WeVerca

Overview

Weverca is a static analysis framework for web applications written in PHP. The aim of the framework is to allow easy specification of precise static analyses. The framework has been used to develop a tool for securing web applications by reporting suspicious code constructs and commands.

Student projects

We offer bachelor and master thesis focusing on PHP verification. These include:

• Searching for security holes in wide-spread PHP frameworks, such as WordPress and Drupal.
• Implementation of new techniques and algorithm for PHP analysis.
• Implementation of new optimizations to existing algorithms.
• Any related work of student interest.

If interested, please drop an email to jan.kofron (at) d3s.mff.cuni.cz or come to the office 309, Mala Strana.

Related publications

Contributors

• Jan Kofroň <jan.kofron@d3s.mff.cuni.cz>
• David Hauzar <david.hauzar@d3s.mff.cuni.cz>
• Pavel Baštecký <anebril@seznam.cz)>
• Matyáš Brenner <matyas.brenner@post.cz>
• Marcel Kikta <maki007@gmail.com>
• David Škorvaga <dave-skorvaga@seznam.cz>
• Miroslav Vodolán <miravod@centrum.cz>
• Natália Tyrpáková <natalia.tyrpakova@gmail.com>

Repositories

• https://github.com/d3sformal/weverca

Downloads

• User documentation
• Developer Documentation
• Eclipse plugin
• Eclipse plugin Developer Documentation
• Eclipse plugin User Documentation
• WeVerca Binary

Contact

• Jan Kofroň

 @inproceedings{hauzar_dataflow_2014,
    title = {{Data-flow Analysis of Programs with Associative Arrays}},
    author = {Hauzar, David and Kofroň , Jan and Baštecký, Pavel},
    year = {2014},
    booktitle = {{Proceedings of ESSS 2014}},
    publisher = {EPTCS},
    doi = {10.4204/EPTCS.150.6},
    url = {https://arxiv.org/abs/1405.1116},
}
 

 @inproceedings{hauzar_framework_2015,
    title = {{Framework for Static Analysis of PHP Applications}},
    author = {Hauzar, David and Kofroň, Jan},
    year = {2015},
    booktitle = {{Proceedings of ECOOP 2015}},
    editor = {Boyland, John Tang},
    publisher = {Schloss Dagstuhl--Leibniz-Zentrum fuer Informatik},
    series = {{Leibniz International Proceedings in Informatics (LIPIcs)}},
    location = {Dagstuhl, Germany},
    doi = {10.4230/LIPIcs.ECOOP.2015.689},
    isbn = {978-3-939897-86-6},
    pages = {689--711},
    url = {http://drops.dagstuhl.de/opus/volltexte/2015/5243},
    volume = {37},
}
 

 @techreport{hauzar_hunting_report_2011,
    title = {{Hunting Bugs Inside Web Applications}},
    author = {Hauzar, David and Kofroň, Jan},
    year = {2011},
    institution = {Department of Informatics, KIT},
    number = {2011-26},
}
 

 @inproceedings{hauzar_security_2012,
    title = {{On Security Analysis of PHP Web Applications}},
    author = {Hauzar, David and Kofroň, Jan},
    year = {2012},
    booktitle = {{Proceedings of STPSA 2012}},
    doi = {10.1109/COMPSACW.2012.106},
    isbn = {978-1-4673-2714-5},
    pages = {577--582},
    url = {https://ieeexplore.ieee.org/document/6341638},
}
 

 @inproceedings{hauzar_weverca_2014,
    title = {{WeVerca: Web Applications Verification for PHP}},
    author = {Hauzar, David and Kofroň, Jan},
    year = {2014},
    booktitle = {{Proceedings of SEFM 2014}},
    editor = {Giannakopoulou, Dimitra and Salaün, Gwen},
    publisher = {Springer International Publishing},
    series = {{Lecture Notes in Computer Science}},
    doi = {10.1007/978-3-319-10431-7_24},
    isbn = {978-3-319-10430-0},
    pages = {296--301},
    url = {https://link.springer.com/chapter/10.1007/978-3-319-10431-7_24},
    shorttitle = {WeVerca},
}