OWASP WAP-Web Application Protection
OWASP WAP - Web Application Protection Project
WAP is a tool that detects and corrects input validation vulnerabilities in web applications written in PHP, and predicts false positives. It combines source code static analysis with data mining to detect vulnerabilities and to predict which of them are false positives. It then corrects the source code to remove the real vulnerabilities, inserting fixes (small functions) in the right places of the source code.
WAP is a source code static analysis and data mining tool that detects and corrects input validation vulnerabilities in web applications written in PHP (version 4.0 or higher), with a low rate of false positives.
WAP detects and corrects the following vulnerabilities:
This tool semantically analyses the source code. More precisely, it performs taint analysis (a data-flow analysis) to detect input validation vulnerabilities. The aim of the taint analysis is to track input that enters through entry points (such as the $_GET and $_POST arrays) and to verify whether it reaches a sensitive sink (a PHP function that can be exploited by malicious input, such as mysql_query) without first passing through sanitisation. After detection, the tool uses data mining to classify each candidate vulnerability as real or as a false positive. Finally, the real vulnerabilities are corrected by inserting fixes (small pieces of code) into the source code.
This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License 3.0 as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
News and Events
None, for now...
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focused on improving the security of software. Our goal with the OWASP WAP project is to help build secure software by detecting web application vulnerabilities and removing them through correction of the application's source code.
The OWASP WAP - Web Application Protection project is led by Ibéria Medeiros, a software security developer and enthusiast.
The project is free and open source; if you want to join the development team, please contact the project leader by email.
We would like to thank the following people and organizations for their support:
- Professor Miguel P. Correia
- Professor Nuno Neves
- EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
The main goals are:
- Demonstrate, using the tool, that software security is lacking in the development of web applications.
- Help programmers understand the need for secure coding practices, what those practices are, and how they are implemented.
- Help programmers learn how to build secure software.
- Become a test bed for analysing the security quality of web application source code.
- Become a tool for teaching web application software security in a classroom/lab environment.
- Attract people to extend the WAP tool to detect and correct new types of vulnerabilities.
The phases of development of the WAP tool:
1. Build a PHP parser that creates an abstract syntax tree (AST).
2. Detect candidate vulnerabilities using taint analysis over the AST.
These two phases can be improved by implementing newer features of the PHP language, such as object-oriented constructs.
3. Predict whether the candidate vulnerabilities are false positives, using data mining with a defined training data set.
This phase can be revisited as the training data set grows vertically and/or horizontally, i.e. as more instances are included and/or new attributes that characterise false positives are added to the instances.
4. Correct the source code, removing the real vulnerabilities by inserting fixes in the right places of the source code.
(progress: partially concluded)
This task needs some improvements for the case where a single statement spans more than one line of source code.
5. Output the results: the vulnerabilities found, their corrections and the new corrected files, and the predicted false positives.
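The detection (phase 2) and correction (phase 4) steps above, and the taint-analysis description in the overview, as an added worked example. This is not WAP's own code (WAP is a Java tool with its own parser and fix functions); it is a toy analyser in Python over a line-oriented PHP subset, written for this page. The sink table, the choice of mysql_real_escape_string and htmlspecialchars as stand-in sanitisers, the fix strategy (wrapping the entry-point read on the line where the tainted value originates) and the sample PHP are all assumptions made for the illustration. The point it shows that the prose does not: taint is tracked per sink, so a value escaped for SQL is still reported when it is echoed, while a value that was properly sanitised for its sink produces no finding.

```python
"""Toy taint analysis in the spirit of WAP, over a line-oriented PHP subset.

Constructed example, not WAP code. Entry points ($_GET, $_POST, ...) are
tracked through assignments and string concatenation until they reach a
sensitive sink. A sanitiser call strips the taint only for the sinks it
protects, so a value escaped for SQL is still reported when it is echoed.
"""
import re

# Sensitive sinks and the standard PHP function assumed here to neutralise
# input for that sink. WAP inserts its own fix functions; these are stand-ins.
SINKS = {
    "mysql_query": "mysql_real_escape_string",   # SQL injection
    "echo": "htmlspecialchars",                   # reflected XSS
}
# Inverse map: sanitiser -> set of sinks it protects.
SANITIZER_PROTECTS = {}
for _sink, _san in SINKS.items():
    SANITIZER_PROTECTS.setdefault(_san, set()).add(_sink)

ENTRY_RE = re.compile(r"\$_(?:GET|POST|COOKIE|REQUEST)\[[^\]]*\]")
VAR_RE = re.compile(r"\$\w+")
CALL_RE = re.compile(r"(\w+)\(([^()]*)\)")            # innermost call first
ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=\s*(.+);\s*$")
ECHO_RE = re.compile(r"^\s*echo\s+(.+);\s*$")
SINK_CALL_RE = re.compile(
    r"\b(" + "|".join(s for s in SINKS if s != "echo") + r")\s*\((.*)\)")


def tokens_taint(expr, scope, lineno):
    """Taint of a call-free expression: a set of (sink, origin_line, entry)."""
    taint = set()
    for entry in ENTRY_RE.findall(expr):
        taint |= {(sink, lineno, entry) for sink in SINKS}   # tainted for every sink
    for var in VAR_RE.findall(expr):
        taint |= scope.get(var, set())
    return taint


def expr_taint(expr, env, lineno):
    """Reduce calls innermost-first; a sanitiser drops the taint of the sinks it protects."""
    scope = dict(env)
    n = 0
    while (m := CALL_RE.search(expr)):
        fn, args = m.group(1), m.group(2)
        taint = tokens_taint(args, scope, lineno)
        taint = {t for t in taint if t[0] not in SANITIZER_PROTECTS.get(fn, set())}
        placeholder = f"$__call{n}"      # stands in for the call's result
        n += 1
        scope[placeholder] = taint
        expr = expr[:m.start()] + placeholder + expr[m.end():]
    return tokens_taint(expr, scope, lineno)


def sinks_in(line):
    """Yield (sink, argument expression) for each sensitive sink on a line."""
    m = ECHO_RE.match(line)
    if m:
        yield "echo", m.group(1)
    for m in SINK_CALL_RE.finditer(line):
        yield m.group(1), m.group(2)


def analyse(php_source):
    """Return (findings, corrected_source).

    findings: list of (sink_line, sink, origin_line, entry_expression).
    The fix wraps the entry-point read on origin_line with the sink's sanitiser.
    """
    env, findings, fixes = {}, [], {}
    lines = php_source.splitlines()
    for lineno, line in enumerate(lines, 1):
        for sink, arg in sinks_in(line):
            hits = {t for t in expr_taint(arg, env, lineno) if t[0] == sink}
            for _, origin, entry in sorted(hits):
                findings.append((lineno, sink, origin, entry))
                fixes.setdefault(origin, set()).add((entry, SINKS[sink]))
        m = ASSIGN_RE.match(line)
        if m:
            env[m.group(1)] = expr_taint(m.group(2), env, lineno)
    corrected = []
    for lineno, line in enumerate(lines, 1):
        for entry, sanitizer in sorted(fixes.get(lineno, ())):
            line = line.replace(entry, f"{sanitizer}({entry})")
        corrected.append(line)
    return findings, "\n".join(corrected)


# Constructed vulnerable PHP for the demonstration (not from the WAP distribution).
SAMPLE_PHP = """<?php
$id = $_GET['id'];
$name = mysql_real_escape_string($_POST['name']);
$query = "SELECT * FROM users WHERE id = " . $id;
$result = mysql_query($query);
$safe = htmlspecialchars($_GET['msg']);
echo $safe;
echo $name;
$query2 = "SELECT * FROM users WHERE name = '" . $name . "'";
mysql_query($query2);
?>"""

if __name__ == "__main__":
    found, fixed = analyse(SAMPLE_PHP)
    for sink_line, sink, origin, entry in found:
        print(f"line {sink_line}: {sink} reached by {entry} read on line {origin}")
    print(fixed)
```

Running it reports two real flows (the unescaped $id reaching mysql_query on line 5, and the SQL-escaped but not HTML-escaped $name reaching echo on line 8) and no finding for the two sinks whose input was sanitised for them. Two caveats a practitioner should keep in mind: the fix is inserted at the entry-point read here only because it keeps the example short, and escaping quotes does nothing for the unquoted numeric context on line 4 (`WHERE id = " . $id`), where an integer cast or a prepared statement is the right correction.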
Involvement in the development and promotion of OWASP WAP is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help:
- Spread the word - Facebook, Twitter, Google+ or any other communication platform.
- Write about OWASP WAP on your web site, book or blog.
- Make tutorials/videos of the WAP tool in the languages you know.
- Include it in your training materials, talks, laboratories, etc.
You can also help by extending the WAP tool with a new module, or by improving some part(s) of it.
Feedback should be sent to the project leader by email.
WAP in Instituto Federal Catarinense, Blumenau, Brasil
- Miguel Correia presented the talk: Protection of Web Applications with the WAP Tool. Aug 2015.
WAP in Universidade Federal do Amazonas, Manaus, Brasil
- Miguel Correia presented the talk: Protection of Web Applications with Data Mining to Detect False Positives. Jul 2015.
- Miguel Correia presented the talk: Cyber-attacks against PHP Web Applications and How to Avoid Them with the WAP Tool. Apr 2015.
- Ibéria Medeiros presented WAP and ran a lab in the Intensive Study Programme (ISP). March 2015.
- Ibéria Medeiros presented the WAP tool at the ACM Student Chapter. March 2015.
- Miguel Correia presented the talk: Web Application Protection with the WAP Tool. June 2014.
- Ibéria Medeiros presented a seminar: Hybrid Methods to Detect and Correct Web Application Vulnerabilities Automatically. May 2014.
- Ibéria Medeiros presented the talk: Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positives. April 2014.
- Ibéria Medeiros presented the talk: Securing Energy Metering Software with Automatic Source Code Correction. July 2013.
- Ibéria Medeiros, Nuno Neves, Miguel Correia. Detecting and Removing Web Application Vulnerabilities with Static Analysis and Data Mining. IEEE Transactions on Reliability, July 2015. (journal)
- Ibéria Medeiros, Nuno Neves, Miguel Correia. Web Application Protection with the WAP tool (fast abstract). Proceedings of the 44th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'14), Atlanta, Georgia USA, June 2014. (paper)
- Ibéria Medeiros, Nuno Neves, Miguel Correia. Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positives. Proceedings of the 23rd International Conference on World Wide Web (WWW), Seoul, Korea, 11 pages, April 2014. (paper)
- Ibéria Medeiros, Nuno Neves, Miguel Correia. Securing Energy Metering Software with Automatic Source Code Correction. Proceedings of the IEEE International Conference on Industrial Informatics (INDIN), Bochum, Germany, 6 pages, July 2013. (paper)
The project is delivered as a zip or tar.gz file containing:
- a jar file with the WAP tool;
- a plain text file with instructions on how to install and use the tool;
- vulnerable PHP example files that demonstrate how the tool works;
- the source code of the tool.
The tool runs on different operating systems -- Linux, OS X and Windows -- and is available at http://awap.sourceforge.net
The only requirement to run the tool is the JRE (Java Runtime Environment), which can be downloaded at http://www.oracle.com.
No installation is required.