jehna 

A server can detect if you're piping curl in to a shell like `curl | bash` and send a different payload 

https://web.archive.org/web/20230325190353/https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/

Detecting the use of "curl | bash" server side | Application Security

Another reason not to pipe from curl to bash. Detecting curl | bash serverside.

May 25, 2023 at 7:54pmWeb
Show threadJason Parker (he/they)May 25, 2023

@jehna That's kind of amazing.

I bet there's stuff you could add on top of that to detect the type of system that the script is running on. Maybe something like a `dd if=/dev/urandom of=/dev/null bs=1M count=1024` to determine performance of the RNG.

Show threadRichad AMay 26, 2023
@jehna Does it use the http header? I would assume it does, but from how the article is written I am not sure.
I see the "User-Agent: curl/7.35.0" line, so theoretically this answers my question.
Show threadjehna May 26, 2023
@richardazia nope, timing. This is the graph you want to be looking for the answer – see how it takes a lot more time for curl to get to chunk 6. So if you send \n until that, you can pretty much detect the piping and change the whole script: