Does Contrast change application data?


Contrast is a passive technology. Contrast instruments your bytecode at runtime to install its sensors, but doesn't change your data or how your code flows.

What information does Contrast capture?

Contrast collects a lot of application analytics like URLs, file paths, jar names, and other relatively non-sensitive information. It also sends all the data related to security-relevant events.

If a method occurs that's an integral part of a vulnerability, all the aspects of that event - the object, return value, parameters and more - are sent back to the Contrast site. This process allows you to analyze the collected data and decide if any of it is sensitive.

Example: If an XSS vulnerability exists in the login code, the username and password will probably be sent back as part of the XSS trace. If Contrast is installed in a Development or QA environment, as recommended, it's unlikely that any Production or sensitive data is involved.

Why does Contrast report an increasing number of URLs in an application?

Contrast is an Interactive Application Security Testing (IAST) tool. Therefore, it's only aware of the sections of an application that it's seen.

To effectively monitor your application, the Contrast agent must be running on your server while the application is exercised. During this phase, Contrast reports new URLs as it encounters them. The same process happens when new URLs are added to your application after the agent is first introduced. In most cases, the rate at which the number of URLs grows slows down over time (roughly logarithmically), and the minor growth you'll see won't have a significant effect on your overall score.

How do I generate a HAR file?

If you're facing a complex issue in the Contrast interface, Contrast might request that you send a HAR file to help the support teams fix the problem more quickly.

What It Is

A HAR file helps troubleshoot the following issues:

  • Slow page load
  • Timeout when performing certain tasks
  • Incorrect page format
  • Missing information after rendering

Generate the File

The following instructions are written for users on Google Chrome. If you don't already have the browser installed, download it from Google first.

  • Open Google Chrome and navigate to the page where the issue is occurring.
  • From the Chrome menu bar select View > Developer > Developer Tools, or right click on the page and select Inspect Element.
  • From the panel that opens at either the bottom or side of your screen, select the Network tab.
  • Look for a round Record button in the upper left corner of the Network tab, and make sure it's red. If it's gray, click it once to start recording.
  • Check the box next to Preserve log.
  • Try to reproduce the issue that you were experiencing while the network requests are recording.
  • Once you've reproduced the issue, right click anywhere on the grid of network requests, select Save as HAR with Content, and save the file to your computer.
  • Upload your HAR file to your ticket or attach it to an email so that Contrast can analyze it.
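Before attaching a HAR file to a ticket, it is worth knowing what it contains: "Save as HAR with Content" captures every request and response, including cookies and Authorization headers for the session you recorded. The following script is an added example (not part of this documentation and not a Contrast tool) that reads a HAR 1.2 document such as Chrome writes, lists the entries that match the troubleshooting cases above (slow responses, HTTP errors), and masks credential-bearing headers and cookie values before you share the file. The sample HAR embedded below is constructed for illustration; the `slow_ms` threshold and the header list are assumptions you can adjust.

```python
"""Triage and sanitise a HAR file before sending it to support.

Added example, not Contrast's code. Follows the HAR 1.2 layout that Chrome's
"Save as HAR with Content" produces: log.entries[] with request, response,
time and timings. The sample below is constructed.
"""
import copy
import json

SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"startedDateTime": "2024-01-01T10:00:00.000Z", "time": 120.0,
     "request": {"method": "GET", "url": "https://app.example/api/applications",
                 "headers": [{"name": "Cookie", "value": "session=abc123"},
                             {"name": "Authorization", "value": "Bearer secret-token"}],
                 "cookies": [{"name": "session", "value": "abc123"}]},
     "response": {"status": 200, "statusText": "OK", "headers": [], "cookies": [],
                  "content": {"mimeType": "application/json", "text": "{}"}},
     "timings": {"wait": 80.0, "receive": 40.0}},
    {"startedDateTime": "2024-01-01T10:00:01.000Z", "time": 9500.0,
     "request": {"method": "GET", "url": "https://app.example/api/traces",
                 "headers": [], "cookies": []},
     "response": {"status": 200, "statusText": "OK",
                  "headers": [{"name": "Set-Cookie", "value": "session=def456"}],
                  "cookies": [], "content": {"mimeType": "application/json", "text": "[]"}},
     "timings": {"wait": 9400.0, "receive": 100.0}},
    {"startedDateTime": "2024-01-01T10:00:11.000Z", "time": 30.0,
     "request": {"method": "GET", "url": "https://app.example/api/libraries",
                 "headers": [], "cookies": []},
     "response": {"status": 504, "statusText": "Gateway Timeout", "headers": [],
                  "cookies": [], "content": {"mimeType": "text/html", "text": ""}},
     "timings": {"wait": 30.0, "receive": 0.0}},
]}}

# Headers whose values carry session or API credentials (assumed list).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "x-api-key"}
REDACTED = "[REDACTED]"


def find_problem_entries(har, slow_ms=5000.0):
    """Return (url, reason) pairs for entries that failed or exceeded slow_ms."""
    problems = []
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        resp = entry["response"]
        if resp["status"] >= 400:
            problems.append((url, f"HTTP {resp['status']} {resp.get('statusText', '')}".strip()))
        if entry["time"] >= slow_ms:
            wait = entry.get("timings", {}).get("wait", 0)
            problems.append((url, f"slow: {entry['time']:.0f} ms (wait {wait:.0f} ms)"))
    return problems


def redact_har(har):
    """Deep-copy the HAR and mask sensitive header values and all cookie values."""
    clean = copy.deepcopy(har)
    for entry in clean["log"]["entries"]:
        for side in ("request", "response"):
            for header in entry[side].get("headers", []):
                if header["name"].lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
            for cookie in entry[side].get("cookies", []):
                cookie["value"] = REDACTED
    return clean


def har_is_clean(har):
    """True when no sensitive header or cookie value is left unmasked."""
    for entry in har["log"]["entries"]:
        for side in ("request", "response"):
            for header in entry[side].get("headers", []):
                if header["name"].lower() in SENSITIVE_HEADERS and header["value"] != REDACTED:
                    return False
            for cookie in entry[side].get("cookies", []):
                if cookie["value"] != REDACTED:
                    return False
    return True


if __name__ == "__main__":
    for url, reason in find_problem_entries(SAMPLE_HAR):
        print(f"{reason:32s} {url}")
    print(json.dumps(redact_har(SAMPLE_HAR), indent=1))
```

To use it on a real capture, replace `SAMPLE_HAR` with `json.load(open("capture.har"))` and write the output of `redact_har` to a new file; the original is left untouched because the redaction works on a copy. Response bodies (`content.text`) are deliberately kept, since they are usually what support needs to see; review them separately if the page under test renders sensitive data.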

An animated GIF of the process:


Why does my open-source library show up as unknown?

Contrast identifies libraries by their SHA-1 digest, and updates library definitions periodically. As a result, Contrast might not recognize new libraries when agents report them.
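Identifying a library by the SHA-1 of the shipped file is exact but brittle: anything that rewrites the archive, even without changing a single class, produces a different digest. The script below is an added example (not Contrast's code) that builds two jar-style zip archives with byte-identical entries, differing only in entry order and timestamps, and shows that the archive digest changes while a digest over the entry contents does not. The entry names and bytes are constructed; the archive hash it computes is the same kind of value you would supply when asking for a custom library to be added to the known list.

```python
"""Why a file-level SHA-1 changes when a library archive is repackaged.

Added example, not Contrast's code. Builds two zip archives with identical
entries but different order and timestamps (typical side effects of a
repackaging step) and compares archive-level and content-level digests.
"""
import hashlib
import io
import zipfile

# Constructed "library" contents: entry name -> bytes.
CLASSES = {
    "com/example/Foo.class": b"\xca\xfe\xba\xbe" + b"Foo" * 8,
    "com/example/Bar.class": b"\xca\xfe\xba\xbe" + b"Bar" * 8,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
}


def build_jar(entries, order, date_time):
    """Write entries in the given order with a fixed timestamp; return the archive bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in order:
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, entries[name])
    return buf.getvalue()


def archive_sha1(data):
    """SHA-1 of the archive as shipped: what a file-based lookup keys on."""
    return hashlib.sha1(data).hexdigest()


def content_sha1(data):
    """SHA-1 over (name, bytes) of each entry in sorted order, ignoring container metadata."""
    h = hashlib.sha1()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in sorted(zf.namelist()):
            h.update(name.encode())
            h.update(b"\0")
            h.update(zf.read(name))
    return h.hexdigest()


def compare_original_and_repackaged():
    """Return whether each digest survives a content-preserving repackage."""
    original = build_jar(CLASSES, sorted(CLASSES), (2020, 1, 1, 0, 0, 0))
    # Same bytes per entry, re-written in reverse order with a new timestamp.
    repackaged = build_jar(CLASSES, sorted(CLASSES, reverse=True), (2023, 6, 15, 12, 0, 0))
    return {
        "archive_digest_matches": archive_sha1(original) == archive_sha1(repackaged),
        "content_digest_matches": content_sha1(original) == content_sha1(repackaged),
    }


if __name__ == "__main__":
    for check, ok in compare_original_and_repackaged().items():
        print(f"{check}: {ok}")
```

Run against a real file with `archive_sha1(open("library.jar", "rb").read())`. The content-level digest is only there to show that the classes really are unchanged; it is not how the page says Contrast matches libraries, so a repackaged archive still needs the repackaging disabled (as the note below describes) to be recognised.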

Note: If any library repackaging occurs for Java clients, which WebSphere does by default, the digest is different. To prevent repackaging, you can add the following JVM system property:


Why doesn't Contrast recognize my library as the most-recent version?

For Java clients, issues with library version recognition result from the way that Contrast data sources store information about a library's version. Some versions are formatted with the year at the beginning, so the sort treats them as more recent than they are. The problem should phase itself out as the industry moves to a more normalized version convention.
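The following is an added example (not Contrast's version-comparison code) of the failure just described and of one way to guard against it: a version string such as `20040902` outranks `2.1.0` under a plain numeric sort because the sort reads the date as an enormous major number. The release list is constructed; the date-style pattern and the ranking in `normalised_key` are assumptions, not how Contrast orders versions.

```python
"""How date-prefixed version strings defeat a naive "latest version" sort.

Added example, not Contrast's code. Shows a numeric-tuple sort picking a
date-style version as newest, and a heuristic that buckets date-style
versions below conventional dotted ones. Version list is constructed.
"""
import re

# Constructed release list for one library, mixing date-style and dotted versions.
VERSIONS = ["1.8.3", "2.0.1", "20040902", "2.1.0", "20031002", "2.1.0-rc1"]

# YYYYMMDD-looking string (assumed heuristic for a date-style version).
DATE_STYLE = re.compile(r"^(19|20)\d{6}$")


def naive_key(version):
    """Split on '.' or '-' and compare each component as an int (non-numeric -> -1)."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", version))


def normalised_key(version):
    """Rank dotted versions above date-style ones; final releases above -rc tags."""
    if DATE_STYLE.match(version):
        return (0, int(version), 0)          # bucket 0: date-style, ordered by date
    numeric, _, tag = version.partition("-")
    parts = tuple(int(p) for p in numeric.split(".") if p.isdigit())
    release_rank = 0 if tag else 1           # "2.1.0" outranks "2.1.0-rc1"
    return (1, parts, release_rank)


def latest(versions, key):
    """Return the version the given key function considers newest."""
    return max(versions, key=key)


def ordered(versions, key):
    """Oldest to newest under the given key function."""
    return sorted(versions, key=key)


if __name__ == "__main__":
    print("naive:     ", latest(VERSIONS, naive_key))
    print("normalised:", latest(VERSIONS, normalised_key))
    print(ordered(VERSIONS, normalised_key))
```

The bucket tuple keeps the comparison total: a date-style key never compares its integer against a dotted key's tuple, because the leading bucket value decides first. Real library metadata also carries pre-release and qualifier conventions beyond `-rc`, so treat `normalised_key` as a starting point rather than a complete version parser.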

How can I get my library file added to the known list of files?

  • If you're using a new, publicly available library file, your cache file may be out of date, and may be updated with the next release of Contrast. If you want to ensure that this is the case, please contact us, and provide the name and version of the library.
  • If you're using a publicly available library file released before the version of Contrast that you're running, please contact us, and provide the name and version of the library so that we can add it to the database.
  • If you're using a custom file, and would like it added to the known list, please contact us with information about the library file. To effectively add it to our database, Contrast needs a hash of the file as well as its name, version number, release date, and any known CVEs affecting it.

What if the library file I'm using is the most-recent version, but still several years old?

Contrast takes this into account when grading a library file, and reduces the impact of the file's age.

Why do my libraries have zero classes used?

Contrast doesn't know that a class from a Java or .NET library file has been used until it sees that class in your application. Further testing of your application should increase these numbers and give you a more accurate picture of class usage.