• Wafer stands for Web Application Framework for Exploring, Exposing and Eliminating Risks.

    How it works

    This project develops and uses static analysis techniques to detect several types of security flaws in large Java Enterprise Edition (JEE) web applications. Common security flaws detected by Wafer, as listed in the OWASP Top 10, include SQL injection, cross-site scripting and path traversal. To improve its detection power, Wafer extends the Parfait static bug detector by adding support for constructs that are common in web applications, but are typically hard to analyse statically.
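The three flaw classes named above are all source-to-sink taint problems: an untrusted request parameter reaches a database query, a response body, or a file path without going through a sanitiser. The following servlet is an added illustration, not code from Wafer or Parfait; it places the vulnerable form of each pattern next to a hardened form, which is the distinction a taint-based static detector has to draw. Class and method names, the `/var/app/reports` base directory and the use of the `javax.servlet` API are assumptions made for the example.

```java
import java.io.File;
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet constructed for illustration; not part of Wafer or Parfait.
public class ReportServlet extends HttpServlet {
    // Assumed base directory for the path-traversal example.
    private static final File REPORT_DIR = new File("/var/app/reports");

    // VULNERABLE (SQL injection): the request parameter (taint source) is
    // concatenated into the query string that reaches executeQuery (sink).
    String findEmailUnsafe(Connection db, HttpServletRequest req) throws SQLException {
        String name = req.getParameter("name");
        try (Statement st = db.createStatement();
             ResultSet rs = st.executeQuery(
                     "SELECT email FROM users WHERE name = '" + name + "'")) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    // HARDENED: the value is bound as a parameter, so tainted data never
    // becomes part of the SQL text the sink receives.
    String findEmailSafe(Connection db, HttpServletRequest req) throws SQLException {
        String name = req.getParameter("name");
        try (PreparedStatement ps = db.prepareStatement(
                "SELECT email FROM users WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    // VULNERABLE (path traversal): the parameter flows straight into a File path.
    File reportUnsafe(HttpServletRequest req) {
        return new File(REPORT_DIR, req.getParameter("id"));
    }

    // HARDENED: canonicalise the resulting path and require that it still
    // lies under the base directory; ".." segments are resolved before the check.
    File reportSafe(HttpServletRequest req) throws IOException {
        String id = req.getParameter("id");
        if (id == null || id.isEmpty()) {
            throw new IOException("missing report id");
        }
        File base = REPORT_DIR.getCanonicalFile();
        File f = new File(base, id).getCanonicalFile();
        if (!f.getPath().startsWith(base.getPath() + File.separator)) {
            throw new IOException("path escapes report directory");
        }
        return f;
    }

    // Reflected XSS: the vulnerable form would write the raw parameter into the
    // HTML body; the hardened form encodes it first (sanitiser between source and sink).
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");
        // VULNERABLE: resp.getWriter().print("<p>Hello " + req.getParameter("name") + "</p>");
        resp.getWriter().print("<p>Hello " + htmlEscape(req.getParameter("name")) + "</p>");
    }

    // Minimal HTML text-context encoder; a production application would use a
    // maintained library (e.g. the OWASP Java Encoder) rather than this helper.
    static String htmlEscape(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

In each pair the source and the sink are identical; only the presence of a sanitiser (parameter binding, canonical-path containment, output encoding) on the data-flow path separates the safe version from the vulnerable one. Recognising those sanitisers, and following the flow through the framework plumbing that sits between `getParameter` and the sink in a real JEE application, is exactly what makes these flaws hard to detect statically.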

    Key Research Challenges

    As with many similar projects, scalability for large codebases is a major challenge. The highly dynamic and decoupled nature of JEE web applications is another challenge for static analysis.

    We are investigating techniques that will enable Wafer to support different frameworks and libraries, improving both the accuracy and the performance of the analysis. We are also exploring modular and incremental analysis so that Wafer can give developers timely feedback.

    To find out more, contact Paddy Krishnan.



  • Aug 2016 - Jan 2017: Johannes Späth
  • Nov 2015 - Apr 2016: Anthony Steinhauser