<img height="1" width="1" style="display:none;" alt="" src="https://dc.ads.linkedin.com/collect/?pid=113894&amp;fmt=gif">
we build Fantastic Things


Contrast Labs is a team of accomplished cybersecurity researchers and industry experts that perform application security threat analysis, security analytics, and other security research.

The work performed by Contrast Labs continuously improves the Contrast Security platform with support for new threats, attacks, vulnerabilities, and defenses. The team also exposes interesting analytics based on the data gathered by the Contrast Security platform. Finally, the Contrast Labs team is committed to the open source community and frequently publishes tools and research.

CONTRAST LABS: March 2018 AppSec Intelligence Report

Contrast Labs' analysis of real world application security data from March 2018. We're going to change it up a bit this month by expanding our coverage to include:

  • Both known and unknown vulnerabilities in custom code
  • Both known and unknown vulnerabilities in libraries and frameworks
  • Attacks on applications and APIs
Read More
February 2018 AppSec Threat Intelligence Report

In February, overall application attack volume more than doubled. Once again this month there were no applications or APIs that were not attacked.  The majority of the attack traffic originated in the United States.

This month saw continued dominance of injection attacks of all types (XSS, SQL, CMD, PATH, etc...) and added a significant rise in CSRF and Padding Oracle attacks. Attacks on CVEs slightly down in February.

Read More
January 2018 AppSec Threat Intelligence Report

In January, overall application attack volume just about doubled. Once again this month there were no applications or APIs that were not attacked. The United States dominated the attack landscape, with almost 2x the rest of the world combined.

Also, while there was modest growth in attacks on Struts CVEs, the search for zero-day vulnerabilities increased dramatically this month.

Read More
Analysis of Real World Application Attack Data from December 2017

December was a huge month for application layer attacks, with large increases in a category of attack except Padding Oracle. Overall, we saw a 5x increase in attack traffic in December. These attacks included huge increases in SQL injection attacks, attacks on all Struts2 OGNL vulnerabilities (especially) CVE-2016-3081 and CVE-2013-2251), and Path Traversal attacks. 

Read More
Jeff Williams, Contrast CTO: Security Predictions for 2018

The world of software is changing quickly at all of our clients. As we look across tens of thousands of applications and a wealth of vulnerability and attack data, some clear trends emerge. We continue to believe that organizations that move to DevSecOps will thrive against their competition.  Here are some of our thoughts on the changing application security landscape for 2018:

Read More
Contrast Labs Analysis of Real World Attack Data from November 2017

Overall attack traffic was down in November from our highs in August. Once again this month, virtually every application/API was attacked, and some were continuously targeted across the month.  We recorded hundreds of attackers from over 250 cities around the world.

Read More
Struts 2, Equifax and You

Los Altos, Calif. – September 13, 2017 – It's hard to overstate what's happening here. The FBI, New York and Massachusetts Attorneys General, and Congress are now running inquiries into the Equifax breach. More will come. It's clear that the U.S. economy will change in some way as a result of this Struts 2 vulnerability. It may be macabre and indulgent, but you can’t help but speculate on the consequences:

  • Will we see the death of Social Security Numbers?
  • Will one of the "big three" major credit bureaus be dissolved?
  • Will we get legislation around application security?

Whatever happens, I hope the world recognizes this is a watershed moment for software application security.

Read More
The Latest Struts 2 Vulnerabilities and the Aftermath of the Equifax Hack

Los Altos, Calif. – September 9, 2017 – Baird has confirmed that the underlying Equifax vulnerability was in Apache Struts. But there have been a number of vulnerabilities in Struts, including two extremely dangerous ones just this week. The rest of Baird’s analysis is nonsense, as these exploits allow a complete remote host take over, enabling the attacker to steal, corrupt, or delete anything in that database. Depending on the details, this could be serious negligence with regard to protecting SSNs and other PII. 

In my mind, there are two Struts vulnerabilities that jump out as possibilities. The first is far more likely, but the second is a very remote possibility:

  • CVE-2017-9805 was made public this week and while also very serious, is rated a 7.5/10. This attack is also a single HTTP request but this time contains an unsafe serialized object. This attack might require authentication and does not apply to every instance of Struts. Only those with the struts2-rest-plugin are vulnerable. In this case, the attack Contrast has been monitoring for exploit attempts since the release but has not yet seen attacks.
Read More
CVE-2017-9805 – Struts S2-052 Exploit Released

On Tuesday, September 5, 2017, a critical new Remote Code Execution (RCE) vulnerability was disclosed against all previous versions of the Apache Struts 2 REST Plugin [1] available in those packages with Struts 2 between 2.0.0 and 2.5.12 (inclusive). The library uses XStream to deserialize HTTP input without any type enforcement, allowing attackers to specify unexpected types and cause arbitrary and malicious behavior.

