
flaskbomb's Introduction


Abstract

  • Using the famous zip bomb concept (Silicon Valley S3E07), we can send a compressed web-page to the client.
  • The browser will unzip the small compressed page into a very big file, potentially crashing it.
  • This aims to disrupt or crash bots that scan websites to find vulnerabilities.

tldr - Python GZIP-Bomb HTTP Server

GZip HTTP Bombing in Python for everyone.

Uses Python Flask framework

Docker friendly

It even has its own low effort logo.

Please keep in mind this is a counter-measure.

Based on this excellent piece by Christian Haschek

Flask Bomb

This repository contains the necessary files to:

  • Host a quick & dirty Flask web server that responds to web requests with a GZip archive as a response page.

  • The recommended way to use FlaskBomb is by deploying it with Docker. You can try it here:
    Try with Play-with-Docker


Features:

  • Quick and easy
  • Fast deployment using Docker
  • Lightweight Alpine based Docker container
  • Generic code
    • Implement your own rules or payloads !
  • (next) User-Agent evasion based on original work
  • Choose classic payload generation or faster append generation method

Usage:

docker run -it -p 80:5000 khanon/flaskbomb <normal|fast> <X> # X is the final payload's size in GB  
# Example:  
docker run -it -p 80:5000 khanon/flaskbomb fast 20

Default deployment sets options to normal 1

Demo - 20G Payloads

Standard docker build from git, demo with cURL

asciicast

Standard deploy from docker hub, demo with Nikto

asciicast

Details & Notes

  • The gzip format allows archives to be appended to one another
    • normal method generates the payload with a single dd command
    • fast method generates a 1GB payload and appends it to itself n times. The final payload is bigger but is generated much faster.
  • Python 3
  • Since this uses Flask's built-in web server, internal port is 5000
  • The payload is generated using gzip and dd on Docker entrypoint.
    • *NIX based for now
    • Full python payload is up for next release
  • The Flask development server is used. It is recommended to deploy the application on WSGI + HTTPD
  • For those not using docker, generate the payload using the bash commands in entrypoint.sh and save it as ./static/cake.gzip
    • The python GZip implementation should make this easier in the future
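
The append property noted above is also what an HTTP client has to account for when it inflates a gzip response. The following is an added example, not part of flaskbomb: a streaming decompressor that follows concatenated gzip members and stops at an output cap. The names `bounded_gunzip`, `DecompressionLimitExceeded` and `make_sample` are hypothetical, and the sample input is constructed.

```python
import gzip
import zlib


class DecompressionLimitExceeded(Exception):
    """Inflated output would exceed the caller's budget."""


def bounded_gunzip(chunks, max_output, step=64 * 1024):
    """Inflate a gzip stream given as an iterable of byte chunks.

    Follows concatenated members (what gzip produces when archives are
    appended) and stops as soon as output would exceed max_output bytes.
    """
    out = bytearray()
    d = zlib.decompressobj(wbits=31)  # wbits=31: gzip header and trailer
    for chunk in chunks:
        data = chunk
        while True:
            # Inflate at most `step` bytes per call, and never more than
            # one byte past the remaining budget.
            limit = min(step, max_output - len(out) + 1)
            produced = d.decompress(data, limit)
            out += produced
            if len(out) > max_output:
                raise DecompressionLimitExceeded(
                    f"more than {max_output} bytes after inflation")
            if d.eof:
                # Member finished: leftover input belongs to the next one.
                data, d = d.unused_data, zlib.decompressobj(wbits=31)
                if not data:
                    break
            else:
                data = d.unconsumed_tail
                if not data and not produced:
                    break  # input used up, nothing pending
    return bytes(out)


def make_sample(members=4, member_size=256 * 1024):
    """Constructed sample: small gzip members of zero bytes, appended."""
    return gzip.compress(b"\0" * member_size) * members


if __name__ == "__main__":
    blob = make_sample()
    chunks = [blob[i:i + 100] for i in range(0, len(blob), 100)]
    print(len(blob), "bytes on the wire")
    print(len(bounded_gunzip(chunks, 2 * 1024 * 1024)), "bytes inflated")
```

In a real client the chunks would be the raw, still-compressed response body, so the cap is enforced while the data is being inflated rather than after.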

Roadmap

  • Evasion
  • Python gzip implementation
  • Load evasion URIs from DirBuster
  • Fingerprinting JS before payload delivery
