Hubbry Logo
Zip bombZip bombMain
Open search
Zip bomb
Community hub
Zip bomb
logo
8 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Zip bomb
Zip bomb
Zip bomb
View on Wikipedia
from Wikipedia
Overview of some archive bombs, including 42.zip.

In computing, a zip bomb, also known as a decompression bomb or zip of death (ZOD), is a malicious archive file designed to crash or render useless the program or system reading it. The older the system or program, the less likely it is that the zip bomb will be detected. It is often employed to disable antivirus software, in order to create an opening for more traditional malware.[1]

A zip bomb allows a program to function normally, but, instead of hijacking the program's operation, it creates an archive that requires an excessive amount of time, disk space, computational power, or memory to unpack.[2]

Most modern antivirus programs can detect zip bombs and prevent the user from extracting anything from it.[3]

Details and use

[edit]

A zip bomb is usually a small file for ease of transport and to avoid suspicion. However, when the file is unpacked, its contents are more than the system can handle.

A famous example of a zip bomb is titled 42.zip, which is a zip file of unknown authorship[4] consisting of 42 kilobytes of compressed data, containing five layers of nested zip files in sets of 16, each bottom-layer archive containing a 4.3-gigabyte (4294967295 bytes; GiB1 B) file for a total of 4.5 petabytes (4503599626321920 bytes; PiBMiB) of uncompressed data.[5]

In many anti-virus scanners, only a few layers of recursion are performed on archives to help prevent attacks that would cause a buffer overflow, an out-of-memory condition, or exceed an acceptable amount of program execution time.[citation needed] Zip bombs often rely on repetition of identical files to achieve their extreme compression ratios. Dynamic programming methods can be employed to limit traversal of such files, so that only one file is followed recursively at each level, effectively converting their exponential growth to linear.[5]

See also

[edit]

References

[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Zip bomb

View on Grokipedia
from Grokipedia
A Zip bomb, also known as a decompression bomb or zip of death, is a maliciously constructed —typically in ZIP format—that appears innocuous due to its small size but is engineered to expand exponentially during decompression, overwhelming system resources such as disk space and memory to cause crashes or denial-of-service conditions. These files exploit vulnerabilities in compression algorithms by incorporating highly repetitive data or nested structures that lead to massive data inflation, often reaching terabytes or petabytes in uncompressed form from mere kilobytes. Zip bombs function primarily through two mechanisms: recursive designs, where archives contain multiple layers of self-referencing ZIP files that multiply in size with each unpacking level, and non-recursive variants that use overlapping or duplicated content within a single archive to achieve extreme compression ratios. For instance, the recursive approach leverages the ZIP format's ability to nest files, causing an exponential explosion—such as a 42 KB file ballooning to 4.5 petabytes across six layers—while non-recursive methods, as detailed in a 2019 technical analysis, overlap file segments to achieve compression ratios up to approximately 100 million-to-one without recursion, making them harder for traditional scanners to detect. A notorious example is , an anonymous creation from the early 2000s consisting of 42 kilobytes of compressed data with five to six nested layers, each containing 16 smaller ZIPs that reference identical repetitive text files, resulting in over 4.5 petabytes of output if fully extracted. These attacks are commonly deployed via email attachments disguised as legitimate documents, targeting antivirus software, email servers, or individual systems to disrupt operations, though they lack self-propagation and are not classified as traditional viruses. Beyond malice, Zip bombs serve legitimate purposes in software testing, such as evaluating decompression limits in tools like Apache Tika or cloud storage systems. To mitigate risks, modern antivirus solutions employ heuristics to flag suspiciously high compression ratios (e.g., above 1000:1), limit extraction to predefined size thresholds, or analyze file entropy without full unpacking, while users are advised to scan attachments with updated software like Windows Defender and avoid decompressing unknown files on resource-constrained devices. Despite advancements, evolving constructions like the 2019 non-recursive bomb highlight ongoing challenges in robust detection.

