TridentShell: An enhanced covert and scalable backdoor injection attack on web applications

Bibliographic Details
Title: TridentShell: An enhanced covert and scalable backdoor injection attack on web applications
Authors: Yu, Xiaobo, Meng, Weizhi, Liu, Yining, Zhou, Fei
Source: Yu, X., Meng, W., Liu, Y. & Zhou, F. 2024, 'TridentShell: An enhanced covert and scalable backdoor injection attack on web applications', Journal of Network and Computer Applications, vol. 223, 103823. https://doi.org/10.1016/j.jnca.2023.103823
Publication Year: 2024
Collection: Technical University of Denmark: DTU Orbit / Danmarks Tekniske Universitet
Subject Terms: Backdoor attack, Java application, Static feature detection, Web security, Web shell
Description: Web backdoor attacks are an increasingly prevalent form of network attack that can result in substantial losses for webmasters. During a cyber-attack, system vulnerabilities and web application flaws are usually used to implant a web shell inside victim servers. To mitigate the many threats posed by web shells, research has focused on static feature detection, which has evolved rapidly in recent years. However, static feature detection has inherent limitations and security risks. In this paper, we present TridentShell, a novel web backdoor attack that can inject an invisible backdoor into a victim server without leaving any traces of the attack. Furthermore, TridentShell can circumvent almost all static detection methods. Unlike existing approaches, which leverage traditional encryption and obfuscation technologies to avoid detection, our proposed attack is intended to blend into the web application server naturally. In this work, we introduce enhancements to the original TridentShell, which is, in theory, not traceable, since it uses a blockchain-based decentralized C&C server with better presentation capability. The experimental results show that our TridentShell can effectively compromise five different types of Java application servers (covering around 87% of the Java application servers on the market), and can scrub any attack traces from the server, making it especially difficult to detect.
Document Type: article in journal/newspaper
File Description: application/pdf
Language: English
DOI: 10.1016/j.jnca.2023.103823
Availability: https://orbit.dtu.dk/en/publications/94a4fd1c-3bda-4945-b335-b7c06fd4cd25
https://doi.org/10.1016/j.jnca.2023.103823
https://backend.orbit.dtu.dk/ws/files/378712767/1-s2.0-S1084804523002424-main.pdf
Rights: info:eu-repo/semantics/openAccess
Accession Number: edsbas.447F86B4
Database: BASE