I've been learning more and more about web security recently and today I came across the concept of a web shell.
I was going through a course on secure JavaScript coding which mentioned two prime examples for attack vectors in JS: the usage of the eval
function or the Function constructor.
Both of those evaluate strings as JavaScript code, which can be a huge security risk, especially if unsanitized user data or query params are passed to them.
That way an attacker could send a denial of service attack, for example, or inject... a web shell.
Ok, that was a long winded way of starting my explanation of what a web shell is.
A web shell is a bit of code that enables a shell like interface but through a web browser. It needs to be written in the language supported by the server that it wants to connect to. Once this code is running on the server, an attacker can run unix commands through any browser. Let's say our web shell runs on localhost:8000
then we can run an ls
command like this localhost:8000/?cmd=ls
and the server will return to us a list of all the files it has.
Web shells are often used for reconnaissance, so for hackers to understand how the system is built and how they can later attack it.