
Runtime Security sample application walk through

Start by connecting Contrast to a sample application. Once the Contrast agent is instrumented into the application, it automatically captures security data whenever the application is exercised, whether manually or by automated tests. Security testing becomes a side effect of your normal testing process rather than a separate scan.

Tip

Want to run the sample application in a Docker container? Learn more.

Before you begin

Make sure you have everything you need before you start.

  • Access to a terminal or command prompt to enter commands.

  • Ensure you have a supported version of Java installed: Java 8 through 15 (check with java -version).

1. Download and configure

Download and configure the agent and sample application.

Download the Contrast agent and the vulnerable sample application.

The download is the sample application (Terracotta Bank) with the Contrast agent embedded. The agent analyzes the application's code during any interaction with it.


Download the Contrast YAML file and save it in the sample application folder.


The agent configuration (the YAML file) contains the authentication keys for your trial account; the agent embedded in the sample application reads this file to connect to Contrast. Treat the file as a secret and keep it out of source control.


Depending on your operating system, open Terminal or PowerShell.


Go to the folder where you saved the application files and Contrast agent.


Run the application with the ./start.sh <environment> [port] command.


Where <environment> is one of the following options:

  • assess: Start the application in Development mode (Assess) only

  • protect: Start the application in Production mode (Protect) only

  • all: Start both Development and Production environments (Assess and Protect) simultaneously

The optional [port] argument specifies a custom port for the application. If it is omitted, the default ports are used (8080 for Assess and 8082 for Protect, as in the steps below).

This may take some time.


Continue by capturing IAST data.

2. Capture and view IAST data

Capture and view Interactive Application Security Testing (IAST) data.

If you didn't previously run the application with the all or assess option, run it with ./start.sh assess.

The assess option starts the application with Contrast Assess enabled.


Browse the application at http://localhost:8080/.


Click around in the running application and try to log in with username admin and password admin.


While you are interacting with the application, the Contrast agent will be analyzing the application's code and library data.


Log in to Contrast.


Go to the Applications tab and click the application that you onboarded.

You may have to refresh the page to get the latest data.


Go to the Vulnerabilities tab to see the vulnerabilities detected by Contrast Assess.


The vulnerability data captures not only the vulnerable method but also the tainted parameters and the sink (the dangerous call the untrusted data reached), so you have evidence that this is a real, reachable vulnerability rather than a guess.

Click the vulnerability name to get an overview of what happened.

Under the How to Fix tab you’ll find information about the suggested steps to resolve the issues.


Go to the Libraries tab and select a library to view the library data.


The agent also collects library information at runtime, so you can see which libraries are actually loaded and used by the application.

This makes it easier to prioritize library updates and avoid spending time on libraries that are never exercised. Keep in mind that runtime usage only reflects the code paths your interaction and tests actually reached, so a library that shows no usage may still be used by a route you have not exercised yet.


Continue by running tests for newly deployed code.

3. Run tests for newly deployed code

Now that the agent is instrumented on the application, keeping on top of the most recent code is as easy as running functional or manual tests anytime you deploy new code.

Download the agent packaged with selenium tests at https://github.com/Contrast-Security-OSS/demo-terracotta-bank


Install the Firefox browser.


Run the automated tests against the application with ./gradlew cleanTest test.


Keep testing the application manually or using the provided automated tests to capture more data and analyze more routes.


Turn off the sample application and agent in the CLI using the stop command: ./stop.sh

You can restart the application with the start command: ./start.sh <environment> [port]


Continue by enabling RASP and attacking a known vulnerability.

4. Enable RASP and attack a known vulnerability found from IAST

If you used Assess previously, you can see in the Contrast web interface that it captured a SQL injection vulnerability in Terracotta Bank. Let's exploit that vulnerability with an attack.

Enable Contrast Runtime Application Self-Protection (RASP).

If you didn't previously run the application with the all or protect option, run it with the ./start.sh protect command.

This protect option starts the application with Contrast Protect enabled.


Browse the application at http://localhost:8082/

To show you how exploits are blocked, we'll walk you through attacking Terracotta Bank with a SQL injection.


Attack it by entering the string admin' -- as the username on the login form.

This logs you in as the admin user: the single quote closes the username literal and -- turns the rest of the query, including the password check, into an SQL comment, so it is never evaluated.

This is exactly what an attack against a production deployment looks like.
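The following is an added illustration of why that payload works; it is not code from Terracotta Bank or from the Contrast agent. It uses an in-memory SQLite database with a constructed users table (the table and column names are assumptions) so it runs offline, and shows the string-concatenated login query beside its parameterized replacement.

```python
"""Comment-based SQL injection: admin' -- against a login query.

Added example, not code from Terracotta Bank or the Contrast agent.
The users table, its columns and the sample password are constructed
for this demonstration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: one admin account whose password the
    # attacker does not know.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cr3t!')")
    return conn


def vulnerable_query(username: str, password: str) -> str:
    # Vulnerable: untrusted input is spliced into the SQL text, so a
    # quote or comment marker in the input changes the query structure.
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def vulnerable_login(conn: sqlite3.Connection, username: str,
                     password: str) -> bool:
    # With username "admin' --" the query becomes
    #   SELECT username FROM users WHERE username = 'admin' --' AND ...
    # and everything after -- is a comment, so the password is ignored.
    return conn.execute(vulnerable_query(username, password)).fetchone() is not None


def safe_login(conn: sqlite3.Connection, username: str,
               password: str) -> bool:
    # Hardened: bound parameters keep the input as data. The payload is
    # compared literally against the username column and never matches.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' --"
    print("Rendered query:", vulnerable_query(payload, "wrong"))
    print("Vulnerable login with payload:", vulnerable_login(db, payload, "wrong"))
    print("Parameterized login with payload:", safe_login(db, payload, "wrong"))
    print("Parameterized login, real password:", safe_login(db, "admin", "s3cr3t!"))
```

Run it and compare the rendered query with the behaviour of the two login functions: the concatenated version accepts the payload without a password, while the parameterized version only accepts the real credentials. Protect in Monitor mode reports the request that carried the payload; in Block mode it stops the request before the query runs.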


Log in to Contrast.

You may have to refresh to see the latest data.


Go to the Attacks tab and select Monitor.

The attack data that Contrast displays includes Source IP, Status, Application, Server, Rule, Start, End, and Events.


Select the SQL Injection attack and view the details such as the attacker IP and attack values.


Configure a Protect rule to block the attack by selecting the SQL injection rule, selecting Change mode and selecting Block for all environments.

(Remember to save your settings.)

Setting the rule to Block tells the agent to stop requests that match this attack pattern instead of only reporting them.


Validate the rule is working by returning to Terracotta Bank and trying the attack again.


The injected login attempt is now blocked and you can no longer log in with it.


Return to Contrast to see that the new attack was blocked.


Keep trying other attacks.


Turn off the sample application and the agent with the ./stop.sh command.

You can restart the application with the start command: ./start.sh <environment> [port]