This work addresses the low detection accuracy of Server-Side Request Forgery (SSRF) vulnerabilities in PHP web applications. We propose a large language model (LLM)-assisted, interprocedural, path-sensitive taint analysis method. To our knowledge, this is the first approach to integrate LLMs into PHP static analysis, enabling dynamic-type awareness, automatic construction of implicit call graphs, and LLM-driven semantic rule generation. Moreover, we introduce path-condition compatibility analysis to significantly reduce false positives. Evaluated on 250 real-world PHP projects, our method identifies 106 confirmed SSRF vulnerabilities—including 35 previously unknown ones—and has led to 24 assigned CVEs. It achieves a precision of 93.2% with only 15 false positives, substantially outperforming state-of-the-art tools.

Server-side request forgery (SSRF) vulnerabilities are inevitable in PHP web applications. Existing static tools in detecting vulnerabilities in PHP web applications neither contain SSRF-related features to enhance detection accuracy nor consider PHP's dynamic type features. In this paper, we present Artemis, a static taint analysis tool for detecting SSRF vulnerabilities in PHP web applications. First, Artemis extracts both PHP built-in and third-party functions as candidate source and sink functions. Second, Artemis constructs both explicit and implicit call graphs to infer functions' relationships.Third, Artemis performs taint analysis based on a set of rules that prevent over-tainting and pauses when SSRF exploitation is impossible.Fourth, Artemis analyzes the compatibility of path conditions to prune false positives.We have implemented a prototype of Artemis and evaluated it on 250 PHP web applications. Artemis reports 207 true vulnerable paths (106 true SSRFs) with 15 false positives. Of the 106 detected SSRFs, 35 are newly found and reported to developers, with 24 confirmed and assigned CVE IDs.