• Wafer stands for Web Application Framework for Exploring, Exposing and Eliminating Risks.

    How it works

    This project develops and uses static analysis techniques to detect several types of security flaws in large Java Enterprise Edition (JEE) web applications. Common security flaws detected by Wafer, as listed in the OWASP Top 10, include SQL injection, cross-site scripting and path traversal. To improve its detection power, Wafer adds support for constructs that are common in web applications but typically hard to analyse statically.

    Our main challenges

    As with many similar projects, scalability for large codebases is a major challenge. The highly dynamic and decoupled nature of JEE web applications is another challenge for static analysis because it makes their runtime behavior unpredictable.


    We initially branched off from the Parfait static bug detector to support analysis of server-side Java code in JEE applications, but web applications are composed of a server and a client. In the last year, we started looking at support for client-side JavaScript code too. JavaScript analysis poses great research challenges from a program analysis perspective. Our long-term goal is to develop analyses to track the flow of values from the browser code to the server code and back again.

    To find out more, contact François Gauthier.


  • Mar 2014 - Dec 2016: Chenyi Zhang
  • Feb 2015 - Oct 2016: Vladimir Silchanka


  • Aug 2016 - Jan 2017: Johannes Späth
  • Nov 2015 - Apr 2016: Anthony Steinhauser