https://github.com/m4tx/curl-bash-attack
Server-side detection of using curl | bash in the CLI
- Host: GitHub
- URL: https://github.com/m4tx/curl-bash-attack
- Owner: m4tx
- License: apache-2.0
- Created: 2024-09-17T23:21:58.000Z (almost 2 years ago)
- Default Branch: master
- Last Pushed: 2025-09-11T21:59:57.000Z (9 months ago)
- Last Synced: 2025-09-28T07:43:59.711Z (9 months ago)
- Topics: attack, cot-framework, cybersecurity, web
- Language: Rust
- Homepage:
- Size: 134 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE-APACHE
README
# curl-bash-attack
An implementation of an attack that detects the use of `curl | bash` on the server side, so that a malicious script is served only to the users who run the command.
The attack exploits the way `bash` executes scripts and measures the time between the arrival of subsequent TCP packets to distinguish `curl | bash` from simply downloading the script. More details on how the attack works can be found in the [blog post](http://web.archive.org/web/20240423134349/https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/).

## Quick Start
Make sure you have [cargo](https://doc.rust-lang.org/cargo/getting-started/installation.html) installed before proceeding.
```shell
cargo run
```
After that, in another terminal, you can test the attack by running:
```shell
curl -s http://localhost:8000 | bash
```
You should see `running rm -rf --no-preserve-root /...` in the terminal. Don't worry, the command is not actually executed; it's just a demonstration of the attack!
For comparison, you can run the following command:
```shell
curl -s http://localhost:8000 | cat
```
You should just see the following script in the terminal:
```shell
echo Hello!
sleep 2
echo nothing to do...
```
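A defensive counterpart to the comparison above, as an added example that is not part of this project: the script is downloaded completely to a file, checked against a pinned SHA-256, and only then executed, so the server sees an ordinary download and the bytes that were hashed are the bytes that run. The function names and the pinned-digest argument are assumptions made for this illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the curl-bash-attack project): fetch an installer
# to disk, verify it against a pinned SHA-256, and only then execute it.

# sha256_of FILE -> prints the lowercase hex digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_script FILE EXPECTED_SHA256 -> 0 on match, 1 on mismatch, 2 on bad input.
verify_script() {
    local file expected actual
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "verify: $file not found" >&2; return 2; }
    # Reject a pin that is empty or not exactly 64 hex characters.
    case $expected in
        *[!0-9a-f]*|'') echo "verify: malformed pin" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "verify: malformed pin" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "verify: digest mismatch (got $actual)" >&2
        return 1
    fi
}

# fetch_verify_run URL EXPECTED_SHA256
# The whole body is on disk before bash starts, so nothing is executed
# while the transfer is still in progress.
fetch_verify_run() {
    local url pin tmp rc
    url=$1 pin=$2 rc=0
    tmp=$(mktemp) || return 2
    if curl -fsSL --output "$tmp" "$url" && verify_script "$tmp" "$pin"; then
        bash "$tmp" || rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

The pinned digest only helps if it is obtained through a channel other than the server that delivers the script.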
## License
The project is dual-licensed under the [MIT](LICENSE-MIT) and [Apache-2.0](LICENSE-APACHE) licenses.
## Attribution
The attack is based on [the blog post published on idontplaydarts.com](http://web.archive.org/web/20240423134349/https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/).
The source code uses the experimental web framework [Cot](https://cot.rs).