Overview
Explore the devastating potential of decompression bomb attacks in this Black Hat conference talk. Learn about the history, misconceptions, and various types of compression algorithm exploits, including zip bombs, image bombs, and HTTP bombs. Discover how to audit compression algorithms for vulnerabilities, understand the highest compression ratios, and identify the sloppiest parsers. Gain insights into creating a library of open-source tools for security researchers and developers to test application vulnerabilities. Examine real-world examples, including JPEG demos and browser crashes, and learn essential security measures such as limiting resources, request sizes, and compression ratios. Equip yourself with knowledge to guard against this often-overlooked but potentially catastrophic denial of service attack.
Syllabus
Introduction
Topics
About Me
What is a decompression bomb
JPEG demo
Preview crashes
History
Misconceptions
Silicon Valley
Zip Bomb
Zip Cache
Compression Ratio
Security 101
Image bombs
JPEG2000
Zopfli
PNG
Image Dimensions
Separate Workers
HTTP Bombs
Firefox
Brotli
crash
zip
compression chart
limiting resources
limiting request sizes
limiting compression ratio
testing
burp image extension
bomb.codes
discussion
Taught by
Black Hat