OWASP - User contributions [en]

OWASP WAP-Web Application Protection

2016-01-17T04:20:38Z

Iberiam: /* Publications */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

*02.Out.2015 - A new version of WAP is available - WAP v2.0.2 
*WAP in Instituto Federal Catarinense, Blumenau, Brasil 
*WAP in Universidade Federal do Amazonas, Manaus, Brasil 
*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora] 
*[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg] 
*[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL] 
*[http://awap.sourceforge.net/news.html Many articles are talking about WAP] 
*[http://2014.dsn.org/ WAP in DSN Conference] 
*[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP] 
*[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1] 
*[http://www.indin2013.org/n/ WAP in INDIN Conference] 

|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

=Events and Publications=

===Events===
WAP in Instituto Federal Catarinense, Blumenau, Brasil
* Miguel Correia presented the comunication: '''''Protection of Web Applications with the WAP Tool'''''. Aug 2015. 
 

WAP in Universidade Federal do Amazonas, Manaus, Brasil
* Miguel Correia presented the comunication: '''''Protection of Web Applications with Data Mining to Detect False Positives'''''. Jul 2015. 
 

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora]
* Miguel Correia presented the comunication: '''''Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool'''''. Apr 2015. 
 

[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]
* Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP). March 2015. 
 

[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL]
* Ibéria Medeiros presented the WAP tool in the ACM Student Chapter. March 2015. 
 

[http://awap.sourceforge.net/news.html Many articles are talking about WAP] 
 

[http://2014.dsn.org/ WAP in DSN Conference]
* Miguel Correia presented the comunication: '''''Web Application Protection with the WAP tool'''''. June 2014. 
 

[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP]
* Ibéria Medeiros presented a seminar: '''''Hybrid Methods to Detect and Correct Web Application Vulnerabilities Automatically'''''. May 2014. 
 

[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1]
* Ibéria Medeiros presented the comunication: '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positive'''''s. April 2014. 
 

[http://www.indin2013.org/n/ WAP in INDIN Conference]
* Ibéria Medeiros presented the comunication: '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. July 2013. 

===Publications===
* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Detecting and Removing Web Application Vulnerabilities with Static Analysis and Data Mining'''''. IEEE Transactions on Reliability, July 2015. ([http://awap.sourceforge.net/papers/WAP_IEEE_TR_2015.pdf journal])

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Web Application Protection with the WAP tool''''' (fast abstract). Proceedings of the 44th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'14), Atlanta, Georgia USA, June 2014. ([http://awap.sourceforge.net/papers/DSN14-fa.pdf paper])

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positives'''''. Proceedings of the 23rd International Conference on World Wide Web (WWW), Seoul, Korea, 11 pages, April 2014. ([http://awap.sourceforge.net/papers/WWW14.pdf paper])

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. Proceedings of the IEEE International Conference on Industrial Informatics (INDIN), Bochum, Germany, 6 pages, July 2013. ([http://awap.sourceforge.net/papers/INDIN13.pdf paper])

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

Appendix A: Testing Tools

2016-01-16T18:35:00Z

Iberiam: /* Open Source / Freeware */

{{Template:OWASP Testing Guide v4}}

==Open Source Black Box Testing tools==

=== General Testing ===
* '''[https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project OWASP ZAP]'''
**The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
**ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
* '''[[OWASP_WebScarab_Project|OWASP WebScarab]]'''
** WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is portable to many platforms. WebScarab has several modes of operation that are implemented by a number of plugins.
* '''[[OWASP_CAL9000_Project|OWASP CAL9000]]'''
** CAL9000 is a collection of browser-based tools that enable more effective and efficient manual testing efforts.
** Includes an XSS Attack Library, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more.
* '''[[:Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]]'''
** Pantera uses an improved version of SpikeProxy to provide a powerful web application analysis engine. The primary goal of Pantera is to combine automated capabilities with complete manual testing to get the best penetration testing results.
* '''[[:OWASP Mantra - Security Framework]]'''
**Mantra is a web application security testing framework built on top of a browser. It supports Windows, Linux(both 32 and 64 bit) and Macintosh. In addition, it can work with other software like ZAP using built in proxy management function which makes it much more convenient. Mantra is available in 9 languages: Arabic, Chinese - Simplified, Chinese - Traditional, English, French, Portuguese, Russian, Spanish and Turkish.
* '''SPIKE''' - http://www.immunitysec.com/resources-freesoftware.shtml
** SPIKE designed to analyze new network protocols for buffer overflows or similar weaknesses. It requires a strong knowledge of C to use and only available for the Linux platform.
* '''Burp Proxy''' - http://www.portswigger.net/Burp/
** Burp Proxy is an intercepting proxy server for security testing of web applications it allows Intercepting and modifying all HTTP(S) traffic passing in both directions, it can work with custom SSL certificates and non-proxy-aware clients.
* '''Odysseus Proxy''' - http://www.wastelands.gen.nz/odysseus/
** Odysseus is a proxy server, which acts as a man-in-the-middle during an HTTP session. A typical HTTP proxy will relay packets to and from a client browser and a web server. It will intercept an HTTP session's data in either direction.
* '''Webstretch Proxy''' - http://sourceforge.net/projects/webstretch
** Webstretch Proxy enable users to view and alter all aspects of communications with a web site via a proxy. It can also be used for debugging during development.
* '''WATOBO''' - http://sourceforge.net/apps/mediawiki/watobo/index.php?title=Main_Page
** WATOBO works like a local proxy, similar to Webscarab, ZAP or BurpSuite and it supports passive and active checks.
* '''Firefox LiveHTTPHeaders''' - https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
** View HTTP headers of a page and while browsing.
* '''Firefox Tamper Data''' - https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
** Use tamperdata to view and modify HTTP/HTTPS headers and post parameters
* '''Firefox Web Developer Tools''' - https://addons.mozilla.org/en-US/firefox/addon/web-developer/
** The Web Developer extension adds various web developer tools to the browser.
* '''DOM Inspector''' - https://developer.mozilla.org/en/docs/DOM_Inspector
** DOM Inspector is a developer tool used to inspect, browse, and edit the Document Object Model (DOM)
* '''Firefox Firebug''' - http://getfirebug.com/
** Firebug integrates with Firefox to edit, debug, and monitor CSS, HTML, and JavaScript.
* '''Grendel-Scan''' - http://securitytube-tools.net/index.php?title=Grendel_Scan
** Grendel-Scan is an automated security scanning of web applications and also supports manual penetration testing.
* '''OWASP SWFIntruder''' - http://www.mindedsecurity.com/swfintruder.html
** SWFIntruder (pronounced Swiff Intruder) is the first tool specifically developed for analyzing and testing security of Flash applications at runtime.
* '''SWFScan''' - http://h30499.www3.hp.com/t5/Following-the-Wh1t3-Rabbit/SWFScan-FREE-Flash-decompiler/ba-p/5440167
** Flash decompiler
* '''Wikto''' - http://www.sensepost.com/labs/tools/pentest/wikto
** Wikto features including fuzzy logic error code checking, a back-end miner, Google-assisted directory mining and real time HTTP request/response monitoring.
* '''w3af''' - http://w3af.org
** w3af is a Web Application Attack and Audit Framework. The project’s goal is finding and exploiting web application vulnerabilities.
* '''skipfish''' - http://code.google.com/p/skipfish/
** Skipfish is an active web application security reconnaissance tool.
* '''Web Developer toolbar''' - https://chrome.google.com/webstore/detail/bfbameneiokkgbdmiekhjnmfkcnldhhm
** The Web Developer extension adds a toolbar button to the browser with various web developer tools. This is the official port of the Web Developer extension for Firefox.
* '''HTTP Request Maker''' - https://chrome.google.com/webstore/detail/kajfghlhfkcocafkcjlajldicbikpgnp?hl=en-US
** Request Maker is a tool for penetration testing. With it you can easily capture requests made by web pages, tamper with the URL, headers and POST data and, of course, make new requests
* '''Cookie Editor''' - https://chrome.google.com/webstore/detail/fngmhnnpilhplaeedifhccceomclgfbg?hl=en-US
** Edit This Cookie is a cookie manager. You can add, delete, edit, search, protect and block cookies
* '''Cookie swap''' - https://chrome.google.com/webstore/detail/dffhipnliikkblkhpjapbecpmoilcama?hl=en-US
** Swap My Cookies is a session manager, it manages cookies, letting you login on any website with several different accounts.
* '''Firebug lite for Chrome"" - https://chrome.google.com/webstore/detail/bmagokdooijbeehmkpknfglimnifench
**Firebug Lite is not a substitute for Firebug, or Chrome Developer Tools. It is a tool to be used in conjunction with these tools. Firebug Lite provides the rich visual representation we are used to see in Firebug when it comes to HTML elements, DOM elements, and Box Model shading. It provides also some cool features like inspecting HTML elements with your mouse, and live editing CSS properties
* '''Session Manager"" - https://chrome.google.com/webstore/detail/bbcnbpafconjjigibnhbfmmgdbbkcjfi
**With Session Manager you can quickly save your current browser state and reload it whenever necessary. You can manage multiple sessions, rename or remove them from the session library. Each session remembers the state of the browser at its creation time, i.e the opened tabs and windows.
* '''Subgraph Vega''' - http://www.subgraph.com/products.html
**Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.

=== Testing for specific vulnerabilities ===

==== Testing for DOM XSS ====
* DOMinator Pro - https://dominator.mindedsecurity.com

==== Testing AJAX ====
* '''[[:Category:OWASP Sprajax Project|OWASP Sprajax Project]]'''

==== Testing for SQL Injection ====
* '''[[:Category:OWASP_SQLiX_Project|OWASP SQLiX]]'''
* Sqlninja: a SQL Server Injection & Takeover Tool - http://sqlninja.sourceforge.net
* Bernardo Damele A. G.: sqlmap, automatic SQL injection tool - http://sqlmap.org/
* Absinthe 1.1 (formerly SQLSqueal) - http://sourceforge.net/projects/absinthe/
* SQLInjector - Uses inference techniques to extract data and determine the backend database server. http://www.databasesecurity.com/sql-injector.htm
* Bsqlbf-v2: A perl script allows extraction of data from Blind SQL Injections - http://code.google.com/p/bsqlbf-v2/
* Pangolin: An automatic SQL injection penetration testing tool - http://www.darknet.org.uk/2009/05/pangolin-automatic-sql-injection-tool/
* Antonio Parata: Dump Files by sql inference on Mysql - SqlDumper - http://www.ruizata.com/
* Multiple DBMS Sql Injection tool - SQL Power Injector - http://www.sqlpowerinjector.com/
* MySql Blind Injection Bruteforcing, Reversing.org - sqlbftools - http://packetstormsecurity.org/files/43795/sqlbftools-1.2.tar.gz.html

==== Testing Oracle ====
* TNS Listener tool (Perl) - http://www.jammed.com/%7Ejwa/hacks/security/tnscmd/tnscmd-doc.html
* Toad for Oracle - http://www.quest.com/toad

==== Testing SSL ====
* Foundstone SSL Digger - http://www.mcafee.com/us/downloads/free-tools/ssldigger.aspx

==== Testing for Brute Force Password ====
* THC Hydra - http://www.thc.org/thc-hydra/
* John the Ripper - http://www.openwall.com/john/
* Brutus - http://www.hoobie.net/brutus/
* Medusa - http://www.foofus.net/~jmk/medusa/medusa.html
* Ncat - http://nmap.org/ncat/

==== Testing Buffer Overflow ====
* OllyDbg - http://www.ollydbg.de
** "A windows based debugger used for analyzing buffer overflow vulnerabilities"
* Spike - http://www.immunitysec.com/downloads/SPIKE2.9.tgz
** A fuzzer framework that can be used to explore vulnerabilities and perform length testing
* Brute Force Binary Tester (BFB) - http://bfbtester.sourceforge.net
** A proactive binary checker
* Metasploit - http://www.metasploit.com/
** A rapid exploit development and Testing frame work

==== Fuzzer ====
* '''[[:Category:OWASP_WSFuzzer_Project|OWASP WSFuzzer]]'''
* Wfuzz - http://www.darknet.org.uk/2007/07/wfuzz-a-tool-for-bruteforcingfuzzing-web-applications/

==== Googling ====
* Bishop Fox's Google Hacking Diggity Project - http://www.bishopfox.com/resources/tools/google-hacking-diggity/
* Foundstone Sitedigger (Google cached fault-finding) - http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx

==Commercial Black Box Testing tools==
* NGS Typhon III - http://www.nccgroup.com/en/our-services/security-testing-audit-compliance/information-security-software/ngs-typhon-iii/
* NGSSQuirreL - http://www.nccgroup.com/en/our-services/security-testing-audit-compliance/information-security-software/ngs-squirrel-vulnerability-scanners/
* IBM AppScan - http://www-01.ibm.com/software/awdtools/appscan/
* Trustwave App Scanner (Formerly Cenzic Hailstorm) - https://www.trustwave.com/Products/Application-Security/App-Scanner-Family/App-Scanner-Enterprise/
* Burp Intruder - http://www.portswigger.net/burp/intruder.html
* Acunetix Web Vulnerability Scanner - http://www.acunetix.com
* Sleuth - http://www.sandsprite.com
* NT Objectives NTOSpider - http://www.ntobjectives.com/products/ntospider.php
* MaxPatrol Security Scanner - http://www.maxpatrol.com
* Ecyware GreenBlue Inspector - http://www.ecyware.com
* Parasoft SOAtest (more QA-type tool)- http://www.parasoft.com/jsp/products/soatest.jsp?itemId=101
* MatriXay - http://www.dbappsecurity.com/webscan.html
* N-Stalker Web Application Security Scanner - http://www.nstalker.com
* HP WebInspect - http://www.hpenterprisesecurity.com/products/hp-fortify-software-security-center/hp-webinspect
* SoapUI (Web Service security testing) - http://www.soapui.org/Security/getting-started.html
* Netsparker - http://www.mavitunasecurity.com/netsparker/
* SAINT - http://www.saintcorporation.com/
* QualysGuard WAS - http://www.qualys.com/enterprises/qualysguard/web-application-scanning/
* IndusGuard Web - https://www.indusface.com/index.php/products/indusguard-web
* Retina Web - http://www.eeye.com/Products/Retina/Web-Security-Scanner.aspx

==Source Code Analyzers==

===Open Source / Freeware===
* [[:Category:OWASP_Orizon_Project|Owasp Orizon]]
* '''[[:Category:OWASP_LAPSE_Project|OWASP LAPSE]]'''
* [[OWASP O2 Platform]]
* [[OWASP WAP-Web Application Protection]]
* Google CodeSearchDiggity - http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/
* PMD - http://pmd.sourceforge.net/
* FlawFinder - http://www.dwheeler.com/flawfinder
* Microsoft’s [[FxCop]]
* Splint - http://splint.org
* Boon - http://www.cs.berkeley.edu/~daw/boon
* FindBugs - http://findbugs.sourceforge.net
* Find Security Bugs - http://h3xstream.github.io/find-sec-bugs/
* Oedipus - http://www.darknet.org.uk/2006/06/oedipus-open-source-web-application-security-analysis/
* W3af - http://w3af.sourceforge.net/
* phpcs-security-audit - https://github.com/Pheromone/phpcs-security-audit

===Commercial ===

* Armorize CodeSecure - http://www.armorize.com/index.php?link_id=codesecure
* Parasoft C/C++ test - http://www.parasoft.com/jsp/products/cpptest.jsp/index.htm
* Checkmarx CxSuite - http://www.checkmarx.com
* HP Fortify - http://www.hpenterprisesecurity.com/products/hp-fortify-software-security-center/hp-fortify-static-code-analyzer
* GrammaTech - http://www.grammatech.com
* ITS4 - http://seclab.cs.ucdavis.edu/projects/testing/tools/its4.html
* Appscan - http://www-01.ibm.com/software/rational/products/appscan/source/
* ParaSoft - http://www.parasoft.com
* Virtual Forge CodeProfiler for ABAP - http://www.virtualforge.de
* Veracode - http://www.veracode.com
* Armorize CodeSecure - http://www.armorize.com/codesecure/

==Acceptance Testing Tools==
Acceptance testing tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security specific tests in addition to functional tests.