Definition and Characteristics

Core Concept

A zip bomb is a maliciously crafted , typically in the ZIP format, that remains compact in its compressed state but expands dramatically upon decompression, potentially overwhelming system resources such as disk space, memory, and CPU cycles. This discrepancy arises from the exploitation of compression algorithms' ability to efficiently encode highly redundant data, allowing a small input file to generate an exponentially larger output. The primary purpose of a zip bomb is to execute a denial-of-service (DoS) attack, disrupting the target system or application by forcing it to allocate excessive resources during the unpacking process. By leveraging decompression algorithms' handling of repetitive or recursive structures, these files can cause crashes, slowdowns, or complete system failures without requiring active execution beyond the unpacking attempt. A basic example of a zip bomb involves creating a file filled with repeated null bytes or multiple identical small files, which compress to a minimal size but decompress to terabytes of redundant data, demonstrating significant growth in volume. The concept extends to other formats such as RAR or , where similar decompression vulnerabilities can be exploited.

Key Properties

A zip bomb exhibits a profound size discrepancy between its compressed and decompressed states, typically appearing as a small file under 1 MB that expands dramatically upon extraction, potentially reaching terabytes or more. For instance, the well-known 42.zip file measures only 42 KB when compressed but can expand to approximately 4.5 petabytes if fully decompressed through its nested structure. This extreme ratio, often exceeding 100 million to one in advanced cases, leverages the inherent efficiency of compression algorithms on redundant data. The effectiveness of zip bombs stems from repetition patterns in their construction, employing highly compressible data such as repeated strings of characters or sequences of null bytes (zeros) to achieve compression ratios up to the algorithm's limit of 1032:1 per stream. These patterns exploit the algorithm's ability to encode long runs of identical data succinctly, allowing a minimal compressed footprint while generating vast output during decompression. Empty files or uniform binary content further amplify this, as they compress to near-zero size relative to their decompressed volume. Upon extraction, zip bombs induce severe resource consumption, overwhelming system memory, disk space, and CPU cycles, which can trigger out-of-memory errors, complete disk fill-up, or processor exhaustion leading to denial-of-service conditions. This behavior manifests as system freezes, crashes, or significant performance degradation, particularly when antivirus scanners or file explorers attempt full decompression without limits. Zip bombs demonstrate platform independence, functioning across major operating systems including Windows, , and macOS, owing to their reliance on ubiquitous standard compression libraries such as zlib, which implement the ZIP format consistently. Variants of zip bombs differ in their data composition, with text-based examples utilizing repeated characters to form expansive plain-text outputs, contrasted against binary-based ones that employ null bytes for generating large blocks of empty or zero-filled files.

Technical Construction

File Format Mechanics

The ZIP file format, originally developed by for , organizes archived data through a structured layout that facilitates efficient storage and retrieval. At its core, a ZIP archive begins with a series of local file headers, each preceding the compressed or uncompressed data for an individual file entry. These headers contain metadata such as the filename, compression method, and timestamps. Following the local headers and their associated data blocks, the archive includes a central directory section, which aggregates metadata for all file entries in a single location for quick access during extraction. This directory is terminated by an end of central directory record, which specifies the offset to the central directory's start and the total number of entries, enabling parsers to locate and process the archive's contents without scanning the entire file. Compression in ZIP files is specified per entry and primarily employs the algorithm, a lossless method combining LZ77 sliding window matching with to reduce file sizes. is defined in RFC 1951 and allows for two modes relevant to archive construction: "stored" (method code 0, no compression applied to the data) or "deflated" (method code 8, where data is processed through the compression stream). This flexibility enables creators to embed repetitive or highly compressible payloads, such as sequences of identical bytes, which deflate efficiently while declaring large uncompressed sizes. Alternative methods like LZMA or are supported in extended ZIP variants, but remains the standard for broad compatibility. Each file entry in a ZIP archive includes critical fields in both local and central headers: the uncompressed size (indicating the original data length in bytes), the compressed size (the length of the stored data block), and a (a 32-bit computed over the uncompressed data for integrity verification). These fields, typically 4 bytes each in standard ZIP (with Zip64 extensions for larger values), must align with the actual data to ensure valid archives, though the data descriptor flag (bit 3 in the general purpose flag) allows deferring CRC-32, compressed size, and uncompressed size to a trailing record after the data block. In bomb construction, these elements are set accurately to the payload's properties, allowing small compressed files to declare expansive uncompressed dimensions without immediate detection. ZIP files inherently support nesting, where an archive can contain another ZIP file as an entry, treated as opaque binary data under the stored compression method. This recursive capability arises from the format's permission for arbitrary file inclusion, enabling inner archives to or embed outer structures, which amplifies decompression depth when extracted iteratively. Such nesting is standard in the format and does not require special flags, though excessive can strain limits in unpackers. Common tools for constructing ZIP-based archives, including those exploited for bombs, include open-source utilities like , which implements the full ZIP specification for creating and manipulating entries with specified compression levels. Additionally, programming libraries such as Python's built-in zipfile module provide programmatic control to generate archives by adding files or in-memory data streams, allowing precise control over headers, compression methods, and payload content for testing or development purposes.

