How would Apache or Compressed HTTP react to a zip bomb?


Inspired by "Compress a 1GB file into 200 MB?" and the related comments:

Many web servers today use a zipped HTTP version (gzip, AFAIK).

How would Apache or any other server react to a zip bomb? Since the files are compressed, could one just send a prepared file and the target server would extract it to several GB/TB? Or is this in some way prevented? And if so, how?

I hope I will not see the Internet crash due to this question ;-)

ChaosCakeCoder

Posted 2013-02-20T05:51:03.263

Reputation: 345

Answers


You can be absolutely certain that there are people out there who spend a significant amount of time trying to crash Apache web servers externally, just as you can be sure that the Apache Software Foundation spends a significant amount of time testing their software to ensure that this type of attack will not succeed.

To specifically address your question: Apache uses mod_deflate to compress and decompress data sent and received. So, the target here is not Apache but the module used for handling compressed files.

Given that zip bombs are a well-known vector of attack, and that it is possible to craft a request containing a maliciously formed zip object, this type of attack would fail.

You can be certain that the day someone finds a way to attack in this manner the problem will be identified and patched in a very short period of time.

Some applications have specific detection routines to detect and handle zip bombs.

Underverse

Posted 2013-02-20T05:51:03.263

Reputation: 299

OK. I have guessed myself that they have tested it (at least I would be very, very surprised if they missed it). I just don't KNOW what they have tested and what not. – ChaosCakeCoder – 2013-02-21T08:07:42.607

That is a good question. Many open source projects use formal bug tracking or issue tracking software for this reason. Start here: https://issues.apache.org/ Bugzilla and Jira are common tools for this purpose. Have a search through their history.

– Underverse – 2013-02-22T01:11:30.807

Here is one of them: https://issues.apache.org/bugzilla/show_bug.cgi?id=50090 Bug 50090 - 'zip' bomb prevention

– Underverse – 2013-02-22T01:21:53.217
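As an added illustration of the kind of detection routine the answer refers to (example code written for this page, not from the thread and not Apache's own implementation): inflate a gzip-encoded request body in chunks and refuse it once the inflated size passes a cap, regardless of what the compressed size was. This is the same principle behind mod_deflate's DeflateInflateLimitRequestBody directive in httpd 2.4; the sample bodies, the cap value and the function names are constructed here.

```python
import gzip
import io
import zlib


class InflateLimitExceeded(Exception):
    """Inflated size passed the cap; records how much had been produced so far."""

    def __init__(self, seen: int, limit: int) -> None:
        super().__init__(f"inflated body exceeded {limit} bytes (stopped at {seen})")
        self.seen = seen
        self.limit = limit


def inflate_bounded(body: bytes, max_inflated: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate a gzip body in fixed-size chunks, stopping as soon as the cap is passed.

    Content-Length only describes the compressed size, so the only safe measure
    is to count bytes as they come out. Memory never exceeds cap + one chunk,
    and the remainder of an oversized stream is never decompressed at all.
    """
    out = bytearray()
    with gzip.GzipFile(fileobj=io.BytesIO(body), mode="rb") as f:
        while True:
            piece = f.read(chunk)
            if not piece:  # end of stream reached within the cap
                break
            out.extend(piece)
            if len(out) > max_inflated:
                raise InflateLimitExceeded(len(out), max_inflated)
    return bytes(out)


def classify_body(body: bytes, max_inflated: int) -> str:
    """Decide the way a request filter would: 'accepted', 'rejected' or 'malformed'."""
    try:
        inflate_bounded(body, max_inflated)
        return "accepted"
    except InflateLimitExceeded:
        return "rejected"
    except (OSError, EOFError, zlib.error):
        # Not a valid gzip stream, or truncated before the end marker: refuse it too.
        return "malformed"


# Constructed sample inputs (hypothetical): an ordinary form post, and 8 MiB of
# zeros, which gzip shrinks to a few KB, the shape an oversized body would take.
NORMAL_BODY = gzip.compress(b'{"user": "alice", "action": "login"}' * 100)
ZERO_RUN_BODY = gzip.compress(bytes(8 * 1024 * 1024))
INFLATE_CAP = 1024 * 1024  # allow at most 1 MiB of inflated request body

if __name__ == "__main__":
    for name, body in (("normal", NORMAL_BODY), ("zero run", ZERO_RUN_BODY)):
        print(f"{name}: {len(body)} compressed bytes -> {classify_body(body, INFLATE_CAP)}")
```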