===Open Source Tools===

* WATIR - http://wtr.rubyforge.org
** A Ruby based web testing framework that provides an interface into Internet Explorer.
** Windows only.
* HtmlUnit - http://htmlunit.sourceforge.net
** A Java and JUnit based framework that uses the Apache HttpClient as the transport.
** Very robust and configurable and is used as the engine for a number of other testing tools.
* jWebUnit - http://jwebunit.sourceforge.net
** A Java based meta-framework that uses htmlunit or selenium as the testing engine.
* Canoo Webtest - http://webtest.canoo.com
** An XML based testing tool that provides a facade on top of htmlunit.
** No coding is necessary as the tests are completely specified in XML.
** There is the option of scripting some elements in Groovy if XML does not suffice.
** Very actively maintained.
* HttpUnit - http://httpunit.sourceforge.net
** One of the first web testing frameworks, suffers from using the native JDK provided HTTP transport, which can be a bit limiting for security testing.
* Watij - http://watij.com
** A Java implementation of WATIR.
** Windows only because it uses IE for its tests (Mozilla integration is in the works).
* Solex - http://solex.sourceforge.net
** An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results.
* Selenium - http://seleniumhq.org/
** JavaScript based testing framework, cross-platform and provides a GUI for creating tests.
** Mature and popular tool, but the use of JavaScript could hamper certain security tests.

==Other Tools==

===Runtime Analysis===

* Rational PurifyPlus - http://www-01.ibm.com/software/awdtools/purify/
* Seeker by Quotium - http://www.quotium.com/prod/security.php

===Binary Analysis===

* BugScam IDC Package - http://sourceforge.net/projects/bugscam
* Veracode - http://www.veracode.com

===Requirements Management===

* Rational Requisite Pro - http://www-306.ibm.com/software/awdtools/reqpro

===Site Mirroring===
* wget - http://www.gnu.org/software/wget, http://www.interlog.com/~tcharron/wgetwin.html
* curl - http://curl.haxx.se
* Sam Spade - http://www.samspade.org
* Xenu's Link Sleuth - http://home.snafu.de/tilman/xenulink.html

[[Category:SAMM-CR-2]]

Static Code Analysis

2016-01-16T18:31:32Z

Iberiam: /* OWASP Tools */

Every '''[[Control]]''' should follow this template.

{{Template:Control}}
 
[[Category:OWASP ASDR Project]]

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

Static Code Analysis (also known as Source Code Analysis) is usually performed as part of a Code Review (also known as white-box testing) and is carried out at the Implementation phase of a Security Development Lifecycle (SDL). Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within 'static' (non-running) source code by using techniques such as Taint Analysis and Data Flow Analysis.

Ideally, such tools would automatically find security flaws with a high degree of confidence that what is found is indeed a flaw. However, this is beyond the state of the art for many types of application security flaws. Thus, such tools frequently serve as aids for an analyst to help them zero in on security relevant portions of code so they can find flaws more efficiently, rather than a tool that simply finds flaws automatically.

Some tools are starting to move into the Integrated Development Environment (IDE). For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development lifecycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful as compared to finding vulnerabilities much later in the development cycle.

The UK Defense Standard 00-55 requires that Static Code Analysis be used on all 'safety related software in defense equipment'. [0]

==Techniques==
There are various techniques to analyze static source code for potential vulnerabilities that maybe combined into one solution. These techniques are often derived from compiler technologies.

===Data Flow Analysis===
Data flow analysis is used to collect run-time (dynamic) information about data in software while it is in a static state (Wögerer, 2005).

There are three common terms used in data flow analysis, basic block (the code), Control Flow Analysis (the flow of data) and Control Flow Path (the path the data takes):

Basic block: A sequence of consecutive instructions where control enters at the beginning of a block, control leaves at the end of a block and the block cannot halt or branch out except at its end (Wögerer, 2005).

Example PHP basic block:

<pre>
1. $a = 0;
2. $b = 1;
3.
4. if ($a == $b)
5. { # start of block
6. echo “a and b are the same”;
7. } # end of block
8. else
9. { # start of block
10. echo “a and b are different”;
11.} # end of block
</pre>

=== Control Flow Graph (CFG) ===
An abstract graph representation of software by use of nodes that represent basic blocks. A node in a graph represents a block; directed edges are used to represent jumps (paths) from one block to another. If a node only has an exit edge, this is known as an ‘entry’ block, if a node only has a entry edge, this is know as an ‘exit’ block (Wögerer, 2005).

Example Control Flow Graph; ‘node 1’ represents the entry block and ‘node 6’ represents the exit block.

[[File:Control_flow_graph.png|400x200px]]

===Taint Analysis===
Taint Analysis attempts to identify variables that have been 'tainted' with user controllable input and traces them to possible vulnerable functions also known as a 'sink'. If the tainted variable gets passed to a sink without first being sanitized it is flagged as a vulnerability.

Some programming languages such as Perl and Ruby have Taint Checking built into them and enabled in certain situations such as accepting data via CGI.

===Lexical Analysis===
Lexical Analysis converts source code syntax into ‘tokens’ of information in an attempt to abstract the source code and make it easier to manipulate (Sotirov, 2005).

Pre tokenised PHP source code:

<pre>
<?php $name = "Ryan"; ?>
</pre>

Post tokenised PHP source code:

<pre>
T_OPEN_TAG
T_VARIABLE
=
T_CONSTANT_ENCAPSED_STRING
;
T_CLOSE_TAG
</pre>

==Strengths and Weaknesses==

=== Strengths ===
* Scales Well (Can be run on lots of software, and can be repeatedly (like in nightly builds))
* For things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, etc. they are great.

=== Weaknesses ===
* Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. Tools of this type are getting better, however.
* High numbers of false positives.
* Frequently can't find configuration issues, since they are not represented in the code.
* Difficult to 'prove' that an identified security issue is an actual vulnerability.
* Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.

==Limitations==

===False Positives===
A static code analysis tool will often produce false positive results where the tool reports a possible vulnerability that in fact is not. This often occurs because the tool cannot be sure of the integrity and security of data as it flows through the application from input to output.

False positive results might be reported when analysing an application that interacts with closed source components or external systems because without the source code it is impossible to trace the flow of data in the external system and hence ensure the integrity and security of the data.

===False Negatives===
The use of static code analysis tools can also result in false negative results where vulnerabilities result but the tool does not report them. This might occur if a new vulnerability is discovered in an external component or if the analysis tool has no knowledge of the runtime environment and whether it is configured securely.

==Important Selection Criteria==

* Requirement: Must support your language, but not usually a key factor once it does.
* Types of Vulnerabilities it can detect (The OWASP Top Ten?) (more?)
* Does it require a fully buildable set of source?
* Can it run against binaries instead of source?
* Can it be integrated into the developer's IDE?
* License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)
* Does it support Object-oriented programming (OOP)?

==Examples==

===RIPS PHP Static Code Analysis Tool===
[[File:Rips.jpg|400px|thum|]]

===OWASP LAPSE+ Static Code Analysis Tool===
[[File:LapsePlusScreenshot.png|400px|thum|]]

== Tools ==

===OWASP Tools===
* [https://www.owasp.org/index.php/Category:OWASP_Code_Crawler OWASP Code Crawler] (.NET & Java)
* [https://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project] (Java,PHP,C & JSP)
* [[OWASP_LAPSE_Project | OWASP LAPSE Project]] (Java)
* [[OWASP O2 Platform]]
* [[OWASP WAP-Web Application Protection]] (PHP)

=== Open Source/Free ===

* [http://www.stachliu.com/resources/tools/google-hacking-diggity-project/attack-tools/ Google CodeSearchDiggity] (Multiple)
* [http://pmd.sourceforge.net/ PMD] (Java)
* [http://www.dwheeler.com/flawfinder/ FlawFinder] (C/C++)
* [http://msdn.microsoft.com/en-us/library/bb429476(v=vs.80).aspx Microsoft FxCop] (.NET)
* [http://www.splint.org Splint] (C)
* [http://findbugs.sourceforge.net/ FindBugs] (Java)
* [http://sourceforge.net/projects/rips-scanner/ RIPS] (PHP)
* [http://sourceforge.net/projects/agnitiotool/ Agnitio] (Objective-C, C#, Java & Android)
* [http://msdn.microsoft.com/en-us/library/ms933794.aspx Microsoft PreFast] (C/C++)
* [https://www.fortify.com/ssa-elements/threat-intelligence/rats.html Fortify RATS] (C, C++, Perl, PHP & Python)
* [http://www.devbug.co.uk DevBug] (PHP)
* [http://brakemanscanner.org/ Brakeman] (Rails)
* [http://sourceforge.net/projects/visualcodegrepp/ VisualCodeGrepper] (C/C++, C#, VB, PHP, Java & PL/SQL)

=== Commercial ===

* [https://www.fortify.com/ Fortify] (OWASP Member)
* [https://www.veracode.com/ Veracode] (OWASP Member)
* [http://www.grammatech.com/ GrammaTech]
* [http://www.parasoft.com/jsp/home.jsp ParaSoft]
* [http://www.armorize.com/codesecure/ Armorize CodeSecure] (OWASP Member)
* [http://www.checkmarx.com/ Checkmarx Static Code Analysis] (OWASP Member)
* [http://www-01.ibm.com/software/rational/products/appscan/source/ Rational AppScan Source Edition]
* [http://www.coverity.com/products/static-analysis.html Coverity]
* [http://www.viva64.com/en/ PVS-Studio]
* [http://www.klocwork.com/products/insight.asp Insight]
* [http://www.mathworks.com/products/polyspace/ Polyspace Static Analysis]

===Other Tool Lists===

* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html NIST - Source Code Security Analyzers]
* [http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis Wikipedia - List of tools for static code analysis]

==References==

[0] Ministry of Defence (MoD). (1997) ''SAFETY RELATED SOFTWARE IN DEFENSE EQUIPMENT'' [Online]. Available at: http://www.software-supportability.org/Docs/00-55_Part_2.pdf (Accessed: 5 January 2012).

[1] Northumbria University. (2012) ''Implementing Basic Static Code Analysis into Integrated Development Environments (IDEs) to Reduce Software Vulnerabilities'' [Online]. Available at: http://www.ethicalhack3r.co.uk/wp-content/uploads/2012/09/Implementing-Basic-Static-Code-Analysis-into-Integrated-Development-Environments-IDEs-to-Reduce-Software-Vulnerabilities.pdf (Accessed: 19 March 2013)

== Further Reading ==

* [https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf OWASP Code Review Guide v1.1]
* http://www.crosstalkonline.org/storage/issue-archives/2003/200311/200311-German.pdf
* http://www.ida.liu.se/~TDDC90/papers/industrial95.pdf
* http://www.php-security.org/downloads/rips.pdf
* http://www.seclab.tuwien.ac.at/papers/pixy.pdf

[[Category:FIXME|

In addition, one should classify control based on the following subcategories: Ex:<nowiki>[[Category:Error Handling Control]]</nowiki>

Availability Control

Authorization Control

Authentication Control

Concurrency Control

Configuration Control

Cryptographic Control

Encoding Control

Error Handling Control

Input Validation Control

Logging and Auditing Control

Session Management Control
]]
__FORCETOC__

[[Category:Control]]

Source Code Analysis Tools

2016-01-16T18:30:51Z

Iberiam: /* OWASP Tools Of This Type */

{{taggedDocument
| type=partialOld
}}

Source code analysis tools are designed to analyze source code and/or compiled version of code in order to help find security flaws. Ideally, such tools would automatically find security flaws with such a high degree of confidence that what's found is indeed a flaw. However, this is beyond the state of the art for many types of application security flaws. Thus, such tools frequently serve as aids for an analyst to help them zero in on security relevant portions of code so they can find flaws more efficiently, rather than a tool that just automatically finds flaws.

Some tools are starting to move into the IDE. For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development life cycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful, especially when compared to finding vulnerabilities much later in the development cycle.

