Contrast Protect is a runtime web application security and observability tool. You can compare it to a WAF, but where a WAF generally sits in front of the application and matches patterns in HTTP traffic, Protect is embedded inside the application and sees the data at the point where it reaches a sink (the SQL query, the shell command, the HTML being written), which is why it is far more accurate than a WAF. No separate appliance or proxy needs to be deployed: you instrument your application with the Contrast agent and it starts detecting and blocking attacks such as SQL Injection, Cross-Site Scripting and Command Injection.
Requirements: a Linux or Mac machine with Java installed, and a basic understanding of Java, Java agents, WebGoat and curl.
1. Get the following values from the User Settings screen in the Contrast portal (if you are not a customer you can use the free Community Edition):
   Organization ID, Authorization Header, API Key and Contrast URL.

2. Download the WebGoat server jar (webgoat-server-8.1.0.jar is used below). WebGoat is a deliberately vulnerable application, so be careful where you run it: keep it on a machine or network that untrusted users cannot reach. Open a terminal and run steps 3 and 4 from the folder where you placed the WebGoat jar.

3. Download the Contrast agent jar. Replace the placeholders in <> with the values gathered in step 1, and paste the Authorization header value exactly as the portal shows it.

    curl --max-time 20 https://<CONTRAST_URL>/api/ng/<ORG_ID>/agents/default/JAVA -H "API-Key: <API_Key>" -H "Authorization: <Authorization_Header>" -o contrast.jar

   If contrast.jar is only a few hundred bytes, it is an error response (wrong key, header or URL), not the agent.

4. Start WebGoat instrumented with the Contrast agent. The property that turns Protect on is contrast.protect.enable; the JVM accepts any -D property, so a misspelled name is silently ignored and Protect stays off.

    java -javaagent:contrast.jar -Dcontrast.standalone.appname=MyWebGoatTest -Dcontrast.server=MyWebGoatTestServer -Dcontrast.protect.enable=true -jar webgoat-server-8.1.0.jar

5. Exercise WebGoat by logging into http://localhost:8080/WebGoat/ and trying some attacks manually, by using a DAST tool, or by using my quick and dirty curl.

6. Log into the Contrast portal UI. You should see your server under Servers and the attack traffic under Attacks. Pat yourself on the back and continue exploring.
   Troubleshooting: if Protect does not show as ON or licensed in the UI, try turning the Protect auto-licensing setting ON in the UI.
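The six steps above as one script, added here as an example; it is not part of the original page and not Contrast's or WebGoat's own code. It assumes the step 1 values are exported as CONTRAST_URL (host only, no scheme), CONTRAST_ORG_ID, CONTRAST_API_KEY and CONTRAST_AUTH, that webgoat-server-8.1.0.jar is in the current directory, and that WebGoat's login form takes username and password fields (an assumption). The three probe payloads are constructed generic strings meant only to generate attack traffic for the Attacks view, not working exploits against WebGoat.

```shell
#!/bin/sh
# Added example (not from the original page): drives the lab end to end.
# Assumptions: CONTRAST_URL (host only), CONTRAST_ORG_ID, CONTRAST_API_KEY and
# CONTRAST_AUTH are exported with the step 1 values; webgoat-server-8.1.0.jar
# sits in the current directory; java and curl are on PATH.
# Usage: sh contrast_lab.sh run   (without "run" it only defines functions)

WEBGOAT_JAR="${WEBGOAT_JAR:-webgoat-server-8.1.0.jar}"
AGENT_JAR="${AGENT_JAR:-contrast.jar}"
BASE_URL="${BASE_URL:-http://localhost:8080/WebGoat}"

# Step 3: fetch the Java agent. -f makes curl fail on an HTTP error instead
# of saving the error body as contrast.jar.
download_agent() {
  curl -fsS --max-time 60 \
    "https://${CONTRAST_URL}/api/ng/${CONTRAST_ORG_ID}/agents/default/JAVA" \
    -H "API-Key: ${CONTRAST_API_KEY}" \
    -H "Authorization: ${CONTRAST_AUTH}" \
    -o "${AGENT_JAR}"
}

# Step 4: build the java command line. Returned as a string so the exact
# property name (contrast.protect.enable) can be checked before it is run.
contrast_java_cmd() {
  appname="$1"; server="$2"
  printf 'java -javaagent:%s -Dcontrast.standalone.appname=%s -Dcontrast.server=%s -Dcontrast.protect.enable=true -jar %s' \
    "$AGENT_JAR" "$appname" "$server" "$WEBGOAT_JAR"
}

# Poll the login page until WebGoat answers (about two minutes max).
wait_for_webgoat() {
  tries=0
  until curl -s -o /dev/null "${BASE_URL}/login"; do
    tries=$((tries + 1))
    [ "$tries" -ge 60 ] && return 1
    sleep 2
  done
}

# Percent-encode one string so a payload survives being put in a form body.
urlencode() {
  s="$1"; out=""
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}   # first character
    s=${s#?}          # remainder
    case "$c" in
      [a-zA-Z0-9.~_-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# Constructed probes, one per rule class named in the text (rule|payload).
# Generic strings aimed at the login form to generate traffic Protect should
# report; they are not working exploits against WebGoat.
attack_probes() {
  printf '%s\n' \
    "sql-injection|' OR '1'='1' --" \
    "cross-site-scripting|<script>alert(1)</script>" \
    "command-injection|; cat /etc/passwd"
}

# Step 5: send each probe and print the HTTP status that came back.
# Assumes WebGoat's login form uses "username" and "password" fields.
send_probes() {
  attack_probes | while IFS='|' read -r rule payload; do
    status=$(curl -s -o /dev/null -w '%{http_code}' \
      --data "username=$(urlencode "$payload")&password=x" "${BASE_URL}/login")
    echo "$rule: HTTP $status"
  done
}

main() {
  download_agent || { echo "agent download failed" >&2; exit 1; }
  # exec so $! is the java process itself, not a wrapper shell
  sh -c "exec $(contrast_java_cmd MyWebGoatTest MyWebGoatTestServer)" &
  webgoat_pid=$!
  wait_for_webgoat || { echo "WebGoat did not come up" >&2; kill "$webgoat_pid"; exit 1; }
  send_probes
  kill "$webgoat_pid"
}

# Only start the lab when asked, so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then main; fi
```

After send_probes finishes, the three requests should appear under Attacks in the portal within a minute or so; if they do not, check step 6's licensing note before suspecting the payloads, since an unlicensed Protect agent reports nothing.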
For an easy Docker-based installation see: https://github.com/rstatsinger/IASTRASPLab