Using Instrumentation to Find Web Application Vulnerabilities

The Contrast Engine and TeamServer

Contrast consists of two parts. The Contrast Engine is a 3MB JAR file that you drop onto your web application server. The Engine is a standard Java agent that uses the Java Instrumentation API (JSR 163) to passively monitor your running application and gather security critical information. The flexibility of Java byte code allows us to weave security sensors in very easily.

How does this work? Let's look at a simplified example of the technique we use to mark data that comes from an untrusted source:

Now we weave in another check into the SQL code to make sure that the data used in queries isn't from an untrusted source:

"How do you weave these calls in?"  Boy, you got a lot of questions.

When then Engine identifies a vulnerability or other interesting security information using this technique, it sends it to the Contrast TeamServer, a web app for processing and viewing these analytics. In 5 minutes, you can be up and running, monitoring all the applications on your container for critical vulnerabilities. Contrast can monitor applications with millions of lines of custom code and hundreds of libraries easily without any extra hardware or effort.

The Contrast TeamServer provides insight into application security across an organization's entire portfolio. The TeamServer is built using a powerful Java EE stack including Tomcat, Spring, Hibernate, and many other community-driven libraries. This simple web platform allows us to scale the processing of sensor data from hundreds or thousands of applications. The inversion-of-control in Spring allowed us to easily develop both a SAAS and on-premise version of the product, with the magic of injection making our code easy to read and maintain. The database abstractions from JSR-317 (via Hibernate) gives our customers the flexibility to choose their own persistence option.

But all the end user cares about is the fact that the technology behind TeamServer automatically builds an application inventory across your entire portfolio, and provides up-to-the-minute insight into application security. You can even manage your security rules centrally, and push new rules out in real time. Every application gets a main dashboard that summarizes the security relevant information for that application.

What kind of vulnerabilities does it find?  The ones that exist, and no others.

Amazing Web Application Vulnerabilities Coverage!

Every vulnerability is clearly identified for developers with a full vulnerability trace. In the trace below, a Base64 encoded cookie is accepted from the HTTP request, decoded into a byte array, and concatenated into a SQL query. An attacker could use this vulnerability to send a SQL injection attack and compromise the application's database. Contrast provides the exact lines of code, full remediation instructions, and even the HTTP request for retesting. 

"Wow!  Anything else?" That would be enough, wouldn't it? We took it further and solved problems the others can't hope to address.

Application Security Architecture Diagrams Directly from your Code

Contrast even examines the libraries in use in your application. We do this in two ways.  First, we carefully analyze whether the libraries are out-of-date or have known vulnerabilities. This allows you to easily know which libraries need to be updated in order to prevent costly security exposures.

We also analyze the way your custom code uses libraries, to make sure that you don't inadvertently make a call that exposes your application. For example, if you pass untrusted data into a library call, and somewhere inside that library, your data is appended to a command sent to Runtime.exec(), you might have just allowed an attacker to take over your entire application server.  Contrast detects these problems easily where other tools cannot.