URL: https://www.imperva.com/learn/application-security/web-shell/
Submission: On May 08 via manual from US — Scanned from DE


ARTICLE'S CONTENT

 * What Is a Web Shell?
 * How Are Web Shells Used by Attackers?
 * Web Shell Attacks on the Rise
 * How Web Shells Work
 * Web Shell Protection
 * Imperva Web Shell Protection


WEB SHELL




WHAT IS A WEB SHELL?

Web shells are malicious scripts that enable threat actors to compromise web
servers and launch additional attacks. Threat actors first penetrate a system or
network and then install a web shell. From this point onwards, they use it as a
permanent backdoor into the targeted web applications and any connected systems.


HOW ARE WEB SHELLS USED BY ATTACKERS?

Threat actors use web shells for a range of scenarios:

 * Exfiltrating and harvesting sensitive information and credentials.
 * Uploading malware, which can potentially create a watering hole for further
   infection and scanning of other victims.
 * Defacing websites by modifying or adding files.

A web shell can serve as a relay point for issuing commands to hosts located
inside the network, without direct Internet access. Web shells can also
participate in a command-and-control infrastructure—for example, a web shell can
be used to compromise a host and enlist it into a botnet. Attackers can infect
other systems on the network with the web shell, in order to compromise
additional resources.

Threat actors use a wide range of web application vulnerabilities and exploits
to deliver web shells, including SQL injection (SQLi) and cross-site scripting
(XSS). Actors also exploit vulnerabilities in services and applications, file
processing vulnerabilities, exposed admin interfaces, as well as local file
inclusion (LFI) and remote file inclusion (RFI) vulnerabilities.



WEB SHELL ATTACKS ON THE RISE

Microsoft has identified an increase in web shell attacks by various groups,
affecting both private and public organizations. These include advanced
persistent threat (APT) teams using web shells to gain a foothold in target
networks.

One such attack, discovered by Microsoft’s detection and response team, involved
web shells installed in multiple folders on an organization’s misconfigured
server, allowing the attacker to move laterally and install web shells on
further systems. A DLL backdoor registered as a service allowed the attacker to
persist on the email server, download malware payloads and send commands in the
form of emails.

If a web shell is successfully implanted into a web server, it enables a remote
attacker to execute malicious commands and steal data. Hacker groups that have
used web shells in their attacks include the Gallium group and the Lazarus
group.


HOW WEB SHELLS WORK

Web shell attacks have several stages: first, the attacker creates a persistent
mechanism on the server enabling remote access. Then, they attempt to escalate
privileges, and leverage the backdoor to attack the organization, or use its
resources for criminal activity.

How a web shell attack works


1. PERSISTENT REMOTE ACCESS

Web shell scripts provide a backdoor allowing attackers to remotely access an
exposed server. Persistent attackers don’t have to exploit a new vulnerability
for each malicious activity. Some attackers even fix the vulnerability they
exploit to prevent others from doing the same and avoid detection.

Some web shells use techniques such as password authentication to ensure that
only specific attackers can access them. Web shells usually obfuscate
themselves, including code that prevents search engines from blacklisting the
website where the shell is installed.


2. PRIVILEGE ESCALATION

Web shells normally run with the permissions of the user account the web server
runs as, which can be limited. Attackers can escalate privileges through web
shells by exploiting system vulnerabilities to acquire root privileges. Root
account access allows attackers to perform almost any action—they can install
software, change permissions, add or remove users, read emails, steal passwords,
etc.


3. PIVOTING AND LAUNCHING ATTACKS

Attackers can use web shells to pivot to additional targets both in and out of
the network. The process of sniffing network traffic to identify live hosts,
firewalls, or routers (enumeration) can take weeks, during which attackers will
keep a low profile to avoid detection.

An attacker that successfully persists on a network will move patiently,
possibly even using a compromised system to attack other targets. This allows
the attacker to remain anonymous, and pivoting through several systems can make
it virtually impossible to trace attacks to the source.


4. BOT HERDING

Web shells can be used to connect servers to a botnet (a network of systems
controlled by the attacker). The affected servers execute commands sent by
attackers through a command and control server connected to the web shell.

This is a common technique for DDoS attacks that require extensive bandwidth.
Attackers aren’t directly targeting the system where they’ve installed the web
shell, but are simply exploiting it for its resources to attack more valuable
targets.


WEB SHELL PROTECTION

Here are a few ways to protect your organization against the threat of web
shells.


FILE INTEGRITY MONITORING

File integrity monitoring (FIM) solutions are designed to block file changes in
web-accessible directories. Once a change is detected, FIM tools alert admins
and security staff. Implementing FIM can help detect issues in real time, as
soon as files are saved to a directory. This can help security staff quickly
find and remove web shells.

Integrity monitoring solutions can be customized to allow certain file changes
while blocking others. If, for example, your web application typically handles
only portable document format (PDF) files, the integrity monitoring solution can
block uploads that do not end with the “.pdf” extension.


WEB APPLICATION PERMISSIONS

When defining permissions for web applications, it is important to employ the
least privilege concept. The main principle behind this concept is to provide
users with the bare minimum of privileges required to perform their role. The
goal is to ensure that each user does not have privileges they should not have
and that compromised accounts are restricted in their actions.

The least privilege principle can help prevent threat actors from uploading a
web shell to vulnerable applications. You can apply it by not allowing web
applications to write directly to a web-accessible directory or to modify
web-accessible code. This way, the server blocks the actor from accessing the
web-accessible directory.
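As an added example (not Imperva's code), the following Python sketch ties the two controls above together: a snapshot-and-diff integrity check over a web-accessible directory with an allowlist of the extensions the application legitimately writes (the PDF case from the text), and an ownership/mode audit that reports anything the web server account could write there. The extension lists, severity labels and the uid/gid-based check are assumptions for illustration; a production FIM would hook filesystem events rather than rescan.

```python
import hashlib
import stat
from pathlib import Path

# Server-side script types that a webroot or upload directory should never gain.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".jsp", ".jspx", ".asp", ".aspx", ".cgi", ".pl"}


def snapshot(root):
    """Return {relative_path: sha256} for every regular file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def audit_changes(baseline, current, allowed_extensions):
    """Compare two snapshots and return (severity, path, reason) findings.

    allowed_extensions is what the application legitimately writes (e.g. {".pdf"});
    anything else that appears or changes under the webroot is reported.
    """
    findings = []
    for rel, digest in current.items():
        ext = Path(rel).suffix.lower()
        if rel not in baseline:
            if ext in SCRIPT_EXTENSIONS:
                findings.append(("critical", rel, "new server-side script in webroot"))
            elif ext not in allowed_extensions:
                findings.append(("high", rel, "new file with unexpected extension"))
        elif digest != baseline[rel]:
            findings.append(("high", rel, "existing file modified"))
    for rel in sorted(baseline.keys() - current.keys()):
        findings.append(("medium", rel, "file removed"))
    return findings


def writable_by_web_user(root, web_uid, web_gid):
    """Return paths under root (root included) that the web server account can write.

    Least privilege means this list is empty for the web-accessible tree and uploads
    live outside it. Only owner/group/other mode bits are checked (ACLs are not), and
    symlinks are skipped because their own mode bits carry no meaning.
    """
    writable = []
    for p in [Path(root), *Path(root).rglob("*")]:
        if p.is_symlink():
            continue
        st = p.stat()
        if ((st.st_uid == web_uid and st.st_mode & stat.S_IWUSR)
                or (st.st_gid == web_gid and st.st_mode & stat.S_IWGRP)
                or st.st_mode & stat.S_IWOTH):
            writable.append(str(p))
    return writable
```

Take the baseline snapshot from a known-good deployment, store it off-host, and run the audit from a scheduled job or after each deploy; any "critical" finding is a file to isolate and inspect, not to trust.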


INTRUSION PREVENTION AND WEB APPLICATION FIREWALLS

An intrusion prevention system (IPS) is a network security technology designed
to protect IT assets and environments against threats, by monitoring the flow of
network traffic. Web application firewalls (WAF) protect against threats by
filtering, monitoring, and blocking HTTP traffic flowing to and from web
services.

Organizations should employ several technologies when implementing intrusion
prevention. When used together, IPS and WAF solutions can each monitor the flow
of traffic and block known malicious uploads. Ideally, each security appliance
introduced into the ecosystem should be tailored to the specific needs of the
organization.


NETWORK SEGMENTATION

Network segmentation is a type of architecture that splits the network into
separate subnetworks. Each subnetwork is considered a segment, and each segment
is secured on its own. A network segregation architecture prevents connections
between unrelated segments. This separation can help prevent web shell
propagation.

There is a wide range of network segregation techniques. Isolating a
demilitarized zone (DMZ) subnet, for example, is a basic technique that can
quarantine internet-facing servers. There are also more advanced network
segregation techniques, such as software-defined networking (SDN), which can
help implement a zero-trust architecture.

A zero trust architecture requires explicit authorization before allowing
communication between nodes within a network. This type of technique can prevent
threat actors from chaining web shells in order to reach deeper into the
network. In this scenario, web shells can still affect the targeted server, but
attackers are blocked from moving laterally further into the network.


ENDPOINT DETECTION AND RESPONSE (EDR)

Certain endpoint detection and response (EDR) and host logging solutions can
help protect against web shell attacks. These solutions monitor system calls and
process lineage abnormalities and use patterns of malicious behavior to detect
web shells.

EDR solutions with web shell protection capabilities can monitor all processes
on endpoints, including invoked system calls. When web shells cause abnormal
behavior within a web server process, the solution recognizes it. For example,
web servers do not usually launch the ipconfig utility; running it from a web
server process is a common reconnaissance step initiated through web shells,
which behavioral analysis can recognize.
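The following is an added example (not Imperva's or any EDR vendor's code) of the process-lineage logic described above: given process-creation events with pid/ppid links, it flags command interpreters and reconnaissance utilities whose ancestry leads back to a web server worker, while the same utilities launched by an administrator from a desktop session stay quiet. It goes beyond the page's ipconfig case to a small set of enumeration tools; the image lists and the sample telemetry are constructed for illustration.

```python
from collections import namedtuple

ProcessEvent = namedtuple("ProcessEvent", "pid ppid image cmdline")

# Worker processes that serve web requests and should not spawn recon tooling.
WEB_SERVER_IMAGES = {"w3wp.exe", "httpd", "httpd.exe", "apache2", "nginx", "php-fpm", "php-cgi.exe"}
# Enumeration utilities web shells commonly run after landing (ipconfig is the page's example).
RECON_IMAGES = {"ipconfig.exe", "whoami.exe", "net.exe", "systeminfo.exe", "tasklist.exe",
                "nltest.exe", "ifconfig", "id", "uname", "netstat"}
# Interpreters a web worker has no business launching.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "sh", "bash", "dash"}


def image_name(path):
    """Basename of an image path, tolerating Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestors(event, by_pid, max_depth=8):
    """Walk ppid links upward; stop at an unknown parent or after max_depth hops."""
    chain, current = [], event
    while len(chain) < max_depth and current.ppid in by_pid:
        current = by_pid[current.ppid]
        chain.append(current)
    return chain


def detect_web_shell_activity(events):
    """Return (pid, reason, lineage) alerts for suspicious children of a web server worker.

    Real telemetry should key on process GUIDs rather than pids, which the OS reuses;
    this toy keys on pid for brevity.
    """
    by_pid = {e.pid: e for e in events}
    alerts = []
    for event in events:
        name = image_name(event.image)
        if name in RECON_IMAGES:
            reason = "reconnaissance utility spawned under web server"
        elif name in SHELL_IMAGES:
            reason = "command interpreter spawned under web server"
        else:
            continue
        chain = ancestors(event, by_pid)
        if any(image_name(a.image) in WEB_SERVER_IMAGES for a in chain):
            lineage = " > ".join([image_name(a.image) for a in reversed(chain)] + [name])
            alerts.append((event.pid, reason, lineage))
    return alerts


# Constructed sample telemetry: an IIS worker running ipconfig via cmd (suspicious), an
# admin doing the same from explorer (benign), and a PHP-FPM worker running `id` via sh.
SAMPLE_EVENTS = [
    ProcessEvent(1000, 4, r"C:\Windows\System32\inetsrv\w3wp.exe", "w3wp.exe -ap DefaultAppPool"),
    ProcessEvent(1100, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c ipconfig /all"),
    ProcessEvent(1101, 1100, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ProcessEvent(2000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(2100, 2000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcessEvent(2101, 2100, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ProcessEvent(3100, 1, "/usr/sbin/php-fpm", "php-fpm: pool www"),
    ProcessEvent(3101, 3100, "/bin/sh", "sh -c id"),
    ProcessEvent(3102, 3101, "/usr/bin/id", "id"),
]

if __name__ == "__main__":
    for pid, reason, lineage in detect_web_shell_activity(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}: {lineage}")
```

The same rule ports directly to Sysmon Event ID 1 or auditd execve records, where the parent image and parent process id are already present on each event.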


IMPERVA WEB SHELL PROTECTION

Imperva prevents web shells and other threats that communicate with C&C servers,
via its industry-leading Web Application Firewall, which prevents attacks with
world-class analysis of web traffic to your applications.

Beyond the WAF, Imperva provides comprehensive protection for applications,
APIs, and microservices:

Runtime Application Self-Protection (RASP) – Real-time attack detection and
prevention from your application runtime environment goes wherever your
applications go. Stop external attacks and injections and reduce your
vulnerability backlog.

API Security – Automated API protection ensures your API endpoints are protected
as they are published, shielding your applications from exploitation.

Advanced Bot Protection – Prevent business logic attacks from all access points
– websites, mobile apps, and APIs. Gain seamless visibility and control over bot
traffic to stop online fraud through account takeover or competitive price
scraping.

DDoS Protection – Block attack traffic at the edge to ensure business continuity
with guaranteed uptime and no performance impact. Secure your on-premises or
cloud-based assets – whether you’re hosted in AWS, Microsoft Azure, or Google
Public Cloud.

Attack Analytics – Ensures complete visibility with machine learning and domain
expertise across the application security stack to reveal patterns in the noise
and detect application attacks, enabling you to isolate and prevent attack
campaigns.

Client-Side Protection – Gain visibility and control over third-party JavaScript
code to reduce the risk of supply chain fraud, prevent data breaches, and
client-side attacks.


Copyright © 2024 Imperva. All rights reserved