Decompression Exploitation

Zip bombs exploit vulnerabilities inherent in the compression algorithm, which combines LZ77 dictionary-based compression with to achieve high compression ratios under normal conditions but enables massive output expansion during decompression. The LZ77 component maintains a sliding window of up to 32 KB of previously decompressed data, allowing back-references that copy sequences from within this window to the output stream; by crafting the compressed data to repeatedly reference and copy nearly the entire window—often overlapping with the current position—the decompressor generates redundant output that grows exponentially, filling memory far beyond the input size. further facilitates this by efficiently encoding these frequent back-references and literal bytes in the compressed stream, permitting a small file to trigger billions of output bytes through minimal input. During runtime, ZIP extractors such as those implemented in libraries like Info-ZIP or allocate output buffers primarily on the heap based on the uncompressed sizes declared in the ZIP central directory headers, assuming these sizes are accurate and manageable; however, in bomb constructions, recursive or chained embeddings—where ZIP files contain other ZIP files—bypass size limits if the extractor recursively processes without enforcing global checks, leading to cascading buffer allocations that exhaust available or cause out-of-memory errors. Heap usage predominates for large decompressions to avoid stack overflows, but without safeguards, this results in system-wide resource denial through exhaustion, while stack-based temporary buffers for LZ77 window management can contribute to crashes in constrained environments. A common construction technique involves recursive embedding to achieve geometric multiplication of output size, where each layer compresses multiple copies of the previous layer's content. The following pseudocode illustrates a basic recursive ZIP bomb generator in Python, creating nested archives starting from repetitive leaf files:

python

import zipfile import os def create_bomb_layer(num_copies, depth): if depth == 0: # Base case: create innermost ZIP with multiple large repetitive files leaf_size = 4 * 1024 * 1024 * 1024 # ~4 GB; approximate for 42.zip's 4.3 GB leaves base_file = 'leaf.txt' # Write large repetitive file (in practice, use streaming for memory efficiency) with open(base_file, 'wb') as f: f.write(b'a' * leaf_size) # Create innermost ZIP inner_zip = 'innermost.zip' with zipfile.ZipFile(inner_zip, 'w') as zf: for i in range(num_copies): zf.write(base_file, f'leaf_{i}.txt') os.remove(base_file) return inner_zip # Recurse to create inner layer first inner = create_bomb_layer(num_copies, depth - 1) # Create current layer ZIP with copies of inner current_zip = f'layer_{depth}.zip' with zipfile.ZipFile(current_zip, 'w') as zf: for i in range(num_copies): zf.write(inner, f'inner_{i}.zip') # Optionally remove inner for chaining # os.remove(inner) return current_zip # Generate 4 nesting levels atop the base (total 5 multiplications): top ~42 KB expands to ~4.5 PB bomb = create_bomb_layer(16, 4)

