Use your application's flow map to see where data from your application connects it to back-end systems and other applications in your organization. Every time you exercise your application, the Contrast agent reports information to the Contrast UI about new back-end systems and applications - no extra configuration required. To see the latest connections, go to your application's new Flow Map tab.
Contrast's sensitive data masking feature protects sensitive data in your applications by redacting it in Contrast vulnerability and attack reports that are sent to the Contrast UI, syslog or security log. All Contrast agents apply data masking for critical data types to all applications by default. To see each of the data types and add custom criteria for your organization, go to the user menu > Policy Managment > Sensitive Data tab in the UI.
Set up Contrast's new PagerDuty integration to receive attack notifications outside of the UI. Each notification automatically provides details on the attack, including the application, server and source IP involved. Go to the user menu > Organization Settings > Integrations tab to connect your PagerDuty account to your Contrast organization.
The Java team improved the accuracy and performance of instrumentation for String replacement operations. We also enhanced the Protect Command Injection Rule so that it can block commands that attempt to use dangerous path arguments such as
The .NET team improved accuracy of Assess SQL-Injection against EF-Core, the Protect XSS rule, and handling of odd URLs when deciding whether or not to analyze events during servicing of a request. We also fixed several bugs that could result in warnings in agent log files.
For the .NET Framework agent, the team implemented beta support for a Protect Cross-Site Request Forgery rule, and extended the Protect Unsafe File Upload rule to handle file uploads under Web API applications. We also fixed the following bugs:
For the .NET Core agent, the team implemented the Protect Unsafe File Upload rule.
The Node team released Beta support for the Kraken.js web framework. We updated our internal logging to standardize reporting at non-DEBUG levels. We closed a defect where an application without a valid license in Protect mode would fail to start. An unlicensed application in Protect mode will now start with a log indicating that Protect mode is disabled due to a lack of licenses. The team resolved an issue where the Unsafe File Upload rule in the Hapi 17 framework wouldn't have the correct HTTP request context. Finally, we updated our internal test suite to include the Ubuntu Alpine image.
The Ruby team updated the agent to use Contrast Service for input analysis of attack vectors. This update provides more consistent rule implementation for Protect rules as well as REP support during input analysis, while also providing more performance and requiring fewer resources on the instrumented application. We also continue to implement performance improvements in the Ruby Assess agent by implementing more granular marking of rewritten Ruby modules and preventing multiple attempts at rewriting a file. The agent now also limits the context where a propagation node needs to be copied.
The Python team continues to work towards the Beta release of the Python Assess agent. In September, the Python team finalized support of the Pylons framework. The agent now has standard behavior of logging at non-DEBUG levels, and no longer reports deprecation warnings due to a escaped regular expression pattern. Finally, the python agent now supports the Contrast Service executable in read-only environments.
Administrators can save time and effort by automatically assigning a user's organizational groups. When the option is enabled in your organization's SSO settings, Contrast uses SAML authentication to automatically provision users with an organizational group when they log in. If the user is already a member of any Contrast groups that aren't allowed by the SSO settings, Contrast can also automatically remove the user from those organizational groups. Go to the user menu > Organization Settings > SSO tab to see the options in the UI.
For Protect, the Java team increased accuracy for the HTTP Method Tampering Rule and Expression Language Injection Rule to resolve false positives, and increased accuracy for the XSS Rule to resolve false negatives. For Assess, we completed performance optimizations for users of the Oracle JDBC driver.
The .NET Framework team improved communication with the Contrast UI to reduce duplicate messages, and added new “cookie-header-missing-flags” to identify when cookies are issued without the secure flag. We also fixed a bug in which the Azure App Service agent would fail to respect rule mode settings as well as a bug in which “##ProductName##” would appear in Tray notifications during the upgrade process.
The .NET Core team removed the requirement that the .NET Framework be installed on the server. We also added new “cookie-header-missing-flags” to identify when cookies are issued without the secure flag, and fixed a bug in which libraries were detected but not reported by the agent.
