1. A metacharacter is one that represents some other concept rather than itself. For example, in entering in filenames, the metacharacter '*' doesn't represent an astrisk, but instead tells the system to match on any character. For example, looking for the filename "*.txt" will look for all files ending in the real characters ".txt". On UNIX, the most important characters are "shell" metacharacters. The reason they are important is because the shell is often used by one program to spawn another. This means that input provided to the parent program will be passed to the shell, then to the child program. If a hacker can craft special input using metacharacters, the hacker may be able to cause that shell to do something unexpected. E-mail address: A classic example is a webpage containing a FORM that asks for a user's e-mail address. The software (such as a CGI script) will often just invoke the 'mail' program using the shell. By inserting shell metacharacters into the field for the email address, a hacker may be able to execute some other program on the web server. Example: Some UNIX shell metacharacters are: [] () {} ~ # $ ^ & * \ | ; <> ? ` ' | (pipe) The pipe metacharacter links two command-line programs together, causing the output from the first program to become the input into the second program. Hackers don't care about redirecting input/output, but they will use the pipe simply as a way of confusing the shell into executing a second program. When a hacker attempts to break into a webserver, one of the first things they will do is to look for all the forms on the website and provide input containing pipe characters to see if they can force the system to execute commands. ; (semicolon) Similar to the pipe metacharacter in its ability to run multiple programs at once. However, the semicolon simply launches the programs without redirecting input/output. ` (back-quote, back-tick) The backwards quote metacharacter is similar to the pipe in that it can take the output from one command and pass it another. In this case, the output of the second program is provided as command-line input into the first. $ (dollar sign) The dollar sign prefixes a variable name. Thus, the string $FOO represents the value of the variable named "FOO" rather than the letters 'F', 'O', 'O'. In particular, you'll commonly see $IFS in attacks, where the IFS variable indicates the character used to separate lines in the shell. && and || These are logical operations used in shell programming. They look at the "result" of a program and "conditionally" execute other programs. A hacker doesn't care about this intended use, but can instead use these as yet another way to execute additional commands. See also: taint, CGI From Hacking-Lexicon