
GuruWS: A Hybrid Platform for Detecting Malicious Web Shells and Web Application Vulnerabilities

Transactions on Computational Collective Intelligence XXXII

Part of the book series: Lecture Notes in Computer Science (TCCI, volume 11370)


Abstract

Web applications and services are now omnipresent, but their security risks, such as malware and vulnerabilities, are still underestimated. In this paper, we propose a protective, extensible and hybrid platform, named GuruWS, for automatically detecting both web application vulnerabilities and malicious web shells. Building on the original PHP vulnerability scanner THAPS, we propose E-THAPS, which implements a novel detection mechanism together with improved SQL injection, cross-site scripting and general vulnerability detection capabilities. For malicious web shell detection, GuruWS implements taint analysis and pattern matching. A number of extensive experiments are carried out to demonstrate the performance of our proposed platform in comparison with several existing solutions for detecting either web application vulnerabilities or malicious web shells.


Notes

  1. http://sourceforge.net/projects/rips-scanner/.
  2. https://github.com/nikic/PHP-Parser.
  3. https://en.wikipedia.org/wiki/Abstract_syntax_tree.
  4. https://github.com/plusvic/yara/releases/latest.
  5. http://112.137.130.56/guruws/.
  6. https://github.com/giaplv57/GuruWebScanner/.
  7. https://virustotal.com/.
  8. https://sourceforge.net/p/laudanum/code/25/tree/; GitHub: /tennc/webshell, /shiqiaomu/webshell-collector, /tdifg/WebShell, /BlackArch/webshells, /JohnTroony/other-webshells, /lhlsec/webshell, /fuzzdb-project/fuzzdb, /JohnTroony/php-webshells.
  9. https://wordpress.org/plugins/browse/popular/.
  10. https://ctftime.org/ctf/112.
  11. https://wordpress.org/plugins/browse/featured/.
  12. https://wpvulndb.com/plugins.
  13. https://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/.


Acknowledgments

The authors would like to thank the anonymous reviewers for their valuable comments and suggestions to improve this paper.

This work is partially supported by the national research project No. KC.01/16-20, granted by the Ministry of Science and Technology of Vietnam (MOST).

Author information

Corresponding author

Correspondence to Ngoc-Hoa Nguyen.


Copyright information

© 2019 Springer-Verlag GmbH Germany, part of Springer Nature

About this chapter


Cite this chapter

Le, V.-G., Nguyen, H.-T., Pham, D.-P., Phung, V.-O., Nguyen, N.-H. (2019). GuruWS: A Hybrid Platform for Detecting Malicious Web Shells and Web Application Vulnerabilities. In: Nguyen, N., Kowalczyk, R., Hernes, M. (eds.) Transactions on Computational Collective Intelligence XXXII. Lecture Notes in Computer Science, vol. 11370. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-58611-2_5


  • DOI: https://doi.org/10.1007/978-3-662-58611-2_5


  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-58610-5

  • Online ISBN: 978-3-662-58611-2

  • eBook Packages: Computer Science (R0)
