• slide
  • slide
  • slide

Overview

Application Security Software for the Public Sector

Contrast Security is the world’s leading provider of security technology that enables software applications to protect themselves against cyberattacks, heralding the new era of self-protecting software. Contrast's patented deep security instrumentation is the breakthrough technology that enables highly accurate assessment and always-on protection of an entire application portfolio, without disruptive scanning or expensive security experts. Only Contrast has sensors that work actively inside applications to uncover vulnerabilities, prevent data breaches, and secure the entire enterprise from development, to operations, to production. More information can be found at www.contrastsecurity.com or by following Contrast on Twitter at @ContrastSec.

Products

  • Contrast Assess

    Contrast Assess offers interactive application security testing (IAST) with elements from static application security testing (SAST) and dynamic application security testing (DAST) to automatically identify software vulnerabilities in real time while developers write code. Contrast Assess agents monitor code and report from inside the application—enabling developers to find and fix vulnerabilities without involving security experts and without specialized security expertise.

  • Contrast Protect

    Contrast Protect uses real-time analysis of application runtime events to confirm exploitability before taking action to block an attack. This accuracy virtually eliminates the problems associated with false-positive alerts. Contrast Protect continuously detects and prevents both known threats and zero-day attacks by leveraging multi-technique precision sensors and dynamic control over the runtime. It offers an instrumentation-based approach that simplifies security deployment and scalability.

  • Contrast SCA

    Contrast SCA detects which open-source software components are called in the application runtime and prioritizes vulnerability remediation based on which libraries are actively being used. It also helps organizations avoid unnecessary security risks or legal problems due to open-source licensing complications. Contrast SCA provides critical versioning and usage information and triggers alerts when risks and policy violations are detected.

  • Contrast Scan

    Contrast Scan utilizes a pipeline-native approach to static analysis application security testing (AST) that eliminates the inefficiencies that delay release cycles. It delivers the fastest, most accurate static scanner available today.

  • Contrast Serverless

    Contrast Serverless Application Security delivers developer-friendly security testing that is purpose-built for serverless application development environments.

CSP

Cross Site Scripting Prevention

Table of Contents

  • How Does Cross-Site Scripting Work?

    The cross-site scripting attack is made possible by an XSS vulnerability brought about by inherent security weaknesses in client-side scripting languages such as JavaScript and HTML. By injecting a malicious client-side script into an otherwise trusted website, scripting XSS cross-site tricks an application into sending malicious code through the browser, which believes the script is coming from the trusted source. It then deceives users by manipulating scripts so that they execute in the manner desired by the attacker.Cross-site scripting vulnerabilities typically allow an attacker to masquerade as a victim user in order to carry out any actions that the user is able to perform and access any of the user's data; capture the user’s login credentials; perform virtual defacement of the website, changing its messaging, look and feel; inject trojan functionality into the website, creating a backdoor that gives malicious users access to the user’s system.The XSS attack works by manipulating a website vulnerability such that it returns malicious JavaScript code to users. When the malicious code executes inside a victim's browser, the attacker can fully compromise the user’s interaction with the application. If the victim user has privileged access within the application, the attacker might be able to gain full control over all of the application's functionality and data – a “worst case” application security scenario.

  • How Prevalent Are Cross-Site Scripting Attacks?

    Most studies show that XSS vulnerabilities are very prevalent, affecting the vast majority of applications. Contrast Security work shows that 80% of applications have at least one XSS vulnerability. That's a stunning result for a problem that’s been on the OWASP Top 10 list for over a decade.

    Reinforcing this same cautionary note, Contrast Labs' November 2019 analysis of real-world application security data reports that:

    • The most prevalent serious vulnerabilities across the applications observed were Cross-Site Scripting (XSS), Arbitrary Server Side Forwards, and Cross-Site Request Forgery.
    • The most common attack types were SQL Injection, Cross-Site Scripting (XSS), and Path Traversal for the third month in a row.
  • How Serious Can Cross-Site Scripting Attacks Be?

    XSS vulnerabilities are common enough to have affected application security at companies as large as Facebook, Google, and PayPal. XSS vulnerabilities are especially dangerous because an attacker exploiting an HTML or JavaScript vulnerability can gain the ability to do whatever the user can do, and to see whatever the user can see – including passwords, payments, sensitive financial information, and more. What makes the XSS attack even worse is the fact that victims, both the user and the vulnerable application, often won’t be aware they’re being attacked.

