• Wafer stands for Web Application Framework for Exploring, Exposing and Eliminating Risks.

    How it works

    This project develops and uses static analysis techniques to detect several types of security flaws in large Java Enterprise Edition (JEE) web applications. Common security flaws detected by Wafer, as listed in the OWASP Top 10, include SQL injection, cross-site scripting and path traversal. To improve its detection power, Wafer adds support for constructs that are common in web applications, but are typically hard to analyse statically.
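The source-to-sink reasoning behind this kind of detection, as an added illustration that is not Wafer's or Parfait's code: a toy forward taint analysis over a constructed straight-line IR standing in for a servlet body, where request parameters are sources, query execution and response output are sinks, and an assumed `escapeHtml` call is the only sanitizer.

```python
# Added example (not Wafer's code): minimal forward taint analysis over a
# constructed three-address IR. Each instruction is (dest, op, args); args
# prefixed "LIT:" are string literals and are never tainted.
SOURCES = {"getParameter", "getHeader"}   # untrusted HttpServletRequest data
SANITIZERS = {"escapeHtml"}               # assumed: output is treated as clean
SINKS = {                                 # op -> flaw class reported
    "executeQuery": "SQL injection",
    "print": "cross-site scripting",
    "newFile": "path traversal",
}

def analyze(program):
    """Return [(instr_index, flaw, tainted_args)] for every sink fed by a source."""
    tainted = set()
    findings = []
    for idx, (dest, op, args) in enumerate(program):
        if op in SOURCES:
            tainted.add(dest)
        elif op in SANITIZERS:
            tainted.discard(dest)         # strong update: sanitizer result is clean
        elif op in SINKS:
            bad = [a for a in args if a in tainted]
            if bad:
                findings.append((idx, SINKS[op], bad))
        else:                             # concat / assign / other call: propagate
            if any(a in tainted for a in args):
                tainted.add(dest)
            else:
                tainted.discard(dest)
    return findings

# Constructed servlet: query built by concatenation, parameter echoed unescaped.
VULNERABLE = [
    ("user", "getParameter", ["request", "LIT:user"]),
    ("q", "concat", ["LIT:SELECT * FROM users WHERE name='", "user", "LIT:'"]),
    ("rs", "executeQuery", ["stmt", "q"]),
    ("name", "getParameter", ["request", "LIT:name"]),
    ("_", "print", ["out", "name"]),
]

# Same servlet with the parameter bound via PreparedStatement.setString and
# the echoed value passed through the assumed escapeHtml sanitizer.
FIXED = [
    ("user", "getParameter", ["request", "LIT:user"]),
    ("_", "setString", ["pstmt", "LIT:1", "user"]),
    ("rs", "executeQuery", ["pstmt"]),
    ("name", "getParameter", ["request", "LIT:name"]),
    ("safe", "escapeHtml", ["name"]),
    ("_", "print", ["out", "safe"]),
]

if __name__ == "__main__":
    for label, prog in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(label, analyze(prog))
```

The analysis is intraprocedural and flow-sensitive only for straight-line code; the framework-aware, whole-program handling the project describes is what makes this tractable on real JEE applications.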

    Our main challenges

    As with many similar projects, scalability for large codebases is a major challenge. The highly dynamic and decoupled nature of JEE web applications is another challenge for static analysis because it makes their runtime behavior unpredictable.


    We initially branched off from the Parfait static bug detector to support analysis of server-side Java code in JEE applications. One of the key challenges is to support different frameworks and libraries so as to improve the accuracy and performance of the analysis.

    To find out more, contact Paddy Krishnan.



  • Aug 2016 - Jan 2017: Johannes Späth
  • Nov 2015 - Apr 2016: Anthony Steinhauser