From b16c9d2409996b9e4f17e26a547deb30f80dcede Mon Sep 17 00:00:00 2001 From: NJL <23+njl@noreply.git.churchofmalware.org> Date: Fri, 26 Jun 2026 15:42:37 +0000 Subject: [PATCH] Add README.md --- README.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..3653076 --- /dev/null +++ b/README.md @@ -0,0 +1,24 @@ +# brotli bomb PoC + +A brotli "decompression bomb": a ~1 MB file on disk that expands to **50 GB** in the browser. +The decompressed payload starts with a real PNG, so the image renders — then the browser keeps +inflating the trailing 50 GB of zeros and runs **out of memory / crashes the tab**. + +## Files + +| File | What it does | +|------|--------------| +| `image.png` | The real image embedded at the front of the payload (input). | +| `create.py` | Builds the bomb: `[PNG] + 1 MB random + 50 GB zeros` → `bomb.png.br`. | +| `bomb.png.br` | The compressed bomb (~1 MB on disk, 50 GB decompressed). | +| `server.py` | Minimal Flask server that serves the bomb with `Content-Encoding: br`. | +| `slow_download.py` | Fuller server: inline `` page + download route. | + +## Usage + +```sh +python create.py # build bomb.png.br (pass --rebuild to overwrite) +python server.py # serve on :8080, then open in a browser +``` + +> ⚠️ Opening the page makes the browser decompress 50 GB into memory. Expect the tab to hang and crash.