OWASP WAP-Web Application Protection

=Main=



{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

OWASP WAP - Web Application Protection Project
WAP is a tool to detect and correct input validation vulnerabilities in web applications written in PHP and predicts false positives. The tool combines source code static analysis and data mining to detect vulnerabilities and predict false positives. Then, corrects the source code to remove the real vulnerabilities inserting fixes (small functions) in the right places of the source e code.

Introduction

 * OWASP WAP is a security tool to detect and remove input validation vulnerabilities in web applications, and predict false positives.
 * Uses source code static analysis to detect vulnerabilities, data mining to predict false positives and inserts fixes to correct the source code.
 * Detects and corrects 8 types of input validation vulnerabilities.
 * Teaches the user to build secure software.
 * Works on Linux, Macintosh and Windows.
 * Requires JRE to run.
 * Portable, ready to run and no installation required.

Description
This is where you need to add your more robust project description. A project description should outline the purpose of the project, how it is used, and the value it provides to application security. Ideally, project descriptions should be written in such a way that there is no question what value the project provides to the software security community. This section will be seen and used in various places within the Projects Portal. Poorly written project descriptions therefore detract from a project’s visibility, so project leaders should ensure that the description is meaningful.

Licensing
This program is free software: you can redistribute it and/or modify it under the terms of the link GNU Affero General Public License 3.0 as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.


 * valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

Project Resources
http://awap.sourceforge.net

Project Leader
Ibéria Medeiros

Related Projects
This is where you can link to other OWASP Projects that are similar to yours.

Classifications

 * valign="top" style="padding-left:25px;width:200px;" |

News and Events
This is where you can provide project updates, links to any events like conference presentations, Project Leader interviews, case studies on successful project implementations, and articles written about your project.


 * }

=FAQs=

None, for now...

= Acknowledgements =

Contributors
OWASP WAP - Web Application Protection is brought to you by OWASP, a free and open software security community focusing on improving the security of software. Our goal with OWASP WAP project is to build secure software, by the detection of web application vulnerabilities and removing of them by the correction of web application source code. OWASP WAP - Web Application Protection project is led by Ibéria Medeiros, a software security developer and enthusiast.

Volunteers
The project is open source and who want to join to the development team, please contact the project leader by sending her an [mailto:ibemed@gmail.com email].

= Road Map and Getting Involved = The main goals are:
 * 1) Demonstrate using the tool that there is a lack of software security in the development of web applications,
 * 2) Help programmers to learn the need of secure codding practices, which are these practices and how they are implemented.
 * 3) Help programmers learn to build secure software.
 * 4) Become a test bed for analyzing the QoS security of source code of web application.
 * 5) Become a tool to teach software security in web application in a class room/lab environment.
 * 6) Attract people to extend the WAP tool to detect and correct new types of vulnerabilities,

The phases of development of the WAP tool:
 * 1) Build a PHP parser to create an abstract syntax tree (AST).
 * 2) Detect candidates vulnerabilities using taint analysis under the AST.
 * 3) Predict if the candidates vulnerabilities are false positives or not, using for this data mining with a defined training data set.
 * 4) Correct the source code, removing the real vulnerabilities inserting fixes in the right places of the source code.
 * 5) Output the results: vulnerabilities found, its correction and the new corrected files; and the false positives predicted.

Involvement in the development and promotion of OWASP WAP is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help:
 * Spread the word - Facebook, Twitter, Google+ or any other communication platform.
 * Write about OWASP WAP on your web site, book or blog.
 * Mention it in your resume - It helps you, it helps the company and it helps us and thus everybody wins.
 * Make tutorials/videos of WAP tool in languages you know of.
 * Include it in your training materials, talks, laboratories etc.

However, you can also help if you wish extending the WAP tool with a new module or even improving some part (s) of it.

=Download= The delivery of the project is a zip or tar.gz file containing:
 * a jar file with the WAP tool;
 * plain text file with the indications how to install and use the tool;
 * vulnerable PHP example files to demonstrate how to work the tool;
 * the source code of the tool.

The tool works in different operating systems -- Linux, OSx and Windows -- and is available at http://awap.sourceforge.net

The requirements to run the tool are only the JRE (Java Runtime Enviroment), which can be downloaded at http://www.oracle.com. No installation required.