== Strengths and weaknesses ==

=== Strengths ===

* Scales well -- can be run on lots of software, and can be repeatedly (as with nightly builds)
* Useful for things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, and so forth
* Output is good for developers -- highlights the precise source files and line numbers that are affected

=== Weaknesses ===

* Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. Tools of this type are getting better, however.
* High numbers of false positives.
* Frequently can't find configuration issues, since they are not represented in the code.
* Difficult to 'prove' that an identified security issue is an actual vulnerability.
* Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.

==Important selection criteria==

* Requirement: Must support your language, but not usually a key factor once it does.
* Types of vulnerabilities it can detect (out of the [[OWASP Top Ten]]?) (plus more?)
* Does it require a fully buildable set of source?
* Can it run against binaries instead of source?
* Can it be integrated into the developer's IDE?
* License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)

==OWASP Tools Of This Type==

* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]
* [[OWASP_LAPSE_Project | OWASP LAPSE Project]]
* [[OWASP O2 Platform]]
* [[OWASP WAP-Web Application Protection]]

==Disclaimer==

Disclaimer: The tools listed in the tables below are presented in alphabetical order. OWASP does not endorse any of the vendors or tools by listing them in the table below. We have made every effort to provide this information as accurately as possible. If you are the vendor of a tool below and think that this information is incomplete or incorrect, please send an e-mail to our mailing list and we will make every effort to correct this information.

==Open Source or Free Tools Of This Type==

* [http://www.stachliu.com/resources/tools/google-hacking-diggity-project/attack-tools/ Google CodeSearchDiggity] - Utilizes Google Code Search to identifies vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. ''Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.''
* [http://findbugs.sourceforge.net/ FindBugs] - Find Bugs (including some security flaws) in Java Programs
* [http://msdn.microsoft.com/en-us/library/bb429476(VS.80).aspx FxCop] (Microsoft) - FxCop is an application that analyzes managed code assemblies (code that targets the .NET Framework common language runtime) and reports information about the assemblies, such as possible design, localization, performance, and security improvements.
* [http://pmd.sourceforge.net/ PMD] - PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)
* [http://msdn.microsoft.com/en-us/library/ms933794.aspx PreFast] (Microsoft) - PREfast is a static analysis tool that identifies defects in C/C++ programs
* [https://www.fortify.com/ssa-elements/threat-intelligence/rats.html RATS] (Fortify) - Scans C, C++, Perl, PHP and Python source code for security problems like buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions
* [https://www.owasp.org/index.php/Category:OWASP_SWAAT_Project OWASP SWAAT Project] - Simplistic Beta Tool - Languages: Java, JSP, ASP .Net, and PHP
* [http://www.dwheeler.com/flawfinder/ Flawfinder] Flawfinder - Scans C and C++
* [http://sourceforge.net/projects/rips-scanner/ RIPS] - RIPS is a static source code analyzer for vulnerabilities in PHP web applications
* [http://brakemanscanner.org/ Brakeman] - Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications
* [http://rubygems.org/gems/codesake-dawn Codesake Dawn] - Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino and Ruby on Rails applications. It can work also for non web application wrote in Ruby programming language
* [http://sourceforge.net/projects/visualcodegrepp/ VCG] - Scans C/C++, Java, C# and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.

==Commercial Tools Of This Type==

* [http://www.buguroo.com/ BugScout] (Buguroo Offensive Security)
** Latest generation source code analysis tool bugScout detects source code vulnerabilities and makes possible an accurate management of the life cycles due to its easy use.
* [http://www.contrastsecurity.com/ Contrast from Contrast Security]
** Contrast is not a static analysis tool like these others. It instruments the running application and provides code level results, but doesn't actually perform static analysis. It monitors the code that is actually running.
* [http://www-01.ibm.com/software/rational/products/appscan/source/ IBM Security AppScan Source Edition] (formerly Ounce)
* [http://www.klocwork.com/products/insight.asp Insight] (KlocWork)
* [http://www.parasoft.com/jsp/capabilities/static_analysis.jsp?itemId=547 Parasoft Test] (Parasoft)
* [http://www.pitbullsoftware.net/pitbull-scc-en/ Pitbull Source Code Control] (Pitbull SCC)
**Software application designed to solve efficiently application source code control with the appropriate compiled files to ensure integrity prior to placing it into production. Providing added value,allows the analysis of source code to identify if it has a malware that affects the normal functioning of the application.
* [http://www.quotium.com/prod/security.php Seeker] ([http://www.quotium.com/ Quotium])
** Seeker performs code security without actually doing static analysis. Seeker does Interactive Application Security Testing (IAST), correlating runtime code & data analysis with simulated attacks. It provides code level results without actually relying on static analysis.
* [http://www.sourcepatrol.co.uk/ Source Patrol] (Pentest)
* [http://www.armorize.com/codesecure/ Static Source Code Analysis with CodeSecure™] (Armorize Technologies)
* [http://www.kiuwan.com Kiuwan - SaaS Software Quality & Security Analysis] ([http://www.optimyth.com Optimyth])
* [http://www.checkmarx.com/technology/static-code-analysis-sca/ Static Code Analysis] (Checkmarx)
* [http://www.coverity.com/products/security-advisor.html Security Advisor] (Coverity)
* [http://www.viva64.com/en/ PVS-Studio] (PVS-Studio)
* [https://www.fortify.com/products/hpfssc/source-code-analyzer.html Source Code Analysis] (HP/Fortify)
* [http://www.veracode.com/ Veracode] (Veracode)
* [https://www.whitehatsec.com/offerings.html Sentinel Source solution] (Whitehat)

==More info==


* [[Appendix_A:_Testing_Tools | Appendix A: Testing Tools]]
* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html NIST's list of Source Code Security Analysis Tools]

[[Category:OWASP .NET Project]]
[[Category:SAMM-CR-2]]
__NOTOC__

Source Code Analysis Tools

2016-01-16T18:29:37Z

Iberiam: /* OWASP Tools Of This Type */

{{taggedDocument
| type=partialOld
}}

Source code analysis tools are designed to analyze source code and/or compiled version of code in order to help find security flaws. Ideally, such tools would automatically find security flaws with such a high degree of confidence that what's found is indeed a flaw. However, this is beyond the state of the art for many types of application security flaws. Thus, such tools frequently serve as aids for an analyst to help them zero in on security relevant portions of code so they can find flaws more efficiently, rather than a tool that just automatically finds flaws.

Some tools are starting to move into the IDE. For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development life cycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful, especially when compared to finding vulnerabilities much later in the development cycle.

== Strengths and weaknesses ==

=== Strengths ===

* Scales well -- can be run on lots of software, and can be repeatedly (as with nightly builds)
* Useful for things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, and so forth
* Output is good for developers -- highlights the precise source files and line numbers that are affected

=== Weaknesses ===

* Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. Tools of this type are getting better, however.
* High numbers of false positives.
* Frequently can't find configuration issues, since they are not represented in the code.
* Difficult to 'prove' that an identified security issue is an actual vulnerability.
* Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.

==Important selection criteria==

* Requirement: Must support your language, but not usually a key factor once it does.
* Types of vulnerabilities it can detect (out of the [[OWASP Top Ten]]?) (plus more?)
* Does it require a fully buildable set of source?
* Can it run against binaries instead of source?
* Can it be integrated into the developer's IDE?
* License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)

==OWASP Tools Of This Type==

* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]
* [[OWASP_LAPSE_Project | OWASP LAPSE Project]]
* [[OWASP O2 Platform]]
* [https://www.owasp.org/index.php/OWASP_WAP-Web_Application_Protection/ OWASP WAP-Web Application Protection]

==Disclaimer==

Disclaimer: The tools listed in the tables below are presented in alphabetical order. OWASP does not endorse any of the vendors or tools by listing them in the table below. We have made every effort to provide this information as accurately as possible. If you are the vendor of a tool below and think that this information is incomplete or incorrect, please send an e-mail to our mailing list and we will make every effort to correct this information.

==Open Source or Free Tools Of This Type==

* [http://www.stachliu.com/resources/tools/google-hacking-diggity-project/attack-tools/ Google CodeSearchDiggity] - Utilizes Google Code Search to identifies vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. ''Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.''
* [http://findbugs.sourceforge.net/ FindBugs] - Find Bugs (including some security flaws) in Java Programs
* [http://msdn.microsoft.com/en-us/library/bb429476(VS.80).aspx FxCop] (Microsoft) - FxCop is an application that analyzes managed code assemblies (code that targets the .NET Framework common language runtime) and reports information about the assemblies, such as possible design, localization, performance, and security improvements.
* [http://pmd.sourceforge.net/ PMD] - PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)
* [http://msdn.microsoft.com/en-us/library/ms933794.aspx PreFast] (Microsoft) - PREfast is a static analysis tool that identifies defects in C/C++ programs
* [https://www.fortify.com/ssa-elements/threat-intelligence/rats.html RATS] (Fortify) - Scans C, C++, Perl, PHP and Python source code for security problems like buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions
* [https://www.owasp.org/index.php/Category:OWASP_SWAAT_Project OWASP SWAAT Project] - Simplistic Beta Tool - Languages: Java, JSP, ASP .Net, and PHP
* [http://www.dwheeler.com/flawfinder/ Flawfinder] Flawfinder - Scans C and C++
* [http://sourceforge.net/projects/rips-scanner/ RIPS] - RIPS is a static source code analyzer for vulnerabilities in PHP web applications
* [http://brakemanscanner.org/ Brakeman] - Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications
* [http://rubygems.org/gems/codesake-dawn Codesake Dawn] - Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino and Ruby on Rails applications. It can work also for non web application wrote in Ruby programming language
* [http://sourceforge.net/projects/visualcodegrepp/ VCG] - Scans C/C++, Java, C# and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.

==Commercial Tools Of This Type==

* [http://www.buguroo.com/ BugScout] (Buguroo Offensive Security)
** Latest generation source code analysis tool bugScout detects source code vulnerabilities and makes possible an accurate management of the life cycles due to its easy use.
* [http://www.contrastsecurity.com/ Contrast from Contrast Security]
** Contrast is not a static analysis tool like these others. It instruments the running application and provides code level results, but doesn't actually perform static analysis. It monitors the code that is actually running.
* [http://www-01.ibm.com/software/rational/products/appscan/source/ IBM Security AppScan Source Edition] (formerly Ounce)
* [http://www.klocwork.com/products/insight.asp Insight] (KlocWork)
* [http://www.parasoft.com/jsp/capabilities/static_analysis.jsp?itemId=547 Parasoft Test] (Parasoft)
* [http://www.pitbullsoftware.net/pitbull-scc-en/ Pitbull Source Code Control] (Pitbull SCC)
**Software application designed to solve efficiently application source code control with the appropriate compiled files to ensure integrity prior to placing it into production. Providing added value,allows the analysis of source code to identify if it has a malware that affects the normal functioning of the application.
* [http://www.quotium.com/prod/security.php Seeker] ([http://www.quotium.com/ Quotium])
** Seeker performs code security without actually doing static analysis. Seeker does Interactive Application Security Testing (IAST), correlating runtime code & data analysis with simulated attacks. It provides code level results without actually relying on static analysis.
* [http://www.sourcepatrol.co.uk/ Source Patrol] (Pentest)
* [http://www.armorize.com/codesecure/ Static Source Code Analysis with CodeSecure™] (Armorize Technologies)
* [http://www.kiuwan.com Kiuwan - SaaS Software Quality & Security Analysis] ([http://www.optimyth.com Optimyth])
* [http://www.checkmarx.com/technology/static-code-analysis-sca/ Static Code Analysis] (Checkmarx)
* [http://www.coverity.com/products/security-advisor.html Security Advisor] (Coverity)
* [http://www.viva64.com/en/ PVS-Studio] (PVS-Studio)
* [https://www.fortify.com/products/hpfssc/source-code-analyzer.html Source Code Analysis] (HP/Fortify)
* [http://www.veracode.com/ Veracode] (Veracode)
* [https://www.whitehatsec.com/offerings.html Sentinel Source solution] (Whitehat)

==More info==


* [[Appendix_A:_Testing_Tools | Appendix A: Testing Tools]]
* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html NIST's list of Source Code Security Analysis Tools]

[[Category:OWASP .NET Project]]
[[Category:SAMM-CR-2]]
__NOTOC__

Static Code Analysis

2016-01-16T18:27:28Z

Iberiam: /* OWASP Tools */

Every '''[[Control]]''' should follow this template.

{{Template:Control}}
 
[[Category:OWASP ASDR Project]]

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

Static Code Analysis (also known as Source Code Analysis) is usually performed as part of a Code Review (also known as white-box testing) and is carried out at the Implementation phase of a Security Development Lifecycle (SDL). Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within 'static' (non-running) source code by using techniques such as Taint Analysis and Data Flow Analysis.

Ideally, such tools would automatically find security flaws with a high degree of confidence that what is found is indeed a flaw. However, this is beyond the state of the art for many types of application security flaws. Thus, such tools frequently serve as aids for an analyst to help them zero in on security relevant portions of code so they can find flaws more efficiently, rather than a tool that simply finds flaws automatically.

Some tools are starting to move into the Integrated Development Environment (IDE). For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development lifecycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful as compared to finding vulnerabilities much later in the development cycle.

The UK Defense Standard 00-55 requires that Static Code Analysis be used on all 'safety related software in defense equipment'. [0]

==Techniques==
There are various techniques to analyze static source code for potential vulnerabilities that maybe combined into one solution. These techniques are often derived from compiler technologies.

===Data Flow Analysis===
Data flow analysis is used to collect run-time (dynamic) information about data in software while it is in a static state (Wögerer, 2005).

There are three common terms used in data flow analysis, basic block (the code), Control Flow Analysis (the flow of data) and Control Flow Path (the path the data takes):

Basic block: A sequence of consecutive instructions where control enters at the beginning of a block, control leaves at the end of a block and the block cannot halt or branch out except at its end (Wögerer, 2005).

Example PHP basic block:

<pre>
1. $a = 0;
2. $b = 1;
3.
4. if ($a == $b)
5. { # start of block
6. echo “a and b are the same”;
7. } # end of block
8. else
9. { # start of block
10. echo “a and b are different”;
11.} # end of block
</pre>

=== Control Flow Graph (CFG) ===
An abstract graph representation of software by use of nodes that represent basic blocks. A node in a graph represents a block; directed edges are used to represent jumps (paths) from one block to another. If a node only has an exit edge, this is known as an ‘entry’ block, if a node only has a entry edge, this is know as an ‘exit’ block (Wögerer, 2005).

