GuruWS: A Hybrid Platform for Detecting Malicious Web Shells and Web Application Vulnerabilities

  • Van-Giap Le
  • Huu-Tung Nguyen
  • Duy-Phuc Pham
  • Van-On Phung
  • Ngoc-Hoa NguyenEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11370)


Web application/service is now omnipresent but its security risks, such as malware and vulnerabilities, are indeed underestimated. In this paper, we propose a protective, extensible and hybrid platform, named GuruWS, for automatically detecting both web application vulnerabilities and malicious web shells. Based on the original PHP vulnerability scanner THAPS, we propose E-THAPS which implements a novel detection mechanism, an improved SQL injection, Cross-site Scripting and vulnerability detection capabilities. For malicious web shell detection, taint analysis and pattern matching methods are chosen to be implemented in GuruWS. A number of extensive experiments are carried out to prove the outstanding performance of our proposed platform in comparison with several existing solutions in detecting either web application vulnerabilities or malicious web shells.


White-box penetration testing Web application vulnerability Web shell Taint analysis Pattern matching SQLi detection XSS detection YARA rules 



The authors would like to thank the anonymous reviewers for their valuable comments and suggestions to improve this paper.

This work is partially supported by the national research project No. KC.01/16-20, granted by the Ministry of Science and Technology of Vietnam (MOST).


  1. 1.
    Internet Live Stats. Accessed 21 May 2017
  2. 2.
    Le, V.-G., Nguyen, H.-T., Lu, D.-N., Nguyen, N.-H.: A solution for automatically malicious web shell and web application vulnerability detection. In: Nguyen, N.-T., Manolopoulos, Y., Iliadis, L., Trawiński, B. (eds.) ICCCI 2016. LNCS (LNAI), vol. 9875, pp. 367–378. Springer, Cham (2016). Scholar
  3. 3.
    Mazumder, M., Braje, T.: Safe client/server web development with Haskell. In: 2016 IEEE Cybersecurity Development (SecDev), p. 150 (2016)Google Scholar
  4. 4.
    Bherde, G.P., Pund, M.A.: Recent attack prevention techniques in web service applications. In: International Conference on Automatic Control and Dynamic Optimization Techniques (ICACDOT), pp. 1174–1180 (2016)Google Scholar
  5. 5.
    Khari, M., Sangwan, P., Vaishali: Web-application attacks: a survey. In: 2016 3rd International Conference on Computing for Sustainable Global Development (INDIACom), New Delhi, pp. 2187–2191 (2016)Google Scholar
  6. 6.
    Kals, S., Kirda, E., Kruegel, C., Jovanovich, N.: SecuBat: a web vulnerability scanner. In: 15th International Conference on World Wide Web, pp. 247–256 (2006)Google Scholar
  7. 7.
    Jensen, T., Pedersen, H., Olesen, M.C., Hansen, R.R.: THAPS: automated vulnerability scanning of PHP applications. In: Jøsang, A., Carlsson, B. (eds.) NordSec 2012. LNCS, vol. 7617, pp. 31–46. Springer, Heidelberg (2012). Scholar
  8. 8.
    Dahse, J.: RIPS - a static source code analyser for vulnerabilities in PHP scripts. In: Seminar Work at Chair for Network and Data Security (2010)Google Scholar
  9. 9.
    Sasi, R.: Web backdoors - attack, evasion and detection. In: C0C0N Sec Conference (2011)Google Scholar
  10. 10.
    Petukhov, A., Dmitry, K.: Detecting security vulnerabilities in Web applications using dynamic analysis with penetration testing. In: OWASP Application Security Conference. Computing Systems Lab, Department of Computer Science, Moscow State University (2008)Google Scholar
  11. 11.
    Dahse, J., Holz, T.: Static detection of second-order vulnerabilities in web applications. In: 23rd USENIX Security Symposium (USENIX Security 2014), pp. 989–1003 (2014)Google Scholar
  12. 12.
    Starov, O., Dahse, J., Ahmad, S., Holz, T., Nikiforakis, N.: No honor among thieves: a large-scale analysis of malicious web shells. In: 25th International Conference on World Wide Web, pp. 1021–1032 (2016)Google Scholar
  13. 13.
    Le, H.H., Nguyen, N.H., Nguyen, T.T.: Exploiting GPU for large scale fingerprint identification. In: Nguyen, N.T., Trawiński, B., Fujita, H., Hong, T.-P. (eds.) ACIIDS 2016. LNCS (LNAI), vol. 9621, pp. 688–697. Springer, Heidelberg (2016). Scholar
  14. 14.
    Wang, H., Liu, T., Guan, X., Shen, C., Zheng, Q., Yang, Z.: Dependence guided symbolic execution. IEEE Trans. Softw. Eng. 43(3), 252–271 (2017)CrossRefGoogle Scholar
  15. 15.
    Bhme, M., Paul, S.: A probabilistic analysis of the efficiency of automated software testing. IEEE Trans. Softw. Eng. 42(4), 345–360 (2016)CrossRefGoogle Scholar
  16. 16.
    Web Technology Surveys. Accessed 21 May 2017
  17. 17.
    YARA - The pattern matching swiss knife for malware researchers. Accessed 10 May 2017
  18. 18.
    Popov, N.: PHP-parser introduction. Accessed 15 Apr 2016
  19. 19.
    The Open Web Application Security Project. Static Code Analysis. Accessed 22 May 2017
  20. 20.
    The Open Web Application Security Project. Attack Category: Command Injection. Accessed 18 May 2017
  21. 21.
    The Open Web Application Security Project. Attack Category: PHP Object Injection. Accessed 18 May 2017
  22. 22.
    The Open Web Application Security Project. Testing for Local File Inclusion. Accessed 18 May 2017
  23. 23.
    The Open Web Application Security Project. Attack Category: Direct Dynamic Code Evaluation (‘Eval Injection’).’Eval_Injection’). Accessed 18 May 2017
  24. 24.
    Bernardo Damele, A.G., Stampar, M.: SQLMap - automatic SQL injection and database takeover tool. Accessed 12 May 2017
  25. 25.
    Deng, W., Liu, Q., Cheng, H., Qin, Z.: A malware detection framework based on Kolmogorov complexity. J. Comput. Inf. Syst. 7, 2687–2694 (2011)Google Scholar

Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2019

Authors and Affiliations

  • Van-Giap Le
    • 1
  • Huu-Tung Nguyen
    • 1
  • Duy-Phuc Pham
    • 1
  • Van-On Phung
    • 1
  • Ngoc-Hoa Nguyen
    • 1
    Email author
  1. 1.VNU University of Engineering and TechnologyHanoiVietnam

Personalised recommendations