Does anyone know the WAS can detect the Webshell attack? Which QID is for detecting this vulnerability?
A webshell is essentially a host compromise such that an attacker can alter the web app code and choose any location on the web server to allow shell commands to be accepted, executed and processed. Guessing locations that might be commonly used is unlikely, as attackers would not make it available someplace that would be a default location. Again, once it is there, attackers have control of the box and can easily hide from black box scanners that can only guess at the paths they may be 'listening' for. Therefore I do not believe WAS is the correct tool for this discovery. I can however offer two alternative options.
First, this sounds like a job for a proper WAF solution. The Qualys WAF solution for example, does have controls to mitigate and detect webshell presence and usage and is probably best suited for the job.
Secondly this could also be better suited for a FIM solution running on the web server.
I hope this helps.
Retrieving data ...