Web Application Protection with the WAP Tool

Abstract

In two decades the web became a standard framework for Internet applications. This involved changing from an initially simple hypermedia access platform to a complex blob of different technologies. This complexity, combined with the increasing filtering of TCP/UDP ports everywhere in the Internet, turned web applications into favourite targets for cyber-criminals. The Web Application Protection (WAP) tool aims to secure web applications by analysing and automatically fixing their source code [1]. WAP currently handles PHP code, in which most web applications are written. As of April 2014, WAP has been used to process more than 1.5 million lines of code. This short paper briefly presents the tool and ongoing work on evolving it.

I. THE WAP APPROACH

The WAP approach brings to source code analysis a tension observed in Intrusion Detection Systems (IDSs). These systems have been classified in two main categories. Knowledge-based IDSs contain a database of attack signatures created manually by human beings. Behaviour-based IDSs, on the contrary, learn about attacks – or normal behaviour – automatically using labelled data sets. Our approach uses a hybrid of two analogous approaches.

WAP searches for input validation vulnerabilities in PHP source code: cross-site scripting (XSS), SQL injection, remote and local file inclusion, path traversal, OS command injection, and a few more. First, the tool has knowledge crafted manually about how to find these vulnerabilities. More specifically, it does taint analysis: it verifies if inputs can reach sensitive functions (sensitive sinks) without proper sanitisation or validation (taint analysis in Fig. 1). The lists of input entry points, sensitive sinks, and sanitisation/validation functions are produced by humans. Examples for XSS are in Table I.

TABLE I. Entry points, sensitive sinks and sanitisation functions for XSS

Entry points    Sensitive sinks    Sanitisation functions
$_GET           echo               htmlentities
$_POST          print              htmlspecialchars
$_COOKIE        printf             strip_tags
$_REQUEST       die                urlencode
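To make the taint-analysis idea concrete, the following is an added example (not code from the WAP project, which works on a full PHP abstract syntax tree) of the core rule Table I encodes: a value read from an entry point is tainted, taint propagates through assignments, a sanitisation function clears it, and a tainted value reaching a sensitive sink is reported. The toy analyser below walks a constructed PHP snippet line by line and only understands simple `$var = expr;` statements and single-statement sink calls; the lists of entry points, sinks and sanitisers are taken from Table I, and the sample program is constructed for this illustration.

```python
import re

# Lists from Table I (XSS). A real tool would load these per vulnerability class.
ENTRY_POINTS = {"$_GET", "$_POST", "$_COOKIE", "$_REQUEST"}
SENSITIVE_SINKS = {"echo", "print", "printf", "die"}
SANITISERS = {"htmlentities", "htmlspecialchars", "strip_tags", "urlencode"}

ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=\s*(.+?);\s*$")
SINK_RE = re.compile(r"^\s*(echo|print|printf|die)\b\s*\(?(.*?)\)?\s*;\s*$")
VAR_RE = re.compile(r"\$\w+")
CALL_RE = re.compile(r"\b(\w+)\s*\(")


def strip_sanitised(expr):
    """Remove every sanitiser(...) call, including its balanced argument list.

    Whatever survives is the part of the expression that flows to the result
    unsanitised, so taint is judged on the remainder only.
    """
    out, i = "", 0
    while i < len(expr):
        m = CALL_RE.match(expr, i)
        if m and m.group(1) in SANITISERS:
            depth, j = 0, m.end() - 1  # j points at the opening '('
            while j < len(expr):
                if expr[j] == "(":
                    depth += 1
                elif expr[j] == ")":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            i = j + 1  # skip the whole sanitised call
            continue
        out += expr[i]
        i += 1
    return out


def expr_is_tainted(expr, tainted_vars):
    """An expression is tainted if, outside sanitiser calls, it reads an entry
    point or references a variable already known to be tainted."""
    rest = strip_sanitised(expr)
    if any(ep in rest for ep in ENTRY_POINTS):
        return True
    return any(v in tainted_vars for v in VAR_RE.findall(rest))


def analyse(php_lines):
    """Return (line number, sink, argument) for every tainted value reaching a sink."""
    tainted, findings = set(), []
    for lineno, line in enumerate(php_lines, 1):
        m = ASSIGN_RE.match(line)
        if m:
            var, rhs = m.groups()
            if expr_is_tainted(rhs, tainted):
                tainted.add(var)
            else:
                tainted.discard(var)  # re-assignment with a clean value clears taint
            continue
        m = SINK_RE.match(line)
        if m:
            sink, arg = m.groups()
            if expr_is_tainted(arg, tainted):
                findings.append((lineno, sink, arg.strip()))
    return findings


# Constructed sample: lines 6, 7 and 11 are the only ones that reach a sink tainted.
PHP_SAMPLE = """\
<?php
$name = $_GET['name'];
$safe = htmlentities($_GET['name']);
$copy = $name;
echo "Hello " . $safe;
echo "Hello " . $copy;
print $name;
$name = "anonymous";
echo $name;
printf("%s", strip_tags($_POST['bio']));
die($_REQUEST['msg']);
""".splitlines()

if __name__ == "__main__":
    for lineno, sink, arg in analyse(PHP_SAMPLE):
        print(f"line {lineno}: tainted value reaches sink {sink}({arg})")
```

The analysis is flow-sensitive in the simplest sense: `$name` is reported at line 7 but not at line 9, because the clean re-assignment on line 8 removed it from the tainted set, while `$copy` keeps the taint it inherited on line 4. Note that a sanitiser only clears taint for the argument it wraps; `"Hello " . htmlentities($a) . $b` stays tainted if `$b` is.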