The Node team is moving forward on support for the Kraken.js framework; this month, we implemented support for routing, form uploads and view layer code. The agent now deploys with pre-built binaries that ease deployment to applications that depend on Yarn as well as applications in environments where a compilation pipeline isn't available. In addition, the agent handles more detailed analysis of the URL object. The team also fixed the following issues:
For the Ruby team, much of the August release was focused on performance improvements in the agent, particularly when operating in Assess mode. The agent now defers creation of the properties object on tracked strings until the first tag is generated; this is an optimization to prevent the properties object from being created on introspection of the string, reduction on string generation, and prioritize the use of faster native method over slower equivalents. We resolved an issue in which Stored XSS vulnerabilities weren't being discovered in some instances. We also closed an issue to prevent redundant rewrites of ActiveRecord classes.
The Python team released a major update to source input analysis when operating in Protect mode. This update allows for a reduction of processing within the client application while standardizing user input scoring across agent implementations. We moved common code for the Flask middleware to the base class to be shared among all WSGI-derived middlewares. We resolved an issue in which binary uploads in HTTP requests were being reported for analysis as if they were UTF-8. The team is also moving towards the Python Assess beta release.
Export your application’s route coverage information to use and share outside the UI. To download the spreadsheet, go to the application’s Route Coverage tab, and select the icon above the grid to Export Routes to CSV. You can also export the same data via the APIs.
The Node agent is available in the default Node Pivotal Cloud Foundry buildpack. You can also set up the Contrast tile to send any vulnerabilities up to your organization.
The Java agent added support for IBM JDK 8.
The Java agent is now available through package managers from the Contrast Debian and Contrast RPM repositories. If host installation is right for you, you can also install the agent with the Exec Helper package for Ubuntu and Red Hat.
The Java team also made improvements to Protect rules, and turned off semantic analysis for SQL injection by default.
The .NET Framework and .NET Core teams fixed an issue that could taint some objects to be rendered incorrectly in the Contrast UI. We also improved creation of method signatures for methods with generic types. (This may invalidate previously created sanitizers and validators, if those signatures included generic types.)
The .NET Framework team added a new Assess rule that detects when IIS is configured to send the unnecessary “X-Powered-By” header as well as a new Assess rule that detects when non-session cookies are missing the “secure” flag. We added a new Protect rule for ASP.NET applications that can block a potentially malicious file from being uploaded. We fixed a bug in which instrumentation could cause an error in applications using a specific version (18.104.22.168) of System.Net.Http from a Nuget package instead of the BCL. We also added the following capabilities to our agent configuration:
Server.Transferwithin error pages
agent.dotnet. restore_error_handling_after_sending_headers_behaviorconfiguration flag.)
You can now use the .NET Core agent on servers that have the .NET Framework agent installed. The team also added new Assess rules that detect when cookies are missing http-only or secure flags.
The Node team investigated and closed an issue in which Bluebird async implementation was polluting the Node domain implementation which resulted in extraneous vulnerability reports in the Contrast UI. The team also fixed incompatibilities with the Comment Event Formatting (CEF) specification in the security log. We updated the handling of route reporting when routes are registered after server startup. Finally, we implemented improvements in the handling of the CSP Header Misconfigured, SSJS and SSRF rules.
The Ruby team delivers an expanded test suite to include Ruby Core String specs as well as support for trust-boundary-violation. The team added performance optimizations to limit the generation of reported stack traces, limit the reporting of agent classes in inventory mode, append and flush log messages. We also migrated tag range handling from Ruby to C.
The Python team added additional support for handling Protect rules that need to introspect the response body for the Flask framework. We closed an issue where the HTTP Method Tampering rule was blocking requests using the WebDAV protocol and aligned the defaults for communicating with the Contrast Service. Finally, the team closed an issue related to compatibility with MySQL in Python 2.7.
Set up session metadata to pinpoint the source of vulnerabilities for each of your applications. To get started, configure your agent to report one of the available metadata types, including build numbers, branch names, repositories, and committers. Go to your application’s Vulnerabilities tab to see the data in the new vulnerabilities timeline, and use the Seen By column in the grid to filter vulnerabilities by specific values.
Use source names to label attack events by expected sources so you can promptly choose which attack events to investigate. All you need is the IP information for a known source (like a pen tester) to get started. When you view attacks in the Attacks > Monitor page and Attacks Details pages, Contrast will display the source name instead of the attacker’s IP information. (We’ll be adding source names to the Attack Events grid next!)
