Difference between revisions of "OWASP WAP-Web Application Protection"

Revision as of 01:48, 27 April 2015

OWASP WAP - Web Application Protection Project

WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

Introduction

OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
Detects and corrects 8 types of input validation vulnerabilities.
Teaches the user to build secure software.
Works on Linux, Macintosh and Windows.
Requires JRE to run.
Portable, ready to run and no installation required.

Description

WAP is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives.

WAP detects and corrects the following vulnerabilities:

SQL Injection (SQLI)
Cross-site scripting (XSS)
Remote File Inclusion (RFI)
Local File Inclusion (LFI)
Directory Traversal or Path Traversal (DT/PT)
Source Code Disclosure (SCD)
OS Command Injection (OSCI)
PHP Code Injection

This tool semantically analyses the source code. More precisely, it does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted by entry points ($_GET, $_POST arrays) and to verify if they reach some sensitive sink (PHP functions that can be exploited by malicious input, such as mysql_query). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are corrected by the insertion of the fixes (small pieces of code) in the source code.

WAP is constituted by three modules:

Code Analyzer: composed by tree generator and taint analyser. The tool has integrated a lexer and a parser generated by ANTLR, and based in a grammar and a tree grammar written to PHP language. The tree generator uses the lexer and the parser to build the AST (Abstract Sintatic Tree) to each PHP file. The taint analyzer performs the taint analysis navigating through the AST to detect potentials vulnerabilities.

False Positives Predictor: composed by a supervised trained data set with instances classified as being vulnerabilities and false positives and by the Logistic Regression machine learning algorithm. For each potential vulnerability detected by code analyser, this module collects the presence of the attributes that define a false positive and creates with them an instance. Then, the Logistic Regression algorithm receives the instances and classifies them as being a false positive or not (real vulnerability).

Code Corrector: each real vulnerability is removed by correction of its source code. This module for the type of vulnerability selects the fix that removes the vulnerability and signalizes the places in the source code where the fix will be inserted. Then, the code is corrected with the insertion of the fixes and new files are created. Fixes are small pieces of the code (small PHP functions developed to the effect) that performing sanitization or validation of the user inputs, depending of the vulnerability type.

Licensing

This program is free software: you can redistribute it and/or modify it under the terms of the link GNU Affero General Public License 3.0 as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

Project Resources

http://awap.sourceforge.net

Project Leader

Ibéria Medeiros

Related Projects

Classifications

News and Events

WAP in 4th SCT of University of Évora
WAP in ParIS - ISP at University of Luxembourg
WAP in ACM Student Chapter at ISCTE-IUL
Many articles are talking about WAP
Seminar about WAP

The main goals are:

Demonstrate using the tool that there is a lack of software security in the development of web applications,
Help programmers learn the need of secure codding practices, which are the practices and how they are implemented.
Help programmers learn how to build secure software.
Become a test bed for analyzing the QoS security of source code of web application.
Become a tool to teach software security in web application in a class room/lab environment.
Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:

1. Build a PHP parser to create an abstract syntax tree (AST).
(progress: concluded)
2. Detect candidate vulnerabilities using taint analysis under the AST.
(progress: concluded)

These two phases can be improved by implementing the new characteristics of the PHP language, such as of object oriented.

3. Predict if the candidate vulnerabilities are false positives or not, using for this data mining with a defined training data set.
(progress: concluded)
This phase could be modified if the training data set grows vertically and/or horizontally, i.e. more instances are included and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code.
(progress: partially concluded)
This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted.
(progress: concluded)

Getting Involved

Involvement in the development and promotion of OWASP WAP is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help:

Spread the word - Facebook, Twitter, Google+ or any other communication platform.
Write about OWASP WAP on your web site, book or blog.
Make tutorials/videos of WAP tool in languages you know of.
Include it in your training materials, talks, laboratories etc.

Coding

You can also help if you wish to extend the WAP tool with a new module or even improving some part(s) of it.

Feedback

Feedback should be sent to the project leader by sending her an email.

@@ Line 107: / Line 107: @@
 [http://iscte.acm.org/event/web-application-protection/ WAP in ACM Student Chapter at ISCTE-IUL]<br/>
 [http://awap.sourceforge.net/news.html Many articles are talking about WAP]<br/>
+[https://mocho.di.fc.ul.pt/mod/resource/view.php?id=13019 Seminar about WAP]<br/>
 |}

Difference between revisions of "OWASP WAP-Web Application Protection"

Revision as of 01:48, 27 April 2015

OWASP WAP - Web Application Protection Project

Introduction

Description

Licensing

Project Resources

Project Leader

Related Projects

Classifications

News and Events

Contributors

Volunteers

Acknowledgements

Getting Involved

Coding

Feedback

Events

Publications

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools