Giter Site home page Giter Site logo

contrastappsec's Introduction

Contrast Security Protect - Quick Start

Contrast Protect is a runtime web application security and observability tool. You can compare it to a WAF, although a WAF generally sits external to the application and Protect is embedded inside the app and has a very high degree of accuracy compared to a WAF. No hardware or software deployment is needed. You simply intrument you application with the Contrast agent and it starts detecting and blocking attacks such as SQL Injection, Cross-site Scripting, Command Injection etc.

Let’s try out Protect with Webgoat (a vulnerable Java app)

Requirements: A Linux or Mac machine with Java installed. Basic understanding of Java , Java Agent , WebGoat, Curl

  1. Get the following attributes from the User Settings screen in the Contrast Portal. If you are not a customer you can use the free Community Edition

    • Organization ID, Authorization Header, API Key and Contrast URL

  2. Download WebGoat Server jar. Webgoat is a vulnerable application, so be careful about where you run it. Open a terminal and run steps 3 and 4 from the same folder where you placed the WebGoat jar

  3. Download contrast agent jar. Replace the variables in <> with the values gathered in step 1.

    • curl --max-time 20 https://<CONTRAST_URL>/api/ng/<ORG_ID>/agents/default/JAVA -H API-Key:<API_Key> -H Authorization:<Authorization_Header>= -o contrast.jar

  4. Start Webgoat and instrument it with the Contrast agent

    • java -javaagent:contrast.jar -Dcontrast.standalone.appname=MyWebGoatTest -Dcontrast.server=MyWebGoatTestServer -Dconstrast.protect.enable=true -jar webgoat-server-8.1.0.jar

  5. Exercise WebGoat by logging into http://localhost:8080/WebGoat/, trying some attacks manually, using a DAST tool or by using my quick and dirty curl

  6. Log into Contrast portal UI. You should see your server under the Servers and attack traffic under the Attacks. Pat yourself on the back and continue exploring. Troubleshooting - If Protect doesn't appear ON or licensed in the UI, try turning the Protect autolicensing setting ON in the UI.

For an easy Docker-based installation see: https://github.com/rstatsinger/IASTRASPLab

contrastappsec's People

Contributors

vikasphonsa avatar

Watchers

James Cloos avatar avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.