import zipfile import os def create_bomb_layer(num_copies, depth): if depth == 0: # Base case: create innermost ZIP with multiple large repetitive files leaf_size = 4 * 1024 * 1024 * 1024 # ~4 GB; approximate for 42.zip's 4.3 GB leaves base_file = 'leaf.txt' # Write large repetitive file (in practice, use streaming for memory efficiency) with open(base_file, 'wb') as f: f.write(b'a' * leaf_size) # Create innermost ZIP inner_zip = 'innermost.zip' with zipfile.ZipFile(inner_zip, 'w') as zf: for i in range(num_copies): zf.write(base_file, f'leaf_{i}.txt') os.remove(base_file) return inner_zip # Recurse to create inner layer first inner = create_bomb_layer(num_copies, depth - 1) # Create current layer ZIP with copies of inner current_zip = f'layer_{depth}.zip' with zipfile.ZipFile(current_zip, 'w') as zf: for i in range(num_copies): zf.write(inner, f'inner_{i}.zip') # Optionally remove inner for chaining # os.remove(inner) return current_zip # Generate 4 nesting levels atop the base (total 5 multiplications): top ~42 KB expands to ~4.5 PB bomb = create_bomb_layer(16, 4)

This approach leverages 's efficiency on repetitive data, where each layer's copies compress to a fraction of their expanded size, but decompression multiplies the output geometrically across layers. A non-recursive alternative, introduced in a technical , constructs bombs within a single ZIP archive using multiple overlapping files that share compressed data segments from a small "kernel." This technique reuses the kernel across file entries via non-compressed blocks quoting local headers, resulting in quadratic output growth during extraction. It achieves compression ratios exceeding 28 million-to-one (e.g., 10 MB compressed to 281 TB uncompressed) in standard ZIP, with even higher ratios possible using Zip64 extensions for 64-bit sizes, up to around 10^11:1. This method evades recursion-based detection while exploiting limits. Similar exploitation is possible in other formats using , such as , where LZ77 back-references enable comparable memory ballooning, while bzip2's block-based structure with can be abused for redundancy attacks; however, ZIP's widespread use in archives and its support for multiple files make it the primary vector for such bombs.

History and Development

Origins

The origins of zip bombs can be traced to 1996, when the first known example was uploaded to a (BBS). This malicious ZIP file, measuring 42 kilobytes, expanded to 4.5 petabytes upon decompression, exploiting the computational overhead to overwhelm the BBS server and cause crashes. As detailed in a 2015 Security Symposium paper on data compression vulnerabilities, such attacks highlighted the risks of uncompressed processing in networked environments. Preceding zip bombs, similar disruptive techniques appeared in Unix systems during the through " bombs," which involved tar archives designed to extract files with absolute paths or recursive structures, potentially overwriting existing directories and consuming excessive disk space. This Unix lore, stemming from the era of early file-sharing on multi-user systems, underscored the hazards of unchecked archive extraction and influenced later compression-based exploits. Zip bombs emerged in mid-1990s hacker communities as proof-of-concept tools to demonstrate denial-of-service vulnerabilities in systems and later attachments. Anonymous developers in open-source and underground scenes crafted these files to exploit decompression algorithms, revealing how small inputs could trigger massive resource exhaustion. No single inventor is credited, reflecting the decentralized, collaborative development typical of early cybersecurity experimentation. The conceptual foundation builds on theoretical work in data compression limits from the .

Evolution and Variants

Following the initial development of zip bombs in the mid-1990s, advancements from the early focused on enhancing compression ratios and evasion techniques to counter improving detection mechanisms in decompression software and tools. A key shift involved deeper nesting of archives, allowing for exponential expansion without relying solely on single-layer repetition. For instance, around 2010, structures with multiple layers of self-reproducing zip files were demonstrated, where each archive contained copies of itself, potentially leading to infinite decompression loops that overwhelmed systems like mail servers. To bypass early detectors optimized for ZIP files, creators began employing multi-format bombs, such as embedding ZIP archives within RAR or containers, which complicated automated scanning by requiring support for multiple decompression algorithms. This approach gained traction around as antivirus engines struggled with hybrid formats. Notable variants include non-recursive designs introduced in , which use overlapping file references within a single ZIP to achieve compression ratios exceeding the algorithm's theoretical limit of 10^32:1, expanding a 46 MB file to 4.5 petabytes without nested recursion. Open-source tools for generating zip bombs proliferated on platforms like , with scripts enabling customization of overlap and parameters for targeted attacks. These tools have been available since the early amid growing interest in proof-of-concept exploits. In the 2020s, zip bombs integrated with in campaigns, where small archives disguise trojans or , exploiting email gateways that fully decompress attachments for scanning. For example, threat actors used AI-assisted to deliver bombs that crash security proxies, facilitating secondary infections.

