Skip to content

Latest commit

 

History

History
28 lines (19 loc) · 1.24 KB

README.md

File metadata and controls

28 lines (19 loc) · 1.24 KB

pipe-to-sh Proof of Concept

The problem:

curl -s <insert_URL_here>/install.sh | sh

Piping direct to sh from the web has its obvious dangers along with some not so obvious hidden ones..

This project showcases a non-obvious problem with that workflow by sniffing the browser's user agent string to change a served .sh file dependent on whether or not the browser is curl/libcurl. This could allow a malicious person to point a user to a perfectly reasonable looking .sh file in their browser, while in the background providing a different, perhaps evil, .sh file to the user when downloading via curl/libcurl.

This source is running on a (sole) heroku worker so you can see for yourself. First visit the URL in a browser, then run the line below to see what curl would see:

curl -s http://pipe-to-sh-poc.herokuapp.com/install.sh | cat

N.B Piping to cat not sh; the file is harmless...but why are trusting me?

This is a proof of concept; no damaging code is contained within.

For more on this please see the post on djm.org.uk.