Skip to content

Instantly share code, notes, and snippets.

Created Jul 5, 2017
What would you like to do?
How to defend your website with ZIP bombs
// dd if=/dev/zero bs=1M count=10240 | gzip > 10G.gzip
$agent = lower($_SERVER['HTTP_USER_AGENT']);
//check for nikto, sql map or "bad" subfolders which only exist on wordpress
if (strpos($agent, 'nikto') !== false || strpos($agent, 'sqlmap') !== false || startswith($url,'wp-') || startswith($url,'wordpress') || startswith($url,'wp/'))
function sendBomb(){
//prepare the client to recieve GZIP data. This will not be suspicious
//since most web servers use GZIP by default
header("Content-Encoding: gzip");
header("Content-Length: ".filesize('10G.gzip'));
//Turn off output buffering
if (ob_get_level()) ob_end_clean();
//send the gzipped file to the client
function startsWith($haystack,$needle){
return (substr($haystack,0,strlen($needle)) === $needle);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment