Saturday 19 January 2013

Taking a look at how AppScan Source creates WAFL files for ASP.NET ASMX WebServices

To understand how to improve AppScan Source's support for ASP.NET-based frameworks (see Ian's post Extending AppScan's Web Application Framework to support ASP.NET MVC), a good place to start is to look at how AppScan Source already does (a bit of) that for ASP.NET *.asmx-based WebServices, where it is able to successfully create Tainted Callbacks for methods tagged with the [WebMethod] attribute.
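To make the idea of a tainted callback concrete, here is an added example (not from the original post, and not how F4F itself is implemented): a small Python scan over a constructed ASMX code-behind that lists the [WebMethod] entry points whose parameters an analyzer has to treat as tainted. The sample class, the `find_web_methods` helper and the regex are assumptions made for illustration.

```python
import re

# Constructed sample of an ASMX code-behind file (not taken from the post).
SAMPLE_ASMX_CS = '''
using System.Web.Services;

public class AccountService : WebService
{
    [WebMethod]
    public string GetBalance(string accountId, int year)
    {
        return Lookup(accountId, year);
    }

    [WebMethod(Description = "Ping")]
    public string Ping()
    {
        return "pong";
    }

    public string Helper(string raw)   // no [WebMethod]: not exposed by the service
    {
        return raw.Trim();
    }
}
'''

# Textual approximation only: [WebMethod] or [WebMethod(...)] directly
# followed by a public method signature with simple parameter types.
WEBMETHOD_RE = re.compile(
    r'\[\s*WebMethod\s*(?:\([^\]]*\))?\s*\]\s*'
    r'public\s+(?:static\s+)?(?P<ret>[\w<>\[\],.]+)\s+(?P<name>\w+)\s*'
    r'\((?P<params>[^)]*)\)')

def find_web_methods(source):
    """Return one entry per [WebMethod]; each parameter is caller-controlled input."""
    entries = []
    for m in WEBMETHOD_RE.finditer(source):
        params = []
        for p in filter(None, (x.strip() for x in m.group('params').split(','))):
            ptype, pname = p.rsplit(None, 1)   # "string accountId" -> type, name
            params.append((ptype, pname))
        entries.append({'method': m.group('name'), 'returns': m.group('ret'),
                        'tainted_params': params})
    return entries

if __name__ == '__main__':
    for e in find_web_methods(SAMPLE_ASMX_CS):
        print(e['method'], '<- tainted:', [n for _, n in e['tainted_params']])
```

Methods without the attribute, such as `Helper` in the sample, are not reported, which mirrors why the attribute is the marker a framework model keys on.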

AppScan Source uses the powerful IBM research technology called F4F (Framework For Frameworks) which in practice is a bunch of *.jar files that create WAFL files.



If you have access to a box with a copy of AppScan Source, find these files.

image

And drop them into a Java decompiler, like the JAD-based one from O2 (used in the screenshot below).

And take a look at the com.ibm.appscan.frameworks.aspdotnet.jar file:

image

For example here is the function that seems to be doing all the heavy lifting:

image

References on F4F and WAFL: