DocumentCode :
3704093
Title :
A Global, Empirical Analysis of the Shellshock Vulnerability in Web Applications
Author :
Baden Delamore;Ryan K. L. Ko
Author_Institution :
Cyber Security Lab., Univ. of Waikato, Hamilton, New Zealand
Volume :
1
fYear :
2015
Firstpage :
1129
Lastpage :
1135
Abstract :
Large-scale Internet scanning has become increasingly common in the research community, shedding light on the state of security at a global level. However, past scans have typically focused on the adoption of services and the ubiquity of protocols, with few focusing on the extent of vulnerabilities and exposures on the Internet. This paper explores the shellshock vulnerability in web applications by analysing the Alexa Top 1 Million public-facing websites in the world to ascertain the pervasiveness and severity of shellshock. We achieved this by developing an algorithm that uses simple heuristics with multi-threading capabilities, enabling us to perform rapid large-scale web application scanning across various hosts over the HTTP protocol. The results of our global scan were interesting, and illustrated the pervasiveness of shellshock and the potential impact it can have on an organisation, despite this vulnerability being a known vulnerability at the time of our global scan. These results show that certain web server configurations are particularly susceptible, and illustrate which popular top-level domains and countries were most affected. Our findings also showed that while shellshock is easily detectable from an observational standpoint, there exist certain server configurations that allow the bug to be exploited even where CGI scripts are non-existent in the web server. We also discuss remediation guidelines and defensive security practices to protect hosts and organisations from such web-based attack vectors.
Keywords :
"Security","IP networks","Algorithm design and analysis","Web servers","Protocols"
Publisher :
ieee
Conference_Titel :
Trustcom/BigDataSE/ISPA, 2015 IEEE
Type :
conf
DOI :
10.1109/Trustcom.2015.493
Filename :
7345401