  • Thesis (degree)

Automated Penetration Testing Framework: Detection of Directory Traversal and Remote File Inclusion Vulnerabilities

Automatic Penetration Testing Framework-Vulnerabilities Detecting of Directory Traversal Attack and Remote File Inclusion

Advisor: 王凡

Abstract


As time passes, data has become increasingly important and indispensable. Many industries use digitization and online services to raise productivity or reduce labour costs. However, as more and more enterprises and organizations digitize their services and data, information security has become a major problem for modern society. Hackers may covet an enterprise's valuable data and resell it to hostile or unethical organizations or companies. Moreover, customers do not want their personal data spread elsewhere. Enterprises and organizations should therefore ensure the security of their data. To prevent data breaches, developers of web services should make sure their systems are impeccable against unethical attackers. Penetration testing is one effective method: through it, developers can discover whether their systems contain exploitable vulnerabilities. In addition, automated checking tools can ease the developers' burden, so automated penetration testing tools help developers check the systems they build. However, existing tools have several problems: in some cases their coverage of links is insufficient. Insufficient coverage may reduce the precision of the check and thus render the tool ineffective; in addition, these tools have an insufficient success rate in detecting directory traversal and remote file inclusion vulnerabilities, and a high misjudgment rate. Therefore, in this thesis we propose another tool that surpasses the others in precision and performance. We also conducted experiments to demonstrate these claims.

Abstract (English)


As time goes by, information becomes essential and indispensable. Various industries utilize information technology and the internet to increase production ability or decrease labor costs. However, as more enterprises and organizations digitize their services and data, information security becomes a more significant issue for modern society. Some hackers may covet valuable data from enterprises and resell it to hostile or unscrupulous organizations or enterprises. Furthermore, customers do not expect their data to be stolen and distributed elsewhere. Hence, enterprises and organizations should keep their data safe. To prevent data breaches, web service developers should ensure that their web applications are impeccable against unscrupulous attackers. One practical solution is checking web applications by penetration testing. Through penetration testing, developers can discover whether their web applications are vulnerable to penetration. In addition, automated checking tools can decrease the burden on web application developers. Thus, automatic penetration testing tools help developers examine their web applications. However, current tools have some problems. Although several tools are automatic, they have coverage shortages in some cases. A shortage of coverage may reduce the precision of checking, which invalidates the checking tools. Moreover, those tools have a low percentage of successful detection and a high misjudgment ratio on directory traversal attacks and remote file inclusion. Thus, this thesis proposes another tool that surpasses current tools in precision and performance on both directory traversal attack and remote file inclusion. We also conduct some experiments to prove our tool's abilities.