Example Control Flow Graph; ‘node 1’ represents the entry block and ‘node 6’ represents the exit block.

[[File:Control_flow_graph.png|400x200px]]

===Taint Analysis===
Taint Analysis attempts to identify variables that have been 'tainted' with user controllable input and traces them to possible vulnerable functions also known as a 'sink'. If the tainted variable gets passed to a sink without first being sanitized it is flagged as a vulnerability.

Some programming languages such as Perl and Ruby have Taint Checking built into them and enabled in certain situations such as accepting data via CGI.

===Lexical Analysis===
Lexical Analysis converts source code syntax into ‘tokens’ of information in an attempt to abstract the source code and make it easier to manipulate (Sotirov, 2005).

Pre tokenised PHP source code:

<pre>
<?php $name = "Ryan"; ?>
</pre>

Post tokenised PHP source code:

<pre>
T_OPEN_TAG
T_VARIABLE
=
T_CONSTANT_ENCAPSED_STRING
;
T_CLOSE_TAG
</pre>

==Strengths and Weaknesses==

=== Strengths ===
* Scales Well (Can be run on lots of software, and can be repeatedly (like in nightly builds))
* For things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, etc. they are great.

=== Weaknesses ===
* Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. Tools of this type are getting better, however.
* High numbers of false positives.
* Frequently can't find configuration issues, since they are not represented in the code.
* Difficult to 'prove' that an identified security issue is an actual vulnerability.
* Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.

==Limitations==

===False Positives===
A static code analysis tool will often produce false positive results where the tool reports a possible vulnerability that in fact is not. This often occurs because the tool cannot be sure of the integrity and security of data as it flows through the application from input to output.

False positive results might be reported when analysing an application that interacts with closed source components or external systems because without the source code it is impossible to trace the flow of data in the external system and hence ensure the integrity and security of the data.

===False Negatives===
The use of static code analysis tools can also result in false negative results where vulnerabilities result but the tool does not report them. This might occur if a new vulnerability is discovered in an external component or if the analysis tool has no knowledge of the runtime environment and whether it is configured securely.

==Important Selection Criteria==

* Requirement: Must support your language, but not usually a key factor once it does.
* Types of Vulnerabilities it can detect (The OWASP Top Ten?) (more?)
* Does it require a fully buildable set of source?
* Can it run against binaries instead of source?
* Can it be integrated into the developer's IDE?
* License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)
* Does it support Object-oriented programming (OOP)?

==Examples==

===RIPS PHP Static Code Analysis Tool===
[[File:Rips.jpg|400px|thum|]]

===OWASP LAPSE+ Static Code Analysis Tool===
[[File:LapsePlusScreenshot.png|400px|thum|]]

== Tools ==

===OWASP Tools===
* [https://www.owasp.org/index.php/Category:OWASP_Code_Crawler OWASP Code Crawler] (.NET & Java)
* [https://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project] (Java,PHP,C & JSP)
* [[OWASP_LAPSE_Project | OWASP LAPSE Project]] (Java)
* [[OWASP O2 Platform]]
* [https://www.owasp.org/index.php/OWASP_WAP-Web_Application_Protection/ OWASP WAP-Web Application Protection] (PHP)

=== Open Source/Free ===

* [http://www.stachliu.com/resources/tools/google-hacking-diggity-project/attack-tools/ Google CodeSearchDiggity] (Multiple)
* [http://pmd.sourceforge.net/ PMD] (Java)
* [http://www.dwheeler.com/flawfinder/ FlawFinder] (C/C++)
* [http://msdn.microsoft.com/en-us/library/bb429476(v=vs.80).aspx Microsoft FxCop] (.NET)
* [http://www.splint.org Splint] (C)
* [http://findbugs.sourceforge.net/ FindBugs] (Java)
* [http://sourceforge.net/projects/rips-scanner/ RIPS] (PHP)
* [http://sourceforge.net/projects/agnitiotool/ Agnitio] (Objective-C, C#, Java & Android)
* [http://msdn.microsoft.com/en-us/library/ms933794.aspx Microsoft PreFast] (C/C++)
* [https://www.fortify.com/ssa-elements/threat-intelligence/rats.html Fortify RATS] (C, C++, Perl, PHP & Python)
* [http://www.devbug.co.uk DevBug] (PHP)
* [http://brakemanscanner.org/ Brakeman] (Rails)
* [http://sourceforge.net/projects/visualcodegrepp/ VisualCodeGrepper] (C/C++, C#, VB, PHP, Java & PL/SQL)

=== Commercial ===

* [https://www.fortify.com/ Fortify] (OWASP Member)
* [https://www.veracode.com/ Veracode] (OWASP Member)
* [http://www.grammatech.com/ GrammaTech]
* [http://www.parasoft.com/jsp/home.jsp ParaSoft]
* [http://www.armorize.com/codesecure/ Armorize CodeSecure] (OWASP Member)
* [http://www.checkmarx.com/ Checkmarx Static Code Analysis] (OWASP Member)
* [http://www-01.ibm.com/software/rational/products/appscan/source/ Rational AppScan Source Edition]
* [http://www.coverity.com/products/static-analysis.html Coverity]
* [http://www.viva64.com/en/ PVS-Studio]
* [http://www.klocwork.com/products/insight.asp Insight]
* [http://www.mathworks.com/products/polyspace/ Polyspace Static Analysis]

===Other Tool Lists===

* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html NIST - Source Code Security Analyzers]
* [http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis Wikipedia - List of tools for static code analysis]

==References==

[0] Ministry of Defence (MoD). (1997) ''SAFETY RELATED SOFTWARE IN DEFENSE EQUIPMENT'' [Online]. Available at: http://www.software-supportability.org/Docs/00-55_Part_2.pdf (Accessed: 5 January 2012).

[1] Northumbria University. (2012) ''Implementing Basic Static Code Analysis into Integrated Development Environments (IDEs) to Reduce Software Vulnerabilities'' [Online]. Available at: http://www.ethicalhack3r.co.uk/wp-content/uploads/2012/09/Implementing-Basic-Static-Code-Analysis-into-Integrated-Development-Environments-IDEs-to-Reduce-Software-Vulnerabilities.pdf (Accessed: 19 March 2013)

== Further Reading ==

* [https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf OWASP Code Review Guide v1.1]
* http://www.crosstalkonline.org/storage/issue-archives/2003/200311/200311-German.pdf
* http://www.ida.liu.se/~TDDC90/papers/industrial95.pdf
* http://www.php-security.org/downloads/rips.pdf
* http://www.seclab.tuwien.ac.at/papers/pixy.pdf

[[Category:FIXME|

In addition, one should classify control based on the following subcategories: Ex:<nowiki>[[Category:Error Handling Control]]</nowiki>

Availability Control

Authorization Control

Authentication Control

Concurrency Control

Configuration Control

Cryptographic Control

Encoding Control

Error Handling Control

Input Validation Control

Logging and Auditing Control

Session Management Control
]]
__FORCETOC__

[[Category:Control]]

Static Code Analysis

2016-01-16T18:25:49Z

Iberiam: /* Open Source/Free */

Every '''[[Control]]''' should follow this template.

{{Template:Control}}
 
[[Category:OWASP ASDR Project]]

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

Static Code Analysis (also known as Source Code Analysis) is usually performed as part of a Code Review (also known as white-box testing) and is carried out at the Implementation phase of a Security Development Lifecycle (SDL). Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within 'static' (non-running) source code by using techniques such as Taint Analysis and Data Flow Analysis.

Ideally, such tools would automatically find security flaws with a high degree of confidence that what is found is indeed a flaw. However, this is beyond the state of the art for many types of application security flaws. Thus, such tools frequently serve as aids for an analyst to help them zero in on security relevant portions of code so they can find flaws more efficiently, rather than a tool that simply finds flaws automatically.

Some tools are starting to move into the Integrated Development Environment (IDE). For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development lifecycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful as compared to finding vulnerabilities much later in the development cycle.

The UK Defense Standard 00-55 requires that Static Code Analysis be used on all 'safety related software in defense equipment'. [0]

==Techniques==
There are various techniques to analyze static source code for potential vulnerabilities that maybe combined into one solution. These techniques are often derived from compiler technologies.

===Data Flow Analysis===
Data flow analysis is used to collect run-time (dynamic) information about data in software while it is in a static state (Wögerer, 2005).

There are three common terms used in data flow analysis, basic block (the code), Control Flow Analysis (the flow of data) and Control Flow Path (the path the data takes):

Basic block: A sequence of consecutive instructions where control enters at the beginning of a block, control leaves at the end of a block and the block cannot halt or branch out except at its end (Wögerer, 2005).

Example PHP basic block:

<pre>
1. $a = 0;
2. $b = 1;
3.
4. if ($a == $b)
5. { # start of block
6. echo “a and b are the same”;
7. } # end of block
8. else
9. { # start of block
10. echo “a and b are different”;
11.} # end of block
</pre>

=== Control Flow Graph (CFG) ===
An abstract graph representation of software by use of nodes that represent basic blocks. A node in a graph represents a block; directed edges are used to represent jumps (paths) from one block to another. If a node only has an exit edge, this is known as an ‘entry’ block, if a node only has a entry edge, this is know as an ‘exit’ block (Wögerer, 2005).

Example Control Flow Graph; ‘node 1’ represents the entry block and ‘node 6’ represents the exit block.

[[File:Control_flow_graph.png|400x200px]]

===Taint Analysis===
Taint Analysis attempts to identify variables that have been 'tainted' with user controllable input and traces them to possible vulnerable functions also known as a 'sink'. If the tainted variable gets passed to a sink without first being sanitized it is flagged as a vulnerability.

Some programming languages such as Perl and Ruby have Taint Checking built into them and enabled in certain situations such as accepting data via CGI.

===Lexical Analysis===
Lexical Analysis converts source code syntax into ‘tokens’ of information in an attempt to abstract the source code and make it easier to manipulate (Sotirov, 2005).

Pre tokenised PHP source code:

<pre>
<?php $name = "Ryan"; ?>
</pre>

Post tokenised PHP source code:

<pre>
T_OPEN_TAG
T_VARIABLE
=
T_CONSTANT_ENCAPSED_STRING
;
T_CLOSE_TAG
</pre>

==Strengths and Weaknesses==

=== Strengths ===
* Scales Well (Can be run on lots of software, and can be repeatedly (like in nightly builds))
* For things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, etc. they are great.

=== Weaknesses ===
* Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. Tools of this type are getting better, however.
* High numbers of false positives.
* Frequently can't find configuration issues, since they are not represented in the code.
* Difficult to 'prove' that an identified security issue is an actual vulnerability.
* Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.

==Limitations==

===False Positives===
A static code analysis tool will often produce false positive results where the tool reports a possible vulnerability that in fact is not. This often occurs because the tool cannot be sure of the integrity and security of data as it flows through the application from input to output.

False positive results might be reported when analysing an application that interacts with closed source components or external systems because without the source code it is impossible to trace the flow of data in the external system and hence ensure the integrity and security of the data.

===False Negatives===
The use of static code analysis tools can also result in false negative results where vulnerabilities result but the tool does not report them. This might occur if a new vulnerability is discovered in an external component or if the analysis tool has no knowledge of the runtime environment and whether it is configured securely.

==Important Selection Criteria==

* Requirement: Must support your language, but not usually a key factor once it does.
* Types of Vulnerabilities it can detect (The OWASP Top Ten?) (more?)
* Does it require a fully buildable set of source?
* Can it run against binaries instead of source?
* Can it be integrated into the developer's IDE?
* License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)
* Does it support Object-oriented programming (OOP)?

==Examples==

===RIPS PHP Static Code Analysis Tool===
[[File:Rips.jpg|400px|thum|]]

===OWASP LAPSE+ Static Code Analysis Tool===
[[File:LapsePlusScreenshot.png|400px|thum|]]

== Tools ==

===OWASP Tools===
* [https://www.owasp.org/index.php/Category:OWASP_Code_Crawler OWASP Code Crawler] (.NET & Java)
* [https://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project] (Java,PHP,C & JSP)
* [[OWASP_LAPSE_Project | OWASP LAPSE Project]] (Java)
* [[OWASP O2 Platform]]

=== Open Source/Free ===

* [http://www.stachliu.com/resources/tools/google-hacking-diggity-project/attack-tools/ Google CodeSearchDiggity] (Multiple)
* [http://pmd.sourceforge.net/ PMD] (Java)
* [http://www.dwheeler.com/flawfinder/ FlawFinder] (C/C++)
* [http://msdn.microsoft.com/en-us/library/bb429476(v=vs.80).aspx Microsoft FxCop] (.NET)
* [http://www.splint.org Splint] (C)
* [http://findbugs.sourceforge.net/ FindBugs] (Java)
* [http://sourceforge.net/projects/rips-scanner/ RIPS] (PHP)
* [http://sourceforge.net/projects/agnitiotool/ Agnitio] (Objective-C, C#, Java & Android)
* [http://msdn.microsoft.com/en-us/library/ms933794.aspx Microsoft PreFast] (C/C++)
* [https://www.fortify.com/ssa-elements/threat-intelligence/rats.html Fortify RATS] (C, C++, Perl, PHP & Python)
* [http://www.devbug.co.uk DevBug] (PHP)
* [http://brakemanscanner.org/ Brakeman] (Rails)
* [http://sourceforge.net/projects/visualcodegrepp/ VisualCodeGrepper] (C/C++, C#, VB, PHP, Java & PL/SQL)

=== Commercial ===

* [https://www.fortify.com/ Fortify] (OWASP Member)
* [https://www.veracode.com/ Veracode] (OWASP Member)
* [http://www.grammatech.com/ GrammaTech]
* [http://www.parasoft.com/jsp/home.jsp ParaSoft]
* [http://www.armorize.com/codesecure/ Armorize CodeSecure] (OWASP Member)
* [http://www.checkmarx.com/ Checkmarx Static Code Analysis] (OWASP Member)
* [http://www-01.ibm.com/software/rational/products/appscan/source/ Rational AppScan Source Edition]
* [http://www.coverity.com/products/static-analysis.html Coverity]
* [http://www.viva64.com/en/ PVS-Studio]
* [http://www.klocwork.com/products/insight.asp Insight]
* [http://www.mathworks.com/products/polyspace/ Polyspace Static Analysis]

===Other Tool Lists===

* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html NIST - Source Code Security Analyzers]
* [http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis Wikipedia - List of tools for static code analysis]

==References==

[0] Ministry of Defence (MoD). (1997) ''SAFETY RELATED SOFTWARE IN DEFENSE EQUIPMENT'' [Online]. Available at: http://www.software-supportability.org/Docs/00-55_Part_2.pdf (Accessed: 5 January 2012).

