OWASP WAP-Web Application Protection

Instructions are in RED text and should be removed from your document by deleting the text with the span tags. This document is intended to serve as an example of what is required of an OWASP project wiki page. The text in red serves as instructions, while the text in black serves as an example. Text in black is expected to be replaced entirely with information specific to your OWASP project.

OWASP WAP - Web Application Protection Project

WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives.

Description

This is where you need to add your more robust project description. A project description should outline the purpose of the project, how it is used, and the value it provides to application security. Ideally, project descriptions should be written in such a way that there is no question what value the project provides to the software security community. This section will be seen and used in various places within the Projects Portal. Poorly written project descriptions therefore detract from a project’s visibility, so project leaders should ensure that the description is meaningful.

Licensing

This program is free software: you can redistribute it and/or modify it under the terms of the link GNU Affero General Public License 3.0 as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

Project Resources

This is where you can link to the key locations for project files, including setup programs, the source code repository, online documentation, a Wiki Home Page, threaded discussions about the project, and Issue Tracking system, etc.

Project Leader

Ibéria Medeiros

Related Projects

This is where you can link to other OWASP Projects that are similar to yours.

Classifications

News and Events

This is where you can provide project updates, links to any events like conference presentations, Project Leader interviews, case studies on successful project implementations, and articles written about your project.

The roadmap and its progress is the following: 1. Build a PHP parser to create an abstract syntax tree (AST) (progress: concluded) 2. Detect vulnerabilities using taint analysis under the AST (progress: concluded) These two phases can be enhanced by implementation of the new characteristics of the PHP language, such as of object oriented.

3. Predict false positives using data mining with a defined training data set (progress: concluded). This phase could be modified if the training data set to grow vertically and/or horizontally, i.e. more instances are included it and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the vulnerabilities inserting fixes in the right places of the source code (progress: partially concluded) This task needs some improvements when the line of the source code occupy more than 1 line.

5. Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted (progress: concluded) Additional Comments WAP is a static analysis tool that uses taint analysis to detect vulnerabilities, tracking malicious users inputs and checking if they reach calls of sensitive functions. The tool uses data mining to predict if a vulnerability detected by taint analysis is a false positive or a real vulnerability. The real vulnerabilities are removed by the correction of the source code, inserting fixes (small PHP functions developed to the effect) in the right places in the source code. The tool outputs: the vulnerabilities found and how they are corrected and the new files with the corrections; reports the false positives predicted. WAP detects the following vulnerabilities: - SQL injection using MySQL, PostgreSQL and DB2 DBMS - Reflected cross-site scripting (XSS) - Stored XSS - Remote file inclusion - Local file inclusion - Directory traversal - Source code disclosure - OS command injection - PHP code injection

Getting Involved

Coding

Feedback

OWASP WAP-Web Application Protection