<iframe src="//www.googletagmanager.com/ns.html?id=GTM-WQV6DT" height="0" width="0" style="display:none;visibility:hidden">

We build fantastic things

Contrast Labs

Contrast Labs is a team of accomplished cybersecurity researchers and industry experts that perform application security threat analysis, security analytics, and other security research.

The work performed by Contrast Labs continuously improves the Contrast Security platform with support for new threats, attacks, vulnerabilities, and defenses. The team also exposes interesting analytics based on the data gathered by the Contrast Security platform. Finally, the Contrast Labs team is committed to the open source community and frequently publishes tools and research papers. 

Contrast Labs Reveals 25% of Web Apps Still Vulnerable to 8 of the OWASP Top Ten

February 13, 2017

Research Also Finds that 80 Percent of Software Applications Had at Least One Vulnerability

Utilizing data, collected by Contrast Labs from the Contrast Security platform across several popular development languages, revealed sensitive data exposure, which includes missing and weak encryption, as the top vulnerability, plaguing 69 percent of web applications and accounting for 26 percent of all vulnerabilities. The research also found that 80 percent of tested software applications had at least one vulnerability, with an average of 45 vulnerabilities per application. 

The top 5 web application vulnerabilities according to the Contrast Labs research are as follows:
  • Sensitive data exposure – affects 69 percent of applications
  • Cross-site request forgery – affects 55 percent of applications
  • Broken authentication and session management – affects 41 percent of applications
  • Security misconfiguration – affects 37 percent of applications
  • Missing function level access control – affects 33 percent of applications

Contrast Makes .NET Applications Self-Defending

December 2016

Contrast announced that Contrast Protect now supports Microsoft .NET applications. Microsoft .NET remains one of the top three enterprise application development environments. As a result, more enterprise applications can be self-protecting than ever before. 

DOM XSS in wix.com

November 2, 2016

Wix.com, a hosting provider which claims to host millions of websites, contains an XSS that leads to administrator account takeover and could be used to create a Wix website worm. 


Wix.com has a severe DOM XSS vulnerability that allows an attacker complete control over any website hosted at Wix. Simply by adding a single parameter to any site created on Wix, the attacker can cause their JavaScript to be loaded and run as part of the target website. 

Here’s an example exploit occurring, causing a reflected payload to occur:


UPDATE - November 3, 2016

Contrast published a disclosure about DOM XSS vulnerability in wix.com discovered by Contrast Senior Security Research Engineer, Matt Austin, on November 2, at 8:00 AM PST. 

GOOD NEWS - Sometime between Noon and 3:00 PM PST that same day, Wix appears to have resolved the problem!

MORE GOOD NEWS:  Wix now has a bug bounty program in place to help avoid issues like this in the future. Ya!


Cloud Foundry Java Buildpack


The java-buildpack is a Cloud Foundry buildpack for running JVM-based applications. It is designed to run many JVM-based applications (Grails, Groovy, Java Main, Play Framework, Spring Boot, and Servlet) with no additional configuration, but supports configuration of the standard components, and extension to add custom components.



A lightweight Java agent for preventing attacks against object deserialization like those discussed by @breenmachine and the original researchers @frohoff and @gebl, affecting WebLogic, JBoss, Jenkins and more.

The True Cost of "False Positives" in Application Security


Remember the story of the boy who cried wolf?  His pranks were "false alarms" - defined as "a mistaken or intentionally misleading alert that something is wrong and needs attention."  False alarms from application security tools are certainly annoying, but how do they affect the overall economics of an application security program? As it turns out, they make all the difference.

IAST & the Villainous Library Named "commons-httpclient-3.1.jar"


Let’s talk about commons-httpclient-3.1.jar. I get asked about this library all the time. It’s an HTTP communication library. It has a vulnerability in it. It doesn’t handle SSL very well. In fact, it doesn’t really verify you are who the client…

Open Docs

October 17, 2016

The project is part of the Contrast Openness Initiative that consists of an initial combination of our Open API Architecture and our Open Documentation Library.

Contrast TeamServer Java SDK

October 17, 2016

This SDK gives you a quick start for programmatically accessing the Contrast REST API using Java.

Node Test Bench

October 17, 2016

Intentionally Vulnerable Node Applications

Contrast Maven Plugin

October 17, 2016

This Maven plugin can be used to allow Contrast to discover vulnerabilities in your application during your integration or verification tests. The "install" goal of the plugin is used to download the agent to the /target directory. In order to use the agent, you should add the -javaagent flag to the JVM options of the application that will be monitored by Contrast in the testing lifecycle phases.


August 26, 2016

Sheepdog is a simple tool to generate normal and attack traffic for OWASP WebGoat. It can be used with security technologies like WAF and RASP in demonstrations and to verify that they are doing a tiny piece of what they are supposed to do. Sheepdog is not intended to be an exhaustive set of security tests. It has some basic SQL injection, XSS, path traversal, and that kind of thing.

