Objective
How to download an agent's contrast_security.yaml from the Contrast UI using curl commands.
Process
- Create a new user that will have limited permissions (default permissions to start)
- Log in as the new user --> click on profile --> "Your account" and gather the following:
  - Organization ID
  - API Key
  - Authorization Header
- Log out as the new user
- Log in as admin and restrict the user to:
  - Organization Role: Edit (can do very little, like add notifications and view a few things but not much)
  - Application Access Group: <none> (can see no applications, servers or vulnerabilities)
  - API Only: <check> (cannot get into the website at all)
- Construct the curl command using the information gathered:
curl '#{host}/Contrast/api/ng/#{org_id}/agents/external/default/#{language}' \
-HAuthorization:#{authorization} \
-HAPI-Key:#{api_key} \
-H 'content-type: application/json' \
-H 'accept: application/json' \
--data-binary '{"metadata":[]}' --compressed -o #{output_file}
Example for the Java agent's YAML:
curl 'https://app.contrastsecurity.com/Contrast/api/ng/a08a6414-c084-421c-b4fb-9b71794c3d0f/agents/external/default/JAVA' \
-HAuthorization:Y29udHJhc3RAYWNtZS5jb206TktQRzU1WkhWODk3N0k5MA== \
-HAPI-Key:H6j5Z1vFjz58LLhUq3bg5UY91Md19E5I \
-H 'content-type: application/json' \
-H 'accept: application/json' \
--data-binary '{"metadata":[{"agentLabel":"user","value":"foo"}]}' --compressed -OJ
KEY:
host: https://app.contrastsecurity.com
org_id: UUID of the organization
language: JAVA, DOTNET_CORE, NODE, RUBY, PYTHON, PROXY, GO, PHP
authorization: https://docs.contrastsecurity.com/en/personal-keys.html
metadata: Custom fields https://docs.contrastsecurity.com/en/organization-custom-fields.html
output_file: where to save, file ending with .yaml
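
The request above, wrapped as an added example (not Contrast's own tooling): it validates the URL parts against the KEY section and passes the two headers to curl through a config read from stdin rather than on the command line. The CONTRAST_* variable names and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not Contrast's own tooling. The CONTRAST_* variable names and
# the function names are assumptions chosen for this sketch.

# Print the download URL; fail if host, org_id or language is malformed.
# The ( ) body runs in a subshell, so "exit" only ends this function.
contrast_yaml_url() (
  host=$1 org_id=$2 language=$3
  case $host in
    https://*) ;;
    *) echo "host must start with https://" >&2; exit 1 ;;
  esac
  case $org_id in
    ''|*[!0-9a-fA-F-]*) echo "org_id is not a UUID" >&2; exit 1 ;;
  esac
  printf '%s\n' "$org_id" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' ||
    { echo "org_id is not a UUID" >&2; exit 1; }
  case $language in   # values from the KEY section of this page
    JAVA|DOTNET_CORE|NODE|RUBY|PYTHON|PROXY|GO|PHP) ;;
    *) echo "unknown language: $language" >&2; exit 1 ;;
  esac
  printf '%s/Contrast/api/ng/%s/agents/external/default/%s\n' \
    "${host%/}" "$org_id" "$language"
)

# Emit a curl config body. The secrets travel on stdin instead of argv, so
# they do not show up in the process list.
contrast_curl_config() (
  printf 'url = "%s"\n' "$1"
  printf 'header = "Authorization: %s"\n' "$2"
  printf 'header = "API-Key: %s"\n' "$3"
  printf 'header = "content-type: application/json"\n'
  printf 'header = "accept: application/json"\n'
  printf 'data-binary = "{\\"metadata\\":[]}"\n'
)

# Download the YAML to $1, created with owner-only permissions.
download_contrast_yaml() (
  url=$(contrast_yaml_url "$CONTRAST_HOST" "$CONTRAST_ORG_ID" \
        "$CONTRAST_LANGUAGE") || exit 1
  umask 077
  contrast_curl_config "$url" "$CONTRAST_AUTHORIZATION" "$CONTRAST_API_KEY" |
    curl --fail --silent --show-error --compressed -K - -o "$1"
)
```

After exporting the five CONTRAST_* variables, call `download_contrast_yaml contrast_security.yaml`.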