This is the URL of the CGI script from the target server which will be scanned for the ShellShock vulnerability.

A single URL is scanned at once.



About this tool

The Bash ShellShock vulnerability scanner attempts to discover remotely which web servers are vulnerable to CVE-2014-6271 and CVE-2014-7169.

A target webserver is vulnerable if:

  • Runs on a Linux/Unix operating system
  • AND The operating system has a vulnerable Bash package installed
  • AND The web server is configured to run scripts as CGI (Common Gateway Interface)
  • AND One of the scripts calls Bash to execute any command

This is why, for the best accuracy of this scanner, you need to provide the URL to the actual CGI script from the target website which executes Bash. Otherwise, the scanner may produce false negatives.

Finding potentially vulnerable CGI scripts in a target web server could also be done using Google. For instance, to find CGI scripts from the domain .fr you could do a search such as: "site:fr inurl:cgi ext:sh".


  • Target URL (CGI script): This URL should point to a script on the server which executes Bash.

How it works

The scanner makes an HTTP request to the target URL, having a special Cookie header in the request.

The Cookie header sent in the request is: () { :; }; echo "Content-Type: text/plain";echo;echo;/usr/bin/id

Because the target script is run as CGI, the web server will pass to the script the environment variable HTTP_COOKIE containing the the value received in the header. When the vulnerable Bash will be called by the CGI script, it will automatically execute the command given in the specially crafted environment variable (/usr/bin/id) and the output will appear in the response html page.

For an exemplification of the results produced by this tool, please see the sample report.