Applications and Impacts

Malicious Deployment

Zip bombs are commonly deployed through innocuous-looking vectors such as email attachments, malicious web downloads, or platforms like torrents, targeting unsuspecting users or automated systems on servers. These methods exploit the trust users place in compressed files for sharing documents or software, allowing attackers to distribute the bomb without raising immediate suspicion until decompression occurs. An early example dates to 1996, when a zip bomb was uploaded to the network to crash administrator systems. A later notorious example is .zip, consisting of 42 kilobytes of compressed data that expands to 4.5 petabytes upon full decompression, demonstrating the potential for severe resource disruption. While detailed public records of large-scale attacks remain limited due to their niche nature, discussions in security forums and presentations, such as those at the Workshop on Offensive Technologies in 2019, have highlighted their use in targeted denial-of-service scenarios against antivirus scanners and file-processing systems. The primary goals of malicious zip bomb deployments include resource exhaustion to cause crashes or slowdowns, particularly in environments where automatic decompression of uploaded files can lead to excessive storage and compute costs. For instance, in services like AWS S3, unvalidated archive processing can trigger denial-of-service by overwhelming CPU and memory during extraction. On endpoints, these bombs aim to crash local applications or entire devices by filling available disk space with expanded data. In the United States, deployment of zip bombs may be prosecutable under the (CFAA) if it involves unauthorized access or results in damage exceeding $5,000, similar to other DoS tactics that have led to convictions. In the , such attacks fall under the Directive (2013/40/EU), which criminalizes illegal system interference, including DoS attacks. In legitimate applications, zip bombs are used in to evaluate decompression safeguards in systems like Apache Tika or , ensuring they handle extreme expansion without failure. Beyond malicious uses, zip bombs have been employed in ethical hacking contexts, such as controlled penetration testing, to evaluate the resilience of file upload mechanisms and decompression handlers since around 2010. Security professionals use them to simulate DoS conditions, testing whether web applications or email gateways properly limit extraction ratios or detect high-compression anomalies, as outlined in established testing frameworks. Impacts include potential financial costs from resource exhaustion in auto-scaling cloud services, such as unexpected billing for storage and compute.

Defensive Measures

Policy-level defenses against zip bombs often involve imposing strict file size limits on incoming attachments through email gateways and similar systems. For instance, enforces a 25 MB cap on total attachment sizes, which blocks many potential zip bombs that rely on small compressed files expanding to consume excessive resources upon decompression. Additionally, email gateways commonly integrate auto-scan policies that route attachments through antivirus engines to detect and suspicious archives before they reach users. Antivirus software provides a key line of defense by incorporating decompression limits and to halt the extraction of malicious archives. Suites such as and Norton analyze compressed files for signs of zip bombs, such as recursive nesting or overlapping data structures, preventing full inflation that could overwhelm system resources; these capabilities have been standard in modern versions since the late 2000s. By setting thresholds on expansion ratios—typically rejecting files that would exceed 100:1 uncompressed-to-compressed size—these tools mitigate denial-of-service risks without requiring user intervention. Organizations can further protect against zip bombs by adopting sandboxing practices for handling high-risk files, where extractions occur in isolated virtual machines to contain any potential resource exhaustion. This approach ensures that even if a bomb activates, it affects only the sandboxed environment, preserving the integrity of the primary system. Virtual machines allow administrators to monitor decompression behavior in real-time, discarding the instance after analysis if threats are confirmed. Emerging defensive trends leverage AI-based , particularly through file analysis, to identify zip bombs without full decompression; post-2020 advancements in scanner engines use to flag unusually high indicative of extreme compression ratios. These methods integrate with existing antivirus frameworks to provide proactive alerts on subtle patterns that traditional heuristics might miss. Despite these measures, no universal fix exists for zip bombs, as legitimate archives—such as those containing highly compressible data like logs or images—can exhibit similar traits, necessitating a balance between security and usability to avoid blocking valid files. Overly restrictive policies may disrupt workflows, requiring ongoing updates to defenses as attackers evolve their techniques.

