Abstract:
As the field of web security continues to expand, the heavy use of the Java language on the server side has led to the emergence of Tomcat fileless webshell attacks, which have enlarged the attack surface of web security to the entire set of web-service-related frameworks and components. In this paper, we investigate the attack principle of the Tomcat fileless webshell and propose a traffic detection evasion model based on traffic encryption and a built-in sink. We design an automated exploitation tool and conduct experiments to validate the feasibility of the attack principle and the effectiveness of the traffic detection evasion model. Our findings highlight the higher requirements this places on subsequent defense techniques.