# brotli bomb PoC A brotli "decompression bomb": a ~1 MB file on disk that expands to **50 GB** in the browser. The decompressed payload starts with a real PNG, so the image renders — then the browser keeps inflating the trailing 50 GB of zeros and runs **out of memory / crashes the tab**. A gzip version (`bomb.png.gz`) is also built, so clients that don't accept `br` still get bombed. ## Files | File | What it does | |------|--------------| | `image.png` | The real image embedded at the front of the payload (input). | | `create.py` | Builds the bombs: `[PNG] + 1 MB random + 50 GB zeros` → `bomb.png.br` **and** `bomb.png.gz`. | | `bomb.png.br` | The brotli bomb (~1 MB on disk, 50 GB decompressed). | | `bomb.png.gz` | The gzip bomb (~50 MB on disk, 50 GB decompressed) — fallback for clients without `br`. | | `server.py` | Minimal Flask server. Loads both prebuilt bombs and picks `br` or `gzip` per the client's `Accept-Encoding`. | | `slow_download.py` | Fuller server: inline `` page + download route. | ## Usage ```sh python create.py # build bomb.png.br + bomb.png.gz (pass --rebuild to overwrite) python server.py # serve on :8080, then open in a browser ``` > ⚠️ Opening the page makes the browser decompress 50 GB into memory. Expect the tab to hang and crash.