Detection and Mitigation

Identification Techniques

Identification techniques for zip bombs primarily involve pre-decompression analysis to assess potential risks without fully extracting the archive, focusing on structural anomalies and statistical properties that indicate malicious inflation potential. These methods leverage the ZIP file format's header information, which declares uncompressed and compressed sizes for each entry, allowing inspectors to evaluate decompression overhead early. and analytical approaches are commonly implemented in tools to flag suspicious files, balancing detection efficacy with minimal resource use. Heuristic scanning examines compression ratios by comparing declared uncompressed sizes against the overall archive size, often flagging ratios exceeding 100:1 as potentially malicious since legitimate files rarely achieve such extremes without repetition. Tools like zipinfo, part of the Info-ZIP suite, enable this by listing entry details including compressed and uncompressed sizes without extraction, allowing manual or scripted calculation of ratios via the formula uncompressed size divided by compressed size. For instance, antivirus engines apply thresholds to deny processing if the projected expansion surpasses configurable limits, such as 1000 times the input size, to prevent denial-of-service attempts. Entropy analysis evaluates the randomness of data within ZIP entries, where low Shannon —typically below 1 bit per byte—signals repetitive patterns common in bombs, such as concatenated identical segments. Scripts using Python's zipfile library can partially read compressed data streams via ZipFile.open() and compute on sampled payloads without full decompression, identifying suspiciously uniform content that legitimate diverse files avoid. This method complements checks by detecting non-obvious repetition in non-recursive variants. Header inspection parses the ZIP central directory and local file headers to verify consistency between declared sizes, offsets, and compression methods, detecting overlaps or inflated claims indicative of bombs. Algorithms scan sequential headers for adjacent entries with suspiciously large uncompressed sizes relative to minimal compressed data, using partial file reads to confirm without inflating payloads; for example, non-recursive bombs often show overlapping offsets that exceed limits when aggregated. This approach, detailed in detection frameworks, sets flags for archives where cumulative uncompressed size implies . Open-source detectors implement these techniques programmatically; for instance, the Archive Bomb Scanner on uses to parse headers and enforce size limits during validation, while incorporates signatures and decompression caps to identify zip bombs via bounded scanning that halts on high-ratio entries. 's 0.101.3 release specifically patched non-recursive bomb vulnerabilities by limiting header processing to prevent CPU exhaustion during inspection. These tools provide extensible detection for integration into gateways or file upload systems. False positives arise when legitimate highly compressible files, such as log archives or text databases with redundant entries, trigger thresholds; for example, verbose application logs can yield ratios over 50:1 due to repetitive patterns, mimicking bomb structures. involves contextual whitelisting or combined heuristics, like verifying file extensions against expected profiles, to distinguish benign high-compression cases from threats.

Prevention Strategies

To mitigate the risks posed by zip bombs, runtime controls in decompression software and libraries play a critical role by imposing strict limits on resource usage during extraction. These controls typically include caps on maximum output , depth for nested archives, and CPU or allocation to abort the process early if thresholds are exceeded. For instance, antivirus and tools can be configured to limit extracted to a maximum of 1 GB and restrict nested levels to five or fewer, preventing exponential expansion from overwhelming the system. Similarly, programming environments like recommend decompressing files in bounded chunks rather than loading entire archives into , using streams such as ZipInputStream to enforce size limits and avoid denial-of-service vulnerabilities. System hardening provides additional layers of protection by configuring the to constrain extraction impacts. On systems, disk quotas can be enforced via tools like quota(8) to restrict the storage space available to a user or , ensuring that even if extraction begins, it cannot consume the entire filesystem. Extracting to a tmpfs-mounted directory, which operates in , limits expansion to available RAM; if the bomb attempts to generate excessive data, the operation fails with an out-of-space error without affecting persistent storage. Monitoring utilities such as can watch for rapid file creation or size changes during decompression, triggering alerts or halts to intervene before full resource exhaustion occurs. In the event of a partial extraction, recovery procedures emphasize rapid containment and analysis. Partial files should be safely deleted using commands like rm with verification to avoid further system strain, while ensuring no residual processes continue running. Comprehensive logging of extraction attempts, including timestamps, file paths, and resource metrics, enables forensic investigation; for network-delivered zip bombs, packet captures with tools like Wireshark can trace the origin, payload details, and transmission anomalies for attribution. Adopting best practices further reduces exposure to zip bombs. Users should be educated on the dangers of extracting archives from untrusted sources, emphasizing verification of senders and avoidance of unsolicited files. In enterprise settings, deploying endpoint protection solutions like Symantec Messaging Gateway, which automatically sidelines deeply nested or oversized archives, integrates seamlessly with and file scanners to block threats proactively.