Continuous Application Security Handbook

Revised: August 2016

We reject the old paradigm of periodic and serial scanning, hacking, and patching, which has proven expensive and ineffective. Instead, Continuous Application Security (CAS) relies on security instrumentation in every application. This instrumentation provides security visibility, assessment, and protection in real time and in parallel across the entire application portfolio. CAS is a unified program covering the entire software lifecycle, including both development and production, designed to create a clear line of sight from the threat to strong defenses, and ultimately to assurance.

A CAS program empowers ordinary developers to reliably build and operate secure applications and APIs by transforming paper-based security policy and guidance into “security as code” through instrumentation-based security enforcement. CAS also enables development, security, and operations to work together effectively, at the pace of modern software development and at global enterprise scale.  

Cassandra Migration

August 12, 2016

A simple and lightweight migration tool for Apache Cassandra database that's based on Axel Fontaine's Flyway project. Cassandra Migration works just like Flyway. Plain CQL and Java based migrations are supported. The Java migration interface provides DataStax's Java Driver session.

Contrast DVNR

August 9, 2016

ContrastDvnr 1.0: Utility for displaying information about the IIS Site and applications on the current machine. It creates a report file about the following:

  • Machine Information - OS Version, Processor Speed, Memory Available, .NET versions installed
  • IIS Site Information (IIS7 or newer)
    • Bindings - Ip Address, Port, Binding Information
    • Applications - AppPool, Authentication Mode, .NET Dlls, HttpModules
    • AppPools - .NET Framework version, Pipeline mode, .NET x86/64bit. (AppPools not used by any application are ignored)
  • GAC .NET DLLs. (Microsoft DLLs are ignored)

By default results are written to report.xml file in XML format. JSON or text output format can be chosen instead. Output can also be written to another file or output to the screen.

Contrast REST Client

August 1, 2016

This library provides a simple REST client for retrieving data from Contrast Team Server's REST API as plain old C# objects.

This library is also provided as a nuget package: https://www.nuget.org/packages/ContrastRestClient/.

Gradle Based Web App Onboarding With Vagrant

June 27, 2016

This project will onboard a Gradle based web application to a TeamServer instance. Configuration values can be entered in a config.json file in the projects directory, or you will be prompted to enter the values during the vagrant up phase.

Contrast Jenkins Plugin

July 22, 2016

Repository for the Contrast Jenkins plugin. This plugin adds the ability to configure a connection to a Jenkins Build.

The Client Is Not Always Right!

June 10, 2016


I often get the question, “How well does your product handle iOS?” I’d like to explain why I think this question is a warning sign for an application security program.

An unfortunate part of my job is that sometimes I have to explain that people are focusing on the wrong objectives. Here’s my unfortunate dose of reality for today: We all need a perspective adjustment when it comes to “the client.” With Drumpf-esque powers of oversimplification, let’s start by envisioning that half of your apps are server code, and half client code, looking something like this:

Serialization Must Die: Act 2: XStream (Jenkins CVE-2016-0792)

February 24, 2016

NOTE: Before you begin reading, you may want to visit this article for Act 1 of our series – Kryo serialization library and its weaknesses. This piece frames some of the discussion in this blog, but definitely isn’t required reading. XStream is a popular deserialization library. It’s used directly by many popular apps, like the build tool, Jenkins. It’s also used by other popular libraries, like Spring and Struts 2 for unmarshalling XML input into objects.

Serialization Must Die: Act 1: Kryo

February 12, 2016

When @frohoff, @gebl and @breenmachine all combined to melt Java security (in what I’m hereafter conflating under the term “seriapalooza”), I thought about deserialization alternatives. Where are my customers going next? Is there greener grass? We’re going to find out. If the title of my series wasn’t spoiler enough, let me foreshadow more plainly: the grass is brown and dead, everywhere.

A New, Open Source Tool Proves: Even After Patching, Deserializing Will Still Kill You

January 5, 2016

With all the talk about Java serialization vulnerabilities, I thought I'd share a new, open source tool I built for you to download and use, purposely designed to consume all the memory of a target that's deserializing objects -- eventually blowing it up. It’s called jinfinity. jinfinity exploits the fact that deserializers, like many parsers, follow very basic read-until-terminator patterns. jinfinity totally bypasses any of the protections discussed recently around untrusted deserialization.

OWASP Benchmark Technical Brief

November, 2016

The Open Web Application Security Project (OWASP) Benchmark Project lets organizations freely assess products they have or are planning to use. Read the brief to and discover how to FREELY assess your sites using the Benchmark and see why Contrast scored a 92%.


schedule a demo now

No risk. No obligations. No training required.
Get Demo