In this work, we focus on the automatic detection and verification of unexpected behaviors on the Web. The ultimate goal is to produce an end-to-end automated tool for both detection and verification. We split the problem into two parts, detection and verification, and address them stage by stage. For detection, we focus on front-end applications, namely browser extensions. We propose a framework, BEG, that identifies malicious extensions and extensions with privacy violations by combining static and dynamic analysis, and we conduct a large-scale analysis of the whole browser extension ecosystem. For verification, we focus on web servers and propose a framework, MyDOP, that automatically generates exploits for memory corruption in web servers. MyDOP automatically verifies vulnerabilities by producing executable attack payloads. We conduct several case studies to illustrate the basic concept of MyDOP. Finally, we discuss some potential future work.