main
brotli bomb PoC
A brotli "decompression bomb": a ~1 MB file on disk that expands to 50 GB in the browser. The decompressed payload starts with a real PNG, so the image renders — then the browser keeps inflating the trailing 50 GB of zeros and runs out of memory / crashes the tab.
A gzip version (bomb.png.gz) is also built, so clients that don't accept br still get bombed.
Files
| File | What it does |
|---|---|
image.png |
The real image embedded at the front of the payload (input). |
create.py |
Builds the bombs: [PNG] + 1 MB random + 50 GB zeros → bomb.png.br and bomb.png.gz. |
bomb.png.br |
The brotli bomb (~1 MB on disk, 50 GB decompressed). |
bomb.png.gz |
The gzip bomb (~50 MB on disk, 50 GB decompressed) — fallback for clients without br. |
server.py |
Minimal Flask server. Loads both prebuilt bombs and picks br or gzip per the client's Accept-Encoding. |
slow_download.py |
Fuller server: inline <img> page + download route. |
Usage
python create.py # build bomb.png.br + bomb.png.gz (pass --rebuild to overwrite)
python server.py # serve on :8080, then open in a browser
⚠️ Opening the page makes the browser decompress 50 GB into memory. Expect the tab to hang and crash.
Description
Languages
Python
100%