WEB SHELL

Web and Application Security

ARTICLE'S CONTENT
* What Is a Web Shell?
* How Are Web Shells Used by Attackers?
* Web Shell Attacks on the Rise
* How Web Shells Work
* Web Shell Protection
* Imperva Web Shell Protection

WHAT IS A WEB SHELL?

A web shell is a malicious script, written in a language the web server can execute (PHP, ASP.NET, JSP and similar), that an attacker places on a compromised web server and drives over ordinary HTTP requests. Threat actors first exploit a weakness in the server or in the application it hosts, then install the web shell. From that point on it serves as a persistent backdoor into the targeted web application and into any systems the server can reach.

HOW ARE WEB SHELLS USED BY ATTACKERS?

Threat actors use web shells for a range of purposes:

* Exfiltrating and harvesting sensitive information and credentials.
* Uploading malware, which can turn the site into a watering hole that infects its visitors, and scanning for further victims.
* Defacing websites by modifying or adding files.

A web shell can also serve as a relay point for issuing commands to hosts inside the network that have no direct Internet access. Web shells can form part of a command-and-control infrastructure: a host compromised through a web shell can be enlisted into a botnet. Attackers can also spread the web shell to other systems on the network in order to compromise additional resources.

Threat actors deliver web shells through a wide range of web application weaknesses: unrestricted or poorly validated file upload and other file processing flaws, local file inclusion (LFI) and remote file inclusion (RFI), SQL injection (SQLi), vulnerabilities in the services and applications the server runs, and exposed administrative interfaces. Cross-site scripting (XSS) is often listed alongside these, but on its own it places nothing on the server; its usual role is to hijack an administrator's browser session, which is then used to upload the shell through a legitimate feature.

WEB SHELL ATTACKS ON THE RISE

Microsoft has reported an increase in web shell attacks by a variety of groups against both private and public organizations, including advanced persistent threat (APT) groups that use web shells to gain a foothold in target networks. In one intrusion investigated by Microsoft's Detection and Response Team, web shells had been installed in multiple folders on an organization's misconfigured server, which let the attacker move laterally and install further web shells on other systems. A DLL backdoor registered as a service gave the attacker persistence on the email server, from which it downloaded malware payloads and received commands in the form of emails. Once a web shell is implanted on a web server, a remote attacker can execute arbitrary commands and steal data. Groups that have used web shells in their attacks include Gallium and Lazarus.
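Unrestricted file upload is one of the delivery vectors listed above, and it is also the one an application owner can close directly. The following Python is an added example, not code from Imperva or from this article: a deliberately weak upload handler beside a hardened one. It assumes a Python web application whose document root is WEB_ROOT, that only PDF uploads are legitimate, and that the web server neither serves nor executes anything under UPLOAD_DIR; the directory names and the UploadRejected exception are illustrative.

```python
"""Vulnerable vs. hardened upload handling (added example, assumptions noted)."""
import os
import secrets
import tempfile

# Constructed for the example; a real deployment configures these paths.
WEB_ROOT = tempfile.mkdtemp(prefix="webroot_")    # served (and executed) by the web server
UPLOAD_DIR = tempfile.mkdtemp(prefix="uploads_")  # outside WEB_ROOT; never served directly

# Allowed extension -> magic bytes the content must begin with.
ALLOWED = {".pdf": b"%PDF-"}


def save_upload_vulnerable(filename: str, data: bytes) -> str:
    """Trusts the client-supplied name and writes into the web root.
    'shell.php', '../../x.php' or 'report.pdf.php' all land where the
    server will happily execute them."""
    dest = os.path.join(WEB_ROOT, filename)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


class UploadRejected(ValueError):
    """Raised when an upload fails validation (illustrative name)."""


def save_upload_hardened(filename: str, data: bytes) -> str:
    # 1. Keep only the last path component so '../' cannot steer the write.
    base = os.path.basename(filename.replace("\\", "/"))
    # 2. Allow-list the extension. A double extension such as 'report.pdf.php'
    #    yields '.php' here and is rejected.
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed")
    # 3. Check the content, not just the name: a PHP file called 'x.pdf'
    #    does not start with the PDF signature.
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match declared type")
    # 4. Never reuse the client's name; generate an unpredictable one.
    safe_name = secrets.token_hex(16) + ext
    # 5. Write outside the document root, read-only for the group, no exec bit,
    #    and fail rather than overwrite if the name already exists.
    dest = os.path.join(UPLOAD_DIR, safe_name)
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


if __name__ == "__main__":
    print("vulnerable:", save_upload_vulnerable("shell.php", b"<?php system($_GET['c']); ?>"))
    print("hardened:  ", save_upload_hardened("report.pdf", b"%PDF-1.7\n%%EOF\n"))
    for name, payload in [("shell.php", b"%PDF-1.7"),
                          ("report.pdf.php", b"%PDF-1.7"),
                          ("../evil.pdf", b"<?php system($_GET['c']); ?>")]:
        try:
            save_upload_hardened(name, payload)
        except UploadRejected as exc:
            print(f"rejected {name!r}: {exc}")
```

The hardened version still depends on the web server configuration: UPLOAD_DIR must not be under the document root, and the account the application runs as should have no write permission on WEB_ROOT at all, so that even a bug elsewhere cannot drop a script where it would be executed.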
HOW WEB SHELLS WORK

A web shell attack has several stages. First, the attacker establishes a persistent mechanism on the server that grants remote access. Then they attempt to escalate privileges and use the backdoor either to attack the organization or to put its resources to criminal use.

1. PERSISTENT REMOTE ACCESS

Web shell scripts provide a backdoor through which attackers remotely access an exposed server, so they do not have to exploit a new vulnerability for each malicious action. Some attackers even patch the vulnerability they used, both to keep other attackers out and to avoid detection. Many web shells require a password or a secret request parameter so that only the attacker can drive them. Web shells are usually obfuscated, and some include code that hides the shell from search engine crawlers (for example, by returning benign content or an error to crawler user agents) so that the site is not flagged and blocklisted.

2. PRIVILEGE ESCALATION

A web shell runs with the permissions of the web server process, which are usually limited. Attackers escalate privileges from the shell by exploiting vulnerabilities or misconfigurations on the host to obtain root (or SYSTEM) access. With root access an attacker can perform almost any action: install software, change permissions, add or remove users, read email, steal passwords, and so on.

3. PIVOTING AND LAUNCHING ATTACKS

Attackers use web shells to pivot to additional targets both inside and outside the network. Enumerating the environment (scanning and sniffing traffic to identify live hosts, firewalls and routers) can take weeks, during which attackers keep a low profile to avoid detection. An attacker who persists on a network moves patiently and may use a compromised system as a launch point against other targets. Pivoting through several systems helps the attacker stay anonymous and can make the attack virtually impossible to trace to its source.

4. BOT HERDING
Web shells can be used to connect servers to a botnet, a network of systems controlled by the attacker. The affected servers execute commands sent by the attacker through a command-and-control server that communicates with the web shell. This is a common technique for DDoS attacks that need large amounts of bandwidth: the attacker has no interest in the system where the web shell is installed, only in its resources, which are turned against more valuable targets.

WEB SHELL PROTECTION

Here are a few ways to protect your organization against the threat of web shells.

FILE INTEGRITY MONITORING

File integrity monitoring (FIM) solutions record a baseline of the files in web-accessible directories and detect any addition, modification or deletion against it. When a change is detected, the FIM tool alerts administrators and security staff, and some products can also block or revert the change. Because the alert fires as soon as a file is written to a monitored directory, FIM lets security staff find and remove web shells quickly.

Integrity monitoring solutions can be tuned to allow expected file changes while flagging or blocking others. If, for example, your web application handles only portable document format (PDF) files, the monitoring solution can block or alert on any file written to the upload directory that does not carry the ".pdf" extension. Treat the extension check as a first filter only: attackers rely on double extensions (report.pdf.php), alternative extensions the server still executes (.phtml, .phar), and files whose name says PDF but whose content is script. Validate the content type server-side and, wherever possible, keep uploads outside the web root altogether.

WEB APPLICATION PERMISSIONS

When defining permissions for web applications, apply the principle of least privilege: give every user and every process the bare minimum of privileges required for its role. The goal is to ensure that no account holds privileges it should not have and that a compromised account is restricted in what it can do.

Least privilege also helps prevent threat actors from uploading a web shell to a vulnerable application. Configure the account the web application runs under so that it cannot write to web-accessible directories or modify web-accessible code; if it must write files (uploads, caches), give it a directory outside the web root, or one the server is configured never to execute scripts from. Then even an upload or file-write bug cannot drop an executable script where the server will run it.
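The following Python is an added example of the integrity-monitoring approach described above, not an Imperva tool or code from the article. It hashes every file under a web root into a baseline, reports what was added, modified or deleted since, and triages the changes: any new or altered server-side script is flagged outright, and any file carrying two or more PHP web-shell indicators (a code-execution sink, request input feeding it, runtime decoding of an embedded payload, a variable used as a function name) is flagged as well. The site layout, the PHP assumption and the indicator list are constructed for the demo.

```python
"""Web-root integrity baseline with web-shell triage (added example)."""
import hashlib
import os
import re
import tempfile

# Server-side script extensions: any new or changed file of these types
# inside a web root deserves a look regardless of content.
SCRIPT_EXT = {".php", ".phtml", ".php5", ".phar", ".jsp", ".jspx",
              ".asp", ".aspx", ".ashx", ".cgi", ".pl"}

# Content indicators typical of PHP web shells (assumption: a PHP application).
# No single one is proof; two or more in one file is worth an analyst's time.
INDICATORS = {
    "code-execution sink": re.compile(rb"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\("),
    "request input":       re.compile(rb"\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\s*\["),
    "runtime decoding":    re.compile(rb"\b(base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\("),
    "dynamic call":        re.compile(rb"\$\w+\s*\(\s*\$"),   # $f($x): variable used as function name
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map relative path -> sha256 for every regular file below root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return out


def diff_baseline(old, new):
    added = sorted(set(new) - set(old))
    deleted = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, modified, deleted


def shell_indicators(data):
    """Names of the indicators present in a file's bytes, sorted for stable output."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(data))


def triage(root, old, new):
    """Alerts for added or modified files (every script, plus any file with two or
    more indicators) and for deletions, which an attacker may use to cover tracks."""
    added, modified, deleted = diff_baseline(old, new)
    alerts = []
    for rel in added + modified:
        with open(os.path.join(root, rel), "rb") as fh:
            data = fh.read()
        hits = shell_indicators(data)
        is_script = os.path.splitext(rel)[1].lower() in SCRIPT_EXT
        if is_script or len(hits) >= 2:
            alerts.append({"path": rel, "change": "added" if rel in added else "modified",
                           "script": is_script, "indicators": hits})
    for rel in deleted:
        alerts.append({"path": rel, "change": "deleted", "script": False, "indicators": []})
    return alerts


def demo():
    """Constructed scenario: a small PHP site, then an attacker drops a shell in
    the upload directory and tampers with index.php to include it."""
    root = tempfile.mkdtemp(prefix="webroot_")

    def put(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

    put("index.php", b"<?php echo 'hello'; ?>")
    put("assets/logo.png", b"\x89PNG\r\n\x1a\n")
    put("uploads/report.pdf", b"%PDF-1.7")
    before = baseline(root)
    put("uploads/.cache.php", b"<?php @eval(base64_decode($_POST['k'])); ?>")
    put("index.php", b"<?php echo 'hello'; include 'uploads/.cache.php'; ?>")
    return triage(root, before, baseline(root))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

In production the baseline would be stored off-host and the scan triggered by filesystem events (inotify, ETW) rather than a full walk; the triage logic stays the same. The indicator list is deliberately small and will miss heavily obfuscated shells, which is why every new script in the web root is flagged regardless of content.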
INTRUSION PREVENTION AND WEB APPLICATION FIREWALLS

An intrusion prevention system (IPS) is a network security technology that protects IT assets by inspecting the flow of network traffic and blocking known malicious patterns. A web application firewall (WAF) protects web services by filtering, monitoring and blocking the HTTP traffic flowing to and from them, so it can block both the exploit or upload that plants a web shell and the requests that drive one already in place. Organizations should layer several technologies when implementing intrusion prevention: IPS and WAF solutions each monitor traffic and block known malicious uploads, and together they cover more ground. Each security control introduced into the environment should be tuned to the organization's own applications and traffic.

NETWORK SEGMENTATION

Network segmentation is an architecture that splits the network into separate subnetworks, each treated as a segment with its own access controls. Segregation rules prevent connections between segments that have no business communicating, which helps stop a web shell from propagating.

There is a wide range of segregation techniques. Isolating internet-facing servers in a demilitarized zone (DMZ) subnet is a basic one. More advanced techniques, such as software-defined networking (SDN), can help implement a zero trust architecture, which requires explicit authorization before any two nodes on the network may communicate. This prevents attackers from chaining web shells to reach deeper into the network: the web shell can still affect the server it sits on, but lateral movement beyond that server is blocked.

ENDPOINT DETECTION AND RESPONSE (EDR)

Certain endpoint detection and response (EDR) and host logging solutions can help protect against web shell attacks.
These solutions monitor system calls and anomalies in process lineage, and match them against patterns of malicious behavior to detect web shells. An EDR solution with web shell detection capabilities monitors every process on the endpoint, including the system calls it makes, and recognizes abnormal behavior originating from a web server process. For example, a web server process almost never launches ipconfig (or ifconfig, whoami and similar discovery commands on Linux); a web server worker spawning a command shell that runs such tools is a common reconnaissance pattern prompted by web shells, and behavioral analysis picks it up.

IMPERVA WEB SHELL PROTECTION

Imperva prevents web shells and other threats that communicate with C&C servers through its industry-leading Web Application Firewall, which blocks attacks with world-class analysis of the web traffic to your applications.

Beyond the WAF, Imperva provides comprehensive protection for applications, APIs, and microservices:

Runtime Application Self-Protection (RASP) – Real-time attack detection and prevention from your application runtime environment goes wherever your applications go. Stop external attacks and injections and reduce your vulnerability backlog.

API Security – Automated API protection ensures your API endpoints are protected as they are published, shielding your applications from exploitation.

Advanced Bot Protection – Prevent business logic attacks from all access points – websites, mobile apps, and APIs. Gain seamless visibility and control over bot traffic to stop online fraud through account takeover or competitive price scraping.

DDoS Protection – Block attack traffic at the edge to ensure business continuity with guaranteed uptime and no performance impact. Secure your on-premises or cloud-based assets – whether you're hosted in AWS, Microsoft Azure, or Google Public Cloud.
Attack Analytics – Ensures complete visibility with machine learning and domain expertise across the application security stack to reveal patterns in the noise and detect application attacks, enabling you to isolate and prevent attack campaigns.

Client-Side Protection – Gain visibility and control over third-party JavaScript code to reduce the risk of supply chain fraud, prevent data breaches, and client-side attacks.
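The EDR section above describes detecting a web server process that launches discovery tools such as ipconfig. As an added example, not Imperva's or the article's code, the following Python applies that logic to process-creation telemetry: it walks each new process's ancestry a few generations back and raises an alert whenever a shell, interpreter or discovery tool descends from a web server worker. The events are constructed in the shape of Sysmon Event ID 1 and Linux process-creation records; the field names, the image lists, the host names and the process IDs are assumptions for the demo.

```python
"""Process-lineage detection of web-shell activity (added example)."""

# Images that host web applications (lower-case basenames; assumption).
WEB_SERVER_IMAGES = {"w3wp.exe", "httpd", "httpd.exe", "apache2", "nginx",
                     "php-fpm", "php-cgi.exe", "tomcat9"}

# Shells, interpreters and discovery tools a web server worker has no
# business spawning. Lower-case basenames; extend for your estate.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe", "ipconfig.exe",
    "net.exe", "net1.exe", "nltest.exe", "tasklist.exe", "systeminfo.exe",
    "certutil.exe", "bitsadmin.exe",
    "sh", "bash", "dash", "whoami", "id", "uname", "ifconfig", "ip",
    "netstat", "ss", "curl", "wget", "python3", "perl", "nc", "ncat",
}
MAX_DEPTH = 3  # generations to walk up looking for a web server ancestor

# Constructed process-creation events from two hosts. Real telemetry adds a
# process GUID because PIDs are reused; here (host, pid) is unique by construction.
EVENTS = [
    {"host": "web01", "ts": "10:00:01", "pid": 4120, "ppid": 612,  "image": r"C:\Windows\System32\inetsrv\w3wp.exe", "cmdline": "w3wp.exe -ap DefaultAppPool"},
    {"host": "web01", "ts": "10:07:12", "pid": 5208, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",          "cmdline": "cmd.exe /c whoami"},
    {"host": "web01", "ts": "10:07:12", "pid": 5212, "ppid": 5208, "image": r"C:\Windows\System32\whoami.exe",       "cmdline": "whoami"},
    {"host": "web01", "ts": "10:07:40", "pid": 5300, "ppid": 4120, "image": r"C:\Windows\System32\ipconfig.exe",     "cmdline": "ipconfig /all"},
    {"host": "web01", "ts": "10:15:00", "pid": 7001, "ppid": 900,  "image": r"C:\Windows\explorer.exe",              "cmdline": "explorer.exe"},
    {"host": "web01", "ts": "10:15:30", "pid": 7010, "ppid": 7001, "image": r"C:\Windows\System32\cmd.exe",          "cmdline": "cmd.exe"},   # admin at the console: benign
    {"host": "web02", "ts": "10:20:00", "pid": 2201, "ppid": 1,    "image": "/usr/sbin/php-fpm8.2",                  "cmdline": "php-fpm: pool www"},
    {"host": "web02", "ts": "10:21:05", "pid": 2390, "ppid": 2201, "image": "/bin/sh",                               "cmdline": "sh -c id"},
    {"host": "web02", "ts": "10:21:05", "pid": 2391, "ppid": 2390, "image": "/usr/bin/id",                           "cmdline": "id"},
]


def basename(image):
    """Lower-case final path component, for Windows and POSIX paths alike."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_web_server(image):
    b = basename(image)
    return b in WEB_SERVER_IMAGES or b.startswith("php-fpm")


def detect(events):
    """Alert on every suspicious process that has a web server worker among its
    nearest MAX_DEPTH ancestors on the same host; lineage lists the path found."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]) not in SUSPICIOUS_CHILDREN:
            continue
        chain = []
        cur = by_pid.get((e["host"], e["ppid"]))
        depth = 0
        while cur is not None and depth < MAX_DEPTH:
            chain.append(basename(cur["image"]))
            if is_web_server(cur["image"]):
                alerts.append({"host": e["host"], "ts": e["ts"], "pid": e["pid"],
                               "image": basename(e["image"]), "cmdline": e["cmdline"],
                               "lineage": " <- ".join(chain)})
                break
            cur = by_pid.get((cur["host"], cur["ppid"]))
            depth += 1
    return alerts


def flagged_pids(events=EVENTS):
    return sorted(a["pid"] for a in detect(events))


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(f'{alert["host"]} {alert["ts"]} pid={alert["pid"]} {alert["image"]} '
              f'({alert["cmdline"]}) lineage: {alert["lineage"]}')
```

The console session (explorer.exe spawning cmd.exe) produces no alert because no web server appears in its ancestry, while whoami is caught two generations below w3wp.exe and id two below php-fpm. When running this against real data, key processes by the process GUID your sensor supplies rather than by PID, and tune SUSPICIOUS_CHILDREN against what your application legitimately spawns (image converters, for example) before alerting on every child.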