Recently, the WAS scan engine began testing for the presence of known web shells via QID 150239. This QID is included in Core detection scope. If a web shell is found, it means the scanned application has already been compromised and immediate action is required. If you're unfamiliar with web shells, you can find more information at US-CERT Alert #TA15-314A.
Here is the list of known web shells that WAS tests for when QID 150239 is enabled:
- Antichat Shell.php
- PHP Shell.php
Each of these files is tested at the specified base location of the web app's target URL and two directory levels deep inside the web app. If the response contains a match with a regular expression, then QID 150239 will be reported.