A Solution for Automatically Malicious Web Shell and Web Application Vulnerability Detection

Le, Van-Giap; Nguyen, Huu-Tung; Lu, Dang-Nhac; Nguyen, Ngoc-Hoa

doi:10.1007/978-3-319-45243-2_34

Cited by 11 publications

(7 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Le et al [47,48] combined taint analysis and pattern matching to detect webshells. Taint analysis is performed to divide the code into tokens during the lexical analysis phase.…”

Section: Static Methodsmentioning

confidence: 99%

WTA: A Static Taint Analysis Framework for PHP Webshell

Zhao

Wang

et al. 2021

Applied Sciences

View full text Add to dashboard Cite

Webshells are a malicious scripts that can remotely control a webserver to execute arbitrary commands, steal sensitive files, and further invade the internal network. Existing webshell detection methods, such as using pattern matching for webshell detection, can be easily bypassed by attackers using the file include and user-defined functions. Furthermore, detecting unknown webshells has always been a problem in the field of webshell detection. In this paper, we propose a static webshell detection method based on taint analysis, which realizes accurate taint analysis based on ZendVM. We first converted the PHP code into Opline sequences, analyzed the Opline sequences in order, and marked the externally imported taint source. Then, the propagation of the taint variables was tracked, and the interprocedural analysis of the taint variables was performed. Finally, considering the dangerous functions’ call and the referencing of the taint variables at the point of the taint sink, we completed the webshell judgment. Based on this method, we constructed a taint analysis prototype system named WTA and evaluated it with a benchmark dataset by comparing its performance with popular webshell detection tools. The results showed that our method supports interprocedural analysis and has the ability to detect unknown webshells and that WTA’s performance surpasses well-known webshell detection tools such as D-shield, SHELLPUB, WebshellKiller, CloudWalker, ClamAV, LoKi, and findbot.pl.

show abstract

“…Le et al [47,48] combined taint analysis and pattern matching to detect webshells. Taint analysis is performed to divide the code into tokens during the lexical analysis phase.…”

Section: Static Methodsmentioning

confidence: 99%

WTA: A Static Taint Analysis Framework for PHP Webshell

Zhao

Wang

et al. 2021

Applied Sciences

View full text Add to dashboard Cite

show abstract

“…These known vulnerable pieces of code are called fingerprint data in [85]. Le et al [86] analyzed the token list of each file to identify potentially dangerous functions, and Shahriar et al [87] applied information retrieval methods to search known method calls that are related to object injection vulnerabilities. For approaches (e.g., [61]) using taint analysis, the sensitive sources, sinks, or sanitization points always come from analyzing known vulnerable code.…”

Section: 21mentioning

confidence: 99%

“…• Match Fingerprint with Elements Extracted from a Model (MFM). WAVD methods in this category [6,7,11,12,23,52,53,55,60,61,64,69,71,76,77,80,81,86,108,142,145,147,150] usually begin by deriving models, e.g., CFG, DDG, AST, browsing behavior models, navigation graphs, and navigation paths. The WAVD approaches then traverse the model to extract code elements to compare with known fingerprints.…”

Section: The Classifications Of Wavd Approachesmentioning

confidence: 99%

See 1 more Smart Citation

Efficiency and Effectiveness of Web Application Vulnerability Detection Approaches: A Review

et al. 2021

View full text Add to dashboard Cite

Most existing surveys and reviews on web application vulnerability detection (WAVD) approaches focus on comparing and summarizing the approaches’ technical details. Although some studies have analyzed the efficiency and effectiveness of specific methods, there is a lack of a comprehensive and systematic analysis of the efficiency and effectiveness of various WAVD approaches. We conducted a systematic literature review (SLR) of WAVD approaches and analyzed their efficiency and effectiveness. We identified 105 primary studies out of 775 WAVD articles published between January 2008 and June 2019. Our study identified 10 categories of artifacts analyzed by the WAVD approaches and 8 categories of WAVD meta-approaches for analyzing the artifacts. Our study’s results also summarized and compared the effectiveness and efficiency of different WAVD approaches on detecting specific categories of web application vulnerabilities and which web applications and test suites are used to evaluate the WAVD approaches. To our knowledge, this is the first SLR that focuses on summarizing the effectiveness and efficiencies of WAVD approaches. Our study results can help security engineers choose and compare WAVD tools and help researchers identify research gaps.

show abstract

“…Due to the high usage of webshell in cyberattacks, there has been much previous research in this eld. But most researchers focus on the contents of suspicious les [4][5][6] or POST contents in HTTP requests [7] and thus ignore features in a sequence of web server logs. With the development of encryption and obfuscation technology [8,9], it is quite di cult to detect webshell in thousands of website source les, but when we only need to deal with the sequence of several elds in the web logs without considering complex text processing, the problem becomes much simpler.…”

Section: Introductionmentioning

confidence: 99%

Session-Based Webshell Detection Using Machine Learning in Web Logs

Sun

Huang

et al. 2019

Security and Communication Networks

View full text Add to dashboard Cite

Attackers upload webshell into a web server to achieve the purpose of stealing data, launching a DDoS attack, modifying files with malicious intentions, etc. Once these objects are accomplished, it will bring huge losses to website managers. With the gradual development of encryption and confusion technology, the most common detection approach using taint analysis and feature matching might become less useful. Instead of applying source file codes, POST contents, or all received traffic, this paper demonstrated an intelligent and efficient framework that employs precise sessions derived from the web logs to detect webshell communication. Features were extracted from the raw sequence data in web logs while a statistical method based on time interval was proposed to identify sessions specifically. Besides, the paper leveraged long short-term memory and hidden Markov model to constitute the framework, respectively. Finally, the framework was evaluated with real data. The experiment shows that the LSTM-based model can achieve a higher accuracy rate of 95.97% with a recall rate of 96.15%, which has a much better performance than the HMM-based model. Moreover, the experiment demonstrated the high efficiency of the proposed approach in terms of the quick detection without source code, especially when it only considers detecting for a period of time, as it takes 98.5% less time than the cited related approach to get the result. As long as the webshell behavior is detected, we can pinpoint the anomaly session and utilize the statistical method to find the webshell file accurately.

show abstract

A Solution for Automatically Malicious Web Shell and Web Application Vulnerability Detection

Cited by 11 publications

References 4 publications

WTA: A Static Taint Analysis Framework for PHP Webshell

WTA: A Static Taint Analysis Framework for PHP Webshell

Efficiency and Effectiveness of Web Application Vulnerability Detection Approaches: A Review

Session-Based Webshell Detection Using Machine Learning in Web Logs

Contact Info

Product

Resources

About