nerdexam
EC-Council

312-50V13 · Question #358

What is the most common method to exploit the "Bash Bug" or "Shellshock" vulnerability?

The correct answer is C. Through Web servers utilizing CGI (Common Gateway Interface) to send a malformed. The 'Bash Bug' or 'Shellshock' vulnerability was most commonly exploited through web servers using CGI to pass malformed HTTP headers as environment variables to Bash.

Submitted by satoshi_tk· Mar 6, 2026System Hacking

Question

What is the most common method to exploit the "Bash Bug" or "Shellshock" vulnerability?

Options

  • ASYN Flood
  • BSSH
  • CThrough Web servers utilizing CGI (Common Gateway Interface) to send a malformed
  • DManipulate format strings in text fields

How the community answered

(53 responses)
  • A
    2% (1)
  • C
    94% (50)
  • D
    4% (2)

Why each option

The 'Bash Bug' or 'Shellshock' vulnerability was most commonly exploited through web servers using CGI to pass malformed HTTP headers as environment variables to Bash.

ASYN Flood

SYN Flood is a Denial of Service (DoS) attack that overwhelms a target by exploiting the TCP three-way handshake, and is unrelated to the Shellshock vulnerability.

BSSH

While Bash is used with SSH, direct exploitation of Shellshock for *initial access* was primarily through web servers; an attacker already having SSH access could leverage Shellshock, but it wasn't the most common method for *exploiting* the bug to gain initial unauthorized access.

CThrough Web servers utilizing CGI (Common Gateway Interface) to send a malformedCorrect

The 'Shellshock' vulnerability allowed attackers to execute arbitrary commands by injecting malicious code into environment variables processed by the Bash shell. This was most widely exploited via web servers that use CGI (Common Gateway Interface) scripts, as HTTP headers (like User-Agent or Referer) are often passed as environment variables, providing a direct vector for malicious Bash code injection.

DManipulate format strings in text fields

Manipulating format strings exploits vulnerabilities in how programs handle string formatting functions (e.g., `printf`), which is a different class of vulnerability from Shellshock's environment variable parsing flaw.

Concept tested: Shellshock (Bash Bug) exploitation

Source: https://access.redhat.com/articles/1200223

Topics

#Shellshock#Bash vulnerability#CGI exploitation#Web server attacks

Community Discussion

No community discussion yet for this question.

Full 312-50V13 Practice