Objective
How to download the latest Contrast agents via CURL commands from the Contrast UI.
Process
- Create a new user that will have limited permissions (default permissions to start)
- Log in as the new user --> click on profile --> "Your account" and gather the following:
  - Organization ID
  - API Key
  - Authorization Header
- Log out as the new user
- Log in as admin and restrict the user to:
  - Organization Role: Edit (can do very little, like add notifications and view a few things but not much)
  - Application Access Group: <none> (can see no applications, servers or vulnerabilities)
  - API Only: <check> (cannot get into the website at all)
- Construct the curl command using the information gathered:
curl "http://<TeamServer FQDN>/Contrast/api/ng/<Organization ID>/agents/default/<language>" \
-H "API-Key: <API KEY>" \
-H "Authorization: <Authorization Header>" \
-OJ
Example for the Java agent:
curl https://app.contrastsecurity.com/Contrast/api/ng/3c41a8de-972e-449a-90f8-ae5224834836/agents/default/JAVA \
-H API-Key:8BLqHXPqUnTj1SO9 \
-H Authorization:R3VybmV5OlZUM1kxNjhFSzQwRU8yVDk= \
-OJ
Example for the Java agent from Maven repo:
curl 'https://download.java.contrastsecurity.com/latest' -Lo contrast.jar
PowerShell example for the .NET Framework Agent:
Invoke-WebRequest -Method "POST" -Headers @{'Authorization'='R3VybmV5OlZUM1kxNjhFSzQwRU8yVDk='; 'API-Key' = '8BLqHXPqUnTj1SO9'} -ContentType 'application/json' -Uri "https://apptwo.contrastsecurity.com/Contrast/api/ng/3c41a8de-972e-449a-90f8-ae5224834836/agents/default/DOTNET" -UseBasicParsing -Outfile contrast-setup.zip
KEY:
- host: https://app.contrastsecurity.com
- org_id: UUID of the organization
- language: JAVA, DOTNET, DOTNET_CORE, DOTNET_CORE_INSTALLER_FOR_IIS
- authorization: https://docs.contrastsecurity.com/en/personal-keys.html
- -OJ: Filename is provided by the server and saved to folder
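
A hardened variant of the curl download above, as an added example that is not from the original article or from Contrast: it validates the organization ID and language, insists on HTTPS, and hands the two keys to curl through a config on stdin instead of the command line. The CONTRAST_* environment variable names and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not Contrast's code. The CONTRAST_* variable names are assumed.
NL='
'
UUID_RE='[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}'

# contrast_agent_url HOST ORG_ID LANGUAGE: fill in the article's URL template
# after validating each part, so a bad value cannot redirect the request.
contrast_agent_url() {
  case "$1$2" in *"$NL"*) echo "newline in host or org_id" >&2; return 1 ;; esac
  case $1 in
    https://*) ;;
    *) echo "host must start with https://" >&2; return 1 ;;
  esac
  printf '%s\n' "$2" | grep -Exq "$UUID_RE" || { echo "org_id is not a UUID" >&2; return 1; }
  case $3 in
    JAVA|DOTNET|DOTNET_CORE|DOTNET_CORE_INSTALLER_FOR_IIS) ;;
    *) echo "unsupported language: $3" >&2; return 1 ;;
  esac
  printf '%s/Contrast/api/ng/%s/agents/default/%s\n' "${1%/}" "$2" "$3"
}

# contrast_curl_config URL API_KEY AUTH: emit curl config lines. They are piped
# to curl on stdin, so the keys never appear in curl's argv (visible via ps).
contrast_curl_config() {
  # Reject characters that could break out of the quoted config values.
  case "$1$2$3" in
    *'"'*|*'\'*|*"$NL"*) echo "unexpected character in URL or keys" >&2; return 1 ;;
  esac
  printf 'url = "%s"\nheader = "API-Key: %s"\nheader = "Authorization: %s"\n' "$1" "$2" "$3"
}

# download_contrast_agent LANGUAGE: read settings from the environment and fetch.
download_contrast_agent() {
  url=$(contrast_agent_url "$CONTRAST_HOST" "$CONTRAST_ORG_ID" "$1") || return 1
  cfg=$(contrast_curl_config "$url" "$CONTRAST_API_KEY" "$CONTRAST_AUTH") || return 1
  # --fail keeps an HTTP error body from being saved as if it were the agent.
  printf '%s\n' "$cfg" | curl --fail --silent --show-error --proto '=https' -OJ --config -
}

# Runs only when a language is given, e.g.: sh get-agent.sh JAVA
[ "$#" -eq 0 ] || download_contrast_agent "$@"
```

Reading options from stdin with `--config -` is standard curl behaviour; the downloaded file keeps the server-provided name, as with the article's `-OJ`.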