Shellshock (CVE-2014-6271, CVE-2014-7169) is a security bug discovered by Stephane Chazelas in the popular Bash Linux shell which allows an attacker to execute commands from environment variables. Essentially, when successfully exploited, the Shellshock vulnerability allows an attacker to attain remote code execution. While Bash is not a publicly exposed Internet service, operating system environment variables are used by many internet facing services such as web servers to pass configuration values.
The reason command execution is possible with the Shellshock bash vulnerability is that Bash did not sanitise environment variables before it executed them. As a result, an attacker can end up executing commands on the target server’s operating system through nothing but HTTP requests.
While the Shellshock bash bug is an old vulnerability, there are still thousands of webservers and applications vulnerable to it. Just like the Heartbleed vulnerability, leaving the Bash Shellshock vulnerability un-patched is a major security risk. This is where Acunetix can help.
Acunetix is a web application vulnerability scanner which automatically tests the security posture of your web applications, as well as any server security misconfigurations. Acunetix allows you to assess web application, and web server security by testing for thousands of vulnerabilities quickly and accurately on a regular basis. Acunetix achieves this by combining a re-engineered crawler and scanner with a vast array of highly tuned test cases, intelligently designed to run as fast and efficiently as possible.
Wide technology coverage
While some attacks may be detectable by server security software such as Intrusion Detection Systems (IDS) and Web Application Firewalls (WAF), these technologies are not able to stop client-side attacks such as DOM-based Cross-site Scripting (DOM XSS). Thanks to its DeepScan technology, Acunetix can combat this blind spot by detecting hard to find DOM XSS vulnerabilities together with other forms of cross-site scripting which would otherwise be invisible to the majority of server security software.
Say goodbye to boring reports
Finally, another area Acunetix excels in, which many other web vulnerability scanners sorely lag behind in is the ability to produce great reports. After a vulnerability scan is complete, Acunetix can instantly generate a wide variety of technical and regulatory and compliance reports such as PCI DSS, HIPAA, OWASP Top 10 and many others. Additionally, Acunetix also allows users to export discovered vulnerabilities to Issue Trackers such as Atlassian JIRA, GitHub and Microsoft Team Foundation Server (TFS).
Get the most out of your web security efforts with Acunetix. Sign up for the free trial of Acunetix Online or download it now to try it on premises, and give your security efforts a nudge in the right direction.
We use Acunetix as part of our Security in the SDLC and to test code in DEV and SIT before being promoted to Production.