7

A Zip bomb (concept here) seems quite a "smart" and easy vulnerability to websites where uploading ZIP files is allowed. Such sites are under a threat (at least to make some degree of damage to them) - someone uploads i.e. a 100 KB file [ 50 GB compressed] to your site and when your site extracts (or whoever opens that) runs out of resources, causing the consequent damages.

Antivirus software is said to detect such zip bombs by detecting the recursion depth and common patterns, but i dont ask about Windows OS or like that (where we could be protected by AV) but i speak on websites (i.e. vps or shared hosting) where we just use programming languages (I'm interested in PHP, but for other people might Java or ASP also needed).

  1. Are there any kind of builtin solutions in PHP(etc..), which already prevents happening that? if not how can we limit that? (any code example)

  2. How can we detect these kinds of files on our servers (without extracting them)?

  3. Another layer of attack seems to send a request with a Gzip bomb. How can we protect against that?

T.Todua
  • 2,677
  • 4
  • 19
  • 28
  • This seems obsolete to me. It should have quite some countermeasures in any coding language by now. I used to do such thins for fun in MS-DOS era and I would't need multiple files, just one intelligently packed. – Overmind Feb 08 '19 at 11:59

1 Answers1

3
  1. Zip bombs are harmless if you don't extract them. Antivirus software will go through them a file at a time.
  2. You don't even need malice to get this effect - lots of poorly coded websites cause browsers to freeze or crash.
  3. The defense is described in your link: cap the memory allocated to a parser thread and have it stop once the limit is reached.

An anecdote: I had to implement method (3) in a system with all trusted users. "Trusted" is a bit of an understatement; it involved five different layers of assurance. The defense was required against many models of paper scanners defaulting to their maximum resolution and no compression, and the users subsequently uploading... check the typical scanner resolution limit and do the math.

While it's not only the most naive of software that would be affected by such attacks, their effect is no different from what already happens to it regularly through incompetence without malice.

ZOMVID-21
  • 2,450
  • 11
  • 17
  • sry,but i dont think your 1 or 2 nd answers question. i neither asked "if i dont open" and neither "if browsers to crash", i am concernded when website uploader(aftwr uplaoding) unzips files in background, or while triggering preview action. – T.Todua Feb 08 '19 at 23:15
  • 1
    @T.Todua Then you need to be more specific. While zip bombs are a nonexistent threat, if you're concerned about it, have a senior rather than a junior write the routines. Or write it yourself and do it right. They are only a threat to extremely naive code. – ZOMVID-21 Feb 09 '19 at 16:37
  • Therac, i am more than thankful that you took time to answer my question. dont take it seriously, but just i think i've been specific, and your answers are not related to what i am asking. you've repeated that "this is not a threat", without any further proofs or investigation of what i actually asked, and without directly answering the direct problems i described. (or one of your answer was "limit the resources to process" while i 've actually asked that "how to do" that). however,thanks again. – T.Todua Feb 09 '19 at 22:40
  • 1
    @T.Todua Wish I could help, but it's been years since I've touched PHP. In my environment, I'd have the container limited by Kubernetes already. You'll probably have better luck asking at StackOverflow with a snippet of your current code. Hopefully the above will serve as a pointer for what to ask for. From what I recall, this probably won't be a php solution alone. – ZOMVID-21 Feb 10 '19 at 11:32