CONTRAST LABS

On Tuesday, users of Google Docs were targeted with an email phishing attack. The email content was a ruse to trick folks into granting access to their contact data. Google quickly put measures into place to stop the attack. Please visit this Google page to learn how to protect yourself >>

Even though Google put measures into place to prevent the attack, I did find a way to reproduce the phishing scheme this past Wednesday. I used Google's own developer platform to create a third-party app, and also called it “Google Docs.” The only difference is that I used a Cyrillic character, used in Russia, for the letter “o” in the app’s name.

On March 6, a new remote code execution vulnerability was disclosed¹ against Struts 2 (2.3.5-2.3.31 and 2.5-2.5.10.) Most likely, if you're using Struts 2, you are vulnerable to a one-shot attack which can run arbitrary system commands.

On March 7, while everyone was busy frantically grepping through Vault7, a devastatingly simple exploit was released to packetstorm². Rapid7 researcher Tom Sellers released a great honeypot analysis³showing weaponized mass exploitation late in the day Wednesday, March 8 coming from China.

Contrast Protect customers were able to defend their whole portfolio within hours of the first announcement using a Virtual Patch. We've also just released a new, more robust CVE Shield which allows customers to get code-level insights into this and any similar attacks. 

Let’s talk about commons-httpclient-3.1.jar. I get asked about this library all the time. It’s an HTTP communication library. It has a vulnerability in it. It doesn’t handle SSL very well. In fact, it doesn’t really verify you are who the client…

If you’re running web applications on the Internet, then you’re almost certainly seeing probes for the Struts 2 vulnerability (CVE-2017-5638). These attacks started within hours of the vulnerability being released, and we continue to see widespread probes with dangerous payloads in the first request.

Contrast announced that Contrast Protect now supports Microsoft .NET applications. Microsoft .NET remains one of the top three enterprise application development environments. As a result, more enterprise applications can be self-protecting than ever before.

The java-buildpack is a Cloud Foundry build pack for running JVM-based applications. It is designed to run many JVM-based applications (Grails, Groovy, Java Main, Play Framework, Spring Boot, and Servlet) with no additional configuration, but supports configuration of the standard components, and extension to add custom components.

A lightweight Java agent for preventing attacks against object deserialization like those discussed by @breenmachine and the original researchers @frohoff and @gebl, affecting WebLogic, JBoss, Jenkins and more.

Remember the story of the boy who cried wolf?  His pranks were "false alarms" - defined as "a mistaken or intentionally misleading alert that something is wrong and needs attention."  False alarms from application security tools are certainly annoying, but how do they affect the overall economics of an application security program? As it turns out, they make all the difference.

Los Altos, Calif. – November 2, 2016 – Wix.com, a hosting provider which claims to host millions of websites, contains an XSS that leads to administrator account takeover and could be used to create a Wix website worm.

The project is part of the Contrast Openness Initiative that consists of an initial combination of our Open API Architecture and our Open Documentation Library.

This SDK gives you a quick start for programmatically accessing the Contrast REST API using Java.

Intentionally Vulnerable Node Applications

A simple and lightweight migration tool for Apache Cassandra database that's based on Axel Fontaine's Flyway project. Cassandra Migration works just like Flyway. Plain CQL and Java based migrations are supported. The Java migration interface provides DataStax's Java Driver session.

ContrastDvnr 1.0: Utility for displaying information about the IIS Site and applications on the current machine. It creates a report file about the following:

• Machine Information - OS Version, Processor Speed, Memory Available, .NET versions installed
• IIS Site Information (IIS7 or newer)
  • Bindings - Ip Address, Port, Binding Information
  • Applications - AppPool, Authentication Mode, .NET Dlls, HttpModules
  • AppPools - .NET Framework version, Pipeline mode, .NET x86/64bit. (AppPools not used by any application are ignored)
• GAC .NET DLLs. (Microsoft DLLs are ignored)

By default results are written to report.xml file in XML format. JSON or text output format can be chosen instead. Output can also be written to another file or output to the screen.

This library provides a simple REST client for retrieving data from Contrast Team Server's REST API as plain old C# objects.

This library is also provided as a nuget package: https://www.nuget.org/packages/ContrastRestClient/.

This project will onboard a Gradle based web application to a TeamServer instance. Configuration values can be entered in a config.json file in the projects directory, or you will be prompted to enter the values during the vagrant up phase.

I often get the question, “How well does your product handle iOS?” I’d like to explain why I think this question is a warning sign for an application security program.

An unfortunate part of my job is that sometimes I have to explain that people are focusing on the wrong objectives. Here’s my unfortunate dose of reality for today: We all need a perspective adjustment when it comes to “the client.” With Drumpf-esque powers of oversimplification, let’s start by envisioning that half of your apps are server code, and half client code, looking something like this...

NOTE: Before you begin reading, you may want to visit this article for Act 1 of our series – Kryo serialization library and its weaknesses. This piece frames some of the discussion in this blog, but definitely isn’t required reading. XStream is a popular deserialization library. It’s used directly by many popular apps, like the build tool, Jenkins. It’s also used by other popular libraries, like Spring and Struts 2 for unmarshalling XML input into objects.

When @frohoff, @gebl and @breenmachine all combined to melt Java security (in what I’m hereafter conflating under the term “seriapalooza”), I thought about deserialization alternatives. Where are my customers going next? Is there greener grass? We’re going to find out. If the title of my series wasn’t spoiler enough, let me foreshadow more plainly: the grass is brown and dead, everywhere.

With all the talk about Java serialization vulnerabilities, I thought I'd share a new, open source tool I built for you to download and use, purposely designed to consume all the memory of a target that's deserializing objects -- eventually blowing it up. It’s called jinfinity. jinfinity exploits the fact that deserializers, like many parsers, follow very basic read-until-terminator patterns. jinfinity totally bypasses any of the protections discussed recently around untrusted deserialization.