Weverca – Web verification for PHP


David Hauzar david.hauzar<at-sign>d3s.mff.cuni.cz
Jan Kofroň jan.kofron<at-sign>d3s.mff.cuni.cz
Pavel Bašteckýanebril<at-sign>seznam.cz
Matyáš Brennermatyas.brenner<at-sign>post.cz
Marcel Kiktamaki007<at-sign>gmail.com
David Škorvagadave-skorvaga<at-sign>seznam.cz
Miroslav Vodolánmiravod<at-sign>centrum.cz
Natália Tyrpákovánatalia.tyrpakova<at-sign>gmail.com


Weverca is a static analysis framework for web applications written in PHP. The aim of the framework is to allow easy specification of precise static analyses. The framework has been used to develop a tool for securing web applications by reporting suspicious code constructs and commands.

Live demo

You can try out our tool via a web interface here (frequently updated developer build): http://perun.ms.mff.cuni.cz/weverca


Framework and tool

Source codes, version 20150804

Binary distribution, version 20150528 (requires .NET 4.5+ or Mono 3+)

User documentation

Programmer documentation

Eclipse plugin

Update site, version 20140829 (requires framework, version 20140829)

User documentation

Programmer documentation

Student projects

We offer bachelor and master thesis focusing on PHP verification. This includes:

  • Searching for security holes in wide-spread PHP frameworks, such as WordPress and Drupal.
  • Implementation of new techniques and algorithm for PHP analysis.
  • Implementation of new optimizations to existing algorithms.
  • Any related work of student interest.

If interested, please drop an email to jan.kofron (at) d3s.mff.cuni.cz or come to the office 309, Mala Strana.


2015 (1)

Refereed (journals/proceedings)

PDF Hauzar D., Kofroň J.: Framework for Static Analysis of PHP Applications,
In Proceedings of the 29th European Conference on Object-Oriented Programming (ECOOP 2015), July 2015

2014 (3)

Refereed (journals/proceedings)

PDF Hauzar D., Kofroň J., Baštecký P.: Data-flow Analysis of Programs with Associative Arrays,
In Proceedings of the International Workshop on Engineering Safety and Security Systems (ESSS'14), Singapore, EPTCS, May 2014
PDF Hauzar D., Kofroň J.: WeVerca: Web Applications Verification for PHP (Tool Paper),
In proceedings of the 12th International Conference on Software Engineering and Formal Methods (SEFM'14), Grenoble, France. LNCS, September 2014

Ph.D. Theses

PDF Hauzar D.: Towards Static Analysis of Languages with Dynamic Features,
Ph.D. thesis, advisor: František Plášil, September 2014

2012 (1)

Refereed (journals/proceedings)

PDF Hauzar D., Kofroň J.: On Security Analysis of PHP Web Applications,
In Proceedings of STPSA 2012, Izmir, Turkey. IEEE, July 2012

2011 (1)

Technical Reports

PDF Hauzar D., Kofroň J.: Hunting Bugs Inside Web Applications,
Formal Verification of Object-Oriented Software, Technical report, Department of Informatics, KIT, 2011-26, October 2011
Logo of Faculty of Mathematics and Physics
  • Phone: +420 951 554 267, +420 951 554 236
  • Email: info<at-sign>d3s.mff.cuni.cz
  • How to find us?
Modified on 2016-02-11