References

  1. https://www.mimecast.com/content/what-is-a-zip-bomb/
  2. https://us.norton.com/blog/malware/zip-bomb
  3. https://www.expressvpn.com/blog/zip-bomb/
  4. https://www.usenix.org/system/files/woot19-paper_fifield_0.pdf
  5. https://www.huntress.com/cybersecurity-101/topic/what-is-zip-bomb
  6. https://www.nordvpn.com/blog/what-is-a-zip-bomb/
  7. https://www.safeaeon.com/security-blog/zip-bomb/
  8. https://documentation.coremedia.com/cmcc-10/current/webhelp/search-en/content/configuringTikaZipBombPrevention.html
  9. https://www.microsoft.com/en-us/windows/learning-center/what-is-a-zip-bomb
  10. https://abnormal.ai/blog/zip-bomb-download
  11. https://docs.aws.amazon.com/codeguru/detector-library/go/decompression-bomb/
  12. https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files
  13. https://trebledj.me/posts/attack-of-the-zip/
  14. https://www.huntress.com/cybersecurity-101/topic/what-is-a-zip-bomb
  15. https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT
  16. https://www.loc.gov/preservation/digital/formats/fdd/fdd000354.shtml
  17. https://datatracker.ietf.org/doc/html/rfc1951
  18. https://docs.python.org/3/library/zipfile.html
  19. https://security.stackexchange.com/questions/51071/zlib-deflate-decompression-bomb
  20. https://zlib.net/feldspar.html
  21. https://stackoverflow.com/questions/1459673/how-does-one-make-a-zip-bomb
  22. https://www.baeldung.com/cs/zip-bomb
  23. https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-pellegrino.pdf
  24. https://www.linfo.org/tarbomb.html
  25. https://www.bamsoftware.com/hacks/zipbomb/
  26. https://nordvpn.com/blog/what-is-a-zip-bomb/
  27. https://www.microsoft.com/en-us/windows/learning-center/what-is-a-zip-bomb/
  28. https://www.vice.com/en/article/the-most-clever-zip-bomb-ever-made-explodes-a-46mb-file-to-45-petabytes/
  29. https://docs.aws.amazon.com/codeguru/detector-library/python/zip-bomb-attack/
  30. https://www.law.cornell.edu/uscode/text/18/1030
  31. https://support.google.com/mail/answer/6584
  32. https://www.techtarget.com/searchsecurity/definition/decompression-bomb-zip-bomb-zip-of-death-attack
  33. https://www.paloaltonetworks.com/cyberpedia/sandboxing
  34. https://www.openedr.com/blog/disable-windows-security-on-zip-files/
  35. https://personales.upv.es/thinkmind/dl/conferences/securware/securware_2020/securware_2020_2_30_30012.pdf
  36. https://bugs.python.org/issue36260
  37. https://github.com/selective-php/archive-bomb-scanner
  38. https://blog.clamav.net/2019/08/clamav-01013-security-patch-release-and.html
  39. https://community.sonarsource.com/t/incorrect-security-remedy-for-adm-zip/97929
  40. https://www.oracle.com/java/technologies/javase/seccodeguide.html
  41. https://techdocs.broadcom.com/us/en/symantec-security-software/email-security/messaging-gateway/10-9-0/about-detecting-viruses-malware-malicious-attacks/setting-limits-on-nested-files.html
Add your contribution
Related Hubs
User Avatar
No comments yet.