WAP 2.0 (Web Application Protection) is a source code static analysis and data mining tool to detect and correct input validation vulnerabilities in web applications written in PHP (version 4.0 or higher) with a low rate of false positives. This tool does taint analysis (data-flow analysis) to detect the input validation vulnerabilities. The aim of the taint analysis is to track malicious inputs inserted at the entry points of the web application ($_GET, $_POST arrays) and to verify if they reache some sensitive sink (PHP functions that can be exploited by malicious input). After the detection, the tool uses data mining to confirm if the vulnerabilities are real or false positives. At the end, the real vulnerabilities are automatically corrected with the insertion of the fixes (small pieces of code) in the source code.
