TridentShell: a Covert and Scalable Backdoor Injection Attack on Web Applications

Xiaobo  Yu; Weizhi Meng; Lei  Zhao; Yining Liu

doi:10.1007/978-3-030-91356-4_10

TridentShell: a Covert and Scalable Backdoor Injection Attack on Web Applications

Xiaobo Yu, Weizhi Meng, Lei Zhao, Yining Liu

Department of Applied Mathematics and Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Article in proceedings › Research › peer-review

Abstract

Web backdoor attack is a kind of popular network attack, which can cause a serious damage to websites. In practice, cyber attackers often exploit vulnerabilities in the system or web applications to implant a backdoor to a web server. To address this challenge, static feature detection is believed to be an effective solution. However, it may also leave a potential security “hole” that could be exploited by intruders. In this paper, we propose a novel backdoor attack method called TridentShell, which can inject a webshell into the memory of web application server without leaving attack traces. Our attack is able to bypass almost all types of static detection methods. In particular, it attempts to blend itself into the web server and erase attack traces automatically, instead of encrypting or obfuscating the content of webshell to avoid detection. Besides, TridentShell can still be executed even when the webmasters restrict the access to web directory. In the evaluation, we showcase how TridentShell can successfully inject a webshell into five different types of Java application servers (covering around 87% Java application servers in the market), and can remove the attack traces on the server (increasing the detection difficulty).

Original language	English
Title of host publication	International Conference on Information Security
Publisher	Springer
Publication date	2021
Pages	177-194
ISBN (Print)	978-3-030-91355-7
DOIs	https://doi.org/10.1007/978-3-030-91356-4_10
Publication status	Published - 2021
Event	24^th International Conference on Information Security - Grand Mirage Resort, Denpasar, Indonesia Duration: 10 Nov 2021 → 12 Nov 2021

Conference

Conference	24^th International Conference on Information Security
Location	Grand Mirage Resort
Country/Territory	Indonesia
City	Denpasar
Period	10/11/2021 → 12/11/2021

Series	Lecture Notes in Computer Science
Volume	13118
ISSN	0302-9743

Keywords

Backdoor attack
Webshell
Web security
Java application
Static feature detection

Access to Document

10.1007/978-3-030-91356-4_10

OpenUrl availability

Full text

Cite this

@inproceedings{498e7183ad7943389a9c94a7295364b8,

title = "TridentShell: a Covert and Scalable Backdoor Injection Attack on Web Applications",

abstract = "Web backdoor attack is a kind of popular network attack, which can cause a serious damage to websites. In practice, cyber attackers often exploit vulnerabilities in the system or web applications to implant a backdoor to a web server. To address this challenge, static feature detection is believed to be an effective solution. However, it may also leave a potential security “hole” that could be exploited by intruders. In this paper, we propose a novel backdoor attack method called TridentShell, which can inject a webshell into the memory of web application server without leaving attack traces. Our attack is able to bypass almost all types of static detection methods. In particular, it attempts to blend itself into the web server and erase attack traces automatically, instead of encrypting or obfuscating the content of webshell to avoid detection. Besides, TridentShell can still be executed even when the webmasters restrict the access to web directory. In the evaluation, we showcase how TridentShell can successfully inject a webshell into five different types of Java application servers (covering around 87% Java application servers in the market), and can remove the attack traces on the server (increasing the detection difficulty).",

keywords = "Backdoor attack, Webshell, Web security, Java application, Static feature detection",

author = "Xiaobo Yu and Weizhi Meng and Lei Zhao and Yining Liu",

year = "2021",

doi = "10.1007/978-3-030-91356-4_10",

language = "English",

isbn = "978-3-030-91355-7",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "177--194",

booktitle = "International Conference on Information Security",

note = "24<sup>th</sup> International Conference on Information Security, ISC 2021 ; Conference date: 10-11-2021 Through 12-11-2021",

}

Yu, X, Meng, W, Zhao, L & Liu, Y 2021, TridentShell: a Covert and Scalable Backdoor Injection Attack on Web Applications. in International Conference on Information Security. Springer, Lecture Notes in Computer Science, vol. 13118, pp. 177-194, 24^th International Conference on Information Security, Denpasar, Indonesia, 10/11/2021. https://doi.org/10.1007/978-3-030-91356-4_10

TridentShell: a Covert and Scalable Backdoor Injection Attack on Web Applications. / Yu, Xiaobo ; Meng, Weizhi; Zhao, Lei et al.
International Conference on Information Security. Springer, 2021. p. 177-194 (Lecture Notes in Computer Science, Vol. 13118).

Research output: Chapter in Book/Report/Conference proceeding › Article in proceedings › Research › peer-review

TY - GEN

T1 - TridentShell: a Covert and Scalable Backdoor Injection Attack on Web Applications

AU - Yu, Xiaobo

AU - Meng, Weizhi

AU - Zhao, Lei

AU - Liu, Yining

PY - 2021

Y1 - 2021

N2 - Web backdoor attack is a kind of popular network attack, which can cause a serious damage to websites. In practice, cyber attackers often exploit vulnerabilities in the system or web applications to implant a backdoor to a web server. To address this challenge, static feature detection is believed to be an effective solution. However, it may also leave a potential security “hole” that could be exploited by intruders. In this paper, we propose a novel backdoor attack method called TridentShell, which can inject a webshell into the memory of web application server without leaving attack traces. Our attack is able to bypass almost all types of static detection methods. In particular, it attempts to blend itself into the web server and erase attack traces automatically, instead of encrypting or obfuscating the content of webshell to avoid detection. Besides, TridentShell can still be executed even when the webmasters restrict the access to web directory. In the evaluation, we showcase how TridentShell can successfully inject a webshell into five different types of Java application servers (covering around 87% Java application servers in the market), and can remove the attack traces on the server (increasing the detection difficulty).

AB - Web backdoor attack is a kind of popular network attack, which can cause a serious damage to websites. In practice, cyber attackers often exploit vulnerabilities in the system or web applications to implant a backdoor to a web server. To address this challenge, static feature detection is believed to be an effective solution. However, it may also leave a potential security “hole” that could be exploited by intruders. In this paper, we propose a novel backdoor attack method called TridentShell, which can inject a webshell into the memory of web application server without leaving attack traces. Our attack is able to bypass almost all types of static detection methods. In particular, it attempts to blend itself into the web server and erase attack traces automatically, instead of encrypting or obfuscating the content of webshell to avoid detection. Besides, TridentShell can still be executed even when the webmasters restrict the access to web directory. In the evaluation, we showcase how TridentShell can successfully inject a webshell into five different types of Java application servers (covering around 87% Java application servers in the market), and can remove the attack traces on the server (increasing the detection difficulty).

KW - Backdoor attack

KW - Webshell

KW - Web security

KW - Java application

KW - Static feature detection

U2 - 10.1007/978-3-030-91356-4_10

DO - 10.1007/978-3-030-91356-4_10

M3 - Article in proceedings

SN - 978-3-030-91355-7

T3 - Lecture Notes in Computer Science

SP - 177

EP - 194

BT - International Conference on Information Security

PB - Springer

T2 - 24<sup>th</sup> International Conference on Information Security

Y2 - 10 November 2021 through 12 November 2021

ER -

TridentShell: a Covert and Scalable Backdoor Injection Attack on Web Applications

Abstract

Conference

Keywords

Access to Document

OpenUrl availability

Fingerprint

Cite this