The invention discloses an attack detection method and system for WEB; the method comprises the following steps: firstly implementing attack characteristic detection to the url accessed by a user; then implementing misinformation analysis and fail-to-declare analysis treatment to the detection result, wherein the misinformation analysis mainly solves the misinformation caused by normal embedded resources of the website and the web crawlers, the fail-to-declare analysis is to treat the undetected abnormal behaviors conducted by the detected abnormal users. Based on the results of the treatment above, calculating the total normal access time of each abnormal user under each domain name; when the access time is less than the average value of all users, taking the ratio between the access time and the average value as an abnormality scoring index of the abnormal user; otherwise, the abnormality score is a weighted value w of the ratio between the access time and the maximum access time of all users. By the misinformation analysis and fail-to-declare analysis treatment, the efficiency of the attack detection method and system for WEB is significantly increased.