    • Serious impact: Attacker gains access to an application holding sensitive data, such as banking transactions, emails, or healthcare records.
    • Critical impact: The compromised user has elevated privileges within the application, allowing the attacker to take full control of the vulnerable application and compromise all users and their data.
  • Finding XSS Vulnerabilities

    To prevent XSS attacks, the first step is to spot common XSS vulnerabilities. Cross-site scripting (XSS) is really pretty simple. Any time untrusted data ends up on an HTML page without proper validation and escaping, you have a problem. So when a developer takes JavaScript or an HTTP request parameter and it finds its way through the code into an HTML page, the result is XSS – unless the data is properly validated and escaped.

  • How To Prevent XSS Vulnerabilities

    XSS is a type of injection, in which a malicious script is injected into otherwise benign and trusted websites. XSS attacks occur when data enters a web application through an untrusted source, most frequently a web request. XSS can also occur when data is included in dynamic content that is sent to a web user without being validated for malicious content.

    OWASP has published a cheat sheet that can be used to prevent XSS attacks. These guidelines focus on three prevention strategies – escaping, validating input, and sanitizing.

    In general, preventing XSS vulnerabilities is likely to involve a combination of the following four measures:

    • Filter input on arrival:At the point where user input is received, filter as strictly as possible based on what is expected or valid input.
    • Encode data on output:At the point where user-controllable data is output in HTTP responses, encode the output to prevent it from being interpreted as active content. Depending on the output context, this might require applying combinations of HTML, URL, JavaScript, and CSS encoding.
    • Use appropriate response headers:To prevent XSS in HTTP responses that aren't intended to contain any HTML or JavaScript, you can use the Content-Type and X-Content-Type-Options headers to ensure that browsers interpret the responses in the way you intend.
    • Use Content Security Policy: As a last line of defense against attackers, you can use Content Security Policy (CSP) to reduce the severity of any XSS vulnerabilities that still occur.

    And most importantly, never accept actual JavaScript code from an untrusted source and then run it.

  • Content Security Policy

    Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking, and other code injection attacks resulting from execution of malicious content in the trusted webpage context. It is a Candidate Recommendation of the W3C working group on Web Application Security, widely supported by modern web browsers. CSP provides a standard method for website owners to declare approved origins of content that browsers should be allowed to load on that website.

  • Finding XSS Problems

    Spotting most XSS vulnerabilities is simple. You just have to find input that flows from an untrusted source into an HTML page. Many times, the path from the request to the HTML page isn't very complicated, for example when the same call gets the data and puts it in the HTML page.

    But other XSS vulnerabilities are less common and can be devilishly complex. Imagine an application that has millions of lines of code involved in getting data, transforming it, validating it, storing it, combining it, escaping it, decoding it, persisting it, retrieving it, and finally rendering it. How can one know if there is a path through all that code that creates an XSS vulnerability?

    The number of possible paths and patterns is infinite, and that's why traditional tools struggle to find XSS without flagging a lot of false alarms.

  • Traditional Approaches

    A web application firewall WAF is a network defense that filters, monitors, and blocks HTTP traffic to and from a web application. Unlike a regular firewall that serves as a safety gate between servers, a WAF is able to watch application-level traffic and decide to allow or disallow based on the data that is visible over the network.

    Dynamic scanning DAST tools generate thousands of requests and bombard your application with them to see if they can get anything through. DAST tools can find issues that show up in webpages, but can't see anything internal to your application and don't exercise much of your code.

    Static analysis SAST tools, on the other hand, try to model the entire application by guessing how all the source code, libraries, frameworks, and components fit together and will operate when run. But they make a lot of mistakes and typically don't even attempt to model the whole application.

    Since both of these approaches are difficult to set up and don't get very good results, Contrast is leading the way with the next generation of application security tools known as IAST, or "Interactive Application Security Testing" tools.

  • The Contrast Security Self-Protecting Approach to XSS

    Contrast Protect is a RASP solution that uses deep instrumentation to eliminate 99% of false positives, helping to secure software applications in a way far superior to legacy tools. Contrast operates from within the application and is fully aware as it moves and scales with the app, providing accurate attack visibility, monitoring, and protection.

    Any time untrusted data ends up on an HTML page without proper validation and escaping, that fits the definition of cross-site scripting. Contrast takes the innovative approach of simply tagging and tracking untrusted data wherever it goes within the application. Contrast also tracks all the validation and escaping that happen to that data along the way. Then anytime data gets written to an HTML page, you know if it's an XSS problem, because Contrast reports the vulnerability along with all the details.

    Pinpoint app attacks down to the exact line of code: A WAF can’t tell you the line of code that is being attacked, but Contrast Protect can. Unlike WAFs or external scanners, Contrast analyzes and protects applications from within by integrating security safeguards into the running application making it self-protecting.