Contrast Labs has done landmark research in deserialization flaws. In fact, the exploit for this issue is technically very similar to an exploit we released for CVE-2016-0792, a deserialization vulnerability against Jenkins we disclosed in 2016.

Contrast can protect against this vulnerability across the entire SDL, from early in development all the way through production. Simply adding the Contrast agent to your development, test, and production environments can quickly provide broad protection against this and other vulnerabilities.

Read More
NEW REPORT: Software Libraries Represent Just 7% of Application Vulnerabilities

Contrast Labs Releases State of Application Security: Libraries & Software Composition Analysis Report 

This report highlights analytics gathered from within 1,857 running applications, which included several thousand different open source libraries, frameworks, and modules.

Read More
Google Docs May Still be Vulnerable to Phishing Attacks

On Tuesday, users of Google Docs were targeted with an email phishing attack. The email content was a ruse to trick folks into granting access to their contact data. Google quickly put measures into place to stop the attack. Please visit this Google page to learn how to protect yourself >>

Even though Google put measures into place to prevent the attack, I did find a way to reproduce the phishing scheme this past Wednesday. I used Google's own developer platform to create a third-party app, and also called it “Google Docs.” The only difference is that I used a Cyrillic character, used in Russia, for the letter “o” in the app’s name.

Read More
CVE-2017-5638 – Struts 2 S2-045 Exploit Released – Protection Offered

On March 6, a new remote code execution vulnerability was disclosed1 against Struts 2 (2.3.5-2.3.31 and 2.5-2.5.10.) Most likely, if you're using Struts 2, you are vulnerable to a one-shot attack which can run arbitrary system commands.

On March 7, while everyone was busy frantically grepping through Vault7, a devastatingly simple exploit was released to packetstorm2. Rapid7 researcher Tom Sellers released a great honeypot analysis3showing weaponized mass exploitation late in the day Wednesday, March 8 coming from China.

Contrast Protect customers were able to defend their whole portfolio within hours of the first announcement using a Virtual Patch. We've also just released a new, more robust CVE Shield which allows customers to get code-level insights into this and any similar attacks. 

Read More
IAST & the Villainous Library Named "commons-httpclient-3.1.jar"

Let’s talk about commons-httpclient-3.1.jar. I get asked about this library all the time. It’s an HTTP communication library. It has a vulnerability in it. It doesn’t handle SSL very well. In fact, it doesn’t really verify you are who the client…

Read More
We are Seeing Ongoing Struts 2 Attacks

If you’re running web applications on the Internet, then you’re almost certainly seeing probes for the Struts 2 vulnerability (CVE-2017-5638). These attacks started within hours of the vulnerability being released, and we continue to see widespread probes with dangerous payloads in the first request.

Read More
Contrast Makes .NET Applications Self-Defending

Contrast announced that Contrast Protect now supports Microsoft .NET applications. Microsoft .NET remains one of the top three enterprise application development environments. As a result, more enterprise applications can be self-protecting than ever before.

Read More
Cloud Foundry Java Buildpack

The java-buildpack is a Cloud Foundry build pack for running JVM-based applications. It is designed to run many JVM-based applications (Grails, Groovy, Java Main, Play Framework, Spring Boot, and Servlet) with no additional configuration, but supports configuration of the standard components, and extension to add custom components.

Read More

A lightweight Java agent for preventing attacks against object deserialization like those discussed by @breenmachine and the original researchers @frohoff and @gebl, affecting WebLogic, JBoss, Jenkins and more.

Read More
The True Cost of "False Positives" in Application Security

Remember the story of the boy who cried wolf?  His pranks were "false alarms" - defined as "a mistaken or intentionally misleading alert that something is wrong and needs attention."  False alarms from application security tools are certainly annoying, but how do they affect the overall economics of an application security program? As it turns out, they make all the difference.

Read More
Contrast Security finds DOM XSS vulnerability in wix.com

Los Altos, Calif. – November 2, 2016 – Wix.com, a hosting provider which claims to host millions of websites, contains an XSS that leads to administrator account takeover and could be used to create a Wix website worm.

Read More
Open Docs

The project is part of the Contrast Openness Initiative that consists of an initial combination of our Open API Architecture and our Open Documentation Library.

Read More
Contrast TeamServer Java SDK

This SDK gives you a quick start for programmatically accessing the Contrast REST API using Java.

