Add README.md

This commit is contained in:
NJL
2026-06-26 15:42:37 +00:00
parent 52bdedb663
commit b16c9d2409
+24
View File
@@ -0,0 +1,24 @@
# brotli bomb PoC
A brotli "decompression bomb": a ~1 MB file on disk that expands to **50 GB** in the browser.
The decompressed payload starts with a real PNG, so the image renders — then the browser keeps
inflating the trailing 50 GB of zeros and runs **out of memory / crashes the tab**.
## Files
| File | What it does |
|------|--------------|
| `image.png` | The real image embedded at the front of the payload (input). |
| `create.py` | Builds the bomb: `[PNG] + 1 MB random + 50 GB zeros``bomb.png.br`. |
| `bomb.png.br` | The compressed bomb (~1 MB on disk, 50 GB decompressed). |
| `server.py` | Minimal Flask server that serves the bomb with `Content-Encoding: br`. |
| `slow_download.py` | Fuller server: inline `<img>` page + download route. |
## Usage
```sh
python create.py # build bomb.png.br (pass --rebuild to overwrite)
python server.py # serve on :8080, then open in a browser
```
> ⚠️ Opening the page makes the browser decompress 50 GB into memory. Expect the tab to hang and crash.