Shellshock protection using nginx?


I have seen e.g. a Netscaler responder policy which can detect if someone is
trying the Shellshock bug via HTTP headers.

I am using nginx as a reverse proxy, so is there a good way to build similar
protection using nginx features?
e.g. checking HTTP headers and dropping / returning 404 if Shellshock code is

Pekka Panula

Untested but should work;

between http {}
map $request $shellshockblock {
    default 0;
    # note: $request is only the request line (method, URI, protocol),
    # so these patterns do not see User-Agent, Cookie or other headers
    "~*:;" 1;     # quoted: an unquoted ";" would end the directive
    ~ping 1;
    ~/bash 1;     # "~" makes this a substring match instead of an exact one
}

inside location {} if ($shellshockblock) { return 412; }

Posted at Nginx Forum:,253553,253554#msg-253554

curl -k -H 'User-Agent: () { somedummytext; }; /usr/bin/wget -O


If so, you should try to match for the (regex) pattern "() {"
# since this must be written like this;
an additional space between "() {" would render the exploit

Furthermore: you are missing all headers; attacks I've seen so far:

  • UA
  • cookies
  • custom headers

Customized attacks might work via the POST body too, but this is yet not

Posted at Nginx Forum:,253553,253557#msg-253557
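Putting the two points above together (match the literal "() {" prefix, and look at the headers, not just the request line), here is an added example configuration. It is mine, not code from the thread or from the nginx project. The upstream name "backend", the log path and the set of headers inspected are assumptions; nginx's map cannot iterate over every incoming header, so a custom header with an unlisted name is still not covered and a WAF is needed for that.

```nginx
# Added example, not from the thread: block requests whose request line or
# common headers start a value with the bash function-export prefix "() {"
# (CVE-2014-6271). Lives in the http {} context.
#
# The map source is a string built from several variables, so one regex
# covers all of them. Headers not listed here (e.g. X-Custom-Foo) are
# NOT inspected; that is the gap a WAF such as naxsi closes.
map "$request_uri $http_user_agent $http_cookie $http_referer $http_x_forwarded_for" $shellshock_block {
    default 0;
    # A regex containing "{" must be quoted in nginx config.
    # \s* deliberately over-matches "()  {" variants; that breaks the real
    # exploit anyway, so blocking it costs nothing.
    "~\(\)\s*\{" 1;
}

upstream backend {
    server 127.0.0.1:8080;   # assumed CGI/app backend behind the proxy
}

server {
    listen 80;
    server_name example.test;   # assumed hostname

    # Log only the blocked requests (access_log if= needs nginx >= 1.7.0).
    access_log /var/log/nginx/shellshock.log combined if=$shellshock_block;

    location / {
        # "if" with a bare "return" is one of the safe uses of if in location.
        if ($shellshock_block) {
            return 403;
        }
        proxy_pass http://backend;
    }
}
```

To check it, send a probe such as `curl -i -H 'User-Agent: () { :; }; echo x' http://example.test/` and expect a 403, then repeat with a normal User-Agent and confirm the request reaches the backend.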

Hi Pekka,

since the attack, esp. against CGI, is possible through (custom)
headers/cookies etc.,
you'd need some WAF functionality (afaik).

naxsi, an nginx-based WAF, has a signature for this since Wednesday:

MainRule "str:() {" "msg:Possible Remote code execution through Bash CVE-2014-6271" "mz:BODY|HEADERS" "s:$ATTACK:8" id:42000393 ;

Posted at Nginx Forum:,253553,253555#msg-253555