The (Decompression) Bomb Site
What is a decompression bomb?
A decompression bomb is a compressed file that is small on disk but expands to an enormous size when a program decompresses it. A reader that inflates the whole stream into memory or onto disk before looking at the result, or that trusts the uncompressed size declared in the archive header, can be exhausted by a file of a few kilobytes, leaving the program or system crashed or unusable, i.e. a denial of service. The following files can be used to test whether an application is vulnerable to this type of attack.
When testing, it's always better to start small and work your way up. Starting with the largest file available can seriously harm an application or system – use these bombs with caution.
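To make the failure mode concrete, here is an added example (not code from this site) that builds a small gzip bomb and reads it two ways: the unbounded pattern that inflates everything into memory, and a bounded reader that stops as soon as the output budget is crossed. Everything is standard-library Python; the 64 MiB payload, the 1 MiB cap and the 64 KiB input chunk size are arbitrary choices for the demonstration.

```python
"""Build a small gzip bomb and compare an unbounded reader with a size-capped one.

Added example for this page, not code from bomb.codes. Everything here is
standard-library Python; the sizes and limits are arbitrary demonstration values.
"""
import gzip
import io
import zlib

GZIP_WBITS = 16 + zlib.MAX_WBITS  # ask zlib to read/write the gzip container


def make_gzip_bomb(expanded_size: int) -> bytes:
    """Return a gzip member that inflates to `expanded_size` zero bytes.

    The zeros are streamed through the compressor in 1 MiB pieces, so the
    builder itself never holds the expanded payload in memory.
    """
    comp = zlib.compressobj(9, zlib.DEFLATED, GZIP_WBITS)
    out = io.BytesIO()
    block = b"\0" * (1 << 20)
    remaining = expanded_size
    while remaining > 0:
        n = min(len(block), remaining)
        out.write(comp.compress(block[:n]))
        remaining -= n
    out.write(comp.flush())
    return out.getvalue()


class DecompressionBombError(ValueError):
    """Raised when a stream tries to expand past the caller's output budget."""

    def __init__(self, produced: int, limit: int):
        super().__init__(f"gzip output exceeded {limit} bytes (stopped at {produced})")
        self.produced = produced
        self.limit = limit


def read_gzip_unbounded(data: bytes) -> int:
    """The vulnerable pattern: inflate the whole stream into memory, then look at it.

    gzip.decompress() imposes no output limit, so a few kilobytes of input can
    make it allocate gigabytes before returning. Returns the expanded length.
    """
    return len(gzip.decompress(data))


def read_gzip_bounded(data: bytes, max_output: int, chunk_size: int = 1 << 16) -> bytes:
    """Inflate `data` but never produce more than `max_output` bytes.

    Input is fed in `chunk_size` pieces and every decompress() call is capped with
    max_length, so memory use is bounded by max_output plus one input chunk no
    matter how high the compression ratio is. Input that did not fit under the
    cap comes back via unconsumed_tail and is retried on the next iteration.
    """
    d = zlib.decompressobj(GZIP_WBITS)
    out = bytearray()
    pos = 0
    pending = b""
    while (pending or pos < len(data)) and not d.eof:
        if not pending:
            pending, pos = data[pos:pos + chunk_size], pos + chunk_size
        budget = max_output - len(out) + 1  # +1 so crossing the limit is observable
        out += d.decompress(pending, budget)
        pending = d.unconsumed_tail
        if len(out) > max_output:
            raise DecompressionBombError(len(out), max_output)
    out += d.flush()
    if len(out) > max_output:
        raise DecompressionBombError(len(out), max_output)
    if not d.eof:
        raise ValueError("truncated gzip stream")
    return bytes(out)


def inspect_gzip(data: bytes, max_output: int):
    """Verdict helper: (accepted, bytes_produced) without raising."""
    try:
        return True, len(read_gzip_bounded(data, max_output))
    except DecompressionBombError as e:
        return False, e.produced


if __name__ == "__main__":
    bomb = make_gzip_bomb(64 << 20)  # 64 MiB of zeros, a few tens of KiB on disk
    print(f"bomb on disk: {len(bomb)} bytes, ratio ~{(64 << 20) // len(bomb)}:1")
    print("unbounded reader expanded:", read_gzip_unbounded(bomb), "bytes")
    print("bounded reader (1 MiB cap):", inspect_gzip(bomb, 1 << 20))
```

The bounded reader is the shape to look for when auditing a decompression path: the cap is enforced on bytes actually produced, not on a header field the attacker controls, and the check happens inside the inflate loop rather than after it. The same idea carries over to zip, bzip2 and xz readers, and to nested archives, where the budget has to be shared across every level of unpacking.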
When you see something that is technically sweet, you go ahead and do it and you argue about what to do about it only after you have had your technical success. That is the way it was with the atomic bomb.
– J. Robert Oppenheimer
Additional Resources
- I Came to Drop Bombs: Auditing the Compression Algorithm Weapon Cache (Video)
- HTTP/2: In-depth analysis of the top four flaws of the next generation web protocol
- You’re not looking at the big picture
- In the Compression Hornet’s Nest: A Security Study of Data Compression in Network Services
- Evil HTTP Compression - Compression Bombs
- GzipBloat
- 42.zip
- Zip Files All The Way Down