2026-06-26 17:29:28 +00:00
2026-06-26 15:39:14 +00:00
2026-06-26 16:12:04 +00:00
2026-06-26 16:11:09 +00:00
2026-06-26 16:11:23 +00:00
2026-06-26 17:29:28 +00:00
2026-06-26 16:13:47 +00:00

brotli bomb PoC

A brotli "decompression bomb": a ~1 MB file on disk that expands to 50 GB in the browser. The decompressed payload starts with a real PNG, so the image renders — then the browser keeps inflating the trailing 50 GB of zeros and runs out of memory / crashes the tab.

A gzip version (bomb.png.gz) is also built, so clients that don't accept br still get bombed.

Files

File What it does
image.png The real image embedded at the front of the payload (input).
create.py Builds the bombs: [PNG] + 1 MB random + 50 GB zerosbomb.png.br and bomb.png.gz.
bomb.png.br The brotli bomb (~1 MB on disk, 50 GB decompressed).
bomb.png.gz The gzip bomb (~50 MB on disk, 50 GB decompressed) — fallback for clients without br.
server.py Minimal Flask server. Loads both prebuilt bombs and picks br or gzip per the client's Accept-Encoding.
slow_download.py Fuller server: inline <img> page + download route.

Usage

python create.py        # build bomb.png.br + bomb.png.gz (pass --rebuild to overwrite)
python server.py        # serve on :8080, then open in a browser

⚠️ Opening the page makes the browser decompress 50 GB into memory. Expect the tab to hang and crash.

S
Description
A simple brotli-bomb
Readme 2.5 MiB
Languages
Python 100%