Release on April 4, 2024
- Open Cloud Storage test (Medium severity, #1 in the OWASP Top 10) - Cloud storage services allow websites and services to store and access binary objects (photos, videos, documents, etc.) in a storage object, also called a bucket or blob.
- The Open Cloud Storage test looks for cloud storage object URLs in entrypoints, requests, and responses and verifies that they do not allow full anonymous access; anonymous read or write can result in sensitive information leakage, data tampering, or unauthorized access.
- URL example: https://neuralegion-open-bucket.s3.amazonaws.com
- We consolidated all major cloud vendors' storage features under the Open Cloud Storage test:
  - AWS S3 Storage
  - Google Cloud Storage
  - Azure Blob Storage (added in this version)
- Server-side test
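The URL-matching step described above, shown as an added Python example (not Bright's own code): it pulls cloud storage object URLs out of a request or response body and identifies the provider and bucket or container for the three vendors the test covers. The host patterns, the sample body and its bucket, account and file names are constructed assumptions; only the first URL comes from the release notes.

```python
from __future__ import annotations
import re
from collections import namedtuple
from urllib.parse import urlparse

# Host patterns for the three providers the test covers, derived from each vendor's
# documented URL formats; an assumption of this example, not Bright's own matcher.
_S3_VHOST = re.compile(r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
_S3_PATH = re.compile(r"^s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
_GCS_VHOST = re.compile(r"^(?P<bucket>[a-z0-9._-]+)\.storage\.googleapis\.com$")
_GCS_PATH = re.compile(r"^storage\.googleapis\.com$")
_AZURE = re.compile(r"^(?P<account>[a-z0-9]{3,24})\.blob\.core\.windows\.net$")
_URL_RE = re.compile(r"https?://[^\s\"'<>()]+")

# provider is "aws-s3", "gcs" or "azure-blob"; container is the bucket name,
# or "account/container" for Azure Blob Storage.
StorageRef = namedtuple("StorageRef", "provider container url")


def classify(url: str) -> StorageRef | None:
    # Return a StorageRef if the URL points at one of the recognised object stores.
    parsed = urlparse(url)
    host = parsed.hostname or ""            # urlparse lower-cases the host
    segments = [s for s in parsed.path.split("/") if s]
    if m := _S3_VHOST.match(host):          # <bucket>.s3[.region].amazonaws.com
        return StorageRef("aws-s3", m["bucket"], url)
    if _S3_PATH.match(host) and segments:   # s3[.region].amazonaws.com/<bucket>/...
        return StorageRef("aws-s3", segments[0], url)
    if m := _GCS_VHOST.match(host):         # <bucket>.storage.googleapis.com
        return StorageRef("gcs", m["bucket"], url)
    if _GCS_PATH.match(host) and segments:  # storage.googleapis.com/<bucket>/...
        return StorageRef("gcs", segments[0], url)
    if m := _AZURE.match(host):             # <account>.blob.core.windows.net/<container>/...
        container = f"{m['account']}/{segments[0]}" if segments else m["account"]
        return StorageRef("azure-blob", container, url)
    return None


def find_storage_refs(text: str) -> list[StorageRef]:
    # Scan a request or response body and return the unique storage references in it.
    seen, refs = set(), []
    for url in _URL_RE.findall(text):
        ref = classify(url.rstrip(".,;"))   # drop trailing punctuation from prose
        if ref and ref.url not in seen:
            seen.add(ref.url)
            refs.append(ref)
    return refs


# Constructed sample response body; the first URL is the one from the release notes.
SAMPLE_BODY = """<img src="https://neuralegion-open-bucket.s3.amazonaws.com/logo.png">
<a href="https://storage.googleapis.com/acme-reports/q1.pdf">report</a>
<script src="https://acmecdn.blob.core.windows.net/assets/app.js"></script>
<a href="https://www.example.com/s3.amazonaws.com/notabucket">decoy</a>"""
```

Each reference found this way is a candidate for the anonymous-access check; a bucket or container that serves such URLs should have public access blocked unless the objects are meant to be world-readable.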
- SQL Injection (SQLi) (Critical severity, #3 in the OWASP Top 10) is a security vulnerability that lets attackers manipulate a website's database through the Structured Query Language used to communicate with it.
- An attacker might inject malicious SQL code, often through web form inputs or URL parameters, making the website execute unintended commands. SQL Injection can lead to unauthorized access to sensitive data, data deletion, or other malicious actions against a database.
- In this release, we've:
  - Optimized the SQLi test execution time
  - OWASP: SQL Injection
- Test Authentication check
- A warning dialog is presented when attempting to create or save an authentication object without first completing the test authentication flow, so that discoveries and scans run smoothly.
- Consolidating statuses
- The statuses of discovery and scanning activities have been consolidated to give a clear view of each activity's state.
- The newly available statuses are Completed, Stopped, Failed, Running, Queued, and Scheduled.
Changes from previous statuses:

| Previous value | New value |
|---|---|
| "Searching", "Pending" and "Idle" | "Running" |
| "Incomplete", "Disrupted" | "Failed" |
| "Complete", "Done" | "Completed" |
To avoid disrupting automated scripts, these changes will be reflected only in the Bright Web App, not the API.