OWASP WAP-Web Application Protection

=Main=





OWASP WAP - Web Application Protection Project
WAP is a tool that detects and corrects input validation vulnerabilities in web applications written in PHP, and predicts which of its findings are false positives. It combines source code static analysis with data mining: the static analysis detects the vulnerabilities, and the data mining predicts the false positives.

Description
This is where you need to add your more robust project description. A project description should outline the purpose of the project, how it is used, and the value it provides to application security. Ideally, project descriptions should be written in such a way that there is no question what value the project provides to the software security community. This section will be seen and used in various places within the Projects Portal. Poorly written project descriptions therefore detract from a project’s visibility, so project leaders should ensure that the description is meaningful.

Licensing
This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License 3.0 as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.



Project Resources
This is where you can link to the key locations for project files, including setup programs, the source code repository, online documentation, a Wiki Home Page, threaded discussions about the project, and Issue Tracking system, etc.

Project Leader
Ibéria Medeiros [mailto:ibemed@gmail.com Email] Homepage

Related Projects
This is where you can link to other OWASP Projects that are similar to yours.

Classifications


News and Events
This is where you can provide project updates, links to any events like conference presentations, Project Leader interviews, case studies on successful project implementations, and articles written about your project.



=FAQs=

Many projects have "Frequently Asked Questions" documents or pages. However, the point of such a document is not the questions. The point of a document like this is the answers. The document contains the answers that people would otherwise find themselves giving over and over again. The idea is that rather than laboriously composing and posting the same answers repeatedly, people can refer to this page with pre-prepared answers. Use this space to communicate your project's 'Frequent Answers.'

= Acknowledgements =

Contributors

 * [mailto:ibemed@gmail.com Ibéria Medeiros]

= Road Map and Getting Involved =

The roadmap and its progress are as follows:

1. Build a PHP parser to create an abstract syntax tree (AST) (progress: concluded)

2. Detect vulnerabilities using taint analysis over the AST (progress: concluded). These two phases can be enhanced by implementing newer characteristics of the PHP language, such as object orientation.

3. Predict false positives using data mining with a defined training data set (progress: concluded). This phase could be modified if the training data set grows vertically and/or horizontally, i.e. if more instances are added to it and/or new attributes that characterize false positives are added to the instances.

4. Correct the source code, removing the vulnerabilities by inserting fixes in the right places (progress: partially concluded). This task needs improvement for statements that span more than one line of source code.

5. Output the results: the vulnerabilities found, their corrections and the new corrected files, and the predicted false positives (progress: concluded).

Additional Comments

WAP is a static analysis tool that uses taint analysis to detect vulnerabilities: it tracks malicious user inputs and checks whether they reach calls to sensitive functions. The tool uses data mining to predict whether a vulnerability detected by taint analysis is a false positive or a real vulnerability. Real vulnerabilities are removed by correcting the source code, inserting fixes (small PHP functions developed for the purpose) in the right places. The tool outputs the vulnerabilities found, how they were corrected and the new files with the corrections, and reports the predicted false positives.

WAP detects the following vulnerabilities:

- SQL injection using MySQL, PostgreSQL and DB2 DBMS

- Reflected cross-site scripting (XSS)

- Stored XSS

- Remote file inclusion

- Local file inclusion

- Directory traversal

- Source code disclosure

- OS command injection

- PHP code injection
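To make the detection and correction steps concrete, the following is an added toy example and not WAP's own code (WAP is a Java tool with a full PHP parser; this is a few regexes over a small PHP subset). It marks values read from $_GET/$_POST as tainted, propagates taint through assignments, clears the relevant vulnerability class when a sanitizer such as mysql_real_escape_string or htmlentities wraps the value, reports sinks that tainted data reaches, and wraps the offending argument in a sanitizer the way a fix would be inserted. The source, sanitizer and sink tables, the fix functions and the PHP input are all constructed assumptions for illustration; file-inclusion findings are only reported, not fixed.

```python
import re

# Toy taint analysis in the spirit of WAP's step 2 (detection) and step 4 (correction).
# Constructed example: the statement "parser" is a handful of regexes over a PHP subset,
# not WAP's AST-based parser, and the source/sanitizer/sink tables are illustrative.

ALL = frozenset({"sqli", "xss", "fi"})        # vulnerability classes tracked here
SOURCES = ("$_GET", "$_POST", "$_COOKIE", "$_REQUEST")
SANITIZERS = {                                # function -> classes it neutralises
    "mysql_real_escape_string": {"sqli"},
    "htmlentities": {"xss"},
    "intval": ALL,
}
SINKS = {"mysql_query": "sqli", "echo": "xss", "include": "fi", "require": "fi"}
FIXES = {"sqli": "mysql_real_escape_string", "xss": "htmlentities"}  # fi: report only

VAR = re.compile(r"\$[A-Za-z_]\w*(?:\[[^\]]*\])?")   # matches $x or $_GET['k']
ASSIGN = re.compile(r"^\s*(\$[A-Za-z_]\w*)\s*=\s*(.+?);\s*$")
CALL = re.compile(r"^\s*(\w+)\s*(.*?);\s*$")


def taint_of_expr(expr, env):
    """Vulnerability classes the value of `expr` may carry, given variable taints `env`."""
    taint = set()
    if any(s in expr for s in SOURCES):          # direct read of user input
        taint |= ALL
    for v in VAR.findall(expr):                  # taint flows from tainted variables
        taint |= env.get(v, set())
    # a sanitizer wrapping the expression strips the classes it handles
    m = re.match(r"^\s*(\w+)\s*\(", expr)
    if m and m.group(1) in SANITIZERS:
        taint -= SANITIZERS[m.group(1)]
    return taint


def apply_fix(line, vuln, env):
    """Wrap each variable carrying `vuln` taint in the fix function for that class."""
    fix = FIXES.get(vuln)
    if fix is None:
        return line                              # no automatic fix in this toy

    def wrap(m):
        v = m.group(0)
        tainted = v.startswith(SOURCES) or vuln in env.get(v, set())
        return f"{fix}({v})" if tainted else v

    return VAR.sub(wrap, line)


def analyze(php_lines):
    """Return (findings, corrected_lines); findings are (line_no, class, statement)."""
    env, findings, fixed = {}, [], []
    for no, line in enumerate(php_lines, 1):
        m = ASSIGN.match(line)
        if m:
            env[m.group(1)] = taint_of_expr(m.group(2), env)   # propagate taint
            fixed.append(line)
            continue
        c = CALL.match(line)
        if c and c.group(1) in SINKS:
            args = c.group(2)
            if args.startswith("(") and args.endswith(")"):
                args = args[1:-1]
            vuln = SINKS[c.group(1)]
            if vuln in taint_of_expr(args, env):          # tainted data reaches a sink
                findings.append((no, vuln, line.strip()))
                line = apply_fix(line, vuln, env)
        fixed.append(line)
    return findings, fixed


# Constructed vulnerable PHP input (not one of WAP's bundled example files)
SAMPLE_PHP = """<?php
$id = $_GET['id'];
$safe_id = mysql_real_escape_string($id);
$name = $_POST['name'];
mysql_query("SELECT * FROM users WHERE id=" . $id);
mysql_query("SELECT * FROM users WHERE id=" . $safe_id);
echo "Hello " . $name;
echo htmlentities($name);
include $_GET['page'];""".splitlines()

if __name__ == "__main__":
    found, corrected = analyze(SAMPLE_PHP)
    for no, vuln, stmt in found:
        print(f"line {no}: {vuln} in `{stmt}`")
    print("\n".join(corrected))
```

Running it reports an SQL injection on line 5, a reflected XSS on line 7 and a file inclusion on line 9, while the two sanitized sinks on lines 6 and 8 produce nothing; the corrected output wraps `$id` in `mysql_real_escape_string` and `$name` in `htmlentities` at the sink. The data-mining step that WAP applies to classify such findings as false positives is not modelled here.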

Feedback
=Minimum Viable Product=

The delivery of the project is a zip or tar.gz file containing:

- a jar file with the WAP tool;

- a plain text file with instructions on how to install and use the tool;

- vulnerable PHP example files that demonstrate how the tool works;

- the source code of the tool.

The tool works on different operating systems (Linux, OS X and Windows) and is available at http://awap.sourceforge.net

The only requirement to run the tool is the JRE (Java Runtime Environment), which can be downloaded at http://www.oracle.com