Modern web applications are often built atop web frameworks, which ease development by automatically handling common tasks such as unmarshalling request data into an object and connecting business logic to display code. Web applications based on such frameworks are often assembled via configuration files that are separate from the source code of the web application. These configuration files can control how the application code is invoked, what data is passed to the application, and the like. This architecture makes traditional static analysis of such applications ineffective because traditional static analysis methods only process the source code of the web application and libraries and do not process the configuration files. While a static analysis engine can be enhanced to parse and understand the semantics of the configuration files, this technique requires modifying the analysis engine for each new framework, which is error-prone and requires significant implementation effort.