TridentShell: A Covert and Scalable Backdoor Injection Attack on Web Applications

Web backdoor attack is a kind of popular network attack, which can cause a serious damage to websites. In practice, cyber attackers often exploit vulnerabilities in the system or web applications to implant a backdoor to a web server. To address this challenge, static feature detection is believed to be an effective solution. However, it may also leave a potential security "hole" that could be exploited by intruders. In this paper, we propose a novel backdoor attack method called TridentShell, which can inject a webshell into the memory of web application server without leaving attack traces. Our attack is able to bypass almost all types of static detection methods. In particular, it attempts to blend itself into the web server and erase attack traces automatically, instead of encrypting or obfuscating the content of webshell to avoid detection. Besides, TridentShell can still be executed even when the webmasters restrict the access to web directory. In the evaluation, we showcase how TridentShell can successfully inject a webshell into five different types of Java application servers (covering around 87% Java application servers in the market), and can remove the attack traces on the server (increasing the detection difficulty).