
Added support for importing projects from Snyk collections. Users can now select collections when running a scan and view Snyk collection details in the Scan info section.
Added the "Queue Size" counter to the discovery details page. Located in the "Scan Progress" box, it shows the crawler queue size (0 for completed/failed/stopped/queued discoveries and >0 for running discoveries). Available for discoveries only.
Activity log
Added project-related actions to the activity log. It now tracks project creation, renaming, and deletion, grouped under the corresponding actions for better clarity and visibility.
Broken Object Level Property Authorization (BOPLA). This test checks if the application properly enforces access controls on individual properties of an object.
Read additional details in here.
Enhancements
Scan health metrics
We've adjusted the successful requests logic, and it now includes any request which is not a network timeout, network gateway error, rate-limiting or authentication error.
Authentication objects
Email OTP: Added support for base64 encoded emails.
Webhooks
Webhook triggers were extended to support discoveries: You can now trigger a webhook when discovery has started, ended or changed status.
The optional customerMetadata scan field is now included as part of the scan webhook payload.
XPath selector support - Bright now supports XPath selectors for Manual and Recorded Browser-Based Authentication flows to find elements on a page.
📘
XPath selectors are expressions used for precise selection, navigation, and manipulation of elements in XML and HTML documents based on their hierarchy, attributes, text, and other characteristics.
Currently, Bright supports XPath, CSS, and ARIA selectors.
For example, here’s how to set up the XPath selector in the Bright web app:
Type: text input
Name: Email
Value: xpath///*[@id="email"]
Added mandatory project flag for Entrypoint scans - When using the new --entrypoint flag, users must now include the --project flag. This allows users to specify a list of entrypoint IDs to run the scan on specific entrypoints.
Email One-Time Password - Bright now supports Email One-Time Passwords (OTP), allowing automatic authentication for users within the tested applications.
Renamed existing flags (proxy-internal and proxy-external) to reduce confusion about their functionality:
Rename proxy-internal to proxy-target.
Rename proxy-external to proxy-bright.
Add a newproxy-domainsoptional flag - can be used with either proxy-target or proxy. Accepts a space-separated list of domains to be proxied. Only domains in the list will be proxied.
Run a scan with projects Entrypoints - Added support for running scans with project-level Entrypoints via the CLI. There are two new options available:
Users can request a list of Entrypoint IDs to run the scan on specific Entrypoints.
If a project is specified and the --entrypoint flag is added without specifying Entrypoint IDs, the scan will run on the first 2000 project-level Entrypoints.
ARIA selector support - Bright now supports ARIA selectors for Manual Browser-based authentication flow and Recorded Browser-Based Authentication flow for finding the elements on the page.
📘
ARIA is a set of attributes that can be added to HTML elements that define ways to make web content and applications accessible to users with disabilities who use assistive technologies.
Previously, Bright web app could only interact with text or CSS selectors.
For example, to specify the element using Manual Browser-Based Authentication, type the following in the Auth flow settings:
Type:text input
Name:aria/Email
Value:admin
For those who use the Recorded Browser-Based Authentication flow, the transition will be completely seamless and won’t require any action.
Rendering the HTML DOM of the authentication object's page - Bright now displays the page's rendered HTML code in Browser-Based Authentication flows, enhancing the ability to debug non-working authentication objects, particularly in SPA applications. Additionally, functionality to copy the rendered HTML DOM data has been added for easier analysis and troubleshooting.
Integrate Snyk projects in a bulk action - now users can select multiple items without saving progress after each added project.
Add workstation parameter - Bright IDE Extension now allows developers to add their unique workstation names. These names can be configured in the extension settings. If empty, the hostname will be saved as a workstation ID.
To enter the settings, open the Command Palette by Command + Shift + P from macOS or Control + Shift + P for Windows, then type bright in the search bar to filter the fields.
Save Repeaters information after disconnect - now the information about a Repeater (version, description, etc) will be saved in the Bright web app even if the connection is lost.
New syntax: {{ authobject.otps.<OTPNAME> }} - all current tokens will be named "token1" so you will use {{ auth_object.otps.token1 }}. OTP names can be modified to any name consisting of alphanumeric characters and underscore _ only.
Referencing stages (Custom API flow): Stage names will no longer be restricted to starting with the stage. They can consist of alphanumeric characters and underscore _ only. The term any is a reserved name and cannot be used.
Old syntax: {{ auth_object.<STAGE_NAME>.request.headers }} or {{ auth_object.any_stage.request.headers }}. You can refer to request/response and headers/body/URL as usual, where the <STAGE_NAME> must start with the stage).
New syntax: {{ auth_object.stages.<STAGE_NAME>.request.headers }} or {{ auth_object.stages.any.request.headers }}. Existing authentication objects will be upgraded automatically.
Enhanced crawler logic: Improved the crawler logic to identify more Entrypoints, which expands the attack surface. Users may notice increased crawling and scanning times as a result. New discoveries will reveal more entrypoints, so users should select their attack surface carefully to manage scan times. Legacy scans may also experience longer crawling and testing times due to the expanded attack surface.
