
A Study of Methods and Tools for Analyzing Security Vulnerabilities in Web Applications (網站應用程式安全性弱點分析方法與工具之研究)

Advisor: 蔡益坤

Abstract (translated from the Chinese)


As part of the infrastructure of the global economy, Web applications provide a virtual platform that serves as a bridge for communication between users, which makes them highly important. However, the problem of security vulnerabilities on the Web is growing more serious by the day and has a negative effect on the development of Web applications. Inspecting the source code of a Web application during development is one way to address this problem, but manual source code review is time-consuming and labour-intensive, human error leads to inaccurate results, and the reviewers must have a background in information security. Hence the need for automated source code analysis tools. Early automated methods and tools were applied only to conventional software and were extended to Web applications later, and to date there has been little research evaluating the accuracy of static methods and tools. In other words, a static tool developer who claims that their method and tool are efficient and effective, without comparing them against other tools, is not convincing. The purpose of this thesis is to evaluate the accuracy of four existing static analysis methods and tools. To this end, we designed a set of benchmark programs containing source code with security vulnerabilities (for example cross-site scripting and SQL injection); the benchmark programs also exercise a variety of data structures and control flow statements. More specifically, we use the benchmark programs we designed to evaluate the performance of existing static methods and tools, and present statistically how accurately each tool handles particular categories of security vulnerability. Finally, we consolidate the results of the four static analysis methods and tools to identify the shortcomings of existing static methods and tools, in order to assist the future development of such methods and tools.

Abstract (English)


As part of the infrastructure of the global economy, Web applications are of the utmost importance: they provide a virtual space in which end users communicate with one another. A negative side of this development is that the number of security vulnerabilities keeps growing. One way to address the problem is to review program source code as part of the development process. Manual code review, however, is time-consuming, error-prone, and costly, and the reviewers need a security background. There is therefore an urgent need for automated tools that check whether a Web application is vulnerable. Automated analysis methods were first applied to conventional software and later extended to Web applications, but little research has evaluated how accurate each tool actually is. Developers naturally claim that their tools are effective and efficient, yet they do not compare their tool with others. The objective of this thesis is to evaluate the accuracy of existing static analysis tools. To this end, we build benchmark cases of code containing vulnerabilities such as cross-site scripting and SQL injection; some benchmark cases deliberately contain no vulnerable code, so that any report a tool produces for them is a false positive. We use these benchmark cases to test four static analysis tools that report the program locations they consider vulnerable, and we evaluate the tools' performance statistically. The benchmark cases also let us identify which data structures and control flow statements cause false alarms in the four tools, and hence which benchmark cases the target tools do not handle.
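The benchmark-and-scoring workflow both abstracts describe, as an added example that is not the thesis's own benchmark and stands in for none of the four tools it evaluates: four constructed snippets with ground truth (two of them deliberately safe, to catch false positives), a small taint checker used as the "tool", and per-category true/false positive counts with precision and recall. The names get_param (source), quote and escape (sanitizers) and execute and render (sinks) are assumed for the illustration.

```python
import ast

# Assumed names for the toy analysis (not from the thesis): one user-input
# source, two sanitizers, and two sinks mapped to their vulnerability category.
SOURCE = "get_param"
SANITIZERS = {"quote", "escape"}
SINKS = {"execute": "SQLi", "render": "XSS"}

# Constructed benchmark cases: (snippet, ground-truth categories). Cases whose
# ground truth is empty exist only so that a report on them counts as a false positive.
BENCHMARK = {
    "sqli_direct": ("""
def handler(db):
    user = get_param("user")
    db.execute("SELECT * FROM t WHERE u = '" + user + "'")
""", {"SQLi"}),
    "sqli_sanitized": ("""
def handler(db):
    user = quote(get_param("user"))
    db.execute("SELECT * FROM t WHERE u = '" + user + "'")
""", set()),
    "sqli_early_return": ("""
def handler(db):
    user = get_param("user")
    if user.isalnum():
        user = quote(user)
    else:
        return None
    db.execute("SELECT * FROM t WHERE u = '" + user + "'")
""", set()),
    "xss_dict": ("""
def handler(page):
    ctx = {}
    ctx["name"] = get_param("name")
    page.render(ctx["name"])
""", {"XSS"}),
}


def _call_name(node, names):
    """Return the callee name if `node` is a call to one of `names`, else None."""
    if not isinstance(node, ast.Call):
        return None
    f = node.func
    name = f.id if isinstance(f, ast.Name) else f.attr if isinstance(f, ast.Attribute) else None
    return name if name in names else None


def _tainted(expr, tainted):
    """True if `expr` may carry user input; a sanitizer call stops propagation."""
    if _call_name(expr, {SOURCE}):
        return True
    if _call_name(expr, SANITIZERS):
        return False
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    return any(_tainted(c, tainted) for c in ast.iter_child_nodes(expr))


def _walk(stmts, tainted, findings):
    """Flow-sensitive but path-insensitive walk with two deliberate limitations of
    the kind a benchmark is meant to expose: only plain variables are tracked (not
    dict or list elements), and `return` does not end a path, so after an if/else
    the taint sets of both branches are simply merged."""
    tainted = set(tainted)
    for s in stmts:
        if isinstance(s, ast.Assign) and len(s.targets) == 1 and isinstance(s.targets[0], ast.Name):
            if _tainted(s.value, tainted):
                tainted.add(s.targets[0].id)
            else:
                tainted.discard(s.targets[0].id)
        elif isinstance(s, ast.Expr):
            category = SINKS.get(_call_name(s.value, SINKS))
            if category and any(_tainted(a, tainted) for a in s.value.args):
                findings.add(category)
        elif isinstance(s, ast.If):
            tainted = _walk(s.body, tainted, findings) | _walk(s.orelse, tainted, findings)
    return tainted


def analyze(src):
    """The stand-in 'tool': the set of vulnerability categories it reports for a snippet."""
    findings = set()
    for node in ast.parse(src).body:
        if isinstance(node, ast.FunctionDef):
            _walk(node.body, set(), findings)
    return findings


def evaluate(tool, benchmark):
    """Per-category TP/FP/FN counts, precision and recall of `tool` over `benchmark`."""
    stats = {c: {"tp": 0, "fp": 0, "fn": 0} for c in set(SINKS.values())}
    for src, truth in benchmark.values():
        reported = tool(src)
        for c, s in stats.items():
            if c in reported and c in truth:
                s["tp"] += 1
            elif c in reported:
                s["fp"] += 1
            elif c in truth:
                s["fn"] += 1
    for s in stats.values():
        s["precision"] = s["tp"] / (s["tp"] + s["fp"]) if s["tp"] + s["fp"] else 1.0
        s["recall"] = s["tp"] / (s["tp"] + s["fn"]) if s["tp"] + s["fn"] else 1.0
    return stats
```

Calling evaluate(analyze, BENCHMARK) gives SQLi precision 0.5, because the early-return case is a false alarm caused purely by a control flow statement, and XSS recall 0, because the dictionary case is missed because of a data structure. Those are the per-category, per-construct statistics the thesis produces for its four tools; swapping a real tool's report parser in for analyze keeps the scoring unchanged.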