[1] Northumbria University. (2012) ''Implementing Basic Static Code Analysis into Integrated Development Environments (IDEs) to Reduce Software Vulnerabilities'' [Online]. Available at: http://www.ethicalhack3r.co.uk/wp-content/uploads/2012/09/Implementing-Basic-Static-Code-Analysis-into-Integrated-Development-Environments-IDEs-to-Reduce-Software-Vulnerabilities.pdf (Accessed: 19 March 2013)

== Further Reading ==

* [https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf OWASP Code Review Guide v1.1]
* http://www.crosstalkonline.org/storage/issue-archives/2003/200311/200311-German.pdf
* http://www.ida.liu.se/~TDDC90/papers/industrial95.pdf
* http://www.php-security.org/downloads/rips.pdf
* http://www.seclab.tuwien.ac.at/papers/pixy.pdf

[[Category:FIXME|

In addition, one should classify control based on the following subcategories: Ex:<nowiki>[[Category:Error Handling Control]]</nowiki>

Availability Control

Authorization Control

Authentication Control

Concurrency Control

Configuration Control

Cryptographic Control

Encoding Control

Error Handling Control

Input Validation Control

Logging and Auditing Control

Session Management Control
]]
__FORCETOC__

[[Category:Control]]

Static Code Analysis

2016-01-16T18:25:21Z

Iberiam: /* Open Source/Free */

Every '''[[Control]]''' should follow this template.

{{Template:Control}}
 
[[Category:OWASP ASDR Project]]

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

Static Code Analysis (also known as Source Code Analysis) is usually performed as part of a Code Review (also known as white-box testing) and is carried out at the Implementation phase of a Security Development Lifecycle (SDL). Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within 'static' (non-running) source code by using techniques such as Taint Analysis and Data Flow Analysis.

Ideally, such tools would automatically find security flaws with a high degree of confidence that what is found is indeed a flaw. However, this is beyond the state of the art for many types of application security flaws. Thus, such tools frequently serve as aids for an analyst to help them zero in on security relevant portions of code so they can find flaws more efficiently, rather than a tool that simply finds flaws automatically.

Some tools are starting to move into the Integrated Development Environment (IDE). For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development lifecycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful as compared to finding vulnerabilities much later in the development cycle.

The UK Defense Standard 00-55 requires that Static Code Analysis be used on all 'safety related software in defense equipment'. [0]

==Techniques==
There are various techniques to analyze static source code for potential vulnerabilities that maybe combined into one solution. These techniques are often derived from compiler technologies.

===Data Flow Analysis===
Data flow analysis is used to collect run-time (dynamic) information about data in software while it is in a static state (Wögerer, 2005).

There are three common terms used in data flow analysis, basic block (the code), Control Flow Analysis (the flow of data) and Control Flow Path (the path the data takes):

Basic block: A sequence of consecutive instructions where control enters at the beginning of a block, control leaves at the end of a block and the block cannot halt or branch out except at its end (Wögerer, 2005).

Example PHP basic block:

<pre>
1. $a = 0;
2. $b = 1;
3.
4. if ($a == $b)
5. { # start of block
6. echo “a and b are the same”;
7. } # end of block
8. else
9. { # start of block
10. echo “a and b are different”;
11.} # end of block
</pre>

=== Control Flow Graph (CFG) ===
An abstract graph representation of software by use of nodes that represent basic blocks. A node in a graph represents a block; directed edges are used to represent jumps (paths) from one block to another. If a node only has an exit edge, this is known as an ‘entry’ block, if a node only has a entry edge, this is know as an ‘exit’ block (Wögerer, 2005).

Example Control Flow Graph; ‘node 1’ represents the entry block and ‘node 6’ represents the exit block.

[[File:Control_flow_graph.png|400x200px]]

===Taint Analysis===
Taint Analysis attempts to identify variables that have been 'tainted' with user controllable input and traces them to possible vulnerable functions also known as a 'sink'. If the tainted variable gets passed to a sink without first being sanitized it is flagged as a vulnerability.

Some programming languages such as Perl and Ruby have Taint Checking built into them and enabled in certain situations such as accepting data via CGI.

===Lexical Analysis===
Lexical Analysis converts source code syntax into ‘tokens’ of information in an attempt to abstract the source code and make it easier to manipulate (Sotirov, 2005).

Pre tokenised PHP source code:

<pre>
<?php $name = "Ryan"; ?>
</pre>

Post tokenised PHP source code:

<pre>
T_OPEN_TAG
T_VARIABLE
=
T_CONSTANT_ENCAPSED_STRING
;
T_CLOSE_TAG
</pre>

==Strengths and Weaknesses==

=== Strengths ===
* Scales Well (Can be run on lots of software, and can be repeatedly (like in nightly builds))
* For things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, etc. they are great.

=== Weaknesses ===
* Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. Tools of this type are getting better, however.
* High numbers of false positives.
* Frequently can't find configuration issues, since they are not represented in the code.
* Difficult to 'prove' that an identified security issue is an actual vulnerability.
* Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.

==Limitations==

===False Positives===
A static code analysis tool will often produce false positive results where the tool reports a possible vulnerability that in fact is not. This often occurs because the tool cannot be sure of the integrity and security of data as it flows through the application from input to output.

False positive results might be reported when analysing an application that interacts with closed source components or external systems because without the source code it is impossible to trace the flow of data in the external system and hence ensure the integrity and security of the data.

===False Negatives===
The use of static code analysis tools can also result in false negative results where vulnerabilities result but the tool does not report them. This might occur if a new vulnerability is discovered in an external component or if the analysis tool has no knowledge of the runtime environment and whether it is configured securely.

==Important Selection Criteria==

* Requirement: Must support your language, but not usually a key factor once it does.
* Types of Vulnerabilities it can detect (The OWASP Top Ten?) (more?)
* Does it require a fully buildable set of source?
* Can it run against binaries instead of source?
* Can it be integrated into the developer's IDE?
* License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)
* Does it support Object-oriented programming (OOP)?

==Examples==

===RIPS PHP Static Code Analysis Tool===
[[File:Rips.jpg|400px|thum|]]

===OWASP LAPSE+ Static Code Analysis Tool===
[[File:LapsePlusScreenshot.png|400px|thum|]]

== Tools ==

===OWASP Tools===
* [https://www.owasp.org/index.php/Category:OWASP_Code_Crawler OWASP Code Crawler] (.NET & Java)
* [https://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project] (Java,PHP,C & JSP)
* [[OWASP_LAPSE_Project | OWASP LAPSE Project]] (Java)
* [[OWASP O2 Platform]]

=== Open Source/Free ===

* [http://www.stachliu.com/resources/tools/google-hacking-diggity-project/attack-tools/ Google CodeSearchDiggity] (Multiple)
* [http://pmd.sourceforge.net/ PMD] (Java)
* [http://www.dwheeler.com/flawfinder/ FlawFinder] (C/C++)
* [http://msdn.microsoft.com/en-us/library/bb429476(v=vs.80).aspx Microsoft FxCop] (.NET)
* [http://www.splint.org Splint] (C)
* [http://findbugs.sourceforge.net/ FindBugs] (Java)
* [http://sourceforge.net/projects/rips-scanner/ RIPS] (PHP)
* [https://www.owasp.org/index.php/OWASP_WAP-Web_Application_Protection/ OWASP WAP] (PHP)
* [http://sourceforge.net/projects/agnitiotool/ Agnitio] (Objective-C, C#, Java & Android)
* [http://msdn.microsoft.com/en-us/library/ms933794.aspx Microsoft PreFast] (C/C++)
* [https://www.fortify.com/ssa-elements/threat-intelligence/rats.html Fortify RATS] (C, C++, Perl, PHP & Python)
* [http://www.devbug.co.uk DevBug] (PHP)
* [http://brakemanscanner.org/ Brakeman] (Rails)
* [http://sourceforge.net/projects/visualcodegrepp/ VisualCodeGrepper] (C/C++, C#, VB, PHP, Java & PL/SQL)

=== Commercial ===

* [https://www.fortify.com/ Fortify] (OWASP Member)
* [https://www.veracode.com/ Veracode] (OWASP Member)
* [http://www.grammatech.com/ GrammaTech]
* [http://www.parasoft.com/jsp/home.jsp ParaSoft]
* [http://www.armorize.com/codesecure/ Armorize CodeSecure] (OWASP Member)
* [http://www.checkmarx.com/ Checkmarx Static Code Analysis] (OWASP Member)
* [http://www-01.ibm.com/software/rational/products/appscan/source/ Rational AppScan Source Edition]
* [http://www.coverity.com/products/static-analysis.html Coverity]
* [http://www.viva64.com/en/ PVS-Studio]
* [http://www.klocwork.com/products/insight.asp Insight]
* [http://www.mathworks.com/products/polyspace/ Polyspace Static Analysis]

===Other Tool Lists===

* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html NIST - Source Code Security Analyzers]
* [http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis Wikipedia - List of tools for static code analysis]

==References==

[0] Ministry of Defence (MoD). (1997) ''SAFETY RELATED SOFTWARE IN DEFENSE EQUIPMENT'' [Online]. Available at: http://www.software-supportability.org/Docs/00-55_Part_2.pdf (Accessed: 5 January 2012).

[1] Northumbria University. (2012) ''Implementing Basic Static Code Analysis into Integrated Development Environments (IDEs) to Reduce Software Vulnerabilities'' [Online]. Available at: http://www.ethicalhack3r.co.uk/wp-content/uploads/2012/09/Implementing-Basic-Static-Code-Analysis-into-Integrated-Development-Environments-IDEs-to-Reduce-Software-Vulnerabilities.pdf (Accessed: 19 March 2013)

== Further Reading ==

* [https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf OWASP Code Review Guide v1.1]
* http://www.crosstalkonline.org/storage/issue-archives/2003/200311/200311-German.pdf
* http://www.ida.liu.se/~TDDC90/papers/industrial95.pdf
* http://www.php-security.org/downloads/rips.pdf
* http://www.seclab.tuwien.ac.at/papers/pixy.pdf

[[Category:FIXME|

In addition, one should classify control based on the following subcategories: Ex:<nowiki>[[Category:Error Handling Control]]</nowiki>

Availability Control

Authorization Control

Authentication Control

Concurrency Control

Configuration Control

Cryptographic Control

Encoding Control

Error Handling Control

Input Validation Control

Logging and Auditing Control

Session Management Control
]]
__FORCETOC__

[[Category:Control]]

OWASP WAP-Web Application Protection

2015-10-03T02:30:42Z

Iberiam: /* News and Events */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

*02.Out.2015 - A new version of WAP is available - WAP v2.0.2 
*WAP in Instituto Federal Catarinense, Blumenau, Brasil 
*WAP in Universidade Federal do Amazonas, Manaus, Brasil 
*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora] 
*[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg] 
*[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL] 
*[http://awap.sourceforge.net/news.html Many articles are talking about WAP] 
*[http://2014.dsn.org/ WAP in DSN Conference] 
*[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP] 
*[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1] 
*[http://www.indin2013.org/n/ WAP in INDIN Conference] 

|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

=Events and Publications=

===Events===
WAP in Instituto Federal Catarinense, Blumenau, Brasil
* Miguel Correia presented the comunication: '''''Protection of Web Applications with the WAP Tool'''''. Aug 2015. 
 

WAP in Universidade Federal do Amazonas, Manaus, Brasil
* Miguel Correia presented the comunication: '''''Protection of Web Applications with Data Mining to Detect False Positives'''''. Jul 2015. 
 

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora]
* Miguel Correia presented the comunication: '''''Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool'''''. Apr 2015. 
 

[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]
* Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP). March 2015. 
 

[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL]
* Ibéria Medeiros presented the WAP tool in the ACM Student Chapter. March 2015. 
 

[http://awap.sourceforge.net/news.html Many articles are talking about WAP] 
 

[http://2014.dsn.org/ WAP in DSN Conference]
* Miguel Correia presented the comunication: '''''Web Application Protection with the WAP tool'''''. June 2014. 
 

[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP]
* Ibéria Medeiros presented a seminar: '''''Hybrid Methods to Detect and Correct Web Application Vulnerabilities Automatically'''''. May 2014. 
 

[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1]
* Ibéria Medeiros presented the comunication: '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positive'''''s. April 2014. 
 

[http://www.indin2013.org/n/ WAP in INDIN Conference]
* Ibéria Medeiros presented the comunication: '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. July 2013. 

===Publications===
* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Detecting and Removing Web Application Vulnerabilities with Static Analysis and Data Mining'''''. IEEE Transactions on Reliability, (accepted for publication)

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Web Application Protection with the WAP tool''''' (fast abstract). Proceedings of the 44th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'14), Atlanta, Georgia USA, June 2014. ([http://awap.sourceforge.net/papers/DSN14-fa.pdf paper])

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positives'''''. Proceedings of the 23rd International Conference on World Wide Web (WWW), Seoul, Korea, 11 pages, April 2014. ([http://awap.sourceforge.net/papers/WWW14.pdf paper])

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. Proceedings of the IEEE International Conference on Industrial Informatics (INDIN), Bochum, Germany, 6 pages, July 2013. ([http://awap.sourceforge.net/papers/INDIN13.pdf paper])

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-10-03T02:28:50Z

Iberiam: /* News and Events */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

*A new version of WAP is available - WAP v2.0.2 
*WAP in Instituto Federal Catarinense, Blumenau, Brasil 
*WAP in Universidade Federal do Amazonas, Manaus, Brasil 
*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora] 
*[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg] 
*[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL] 
*[http://awap.sourceforge.net/news.html Many articles are talking about WAP] 
*[http://2014.dsn.org/ WAP in DSN Conference] 
*[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP] 
*[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1] 
*[http://www.indin2013.org/n/ WAP in INDIN Conference] 

|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

=Events and Publications=

===Events===
WAP in Instituto Federal Catarinense, Blumenau, Brasil
* Miguel Correia presented the comunication: '''''Protection of Web Applications with the WAP Tool'''''. Aug 2015. 
 