Read More
Node Test Bench

Intentionally Vulnerable Node Applications

Read More
Contrast Maven Plugin

This Maven plugin can be used to allow Contrast to discover vulnerabilities in your application during your integration or verification tests. The "install" goal of the plugin is used to download the agent to the /target directory. In order to use the agent, you should add the -javaagent flag to the JVM options of the application that will be monitored by Contrast in the testing lifecycle phases. 

Read More

Sheepdog is a simple tool to generate normal and attack traffic for OWASP WebGoat. It can be used with security technologies like WAF and RASP in demonstrations and to verify that they are doing a tiny piece of what they are supposed to do. Sheepdog is not intended to be an exhaustive set of security tests. It has some basic SQL injection, XSS, path traversal, and that kind of thing...

Read More
Continuous Application Security Handbook

We reject the old paradigm of periodic and serial scanning, hacking, and patching, which has proven expensive and ineffective. Instead, Continuous Application Security (CAS) relies on security instrumentation in every application. This instrumentation provides security visibility, assessment, and protection in real time and in parallel across the entire application portfolio.

Read More
Cassandra Migration

A simple and lightweight migration tool for Apache Cassandra database that's based on Axel Fontaine's Flyway project. Cassandra Migration works just like Flyway. Plain CQL and Java based migrations are supported. The Java migration interface provides DataStax's Java Driver session.

Read More
Contrast DVNR

ContrastDvnr 1.0: Utility for displaying information about the IIS Site and applications on the current machine. It creates a report file about the following:

  • Machine Information - OS Version, Processor Speed, Memory Available, .NET versions installed
  • IIS Site Information (IIS7 or newer)
    • Bindings - Ip Address, Port, Binding Information
    • Applications - AppPool, Authentication Mode, .NET Dlls, HttpModules
    • AppPools - .NET Framework version, Pipeline mode, .NET x86/64bit. (AppPools not used by any application are ignored)
  • GAC .NET DLLs. (Microsoft DLLs are ignored)

By default results are written to report.xml file in XML format. JSON or text output format can be chosen instead. Output can also be written to another file or output to the screen.

Read More
Contrast REST Client

This library provides a simple REST client for retrieving data from Contrast Team Server's REST API as plain old C# objects.

This library is also provided as a nuget package: https://www.nuget.org/packages/ContrastRestClient/.

Read More
Gradle Based Web App Onboarding With Vagrant

This project will onboard a Gradle based web application to a TeamServer instance. Configuration values can be entered in a config.json file in the projects directory, or you will be prompted to enter the values during the vagrant up phase.

Read More
Contrast Jenkins Plugin

Repository for the Contrast Jenkins plugin. This plugin enables Jenkins builds to check the Contrast Teamserver and fail builds according to a set of configurable criteria.

Read More
The Client Is Not Always Right!

I often get the question, “How well does your product handle iOS?” I’d like to explain why I think this question is a warning sign for an application security program.

An unfortunate part of my job is that sometimes I have to explain that people are focusing on the wrong objectives. Here’s my unfortunate dose of reality for today: We all need a perspective adjustment when it comes to “the client.” With Drumpf-esque powers of oversimplification, let’s start by envisioning that half of your apps are server code, and half client code, looking something like this...

Read More
Serialization Must Die: Act 2: XStream (Jenkins CVE-2016-0792)

NOTE: Before you begin reading, you may want to visit this article for Act 1 of our series – Kryo serialization library and its weaknesses. This piece frames some of the discussion in this blog, but definitely isn’t required reading. XStream is a popular deserialization library. It’s used directly by many popular apps, like the build tool, Jenkins. It’s also used by other popular libraries, like Spring and Struts 2 for unmarshalling XML input into objects.

Read More
Serialization Must Die: Act 1: Kryo

When @frohoff, @gebl and @breenmachine all combined to melt Java security (in what I’m hereafter conflating under the term “seriapalooza”), I thought about deserialization alternatives. Where are my customers going next? Is there greener grass? We’re going to find out. If the title of my series wasn’t spoiler enough, let me foreshadow more plainly: the grass is brown and dead, everywhere.

Read More
A New, Open Source Tool Proves: Even After Patching, Deserializing Will Still Kill You

With all the talk about Java serialization vulnerabilities, I thought I'd share a new, open source tool I built for you to download and use, purposely designed to consume all the memory of a target that's deserializing objects -- eventually blowing it up. It’s called jinfinity. jinfinity exploits the fact that deserializers, like many parsers, follow very basic read-until-terminator patterns. jinfinity totally bypasses any of the protections discussed recently around untrusted deserialization.

Read More

Subscribe to the Contrast Blog

By subscribing to our blog you will stay on top of all the latest appsec news and devops best practices. You will also be informed of the latest Contrast product news and exciting application security events.