b191ba7c6456d71b25cb65bbdfd20303.png
- Using the famous zip bomb concept (Silicon Valley S3E07), we can send a compressed web-page to the client.
- The browser will unzip the small compressed page into a very big file, potentially crashing it.
- This aims to disrupt or crash bots that scan websites to find vulnerabilities.
GZip HTTP Bombing in Python for everyone.
Uses Python Flask framework
Docker friendly
It even has it's own low effort logo.
Please keep in mind this is a counter-measure.
Based on this excellent piece by Christian Haschek
This repository contains the necessary files to:
-
Host a quick & dirty Flask web server that responds to web requests with a GZip archive as a response page.
-
The recommended way to use FlaskBomb is by deploying it with Docker. You can try it here:
Try with Play-with-Docker
- Quick and easy
- Fast deployment using Docker
- Lightweight Alpine based Docker container
- Generic code
- Implement your own rules or payloads !
- (next)User-Agent evasion based on original work
- Choose classic payload generation or faster append generation method
docker run -it -p 80:5000 khanon/flaskbomb <normal|fast> <X> # X is the final payload's size in GB # Example: docker run -it -p 80:5000 khanon/flaskbomb fast 20
Default deployment sets options to normal 1
- Gzip's algorithm enables the possibility to append archives
normalmethod generates the payload in one singleddcommandfastmethod generates a 1GB payload and appends itself n times. The final payload is bigger but generates much faster.
- Python 3
- Since this uses Flask's built-in web server, internal port is
5000 - The payload is generated using
gzipandddon Docker entrypoint.- *NIX based for now
- Full python payload is up for next release
- Flask development server is used. It is recommended to deploy the application on a WGSI + HTTPD
- For those not using docker, generate the payload using the bash commands in
entrypoint.shand save it as./static/cake.gzip- The python GZip implementation should make this easier in the future
- Evasion
- Python gzip implementation
- Load evasion URIs from DirBuster
- Fingerprinting JS before payload delivery