Check for Shellshock using Qualys FreeScan

Will Bechtel

Last updated on: September 6, 2020

The news is out and and everyone is talking about it… Shellshock is a major vulnerability that has wide ramifications for most enterprises. Understanding the risk to its customers, Qualys quickly developed authenticated tests for its Vulnerability Management (VM) solution that can definitively identify the vulnerability. This was followed by the development of a remote check that detects the presence of the Apache CGI attack vector in common locations on web servers.  Qualys Continuous Monitoring (CM) customers were immediately able to create alerts based on these detections.  Qualys then moved on to develop a more comprehensive remote check via the Web Application Scanning (WAS) solution. Qualys also confirmed that the new Web Application Firewall (WAF) solution is able to protect websites that may be vulnerable. So as of today, Qualys customers have a number of ways to not only detect this high risk vulnerability, but also to get automated alerts and protect their organization’s websites.

But what if you are not yet a Qualys customer? It just so happens that Qualys has an app for that!  Qualys FreeScan is a free service that provides vulnerability detection capabilities which enables customers to see how secure a single system is, even if they are not yet a Qualys customer. FreeScan already includes the authenticated and remote checks that are included in the full Qualys Vulnerability Management solution as well as the more thorough remote Apache CGI check via Qualys Web Application Scanning.

It is easy to get started – just follow these easy steps:

Step 1 – Sign Up or Log In

Navigate to and create a new account or login if you already have an account.


Step 2 – Choose the Scan Type

There are 3 types of scans available – Vulnerability, OWASP and Patch Tuesday that can identify the issue. Here is what you get from each:

  • Vulnerability – provides the unauthenticated remote checks for the vulnerability via the Apache CGI attack vector.  Checks via VM and WAS.
  • OWASP – provides the unauthenticated remote check for the vulnerability via the Apache CGI attack vector via WAS.
  • Patch Tuesday – provides either unauthenticated VM check as in Vulnerability scan, or a definitive authenticated check if you provide credentials.

*Note:  Vulnerability testing can have impacts on services and any scanning should be coordinated with operational groups at your organization.


3.  Run the Scan

The scan can take a few minutes.


4.  View the Results


So as you can see – Qualys FreeScan makes it easy to find out if a single system is vulnerable to Shellshock, and easy to experience quickly and easily the full power of the security intelligence solutions available on the Qualys Platform. If you liked the insights from Qualys FreeScan, we recommend as a next step you get a free trial of the Qualys Suite, allowing you to detect BASH Shellshock and thousands of other vulnerabilities across multiple target systems.

For more information, view the BASH Shellshock overview or the BASH Shellshock blog post.

Share your Comments


Your email address will not be published. Required fields are marked *