Abstract:
To study semantics-based code auditing of Web applications, we designed a Web application audit system based on static analysis. The system is divided into two phases. The first phase is pre-compilation: using static analysis techniques, we transform the Web application's source code into an abstract syntax tree and then into a control flow graph suited to the second phase. The second phase is vulnerability discovery: with the control flow graph, we locate potentially vulnerable functions and trace the flow backwards from them for taint analysis. We propose lazy taint analysis to optimize the static vulnerability analysis process. Compared with the commercial version of the popular vulnerability analysis tool RIPS, this method achieves better vulnerability detection performance.
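The sink-driven ("lazy") taint analysis sketched in the second phase, as an added illustration that is not the paper's system: the checker below walks a Python AST, starts only at calls to known sink functions, and traces each argument backwards through assignments until it reaches an untrusted source or a sanitizer. The source, sink and sanitizer tables and the audited snippet are constructed for the example; the analysis is intra-procedural and flow-insensitive, so it only claims correctness for straight-line code.

```python
import ast
SOURCES = {"request.args.get", "request.form.get"}  # assumed untrusted-input APIs
SINKS = {"os.system", "cursor.execute"}             # assumed dangerous consumers
SANITIZERS = {"shlex.quote", "int"}                 # assumed cleaning calls

def dotted(node):
    """Render a Name/Attribute chain as 'a.b.c'; None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute) and (base := dotted(node.value)):
        return f"{base}.{node.attr}"
    return None

def is_tainted(expr, defs, seen=frozenset()):
    """Backward trace: does expr depend on a SOURCE with no SANITIZER between?"""
    if isinstance(expr, ast.Call):
        name = dotted(expr.func)
        if name in SANITIZERS:
            return False                    # a cleaning call ends the trace
        if name in SOURCES:
            return True
        return any(is_tainted(a, defs, seen) for a in expr.args)
    if isinstance(expr, ast.Name):          # follow the variable's last definition
        return (expr.id in defs and expr.id not in seen
                and is_tainted(defs[expr.id], defs, seen | {expr.id}))
    return any(is_tainted(c, defs, seen)   # BinOp, f-string, tuple, subscript ...
               for c in ast.iter_child_nodes(expr))

def find_vulnerable_sinks(code):
    """Lazy, sink-driven scan: trace back only from SINK calls, not forward from
    every source. Flow-insensitive (last assignment wins): straight-line code."""
    tree = ast.parse(code)
    defs = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            defs[node.targets[0].id] = node.value
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and dotted(node.func) in SINKS:
            if any(is_tainted(a, defs) for a in node.args):
                hits.append((node.lineno, dotted(node.func)))
    return sorted(hits)

SAMPLE = """user = request.args.get("user")
safe = shlex.quote(user)
os.system("id " + safe)
cmd = "ping " + user
os.system(cmd)
cursor.execute("SELECT 1 WHERE id=%s", (int(user),))"""  # constructed input

VULNERABLE = find_vulnerable_sinks(SAMPLE)   # [(5, 'os.system')]
```

Only the second `os.system` call is reported: the first is cleared by the sanitizer on line 2 and the query argument is cleared by `int()`, so backward tracing from sinks does the same work as forward propagation from sources while visiting far fewer nodes.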