Handling webshell attacks: A systematic mapping and survey

Hannousse, Abdelhakim; Yahiouche, Salima

doi:10.1016/j.cose.2021.102366

Cited by 15 publications

(8 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The interprocedural analysis of webshells is one of the contributions of this paper, which consists of two modules: Include file recursive detection (5) and User-defined functions detection (6).…”

Section: Overviewmentioning

confidence: 99%

“…User-defined functions detection (6) actually has the highest priority for execution. Compiler hook (1) first obtains the Opline sequences, which come from the user-defined functions in the target PHP codes, then it obtains the Opline sequences, which come from the user-defined functions of the user-defined class, and finally, it obtains the Opline sequences produced by the other parts.…”

Section: Overviewmentioning

confidence: 99%

“…Attackers can use webshells to carry out a series of malicious operations, such as accessing server databases and sensitive files, stealing and tampering with user data, modifying the home page of a website, and so on. In terms of website security, it is crucial to detect webshell files and delete them [6].…”

Section: Introductionmentioning

confidence: 99%

“…When the taint source is found to be imported, the variable used to store the taint source will be stored in Taint variable list (c), and a new linked list will be created with this variable as the header node. Then, the linked list will be saved in Taint propagation chain (d).Taint propagation (4) analyzes the propagation path of the taint variable in the Opline sequences, adds the tainted variable to Taint variable list (c), and adds the new taint variables to the corresponding taint propagation chain according to the propagation path.The interprocedural analysis of webshells is one of the contributions of this paper, which consists of two modules: Include file recursive detection(5) and User-defined functions detection(6).Include file recursive detection(5) will start the taint analysis subprocess when it meets the "include" expression, perform recursive detection on the included files, and return the detection results to the main process through the message queue (IPC[30]). User-defined functions detection(6) actually has the highest priority for execution.…”

mentioning

confidence: 99%

“…Then, the linked list will be saved in Taint propagation chain (d).Taint propagation (4) analyzes the propagation path of the taint variable in the Opline sequences, adds the tainted variable to Taint variable list (c), and adds the new taint variables to the corresponding taint propagation chain according to the propagation path.The interprocedural analysis of webshells is one of the contributions of this paper, which consists of two modules: Include file recursive detection(5) and User-defined functions detection(6).Include file recursive detection(5) will start the taint analysis subprocess when it meets the "include" expression, perform recursive detection on the included files, and return the detection results to the main process through the message queue (IPC[30]). User-defined functions detection(6) actually has the highest priority for execution. Compiler hook (1) first obtains the Opline sequences, which come from the user-defined functions in the target PHP codes, then it obtains the Opline sequences, which come from the user-defined functions of the user-defined class, and finally, it obtains the Opline sequences produced by the other parts.…”

mentioning

confidence: 99%

See 4 more Smart Citations

WTA: A Static Taint Analysis Framework for PHP Webshell

Zhao

Wang

et al. 2021

Applied Sciences

View full text Add to dashboard Cite

Webshells are a malicious scripts that can remotely control a webserver to execute arbitrary commands, steal sensitive files, and further invade the internal network. Existing webshell detection methods, such as using pattern matching for webshell detection, can be easily bypassed by attackers using the file include and user-defined functions. Furthermore, detecting unknown webshells has always been a problem in the field of webshell detection. In this paper, we propose a static webshell detection method based on taint analysis, which realizes accurate taint analysis based on ZendVM. We first converted the PHP code into Opline sequences, analyzed the Opline sequences in order, and marked the externally imported taint source. Then, the propagation of the taint variables was tracked, and the interprocedural analysis of the taint variables was performed. Finally, considering the dangerous functions’ call and the referencing of the taint variables at the point of the taint sink, we completed the webshell judgment. Based on this method, we constructed a taint analysis prototype system named WTA and evaluated it with a benchmark dataset by comparing its performance with popular webshell detection tools. The results showed that our method supports interprocedural analysis and has the ability to detect unknown webshells and that WTA’s performance surpasses well-known webshell detection tools such as D-shield, SHELLPUB, WebshellKiller, CloudWalker, ClamAV, LoKi, and findbot.pl.

show abstract

Section: Overviewmentioning

confidence: 99%

Section: Overviewmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

mentioning

confidence: 99%

mentioning

confidence: 99%

See 3 more Smart Citations