
Difference between revisions of "OWASP WAP-Web Application Protection"

(Project Leader)
(Publications)
 
(88 intermediate revisions by the same user not shown)
Line 6: Line 6:
 
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
 
| valign="top"  style="border-right: 1px dotted gray;padding-right:25px;" |
  
 +
<!--
 
<span style="color:#ff0000">
 
<span style="color:#ff0000">
 
Instructions are in RED text and should be removed from your document by deleting the text with the span tags. This document is intended to serve as an example of what is required of an OWASP project wiki page. The text in red serves as instructions, while the text in black serves as an example. Text in black is expected to be replaced entirely with information specific to your OWASP project.
 
Instructions are in RED text and should be removed from your document by deleting the text with the span tags. This document is intended to serve as an example of what is required of an OWASP project wiki page. The text in red serves as instructions, while the text in black serves as an example. Text in black is expected to be replaced entirely with information specific to your OWASP project.
 
</span>
 
</span>
 +
-->
 +
==OWASP WAP - Web Application Protection Project==
 +
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.
  
==OWASP WAP - Web Application Protection Project==
+
==Introduction==
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives.
+
* OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
 +
* Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
 +
* Detects and corrects 8 types of input validation vulnerabilities.
 +
* Teaches the user to build secure software.
 +
* Works on Linux, Macintosh and Windows.
 +
* Requires JRE to run.
 +
* Portable, ready to run and no installation required.
  
 
==Description==
 
==Description==
 +
<!--
 
<span style="color:#ff0000">
 
<span style="color:#ff0000">
 
This is where you need to add your more robust project description. A project description should outline the purpose of the project, how it is used, and the value it provides to application security. Ideally, project descriptions should be written in such a way that there is no question what value the project provides to the software security community. This section will be seen and used in various places within the Projects Portal. Poorly written project descriptions therefore detract from a project’s visibility, so project leaders should ensure that the description is meaningful.   
 
This is where you need to add your more robust project description. A project description should outline the purpose of the project, how it is used, and the value it provides to application security. Ideally, project descriptions should be written in such a way that there is no question what value the project provides to the software security community. This section will be seen and used in various places within the Projects Portal. Poorly written project descriptions therefore detract from a project’s visibility, so project leaders should ensure that the description is meaningful.   
 
</span>
 
</span>
 +
-->
 +
WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.
  
 +
WAP detects and corrects the following vulnerabilities:
 +
* SQL Injection (SQLI)
 +
* Cross-site scripting (XSS)
 +
* Remote File Inclusion (RFI)
 +
* Local File Inclusion (LFI)
 +
* Directory Traversal or Path Traversal (DT/PT)
 +
* Source Code Disclosure (SCD)
 +
* OS Command Injection (OSCI)
 +
* PHP Code Injection
  
 +
This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.
 +
 +
 +
WAP is constituted by three modules:
 +
* Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.
 +
 +
* False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).
 +
 +
* Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.
  
 
==Licensing==
 
==Licensing==
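Review bot: the added description paragraphs carry spelling and grammar slips that will show on the rendered page: "source e code" should be "source code", "Abstract Sintatic Tree" should be "Abstract Syntax Tree", and "composed by", "potentials vulnerabilities", "that performing sanitization" and "depending of" should read "composed of", "potential vulnerabilities", "that perform sanitization" and "depending on". The bullet "Detects and corrects 8 types of input validation vulnerabilities" agrees with the eight-item list in the Description, so the counts are consistent.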
Line 28: Line 59:
  
 
== Project Resources ==
 
== Project Resources ==
 +
<!--
 
<span style="color:#ff0000">
 
<span style="color:#ff0000">
 
This is where you can link to the key locations for project files, including setup programs, the source code repository, online documentation, a Wiki Home Page, threaded discussions about the project, and Issue Tracking system, etc.  
 
This is where you can link to the key locations for project files, including setup programs, the source code repository, online documentation, a Wiki Home Page, threaded discussions about the project, and Issue Tracking system, etc.  
 
</span>
 
</span>
 
+
-->
 
+
[http://awap.sourceforge.net http://awap.sourceforge.net]
 +
<!-- [http://sourceforge.net/projects/awap/ http://sourceforge.net/projects/awap/] -->
  
 
== Project Leader ==
 
== Project Leader ==
[[User:iberiam Ibéria Medeiros]]
+
[[User:iberiam| Ibéria Medeiros]]<br/>
[mailto:[email protected] Email]
+
<!--
 +
[mailto:[email protected] Email]<br/>
 
[https://sites.google.com/site/ibemed/ Homepage]
 
[https://sites.google.com/site/ibemed/ Homepage]
 +
-->
  
 
== Related Projects ==
 
== Related Projects ==
 +
<!--
 
<span style="color:#ff0000">
 
<span style="color:#ff0000">
 
This is where you can link to other OWASP Projects that are similar to yours.  
 
This is where you can link to other OWASP Projects that are similar to yours.  
 
</span>
 
</span>
 
+
-->
  
 
==Classifications==
 
==Classifications==
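Review bot: the Project Leader link gains the missing pipe (`[[User:iberiam| Ibéria Medeiros]]`), which fixes the link text, but the mailto and homepage lines are moved inside an HTML comment, so the rendered Project Leader box shows only the name; if that is intended, the Volunteers and Feedback sections still carry the email link, otherwise keep the mailto line outside the comment.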
Line 62: Line 98:
  
 
== News and Events ==
 
== News and Events ==
 +
<!--
 
<span style="color:#ff0000">
 
<span style="color:#ff0000">
 
This is where you can provide project updates, links to any events like conference presentations, Project Leader interviews, case studies on successful project implementations, and articles written about your project.  
 
This is where you can provide project updates, links to any events like conference presentations, Project Leader interviews, case studies on successful project implementations, and articles written about your project.  
 
</span>
 
</span>
 +
-->
 +
*02.Out.2015 - A new version of WAP is available - WAP v2.0.2<br/>
 +
*WAP in Instituto Federal Catarinense, Blumenau, Brasil<br/>
 +
*WAP in Universidade Federal do Amazonas, Manaus, Brasil<br/>
 +
*[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora]<br/>
 +
*[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]<br/>
 +
*[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL]<br/>
 +
*[http://awap.sourceforge.net/news.html Many articles are talking about WAP]<br/>
 +
*[http://2014.dsn.org/ WAP in DSN Conference]<br/>
 +
*[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP]<br/>
 +
*[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1]<br/>
 +
*[http://www.indin2013.org/n/ WAP in INDIN Conference]<br/>
  
 
|}
 
|}
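Review bot: "02.Out.2015" uses the Portuguese month abbreviation; write "Oct" so the date reads correctly in English. Every news bullet also ends with `<br/>`, which is redundant inside a wiki list and adds blank space between items; drop the tags.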
Line 71: Line 120:
  
 
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.-->
 
<!-- Instructions are in RED and should be removed from your document by deleting the text with the span tags.-->
 +
<!--
 
<span style="color:#ff0000">
 
<span style="color:#ff0000">
 
Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'
 
Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. ''The point of a document like this are the '''answers'''''. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously compose and post the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your projects 'Frequent Answers.'
 
</span>
 
</span>
 +
-->
  
 
+
None, for now...
  
 
= Acknowledgements =
 
= Acknowledgements =
 
==Contributors==
 
==Contributors==
 +
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.
 +
<br/><br/>
 +
OWASP WAP - Web Application Protection project is led by [[user:iberiam| Ibéria Medeiros]], a software security developer and enthusiast.
 +
 +
==Volunteers==
 +
The project is free and open source, and if you want to join to the development team, please contact the project leader by sending her an [mailto:[email protected] email].
 +
 +
==Acknowledgements==
 +
We would like to thank the following people and organizations for their support:
 +
* [http://www.gsd.inesc-id.pt/~mpc/ Professor Miguel P. Correia]
 +
* [http://www.di.fc.ul.pt/~nuno/ Professor Nuno Neves]
 +
* EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).
 +
[[Image:FCT_H_color_v2011.png|FCT_H_color_v2011.png]]
 +
  
 +
<!--
 +
==Others==
  
 
* [mailto:[email protected] Ibéria Medeiros]
 
* [mailto:[email protected] Ibéria Medeiros]
 +
-->
  
 
= Road Map and Getting Involved =
 
= Road Map and Getting Involved =
 +
The main goals are:
 +
# Demonstrate using the tool that there is a lack of software security in the development of web applications,
 +
# Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
 +
# Help programmers learn how to build secure software.
 +
# Become a test bed for analyzing the QoS security of source code of web application.
 +
# Become a tool to teach software security in web application in a class room/lab environment.
 +
# Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,
 +
 +
 +
The phases of development of the WAP tool:
 +
 +
1. Build a PHP parser to create an abstract syntax tree (AST).<br/>
 +
(progress: concluded)<br/>
 +
2. Detect candidate vulnerabilities using taint analysis under the AST.<br/>
 +
(progress: concluded)<br/>
  
The roadmap and its progress is the following:
+
These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.
  
1. Build a PHP parser to create an abstract syntax tree (AST) (progress: concluded)
 
  
2. Detect vulnerabilities using taint analysis under the AST (progress: concluded)
+
3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set.<br/>
These two phases can be enhanced by implementation of the new characteristics of the PHP language, such as of object oriented.
+
(progress: concluded)<br/>
 +
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.
  
3. Predict false positives using data mining with a defined training data set (progress: concluded).
 
This phase could be modified if the training data set to grow vertically and/or horizontally, i.e. more instances are included it and/or new attributes that characterize false positives are added to the instances.
 
  
4. Correct the source code, removing the vulnerabilities inserting fixes in the right places of the source code (progress: partially concluded)
+
4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code.<br/>
 +
(progress: partially concluded)<br/>
 
This task needs some improvements when the line of the source code occupy more than 1 line.
 
This task needs some improvements when the line of the source code occupy more than 1 line.
  
5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted (progress: concluded)
+
 
Additional Comments
+
5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted.<br/>
WAP is a static analysis tool that uses taint analysis to detect vulnerabilities, tracking malicious users inputs and checking if they reach calls of sensitive functions. The tool uses data mining to predict if a vulnerability detected by taint analysis is a false positive or a real vulnerability. The real vulnerabilities are removed by the correction of the source code, inserting fixes (small PHP functions developed to the effect) in the right places in the source code.
+
(progress: concluded)
The tool outputs: the vulnerabilities found and how they are corrected and the new files with the corrections; reports the false positives predicted.
+
 
WAP detects the following vulnerabilities:
+
 
- SQL injection using MySQL, PostgreSQL and DB2 DBMS
 
- Reflected cross-site scripting (XSS)
 
- Stored XSS
 
- Remote file inclusion
 
- Local file inclusion
 
- Directory traversal
 
- Source code disclosure
 
- OS command injection
 
- PHP code injection
 
  
 
==Getting Involved==
 
==Getting Involved==
 +
Involvement in the development and promotion of OWASP WAP is actively encouraged!
 +
You do not have to be a security expert in order to contribute.
 +
Some of the ways you can help:
 +
* Spread the word - Facebook, Twitter, Google+ or any other communication platform.
 +
* Write about OWASP WAP on your web site, book or blog.
 +
* Make tutorials/videos of WAP tool in languages you know of.
 +
* Include it in your training materials, talks, laboratories etc.
  
  
 
===Coding===
 
===Coding===
 +
You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.
 +
  
 
===Feedback===
 
===Feedback===
 +
Feedback should be sent to the project leader by sending her an [mailto:[email protected] email].
 +
 +
=Events and Publications=
 +
 +
===Events===
 +
WAP in Instituto Federal Catarinense, Blumenau, Brasil
 +
* Miguel Correia presented the comunication: '''''Protection of Web Applications with the WAP Tool'''''. Aug 2015.<br/>
 +
<br/>
 +
 +
WAP in Universidade Federal do Amazonas, Manaus, Brasil
 +
* Miguel Correia presented the comunication: '''''Protection of Web Applications with Data Mining to Detect False Positives'''''. Jul 2015.<br/>
 +
<br/>
 +
 +
[https://www.facebook.com/semanadascienciasetecnologiasaaue/photos/pb.701934916585847.-2207520000.1430093295./720636151382390/?type=3&theater WAP in 4th SCT of University of Évora]
 +
* Miguel Correia presented the comunication: '''''Cyber-attacks againts PHP Web Applications and How avoid them with the WAP tool'''''. Apr 2015.<br/>
 +
<br/>
 +
 +
[https://paris-isp.uni.lu WAP in ParIS - ISP at University of Luxembourg]
 +
* Ibéria Medeiros presented WAP and realized a lab in the Intensive Study Programmed (ISP). March 2015.<br/>
 +
<br/>
 +
 +
[http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL]
 +
* Ibéria Medeiros presented the WAP tool in the ACM Student Chapter. March 2015.<br/>
 +
<br/>
 +
 +
[http://awap.sourceforge.net/news.html Many articles are talking about WAP]<br/>
 +
<br/>
 +
 +
[http://2014.dsn.org/ WAP in DSN Conference]
 +
* Miguel Correia presented the comunication: '''''Web Application Protection with the WAP tool'''''. June 2014. <br/>
 +
<br/>
 +
 +
[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP]
 +
* Ibéria Medeiros presented a seminar: '''''Hybrid Methods to Detect and Correct Web Application Vulnerabilities Automatically'''''. May 2014.<br/>
 +
<br/>
 +
 +
[http://www2014.kr/ WAP in WWW Conference, in the research track Security 1]
 +
* Ibéria Medeiros presented the comunication: '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positive'''''s. April 2014.<br/>
 +
<br/>
 +
 +
[http://www.indin2013.org/n/ WAP in INDIN Conference]
 +
* Ibéria Medeiros presented the comunication: '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. July 2013.<br/>
  
=Minimum Viable Product=
+
===Publications===
 +
* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Detecting and Removing Web Application Vulnerabilities with Static Analysis and Data Mining'''''.  IEEE Transactions on Reliability, July 2015. ([http://awap.sourceforge.net/papers/WAP_IEEE_TR_2015.pdf journal])
  
The delivery of the project is a zip or tar.gz file containing:
+
* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Web Application Protection with the WAP tool''''' (fast abstract). Proceedings of the 44th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'14), Atlanta, Georgia USA, June 2014. ([http://awap.sourceforge.net/papers/DSN14-fa.pdf paper])
  
- a jar file with the WAP tool;
+
* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positives'''''. Proceedings of the 23rd International Conference on World Wide Web (WWW), Seoul, Korea, 11 pages, April 2014. ([http://awap.sourceforge.net/papers/WWW14.pdf paper])
  
- plain text file with the indications how to install and use the tool;
+
* Ibéria Medeiros, Nuno Neves, Miguel Correia. '''''Securing Energy Metering Software with Automatic Source Code Correction'''''. Proceedings of the IEEE International Conference on Industrial Informatics (INDIN), Bochum, Germany, 6 pages, July 2013. ([http://awap.sourceforge.net/papers/INDIN13.pdf paper])
  
- vulnerable PHP example files to demonstrate how to work the tool;  
+
=Download=
 +
The delivery of the project is a zip or tar.gz file containing:
 +
* a jar file with the WAP tool;
 +
* plain text file with the indications how to install and use the tool;
 +
* vulnerable PHP example files to demonstrate how to work the tool;  
 +
* the source code of the tool.
  
- the source code of the tool.
 
  
 +
The tool works in different operating systems -- Linux, OSx and Windows -- and is available at [http://awap.sourceforge.net http://awap.sourceforge.net]
  
The tool works in different operating systems -- Linux, OSx and Windows -- and is available at http://awap.sourceforge.net
+
The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com].
  
The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at [http://www.oracle.com/us/downloads/index.html#menu-downloads http://www.oracle.com]
+
No installation required.
  
  
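Review bot: the new Events, Road Map and Download text repeats several misspellings: "comunication" (six times) for "communication", "againts" for "against", "codding" for "coding", "Enviroment" for "Environment" and "Intensive Study Programmed" for "Intensive Study Programme". In roadmap item 4, "when the line of the source code occupy more than 1 line" should state plainly that statements spanning more than one source line are not yet handled by the corrector.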

Latest revision as of 04:20, 17 January 2016


OWASP WAP - Web Application Protection Project

WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP, and to predict false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. It then corrects the source code to remove the real vulnerabilities by inserting fixes (small functions) in the right places of the source code.

Introduction

  • OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
  • Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
  • Detects and corrects 8 types of input validation vulnerabilities.
  • Teaches the user to build secure software.
  • Works on Linux, Macintosh and Windows.
  • Requires JRE to run.
  • Portable, ready to run and no installation required.

Description

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:

  • SQL Injection (SQLI)
  • Cross-site scripting (XSS)
  • Remote File Inclusion (RFI)
  • Local File Inclusion (LFI)
  • Directory Traversal or Path Traversal (DT/PT)
  • Source Code Disclosure (SCD)
  • OS Command Injection (OSCI)
  • PHP Code Injection

This tool semantically analyses the source code. More precisely, it performs taint analysis (a data-flow analysis) to detect input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted through entry points (the $_GET and $_POST arrays) and to verify whether they reach a sensitive sink (a PHP function that can be exploited by malicious input, such as mysql_query). After detection, the tool uses data mining to confirm whether each vulnerability is real or a false positive. Finally, the real vulnerabilities are corrected by inserting fixes (small pieces of code) into the source code.
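The taint analysis described above, as an added illustration that is not WAP's own code (WAP walks an ANTLR-generated AST of the full PHP grammar; this sketch only handles straight-line statements): a Python analyser that tracks taint from $_GET/$_POST per vulnerability class, so that a value escaped for SQL with mysql_real_escape_string is still reported when it reaches an XSS sink. The sample PHP, the entry-point set and the sink/sanitizer tables are constructed for this example.

```python
import re

# Constructed PHP sample in the style of the vulnerable example files WAP ships
# (written for this illustration; not taken from the project).
SAMPLE_PHP = """\
$id = $_GET['id'];
$name = $_POST['name'];
$safe = mysql_real_escape_string($name);
$q1 = "SELECT * FROM users WHERE id=" . $id;
$q2 = "SELECT * FROM users WHERE name='" . $safe . "'";
$r1 = mysql_query($q1);
$r2 = mysql_query($q2);
echo "Hello " . $name;
echo "Hello " . htmlentities($name);
echo "Hello " . $safe;
"""

# Entry points: superglobals through which untrusted data enters the script.
ENTRY_POINTS = {"$_GET", "$_POST", "$_COOKIE", "$_REQUEST"}
# Vulnerability classes tracked by this sketch (WAP tracks eight).
CLASSES = frozenset({"SQLI", "XSS"})
# Sensitive sinks and the class each exposes; `echo` is a language construct,
# but it is rewritten into call form below so one code path handles both.
SINKS = {"mysql_query": "SQLI", "echo": "XSS"}
# Sanitizers (real PHP functions) and the single class each neutralises.
SANITIZERS = {"mysql_real_escape_string": "SQLI", "htmlentities": "XSS"}

ASSIGN_RE = re.compile(r"^(\$\w+)\s*=(?!=)\s*(.+)$")
CALL_RE = re.compile(r"(\w+)\s*\(")
VAR_RE = re.compile(r"\$\w+")


def analyse(php_source):
    """Straight-line, intra-procedural taint analysis.

    Returns a list of (line number, vulnerability class, sink name) for every
    sink reached by data that is still tainted for that sink's class.
    """
    taint = {}      # variable -> set of classes it is still unsafe for
    findings = []
    for lineno, raw in enumerate(php_source.splitlines(), start=1):
        line = raw.strip().rstrip(";").strip()
        if not line:
            continue
        target = None
        m = ASSIGN_RE.match(line)
        if m:
            target, expr = m.groups()
        elif line.startswith("echo "):
            expr = "echo(" + line[5:] + ")"
        else:
            expr = line
        # Taint of the expression: union over every variable it references.
        classes = set()
        for var in VAR_RE.findall(expr):
            if var in ENTRY_POINTS:
                classes |= CLASSES
            else:
                classes |= taint.get(var, set())
        calls = CALL_RE.findall(expr)
        # A sanitizer only clears the class it is designed for.
        for name in calls:
            if name in SANITIZERS:
                classes.discard(SANITIZERS[name])
        # A sink is a candidate vulnerability only for its own class.
        for name in calls:
            if name in SINKS and SINKS[name] in classes:
                findings.append((lineno, SINKS[name], name))
        if target is not None:
            taint[target] = classes
    return findings


if __name__ == "__main__":
    for lineno, vuln, sink in analyse(SAMPLE_PHP):
        print(f"line {lineno}: candidate {vuln} at sink {sink}()")
```

On the sample, lines 6 and 8 are reported as SQLI and XSS candidates, and line 10 is reported as XSS even though $safe went through mysql_real_escape_string, which is the per-class tracking that a sanitizer-agnostic analysis would miss. Every finding here is only a candidate: the data mining stage below decides which ones are real.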


WAP is constituted by three modules:

  • Code Analyzer: composed of a tree generator and a taint analyser. The tool integrates a lexer and a parser generated by ANTLR from a grammar and a tree grammar written for the PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Syntax Tree) of each PHP file. The taint analyzer performs the taint analysis by navigating the AST to detect potential vulnerabilities.
  • False Positives Predictor: composed of a supervised training data set, with instances classified as vulnerabilities or false positives, and the Logistic Regression machine learning algorithm. For each potential vulnerability detected by the code analyser, this module collects the presence of the attributes that define a false positive and creates an instance from them. The Logistic Regression algorithm then receives the instances and classifies each as a false positive or not (a real vulnerability).
  • Code Corrector: each real vulnerability is removed by correcting its source code. For each type of vulnerability this module selects the fix that removes it and marks the places in the source code where the fix will be inserted. The code is then corrected by inserting the fixes, and new files are created. Fixes are small pieces of code (small PHP functions developed for the purpose) that perform sanitization or validation of the user inputs, depending on the vulnerability type.
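The False Positives Predictor stage, as an added example that is not the project's code: a logistic regression model trained by batch gradient descent on attribute vectors, where each vector records which validation attributes were seen on the path from entry point to sink, and the model decides whether a candidate is a false positive. The four attribute names and the training instances are assumptions constructed for this example, not WAP's data set; the project's real attribute set and instances are in its publications.

```python
import math

# Constructed training set (not WAP's real data set). Each instance records the
# presence (1) or absence (0) of four attributes observed between entry point and sink:
#   type_check    - a type-checking call such as is_numeric/intval was applied
#   whitelist     - the value was compared against a fixed list of allowed values
#   pattern_check - the value was validated with a regular expression
#   concat        - the value was concatenated into a string (present in both classes)
# Label 1 = false positive, 0 = real vulnerability.
ATTRIBUTES = ("type_check", "whitelist", "pattern_check", "concat")
TRAINING_SET = [
    ((1, 0, 0, 1), 1),
    ((0, 1, 0, 0), 1),
    ((0, 0, 1, 1), 1),
    ((1, 1, 0, 0), 1),
    ((1, 0, 0, 0), 1),
    ((0, 0, 0, 1), 0),
    ((0, 0, 0, 0), 0),
    ((0, 0, 0, 1), 0),
]


def sigmoid(z):
    z = max(-500.0, min(500.0, z))   # clamp so math.exp never overflows
    return 1.0 / (1.0 + math.exp(-z))


def probability(weights, x):
    """Logistic model: P(false positive | attributes x). weights[0] is the bias."""
    z = weights[0] + sum(w * xi for w, xi in zip(weights[1:], x))
    return sigmoid(z)


def train(data, learning_rate=0.5, epochs=3000):
    """Batch gradient descent on the log-loss; deterministic (zero initialisation)."""
    n = len(data[0][0])
    weights = [0.0] * (n + 1)
    for _ in range(epochs):
        grad = [0.0] * (n + 1)
        for x, y in data:
            err = probability(weights, x) - y
            grad[0] += err
            for i, xi in enumerate(x):
                grad[i + 1] += err * xi
        for i in range(n + 1):
            weights[i] -= learning_rate * grad[i] / len(data)
    return weights


def classify(weights, x):
    """True when the instance is predicted to be a false positive."""
    return probability(weights, x) >= 0.5


def training_accuracy(weights, data):
    return sum(classify(weights, x) == bool(y) for x, y in data) / len(data)


if __name__ == "__main__":
    w = train(TRAINING_SET)
    for name, weight in zip(("bias",) + ATTRIBUTES, w):
        print(f"{name:14s} {weight:+.2f}")
    candidate = (0, 1, 1, 0)   # whitelisted and regex-checked, never concatenated
    print("false positive" if classify(w, candidate) else "real vulnerability")
```

After training, the weights of the three validation attributes are positive while the concat attribute, which appears in both classes, stays close to zero; a candidate whose path shows no validation at all is classified as a real vulnerability and handed to the corrector. Retraining is all that is needed when the data set grows with new instances or new attributes, which is the extension path the roadmap describes.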

Licensing

This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License 3.0 as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

Project Resources

http://awap.sourceforge.net

Project Leader

Ibéria Medeiros

Related Projects

Classifications

  • Project Type: Tool
  • Incubator Project
  • Audience: Builders, Breakers
  • License: Affero General Public License 3.0

News and Events

None, for now...

Contributors

OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code.

OWASP WAP - Web Application Protection project is led by Ibéria Medeiros, a software security developer and enthusiast.

Volunteers

The project is free and open source, and if you want to join the development team, please contact the project leader by sending her an email.

Acknowledgements

We would like to thank the following people and organizations for their support:

  • Professor Miguel P. Correia
  • Professor Nuno Neves
  • EC through project FP7-607109 (SEGRID), and by national funds through Fundação para a Ciência e a Tecnologia (FCT) with references UID/CEC/50021/2013 (INESC-ID) and UID/CEC/00408/2013 (LaSIGE).



The main goals are:

  1. Demonstrate, using the tool, that software security is lacking in the development of web applications.
  2. Help programmers learn the need for secure coding practices, which practices they are and how they are implemented.
  3. Help programmers learn how to build secure software.
  4. Become a test bed for analysing the QoS security of web application source code.
  5. Become a tool to teach software security in web applications in a classroom/lab environment.
  6. Attract people to extend the WAP tool to detect and correct new types of vulnerabilities.


The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST).
(progress: concluded)
2. Detect candidate vulnerabilities using taint analysis over the AST.
(progress: concluded)

These two phases can be improved by implementing newer characteristics of the PHP language, such as object orientation.


3. Predict whether the candidate vulnerabilities are false positives or not, using data mining with a defined training data set.
(progress: concluded)
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. if more instances are included and/or new attributes that characterize false positives are added to the instances.


4. Correct the source code, removing the real vulnerabilities by inserting fixes in the right places of the source code.
(progress: partially concluded)
This task still needs improvements for statements that span more than one line of source code.


5. Output the results: the vulnerabilities found, their corrections and the new corrected files, and the predicted false positives.
(progress: concluded)


Getting Involved

Involvement in the development and promotion of OWASP WAP is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help:

  • Spread the word - Facebook, Twitter, Google+ or any other communication platform.
  • Write about OWASP WAP on your web site, book or blog.
  • Make tutorials/videos of the WAP tool in the languages you know.
  • Include it in your training materials, talks, laboratories etc.


Coding

You can also help by extending the WAP tool with a new module or by improving some part(s) of it.


Feedback

Feedback should be sent to the project leader by sending her an email.

Events

WAP in Instituto Federal Catarinense, Blumenau, Brasil

  • Miguel Correia presented the communication: Protection of Web Applications with the WAP Tool. Aug 2015.


WAP in Universidade Federal do Amazonas, Manaus, Brasil

  • Miguel Correia presented the communication: Protection of Web Applications with Data Mining to Detect False Positives. Jul 2015.


WAP in 4th SCT of University of Évora

  • Miguel Correia presented the communication: Cyber-attacks against PHP Web Applications and How to avoid them with the WAP tool. Apr 2015.


WAP in ParIS - ISP at University of Luxembourg

  • Ibéria Medeiros presented WAP and ran a lab in the Intensive Study Programme (ISP). March 2015.


WAP in ACM Student Chapter at ISCTE-IUL

  • Ibéria Medeiros presented the WAP tool in the ACM Student Chapter. March 2015.


Many articles are talking about WAP

WAP in DSN Conference

  • Miguel Correia presented the communication: Web Application Protection with the WAP tool. June 2014.


Seminar about WAP

  • Ibéria Medeiros presented a seminar: Hybrid Methods to Detect and Correct Web Application Vulnerabilities Automatically. May 2014.


WAP in WWW Conference, in the research track Security 1

  • Ibéria Medeiros presented the communication: Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positives. April 2014.


WAP in INDIN Conference

  • Ibéria Medeiros presented the communication: Securing Energy Metering Software with Automatic Source Code Correction. July 2013.

Publications

  • Ibéria Medeiros, Nuno Neves, Miguel Correia. Detecting and Removing Web Application Vulnerabilities with Static Analysis and Data Mining. IEEE Transactions on Reliability, July 2015. (journal)
  • Ibéria Medeiros, Nuno Neves, Miguel Correia. Web Application Protection with the WAP tool (fast abstract). Proceedings of the 44th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'14), Atlanta, Georgia USA, June 2014. (paper)
  • Ibéria Medeiros, Nuno Neves, Miguel Correia. Automatic Detection and Correction of Web Application Vulnerabilities using Data Mining to Predict False Positives. Proceedings of the 23rd International Conference on World Wide Web (WWW), Seoul, Korea, 11 pages, April 2014. (paper)
  • Ibéria Medeiros, Nuno Neves, Miguel Correia. Securing Energy Metering Software with Automatic Source Code Correction. Proceedings of the IEEE International Conference on Industrial Informatics (INDIN), Bochum, Germany, 6 pages, July 2013. (paper)

The delivery of the project is a zip or tar.gz file containing:

  • a jar file with the WAP tool;
  • a plain-text file with instructions on how to install and use the tool;
  • vulnerable PHP example files to demonstrate how the tool works;
  • the source code of the tool.


The tool runs on different operating systems (Linux, OS X and Windows) and is available at http://awap.sourceforge.net

The only requirement to run the tool is the JRE (Java Runtime Environment), which can be downloaded at http://www.oracle.com.

No installation required.