WAP in Universidade Federal do Amazonas, Manaus, Brasil
* Miguel Correia presented the comunication: '''''Protection of Web Applications with Data Mining to Detect False Positives'''''. Jul 2015. 
 

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora]
* Miguel Correia presented the comunication: '''''Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool'''''. Apr 2015. 
 

[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]
* Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP). March 2015. 
 

[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL]
* Ibéria Medeiros presented the WAP tool in the ACM Student Chapter. March 2015. 
 

[http://awap.sourceforge.net/news.html Many articles are talking about WAP] 
 

[http://2014.dsn.org/ WAP in DSN Conference]
* Miguel Correia presented the comunication: '''''Web Application Protection with the WAP tool'''''. June 2014. 
 

[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP]
* Ibéria Medeiros presented a seminar: '''''Hybrid Methods to Detect and Correct Web Application Vulnerabilities Automatically'''''. May 2014. 
 

[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1]
* Ibéria Medeiros presented the comunication: '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positive'''''s. April 2014. 
 

[http://www.indin2013.org/n/ WAP in INDIN Conference]
* Ibéria Medeiros presented the comunication: '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. July 2013. 

===Publications===
* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Detecting and Removing Web Application Vulnerabilities with Static Analysis and Data Mining'''''. IEEE Transactions on Reliability, (accepted for publication)

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Web Application Protection with the WAP tool''''' (fast abstract). Proceedings of the 44th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'14), Atlanta, Georgia USA, June 2014. ([http://awap.sourceforge.net/papers/DSN14-fa.pdf paper])

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positives'''''. Proceedings of the 23rd International Conference on World Wide Web (WWW), Seoul, Korea, 11 pages, April 2014. ([http://awap.sourceforge.net/papers/WWW14.pdf paper])

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. Proceedings of the IEEE International Conference on Industrial Informatics (INDIN), Bochum, Germany, 6 pages, July 2013. ([http://awap.sourceforge.net/papers/INDIN13.pdf paper])

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-09-15T00:12:56Z

Iberiam: /* News and Events */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

*WAP in Instituto Federal Catarinense, Blumenau, Brasil 
*WAP in Universidade Federal do Amazonas, Manaus, Brasil 
*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora] 
*[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg] 
*[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL] 
*[http://awap.sourceforge.net/news.html Many articles are talking about WAP] 
*[http://2014.dsn.org/ WAP in DSN Conference] 
*[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP] 
*[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1] 
*[http://www.indin2013.org/n/ WAP in INDIN Conference] 

|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

=Events and Publications=

===Events===
WAP in Instituto Federal Catarinense, Blumenau, Brasil
* Miguel Correia presented the comunication: '''''Protection of Web Applications with the WAP Tool'''''. Aug 2015. 
 

WAP in Universidade Federal do Amazonas, Manaus, Brasil
* Miguel Correia presented the comunication: '''''Protection of Web Applications with Data Mining to Detect False Positives'''''. Jul 2015. 
 

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora]
* Miguel Correia presented the comunication: '''''Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool'''''. Apr 2015. 
 

[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]
* Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP). March 2015. 
 

[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL]
* Ibéria Medeiros presented the WAP tool in the ACM Student Chapter. March 2015. 
 

[http://awap.sourceforge.net/news.html Many articles are talking about WAP] 
 

[http://2014.dsn.org/ WAP in DSN Conference]
* Miguel Correia presented the comunication: '''''Web Application Protection with the WAP tool'''''. June 2014. 
 

[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP]
* Ibéria Medeiros presented a seminar: '''''Hybrid Methods to Detect and Correct Web Application Vulnerabilities Automatically'''''. May 2014. 
 

[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1]
* Ibéria Medeiros presented the comunication: '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positive'''''s. April 2014. 
 

[http://www.indin2013.org/n/ WAP in INDIN Conference]
* Ibéria Medeiros presented the comunication: '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. July 2013. 

===Publications===
* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Detecting and Removing Web Application Vulnerabilities with Static Analysis and Data Mining'''''. IEEE Transactions on Reliability, (accepted for publication)

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Web Application Protection with the WAP tool''''' (fast abstract). Proceedings of the 44th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'14), Atlanta, Georgia USA, June 2014. ([http://awap.sourceforge.net/papers/DSN14-fa.pdf paper])

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positives'''''. Proceedings of the 23rd International Conference on World Wide Web (WWW), Seoul, Korea, 11 pages, April 2014. ([http://awap.sourceforge.net/papers/WWW14.pdf paper])

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. Proceedings of the IEEE International Conference on Industrial Informatics (INDIN), Bochum, Germany, 6 pages, July 2013. ([http://awap.sourceforge.net/papers/INDIN13.pdf paper])

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-09-15T00:02:15Z

Iberiam: /* Publications */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora] 
*[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg] 
*[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL] 
*[http://awap.sourceforge.net/news.html Many articles are talking about WAP] 
*[http://2014.dsn.org/ WAP in DSN Conference] 
*[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP] 
*[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1] 
*[http://www.indin2013.org/n/ WAP in INDIN Conference] 

|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

=Events and Publications=

===Events===
WAP in Instituto Federal Catarinense, Blumenau, Brasil
* Miguel Correia presented the comunication: '''''Protection of Web Applications with the WAP Tool'''''. Aug 2015. 
 

WAP in Universidade Federal do Amazonas, Manaus, Brasil
* Miguel Correia presented the comunication: '''''Protection of Web Applications with Data Mining to Detect False Positives'''''. Jul 2015. 
 

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora]
* Miguel Correia presented the comunication: '''''Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool'''''. Apr 2015. 
 

[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]
* Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP). March 2015. 
 

[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL]
* Ibéria Medeiros presented the WAP tool in the ACM Student Chapter. March 2015. 
 

[http://awap.sourceforge.net/news.html Many articles are talking about WAP] 
 

[http://2014.dsn.org/ WAP in DSN Conference]
* Miguel Correia presented the comunication: '''''Web Application Protection with the WAP tool'''''. June 2014. 
 

[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP]
* Ibéria Medeiros presented a seminar: '''''Hybrid Methods to Detect and Correct Web Application Vulnerabilities Automatically'''''. May 2014. 
 

[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1]
* Ibéria Medeiros presented the comunication: '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positive'''''s. April 2014. 
 

[http://www.indin2013.org/n/ WAP in INDIN Conference]
* Ibéria Medeiros presented the comunication: '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. July 2013. 

===Publications===
* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Detecting and Removing Web Application Vulnerabilities with Static Analysis and Data Mining'''''. IEEE Transactions on Reliability, (accepted for publication)

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Web Application Protection with the WAP tool''''' (fast abstract). Proceedings of the 44th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'14), Atlanta, Georgia USA, June 2014. ([http://awap.sourceforge.net/papers/DSN14-fa.pdf paper])

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positives'''''. Proceedings of the 23rd International Conference on World Wide Web (WWW), Seoul, Korea, 11 pages, April 2014. ([http://awap.sourceforge.net/papers/WWW14.pdf paper])

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. Proceedings of the IEEE International Conference on Industrial Informatics (INDIN), Bochum, Germany, 6 pages, July 2013. ([http://awap.sourceforge.net/papers/INDIN13.pdf paper])

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-09-14T23:48:54Z

Iberiam: /* Events */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora] 
*[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg] 
*[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL] 
*[http://awap.sourceforge.net/news.html Many articles are talking about WAP] 
*[http://2014.dsn.org/ WAP in DSN Conference] 
*[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP] 
*[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1] 
*[http://www.indin2013.org/n/ WAP in INDIN Conference] 

|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

=Events and Publications=

===Events===
WAP in Instituto Federal Catarinense, Blumenau, Brasil
* Miguel Correia presented the comunication: '''''Protection of Web Applications with the WAP Tool'''''. Aug 2015. 
 

WAP in Universidade Federal do Amazonas, Manaus, Brasil
* Miguel Correia presented the comunication: '''''Protection of Web Applications with Data Mining to Detect False Positives'''''. Jul 2015. 
 

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora]
* Miguel Correia presented the comunication: '''''Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool'''''. Apr 2015. 
 

[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]
* Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP). March 2015. 
 

[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL]
* Ibéria Medeiros presented the WAP tool in the ACM Student Chapter. March 2015. 
 

[http://awap.sourceforge.net/news.html Many articles are talking about WAP] 
 

[http://2014.dsn.org/ WAP in DSN Conference]
* Miguel Correia presented the comunication: '''''Web Application Protection with the WAP tool'''''. June 2014. 
 

[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP]
* Ibéria Medeiros presented a seminar: '''''Hybrid Methods to Detect and Correct Web Application Vulnerabilities Automatically'''''. May 2014. 
 

[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1]
* Ibéria Medeiros presented the comunication: '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positive'''''s. April 2014. 
 

[http://www.indin2013.org/n/ WAP in INDIN Conference]
* Ibéria Medeiros presented the comunication: '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. July 2013. 

===Publications===
* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Web Application Protection with the WAP tool''''' (fast abstract). Proceedings of the 44th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'14), Atlanta, Georgia USA, June 2014. ([http://awap.sourceforge.net/papers/DSN14-fa.pdf paper])

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positives'''''. Proceedings of the 23rd International Conference on World Wide Web (WWW), Seoul, Korea, 11 pages, April 2014. ([http://awap.sourceforge.net/papers/WWW14.pdf paper])

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. Proceedings of the IEEE International Conference on Industrial Informatics (INDIN), Bochum, Germany, 6 pages, July 2013. ([http://awap.sourceforge.net/papers/INDIN13.pdf paper])

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-09-14T23:44:30Z

Iberiam: /* Events */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora] 
*[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg] 
*[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL] 
*[http://awap.sourceforge.net/news.html Many articles are talking about WAP] 
*[http://2014.dsn.org/ WAP in DSN Conference] 
*[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP] 
*[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1] 
*[http://www.indin2013.org/n/ WAP in INDIN Conference] 

|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

=Events and Publications=

===Events===
WAP in Instituto Federal Catarinense, Blumenau, Brasil
* Miguel Correia presented the comunication: '''''Proteção de Aplicações Web com a Ferramenta WAP'''''. Aug 2015. 
 

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora]
* Miguel Correia presented the comunication: '''''Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool'''''. Apr 2015. 
 

[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]
* Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP). March 2015. 
 

[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL]
* Ibéria Medeiros presented the WAP tool in the ACM Student Chapter. March 2015. 
 

[http://awap.sourceforge.net/news.html Many articles are talking about WAP] 
 

[http://2014.dsn.org/ WAP in DSN Conference]
* Miguel Correia presented the comunication: '''''Web Application Protection with the WAP tool'''''. June 2014. 
 

[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP]
* Ibéria Medeiros presented a seminar: '''''Hybrid Methods to Detect and Correct Web Application Vulnerabilities Automatically'''''. May 2014. 
 

[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1]
* Ibéria Medeiros presented the comunication: '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positive'''''s. April 2014. 
 

[http://www.indin2013.org/n/ WAP in INDIN Conference]
* Ibéria Medeiros presented the comunication: '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. July 2013. 

===Publications===
* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Web Application Protection with the WAP tool''''' (fast abstract). Proceedings of the 44th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'14), Atlanta, Georgia USA, June 2014. ([http://awap.sourceforge.net/papers/DSN14-fa.pdf paper])

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positives'''''. Proceedings of the 23rd International Conference on World Wide Web (WWW), Seoul, Korea, 11 pages, April 2014. ([http://awap.sourceforge.net/papers/WWW14.pdf paper])

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. Proceedings of the IEEE International Conference on Industrial Informatics (INDIN), Bochum, Germany, 6 pages, July 2013. ([http://awap.sourceforge.net/papers/INDIN13.pdf paper])

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-30T00:56:42Z

Iberiam: /* Events */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora] 
*[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg] 
*[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL] 
*[http://awap.sourceforge.net/news.html Many articles are talking about WAP] 
*[http://2014.dsn.org/ WAP in DSN Conference] 
*[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP] 
*[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1] 
*[http://www.indin2013.org/n/ WAP in INDIN Conference] 

|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

=Events and Publications=

===Events===
[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora]
* Miguel Correia presented the comunication: '''''Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool'''''. Apr 2015. 
 

[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]
* Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP). March 2015. 
 

[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL]
* Ibéria Medeiros presented the WAP tool in the ACM Student Chapter. March 2015. 
 

[http://awap.sourceforge.net/news.html Many articles are talking about WAP] 
 

[http://2014.dsn.org/ WAP in DSN Conference]
* Miguel Correia presented the comunication: '''''Web Application Protection with the WAP tool'''''. June 2014. 
 

[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP]
* Ibéria Medeiros presented a seminar: '''''Hybrid Methods to Detect and Correct Web Application Vulnerabilities Automatically'''''. May 2014. 
 

[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1]
* Ibéria Medeiros presented the comunication: '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positive'''''s. April 2014. 
 

[http://www.indin2013.org/n/ WAP in INDIN Conference]
* Ibéria Medeiros presented the comunication: '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. July 2013. 

===Publications===
* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Web Application Protection with the WAP tool''''' (fast abstract). Proceedings of the 44th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'14), Atlanta, Georgia USA, June 2014. ([http://awap.sourceforge.net/papers/DSN14-fa.pdf paper])

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positives'''''. Proceedings of the 23rd International Conference on World Wide Web (WWW), Seoul, Korea, 11 pages, April 2014. ([http://awap.sourceforge.net/papers/WWW14.pdf paper])

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. Proceedings of the IEEE International Conference on Industrial Informatics (INDIN), Bochum, Germany, 6 pages, July 2013. ([http://awap.sourceforge.net/papers/INDIN13.pdf paper])

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-30T00:50:31Z

Iberiam: /* News and Events */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora] 
*[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg] 
*[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL] 
*[http://awap.sourceforge.net/news.html Many articles are talking about WAP] 
*[http://2014.dsn.org/ WAP in DSN Conference] 
*[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP] 
*[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1] 
*[http://www.indin2013.org/n/ WAP in INDIN Conference] 

|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

=Events and Publications=

===Events===
*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora]. Miguel Correia presented the comunication: '''''Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool'''''. Apr 2015. 

