Abstract:
As the field of web security continues to expand, the widespread use of the Java language on the server side has led to the emergence of Tomcat fileless WebShell attacks, extending the attack surface of web security to encompass the entire framework and components related to web services. This paper conducts an in-depth analysis of the attack principles of Tomcat fileless WebShells and proposes a traffic detection evasion model based on traffic encryption and built-in sink points. To validate the effectiveness of these attack methods in bypassing detection, an automated exploitation tool is designed, and experiments are conducted to verify the feasibility of the attack principles and the effectiveness of the traffic monitoring evasion model. These research findings not only raise the bar for defense techniques but also provide valuable insights and references for subsequent security protection efforts.