# brotli bomb PoC A brotli "decompression bomb": a ~1 MB file on disk that expands to **50 GB** in the browser. The decompressed payload starts with a real PNG, so the image renders — then the browser keeps inflating the trailing 50 GB of zeros and runs **out of memory / crashes the tab**. ## Files | File | What it does | |------|--------------| | `image.png` | The real image embedded at the front of the payload (input). | | `create.py` | Builds the bomb: `[PNG] + 1 MB random + 50 GB zeros` → `bomb.png.br`. | | `bomb.png.br` | The compressed bomb (~1 MB on disk, 50 GB decompressed). | | `server.py` | Minimal Flask server that serves the bomb with `Content-Encoding: br`. | | `slow_download.py` | Fuller server: inline `` page + download route. | ## Usage ```sh python create.py # build bomb.png.br (pass --rebuild to overwrite) python server.py # serve on :8080, then open in a browser ``` > ⚠️ Opening the page makes the browser decompress 50 GB into memory. Expect the tab to hang and crash.