* [https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]. Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP). March 2015. 

* [http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL]. Ibéria Medeiros presented the WAP tool in the ACM Student Chapter. March 2015. 

* [http://awap.sourceforge.net/news.html Many articles are talking about WAP] 

* [http://2014.dsn.org/ WAP in DSN Conference]. Miguel Correia presented the comunication: '''''Web Application Protection with the WAP tool'''''. June 2014. 

* [https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP]. Ibéria Medeiros presented a seminar: '''''Hybrid Methods to Detect and Correct Web Application Vulnerabilities Automatically'''''. May 2014. 

* [http://www2014.kr/ WAP in WWW Conference, in the research track Security 1]. Ibéria Medeiros presented the comunication: '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positive'''''s. April 2014. 

* [http://www.indin2013.org/n/ WAP in INDIN Conference], Ibéria Medeiros presented the comunication: '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. July 2013. 

===Publications===
* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Web Application Protection with the WAP tool''''' (fast abstract). Proceedings of the 44th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'14), Atlanta, Georgia USA, June 2014. ([http://awap.sourceforge.net/papers/DSN14-fa.pdf paper])

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positives'''''. Proceedings of the 23rd International Conference on World Wide Web (WWW), Seoul, Korea, 11 pages, April 2014. ([http://awap.sourceforge.net/papers/WWW14.pdf paper])

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. Proceedings of the IEEE International Conference on Industrial Informatics (INDIN), Bochum, Germany, 6 pages, July 2013. ([http://awap.sourceforge.net/papers/INDIN13.pdf paper])

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T14:45:51Z

Iberiam: /* Events and Publications */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora] 
[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg] 
[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL] 
[http://awap.sourceforge.net/news.html Many articles are talking about WAP] 
[http://2014.dsn.org/ WAP in DSN Conference] 
[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP] 
[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1] 
[http://www.indin2013.org/n/ WAP in INDIN Conference] 

|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

=Events and Publications=

===Events===
*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora]. Miguel Correia presented the comunication: '''''Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool'''''. Apr 2015. 

* [https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]. Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP). March 2015. 

* [http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL]. Ibéria Medeiros presented the WAP tool in the ACM Student Chapter. March 2015. 

* [http://awap.sourceforge.net/news.html Many articles are talking about WAP] 

* [http://2014.dsn.org/ WAP in DSN Conference]. Miguel Correia presented the comunication: '''''Web Application Protection with the WAP tool'''''. June 2014. 

* [https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP]. Ibéria Medeiros presented a seminar: '''''Hybrid Methods to Detect and Correct Web Application Vulnerabilities Automatically'''''. May 2014. 

* [http://www2014.kr/ WAP in WWW Conference, in the research track Security 1]. Ibéria Medeiros presented the comunication: '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positive'''''s. April 2014. 

* [http://www.indin2013.org/n/ WAP in INDIN Conference], Ibéria Medeiros presented the comunication: '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. July 2013. 

===Publications===
* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Web Application Protection with the WAP tool''''' (fast abstract). Proceedings of the 44th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'14), Atlanta, Georgia USA, June 2014. ([http://awap.sourceforge.net/papers/DSN14-fa.pdf paper])

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positives'''''. Proceedings of the 23rd International Conference on World Wide Web (WWW), Seoul, Korea, 11 pages, April 2014. ([http://awap.sourceforge.net/papers/WWW14.pdf paper])

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. Proceedings of the IEEE International Conference on Industrial Informatics (INDIN), Bochum, Germany, 6 pages, July 2013. ([http://awap.sourceforge.net/papers/INDIN13.pdf paper])

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T02:25:03Z

Iberiam: /* Events and Publications */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora] 
[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg] 
[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL] 
[http://awap.sourceforge.net/news.html Many articles are talking about WAP] 
[http://2014.dsn.org/ WAP in DSN Conference] 
[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP] 
[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1] 
[http://www.indin2013.org/n/ WAP in INDIN Conference] 

|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

=Events and Publications=

===Events===
*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora]. Miguel Correia presented the comunication: '''''Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool'''''. Apr 2015. 

* [https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]. Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP). March 2015. 

* [http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL]. Ibéria Medeiros presented the WAP tool in the ACM Student Chapter. Narch 2015. 

* [http://awap.sourceforge.net/news.html Many articles are talking about WAP] 

* [http://2014.dsn.org/ WAP in DSN Conference]. Miguel Correia presented the comunication: '''''Web Application Protection with the WAP tool'''''. June 2014. 

* [https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP]. Ibéria Medeiros presented a seminar: '''''Hybrid Methods to Detect and Correct Web Application Vulnerabilities Automatically'''''. May 2014. 

* [http://www2014.kr/ WAP in WWW Conference, in the research track Security 1]. Ibéria Medeiros presented the comunication: '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positive'''''s. April 2014. 

* [http://www.indin2013.org/n/ WAP in INDIN Conference], Ibéria Medeiros presented the comunication: '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. July 2013. 

===Publications===
* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Web Application Protection with the WAP tool''''' (fast abstract). Proceedings of the 44th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'14), Atlanta, Georgia USA, June 2014. ([http://awap.sourceforge.net/papers/DSN14-fa.pdf paper])

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positives'''''. Proceedings of the 23rd International Conference on World Wide Web (WWW), Seoul, Korea, 11 pages, April 2014. ([http://awap.sourceforge.net/papers/WWW14.pdf paper])

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. Proceedings of the IEEE International Conference on Industrial Informatics (INDIN), Bochum, Germany, 6 pages, July 2013. ([http://awap.sourceforge.net/papers/INDIN13.pdf paper])

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T02:24:29Z

Iberiam: /* Events and Publications */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora] 
[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg] 
[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL] 
[http://awap.sourceforge.net/news.html Many articles are talking about WAP] 
[http://2014.dsn.org/ WAP in DSN Conference] 
[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP] 
[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1] 
[http://www.indin2013.org/n/ WAP in INDIN Conference] 

|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

=Events and Publications=

===Events===
*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora]. Miguel Correia presented the comunication: '''''Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool'''''. Apr 2015. 

* [https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]. Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP). March 2015. 

* [http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL]. Ibéria Medeiros presented the WAP tool in the ACM Student Chapter. Narch 2015. 

* [http://awap.sourceforge.net/news.html Many articles are talking about WAP] 

* [http://2014.dsn.org/ WAP in DSN Conference]. Miguel Correia presented the comunication: '''''Web Application Protection with the WAP tool'''''. June 2014. 

* [https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP]. Ibéria Medeiros presented a seminar: '''''Hybrid Methods to Detect and Correct Web Application Vulnerabilities Automatically'''''. May 2014. 

* [http://www2014.kr/ WAP in WWW Conference, in the research track Security 1]. Ibéria Medeiros presented the comunication: '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positive'''''s. April 2014. 

* [http://www.indin2013.org/n/ WAP in INDIN Conference], Ibéria Medeiros presented the comunication: '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. July 2013. 

===Publications===
* Ibéria Medeiros, Nuno Neves, Miguel Correia. Web Application Protection with the WAP tool (fast abstract). Proceedings of the 44th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'14), Atlanta, Georgia USA, June 2014. ([http://awap.sourceforge.net/papers/DSN14-fa.pdf paper])

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positives'''''. Proceedings of the 23rd International Conference on World Wide Web (WWW), Seoul, Korea, 11 pages, April 2014. ([http://awap.sourceforge.net/papers/WWW14.pdf paper])

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. Proceedings of the IEEE International Conference on Industrial Informatics (INDIN), Bochum, Germany, 6 pages, July 2013. ([http://awap.sourceforge.net/papers/INDIN13.pdf paper])

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T02:22:27Z

Iberiam: /* Events and Publications */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora] 
[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg] 
[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL] 
[http://awap.sourceforge.net/news.html Many articles are talking about WAP] 
[http://2014.dsn.org/ WAP in DSN Conference] 
[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP] 
[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1] 
[http://www.indin2013.org/n/ WAP in INDIN Conference] 

|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

=Events and Publications=

===Events===
*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora]. Miguel Correia presented the comunication: '''''Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool'''''. Apr 2015. 

* [https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]. Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP). March 2015. 

* [http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL]. Ibéria Medeiros presented the WAP tool in the ACM Student Chapter. Narch 2015. 

* [http://awap.sourceforge.net/news.html Many articles are talking about WAP] 

* [http://2014.dsn.org/ WAP in DSN Conference]. Miguel Correia presented the comunication: '''''Web Application Protection with the WAP tool'''''. June 2014. 

* [https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP]. Ibéria Medeiros presented a seminar: '''''Hybrid Methods to Detect and Correct Web Application Vulnerabilities Automatically'''''. May 2014. 

* [http://www2014.kr/ WAP in WWW Conference, in the research track Security 1]. Ibéria Medeiros presented the comunication: '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positive'''''s. April 2014. 

* [http://www.indin2013.org/n/ WAP in INDIN Conference], Ibéria Medeiros presented the comunication: '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. July 2013. 

===Publications===
* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positives'''''. Proceedings of the 23rd International Conference on World Wide Web (WWW), Seoul, Korea, 11 pages, April 2014. ([http://awap.sourceforge.net/papers/WWW14.pdf paper])

* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. Proceedings of the IEEE International Conference on Industrial Informatics (INDIN), Bochum, Germany, 6 pages, July 2013. ([http://awap.sourceforge.net/papers/INDIN13.pdf paper])

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T02:16:21Z

Iberiam: /* Events and Publications */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora] 
[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg] 
[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL] 
[http://awap.sourceforge.net/news.html Many articles are talking about WAP] 
[http://2014.dsn.org/ WAP in DSN Conference] 
[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP] 
[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1] 
[http://www.indin2013.org/n/ WAP in INDIN Conference] 

|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

=Events and Publications=

===Events===
*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora]. Miguel Correia presented the comunication: '''''Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool'''''. Apr 2015. 

* [https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]. Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP). March 2015. 

* [http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL]. Ibéria Medeiros presented the WAP tool in the ACM Student Chapter. Narch 2015. 

* [http://awap.sourceforge.net/news.html Many articles are talking about WAP] 

* [http://2014.dsn.org/ WAP in DSN Conference]. Miguel Correia presented the comunication: '''''Web Application Protection with the WAP tool'''''. June 2014. 

* [https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP]. Ibéria Medeiros presented a seminar: '''''Hybrid Methods to Detect and Correct Web Application Vulnerabilities Automatically'''''. May 2014. 

* [http://www2014.kr/ WAP in WWW Conference, in the research track Security 1]. Ibéria Medeiros presented the comunication: '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positive'''''s. April 2014. 

* [http://www.indin2013.org/n/ WAP in INDIN Conference], Ibéria Medeiros presented the comunication: '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. July 2013. 

===Publications===

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T02:14:48Z

Iberiam: /* News and Events */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora] 
[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg] 
[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL] 
[http://awap.sourceforge.net/news.html Many articles are talking about WAP] 
[http://2014.dsn.org/ WAP in DSN Conference] 
[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP] 
[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1] 
[http://www.indin2013.org/n/ WAP in INDIN Conference] 

|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

=Events and Publications=

===Events===
*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora]. Miguel Correia presented the comunication: '''''Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool'''''. Apr 2015. 

* [https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]. Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP). March 2015. 

* [http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL]. Ibéria Medeiros presented the WAP tool in the ACM Student Chapter. Narch 2015. 

* [http://awap.sourceforge.net/news.html Many articles are talking about WAP] 

* [https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP]. Ibéria Medeiros presented a seminar: '''''Hybrid Methods to Detect and Correct Web Application Vulnerabilities Automatically'''''. May 2014. 

* [http://www2014.kr/ WAP in WWW Conference, in the research track Security 1]. Ibéria Medeiros presented the comunication: '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positive'''''s. April 2014. 

* [http://www.indin2013.org/n/ WAP in INDIN Conference], Ibéria Medeiros presented the comunication: '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. July 2013. 

===Publications===

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T02:10:03Z

Iberiam: /* News and Events */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora] 
[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg] 
[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL] 
[http://awap.sourceforge.net/news.html Many articles are talking about WAP] 
[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP] 
[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1] 
[http://www.indin2013.org/n/ WAP in INDIN Conference] 

|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

=Events and Publications=

===Events===
*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora]. Miguel Correia presented the comunication: '''''Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool'''''. Apr 2015. 

* [https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]. Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP). March 2015. 

* [http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL]. Ibéria Medeiros presented the WAP tool in the ACM Student Chapter. Narch 2015. 

* [http://awap.sourceforge.net/news.html Many articles are talking about WAP] 

* [https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP]. Ibéria Medeiros presented a seminar: '''''Hybrid Methods to Detect and Correct Web Application Vulnerabilities Automatically'''''. May 2014. 

* [http://www2014.kr/ WAP in WWW Conference, in the research track Security 1]. Ibéria Medeiros presented the comunication: '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positive'''''s. April 2014. 

* [http://www.indin2013.org/n/ WAP in INDIN Conference], Ibéria Medeiros presented the comunication: '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. July 2013. 

===Publications===

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T02:09:13Z

Iberiam: /* Events and Publications */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora] 
[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg] 
[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL] 
[http://awap.sourceforge.net/news.html Many articles are talking about WAP] 
[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP] 
[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1] 
[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1] 

|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

=Events and Publications=

===Events===
*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora]. Miguel Correia presented the comunication: '''''Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool'''''. Apr 2015. 

* [https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]. Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP). March 2015. 

* [http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL]. Ibéria Medeiros presented the WAP tool in the ACM Student Chapter. Narch 2015. 

* [http://awap.sourceforge.net/news.html Many articles are talking about WAP] 

* [https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP]. Ibéria Medeiros presented a seminar: '''''Hybrid Methods to Detect and Correct Web Application Vulnerabilities Automatically'''''. May 2014. 