    Immediately block known exploits and virtually patch newly discovered vulnerabilities: Contrast Protect becomes an essential part of the application, making application security nimble and quick, shrinking the time from “vulnerable” to “protected” even for zero day attacks.

  • Moving To Next-Gen Security

    Most of the tools available to secure software applications (SAST, DAST, and WAF) were invented over a decade ago, and as such, their legacy underlying core technology prevents them from evolving to keep up with modern software movements like Agile and DevOps. What the enterprise needs in this new era is software which is self-protecting, such as Runtime Application Self-Protection RASP.

    Gartner defines RASP as “a security technology that is built or linked into an application or application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks.”

    RASP provides a level of visibility and accuracy that network security solutions simply cannot achieve. Instead of monitoring the application for potentially malicious inputs, RASP only processes inputs that could change the behavior or operation of the application. This approach has the potential to increase accuracy without significantly impacting app performance.

    Because RASP solutions incorporate security into the running application wherever it resides on a server, it is able to detect, block, and mitigate attacks immediately, protecting applications as they run in real-time by analyzing both application behavior and context. By using the app to continuously monitor its own behavior, RASP has the ability to protect an application from malicious inputs and behavior such as XSS and injection – without human intervention.

    Contrast Security is the world’s leading provider of security technology that enables software applications to protect themselves against cyberattacks, heralding the new era of self-protecting software. Contrast's patented deep security instrumentation is the breakthrough technology that enables highly accurate assessment and always-on protection of an entire application portfolio, without disruptive scanning or expensive security experts. Only Contrast has sensors that work actively inside applications to uncover vulnerabilities, prevent data breaches, and secure the entire enterprise from development, to operations, to production.

Contracts

Federal

GSA 2GIT

47QTCA21A000R
Mar 31, 2021- Mar 30, 2026

GSA Multiple Award Schedule (MAS)

GS-35F-0119Y
Dec 20, 2011- Dec 19, 2026

GSA Multiple Award Schedule Contract (MAS)

47QSWA18D008F
Aug 22, 2018- Aug 21, 2023

NASA SEWP V

NNG15SC03B/NNG15SC27B
May 01, 2015- Apr 30, 2025

ITES-SW2

W52P1J-20-D-0042
Aug 31, 2020- Aug 30, 2025
*Additional Option Years Available

State and Local

CMAS

3-12-70-2247E
Aug 28, 2012- Dec 19, 2026

City of Seattle Contract

0000003265
Jul 11, 2014- Dec 19, 2026

Department of General Services PA - Symantec

4400004253
May 01, 2009- Dec 19, 2026

OH STS 0119Y

534354
May 31, 2012- Dec 19, 2026

Pennsylvania COSTARS-6 IT Software Contract

COSTARS-006-176
Aug 31, 2017- Aug 31, 2022

State of Indiana Contract

0000000000000000000021430
Aug 01, 2017- Jun 30, 2022

State of New Mexico Contract

10-00000-21-00098
Aug 01, 2017- Dec 31, 2022

Education

E&I Carahsoft Cloud Solutions & Services Distributor Contract

EI00063~2021MA
Apr 01, 2021- Mar 31, 2026

E&I Carahsoft Cloud Solutions & Services Distributor Contract

EI00063~2021MA
Apr 01, 2021- Mar 31, 2026

Educational Software Solutions and Services - OMNIA Partners, Public Sector

R191902
Feb 27, 2020- Apr 30, 2023
*Additional Option Years Available

Illinois Learning Technology Purchase Program (ILTPP)

ILTPP-19CT011
May 20, 2019- Mar 01, 2023

Massachusetts Higher Education Consortium (MHEC)

MC15-04
Aug 10, 2019- Jun 30, 2022

NJSBA

E-8801-ACESCPS
Oct 20, 2015- Sep 03, 2025

The Quilt

MSA - 05012019F
Apr 01, 2016- May 02, 2025

VASCUPP

UVA1482501
May 02, 2014- Dec 19, 2026

Events

News

Resources

Solutions Brief

Contrast_Protect_thumbnail-01.jpg
Contrast Security Solutions Brief
Contrast Protect is a runtime application protection and observability solution that uses real-time analysis of application runtime events to confirm exploitability before taking action to block an attack. Contrast Protect maximizes detection and protection against known and unknown threats, while v...

Contrast-Solutions-Brief-Thumbnail-01.jpg
Contrast Security Solutions Brief
A unified foundation for modern application security.