Contrast offers two new Protect rules against unsafe files: The Unsafe File Uploads rule blocks malicious files being uploaded to web applications, and the Zip File Overwrite rule protects against malicious files and directory structures within zip files uploaded to web applications. These rules are available for all languages.
Check back next release for updates!
The .NET team added support for agent use within Docker containers for .NET 4.5.2+ applications. We improved accuracy of an insecure authentication protocol Assess rule, and added a new Assess rule to detect the “X-Powered-By” header. We fixed a bug that caused a null reference error in processing exclusions. We also added support for setting
Note: The agent no longer supports the legacy DotnetAgentService.exe.config file for application pool whitelisting and blacklisting. We recommend that you move these configuration values to
agent.dotnet.app_pool_blacklistin the contrast_security.yaml. This change applies to all versions after 19.5.4.
The .NET Core agent for Windows is now available! The agent supports many of the same expansive Assess and Protect security policies as the .NET Framework agent, including detection of all the most important vulnerabilities and attacks. To start using the agent, check out the system requirements, and then download and install the agent from the Contrast UI.
The Node.js team expanded rule coverage and better precision for our 2.4.0 release. We now support an Unsafe File Upload Protect rule (in Express and Koa) to block attacks or monitor at perimeter, as well as Server Side Request Forgery (SSRF) detection in Assess. We properly block Protect rules in Hapi by returning 403 not 500 in certain cases. Lastly, we've added support for multi-part form uploads in Koa.
The Ruby team delivered expanded rule coverage and better performance for our 2.6.0 release. The agent now supports an Unsafe File Upload Protect rule to block attacks at perimeter as well as Server Side Request Forgery (SSRF) detection in Assess. We also enhanced our string instrumentation rewriting along with other under-the-hood performance improvements.
The Python agent's 1.10.0 release introduces a few important changes. We're dropping support for Python 3.4 as it's reached its End of Life date. We also allow users to set Protect rule modes in the configuration YAML, which gives you more control over deployed instances of the agent without using the Contrast UI. We also improved response handling on SecurityExceptions: In the instance application code catches our exception during an attack, the agent will send the exception after application code has completed, if we need to block a request. Some minor bug fixes include the CSRF header used by the agent and improvements for the PyramidMiddleware with legacy Pyramid versions.
Enable Server Messages to stay on top of agent updates. When your agent version is out of date, Contrast will send you an email with recommendations for updates. You can also check your notifications in the Contrast UI, or hover over the warning icon in the Servers grid and your server's Overview tab for a reminder. To enable Server Messages, go to the Notifications page from Your Account or Organization Settings.
Check back next release for more updates!
The .NET team improved the accuracy and performance of Protect Command Injection as well as the accuracy of Protect SQL-Injection and Reflected XSS. We implemented a Server Side Request Forgery (SSRF) rule for Assess. We also fixed a bug where the Tray would occasionally fail to update agent status.
The Node team focused on broadening framework support. We added support for the Koa framework as well as Route Coverage support for Koa for applications using
koa-router. We also added Route Coverage support for Hapi. We added
agent.heap_dump configuration settings to allow periodic creation of heap dumps for debugging v8 crashes and memory issues. Bug fixes included:
sequelize.queryno longer causes the sensor to fail
ast-typesmodule no longer crashes when loaded with Assess enabled
The Ruby team focused on expanding our feature offering for this release. We expanded our rule coverage to include support for several new Assess rules, with a focus on rules responsible for HTTP Session security evaluation. To improve our customer support, we also added the ability to generate heap dumps directly from the agent. Finally, to further our effort to improve our interoperability with other testing infrastructures, we've continued to transition our sensor weaving into C, and we've addressed bugs causing an incompatibility with the FactoryBot testing framework.
The Python team refactored our middleware code to work better with the range of frameworks we support, including older versions of Django. Improvements to agent startup eliminated some noisy trackback logs from configuration and Route Coverage. Bug fixes include the XXE rule with SAX incorrectly patching and improperly setting Django headers in responses.