* [http://www2014.kr/ WAP in WWW Conference, in the research track Security 1]. Ibéria Medeiros presented the comunication: '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positive'''''s. April 2014. 

* [http://www.indin2013.org/n/ WAP in INDIN Conference], Ibéria Medeiros presented the comunication: '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. July 2013. 

===Publications===

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T01:59:46Z

Iberiam: /* News and Events */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora] 
[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg] 
[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL] 
[http://awap.sourceforge.net/news.html Many articles are talking about WAP] 
[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP] 
[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1] 
[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1] 

|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

=Events and Publications=

===Events===
*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora]. Miguel Correia presented the comunication: '''''Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool'''''. Apr 2015. 

* [https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]. Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP). March 2015. 

* [http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL]. Ibéria Medeiros presented the WAP tool in the ACM Student Chapter. Narch 2015. 

* [http://awap.sourceforge.net/news.html Many articles are talking about WAP] 

* [https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP]. Ibéria Medeiros presented a seminar: '''''Hybrid Methods to Detect and Correct Web Application Vulnerabilities Automatically'''''. May 2014. 

* [http://www2014.kr/ WAP in WWW Conference, in the research track Security 1]. Ibéria Medeiros presented the comunication: '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positive'''''s. April 2014. 

===Publications===

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T01:59:19Z

Iberiam: /* Events and Publications */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora] 
[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg] 
[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL] 
[http://awap.sourceforge.net/news.html Many articles are talking about WAP] 
[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP] 
|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

=Events and Publications=

===Events===
*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora]. Miguel Correia presented the comunication: '''''Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool'''''. Apr 2015. 

* [https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]. Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP). March 2015. 

* [http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL]. Ibéria Medeiros presented the WAP tool in the ACM Student Chapter. Narch 2015. 

* [http://awap.sourceforge.net/news.html Many articles are talking about WAP] 

* [https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP]. Ibéria Medeiros presented a seminar: '''''Hybrid Methods to Detect and Correct Web Application Vulnerabilities Automatically'''''. May 2014. 

* [http://www2014.kr/ WAP in WWW Conference, in the research track Security 1]. Ibéria Medeiros presented the comunication: '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positive'''''s. April 2014. 

===Publications===

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T01:48:38Z

Iberiam: /* News and Events */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora] 
[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg] 
[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL] 
[http://awap.sourceforge.net/news.html Many articles are talking about WAP] 
[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP] 
|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

=Events and Publications=

===Events===
*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora]. Miguel Correia presented the comunication: '''''Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool'''''. Apr 2015. 

* [https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]. Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP). March 2015. 

* [http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL]. Ibéria Medeiros presented the WAP tool in the ACM Student Chapter. Narch 2015. 

===Publications===

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T01:40:43Z

Iberiam: /* News and Events */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora] 
[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg] 
[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL] 
[http://awap.sourceforge.net/news.html Many articles are talking about WAP] 
|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

=Events and Publications=

===Events===
*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora]. Miguel Correia presented the comunication: '''''Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool'''''. Apr 2015. 

* [https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]. Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP). March 2015. 

* [http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL]. Ibéria Medeiros presented the WAP tool in the ACM Student Chapter. Narch 2015. 

===Publications===

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T01:37:41Z

Iberiam: /* News and Events */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora] 
[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg] 
[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL] 
|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

=Events and Publications=

===Events===
*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora]. Miguel Correia presented the comunication: '''''Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool'''''. Apr 2015. 

* [https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]. Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP). March 2015. 

* [http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL]. Ibéria Medeiros presented the WAP tool in the ACM Student Chapter. Narch 2015. 

===Publications===

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T01:37:34Z

Iberiam: /* Events and Publications */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora by Miguel Correia] 
[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg, by Ibéria Medeiros] 

|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

=Events and Publications=

===Events===
*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora]. Miguel Correia presented the comunication: '''''Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool'''''. Apr 2015. 

* [https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]. Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP). March 2015. 

* [http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL]. Ibéria Medeiros presented the WAP tool in the ACM Student Chapter. Narch 2015. 

===Publications===

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T01:30:27Z

Iberiam: /* Volunteers */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora by Miguel Correia] 
[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg, by Ibéria Medeiros] 

|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

=Events and Publications=

===Events===
*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora]. Miguel Correia presented the comunication: '''''Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool'''''. Apr 2015. 

* [https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]. Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP). March 2015. 

===Publications===

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T01:29:28Z

Iberiam: /* Feedback */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora by Miguel Correia] 
[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg, by Ibéria Medeiros] 

|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:ibemed@gmail.com email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

=Events and Publications=

===Events===
*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora]. Miguel Correia presented the comunication: '''''Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool'''''. Apr 2015. 

* [https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]. Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP). March 2015. 

===Publications===

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T01:28:30Z

Iberiam: /* Events and Publications */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora by Miguel Correia] 
[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg, by Ibéria Medeiros] 

|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:ibemed@gmail.com email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:ibemed@gmail.com email].

=Events and Publications=

===Events===
*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora]. Miguel Correia presented the comunication: '''''Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool'''''. Apr 2015. 

* [https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]. Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP). March 2015. 

===Publications===

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T01:27:17Z

Iberiam: /* Events and Publications */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora by Miguel Correia] 
[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg, by Ibéria Medeiros] 

|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:ibemed@gmail.com email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:ibemed@gmail.com email].

=Events and Publications=

===Events===
*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora]. Miguel Correia presented the comunication: '''''Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool''''' 

* [https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]. Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP) 

===Publications===

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T01:24:05Z

Iberiam: /* Events and Publications */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora by Miguel Correia] 
[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg, by Ibéria Medeiros] 

|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:ibemed@gmail.com email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:ibemed@gmail.com email].

=Events and Publications=
*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora] 
Miguel Correia presented the comunication: Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool 
 
* [https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]
Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP) 

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T01:22:43Z

Iberiam: /* Events and Publications */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora by Miguel Correia] 
[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg, by Ibéria Medeiros] 

|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:ibemed@gmail.com email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:ibemed@gmail.com email].

=Events and Publications=
*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora] 
Miguel Correia presented the comunication: Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool 
 
* [https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg, by Ibéria Medeiros] 
Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP) 

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T01:14:25Z

Iberiam: /* News and Events */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora by Miguel Correia] 
[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg, by Ibéria Medeiros] 

|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:ibemed@gmail.com email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:ibemed@gmail.com email].

=Events and Publications=

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T01:13:54Z

Iberiam:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==


|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:ibemed@gmail.com email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:ibemed@gmail.com email].

=Events and Publications=

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T01:12:56Z

Iberiam:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==


|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:ibemed@gmail.com email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:ibemed@gmail.com email].

=News=

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T01:11:31Z

Iberiam:

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==


|}

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:ibemed@gmail.com email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:ibemed@gmail.com email].

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

User:Iberiam

2015-04-27T01:04:48Z

Iberiam:

<div style="font-size:100%;border:none;margin: 0;color:#000">
Ibéria Medeiros is Assistant Professor of the Universidade dos Açores (UAc), in Açores, Portugal.
I am a Ph.D student in Informatics at the Faculdade de Ciências of Universidade de Lisboa. My adivsors are [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia] and [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]. My research area is software security and my work is about detection and correction of web applications vulnerabilities. Since my master degree I have been working in source code static analysis, more precisely taint analysis, to detect vulnerabilities in source code. I have also been using data mining and machine learning to refine the detection made by taint analysis and to minimize the false positives rate.

I am also a researcher at LaSIGE research unit and member of the Navigators Group. My mains research interests are software security, security, computer networks, cloud computing, machine learning, data mining and natural language processing.

In 2008 I have finished my M.Sc on Detection of Integer Vulnerabilities in Software Portability from 32 to 64 bits, advised by Professor Miguel Pupo Correia. My thesis' contribution was a study on integer vulnerabilities in applications written in C language when they are ported from 32 to 64 bits, without any code adaptations. The main idea was use source code static analysis, using taint analysis, to find this type of vulnerabilities that originate, for example, buffer overflows, if any adaption in source code of applications written to 32 bits processors is not realized and these applications are ported to 64 bits processors.
 
More information about me at [https://sites.google.com/site/ibemed/ https://sites.google.com/site/ibemed/]. 
email: [mailto:iberia.medeiros@owasp.org| iberia.medeiros@owasp.org]
 
==Projects==
===[[OWASP WAP-Web Application Protection]]===
[[Image:wap_1_33.jpg|94px|wap_1_33.jpg.jpg]]
 
* A security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.
</div>

User:Iberiam

2015-04-27T01:04:06Z

Iberiam:

<div style="font-size:100%;border:none;margin: 0;color:#000">
Ibéria Medeiros is Assistant Professor of the Universidade dos Açores (UAc), in Açores, Portugal.
I am a Ph.D student in Informatics at the Faculdade de Ciências of Universidade de Lisboa. My adivsors are [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia] and [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]. My research area is software security and my work is about detection and correction of web applications vulnerabilities. Since my master degree I have been working in source code static analysis, more precisely taint analysis, to detect vulnerabilities in source code. I have also been using data mining and machine learning to refine the detection made by taint analysis and to minimize the false positives rate.

I am also a researcher at LaSIGE research unit and member of the Navigators Group. My mains research interests are software security, security, computer networks, cloud computing, machine learning, data mining and natural language processing.

In 2008 I have finished my M.Sc on Detection of Integer Vulnerabilities in Software Portability from 32 to 64 bits, advised by Professor Miguel Pupo Correia. My thesis' contribution was a study on integer vulnerabilities in applications written in C language when they are ported from 32 to 64 bits, without any code adaptations. The main idea was use source code static analysis, using taint analysis, to find this type of vulnerabilities that originate, for example, buffer overflows, if any adaption in source code of applications written to 32 bits processors is not realized and these applications are ported to 64 bits processors.
 
More information about me at [https://sites.google.com/site/ibemed/ https://sites.google.com/site/ibemed/]. 
email: [mailto:iberia.medeiros@owasp.org|iberia.medeiros@owasp.org]
 
==Projects==
===[[OWASP WAP-Web Application Protection]]===
[[Image:wap_1_33.jpg|94px|wap_1_33.jpg.jpg]]
 
* A security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.
</div>

OWASP WAP-Web Application Protection

2015-04-27T00:58:21Z

Iberiam: Undo revision 193990 by Iberiam (talk)

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==


=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:ibemed@gmail.com email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:ibemed@gmail.com email].

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T00:55:37Z

Iberiam: /* News and Events */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

[dsfsf]

=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:ibemed@gmail.com email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:ibemed@gmail.com email].

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T00:55:02Z

Iberiam: Undo revision 193981 by Iberiam (talk)

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==


=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:ibemed@gmail.com email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:ibemed@gmail.com email].

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T00:53:05Z

Iberiam: Undo revision 193982 by Iberiam (talk)

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==


=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:ibemed@gmail.com email].

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T00:31:53Z

Iberiam: /* News and Events */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==


=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T00:31:38Z

Iberiam: /* News and Events */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora by Miguel Correia] 
[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg, by Ibéria Medeiros] 


=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T00:27:26Z

Iberiam: /* News and Events */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora by Miguel Correia] 
[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in ParIS - ISP at University of Luxembourg, by Ibéria Medeiros] 


=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]

OWASP WAP-Web Application Protection

2015-04-27T00:26:13Z

Iberiam: /* News and Events */

=Main=

<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div>

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |


==OWASP WAP - Web Application Protection Project==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

==Introduction==
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
* Detects and corrects 8 types of input validation vulnerabilities.
* Teaches the user to build secure software.
* Works on Linux, Macintosh and Windows.
* Requires JRE to run.
* Portable, ready to run and no installation required.

==Description==

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:
* SQL Injection (SQLI)
* Cross-site scripting (XSS)
* Remote File Inclusion (RFI)
* Local File Inclusion (LFI)
* Directory Traversal or Path Traversal (DT/PT)
* Source Code Disclosure (SCD)
* OS Command Injection (OSCI)
* PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

==Licensing==

This program is free software: you can redistribute it and/or modify it under the terms of the [http://www.gnu.org/licenses/agpl-3.0.html link GNU Affero General Public License 3.0] as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== Project Resources ==

[http://awap.sourceforge.net http://awap.sourceforge.net]


== Project Leader ==
[[User:iberiam| Ibéria Medeiros]] 


== Related Projects ==


==Classifications==

{| width="200" cellpadding="2"
|-
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=Builders]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-breakers-small.png|link=Breakers]]
|-
| colspan="2" align="center" | [[File:Agplv3-155x51.png|link=http://www.gnu.org/licenses/agpl-3.0.html|Affero General Public License 3.0]]
|}

| valign="top" style="padding-left:25px;width:200px;" |

== News and Events ==

[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora by Miguel Correia] 
[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in ParIS - ISP at University of Luxembourg, by Ibéria Medeiros] 



=FAQs=




None, for now...

= Acknowledgements =
==Contributors==
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.

==Volunteers==
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

==Acknowledgements==
We would like to thank the following people and organizations for their support:
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]



= Road Map and Getting Involved =
The main goals are:
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
# Help programmers learn how to build secure software.
# Become a test bed for analyzing the QoS security of source code of web application.
# Become a tool to teach software security in web application in a class room/lab environment.
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST). 
(progress: concluded) 
2. Detect candidate vulnerabilities using taint analysis under the AST. 
(progress: concluded) 

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set. 
(progress: concluded) 
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code. 
(progress: partially concluded) 
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted. 
(progress: concluded)

==Getting Involved==
Involvement in the development and promotion of OWASP WAP is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
* Write about OWASP WAP on your web site, book or blog.
* Make tutorials/videos of WAP tool in languages you know of.
* Include it in your training materials, talks, laboratories etc.

===Coding===
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

===Feedback===
Feedback should be sent to the project leader by sending her an [mailto:iberia.medeiros@owasp.org email].

=Download=
The delivery of the project is a zip or tar.gz file containing:
* a jar file with the WAP tool;
* plain text file with the indications how to install and use the tool;
* vulnerable PHP example files to demonstrate how to work the tool;
* the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].

No installation required.

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Tool]]