Auditing the Compression Algorithm Weapon Cache

Offered By: Black Hat via YouTube

Tags

Black Hat Courses, Cybersecurity Courses, Application Security Courses, Compression Algorithms Courses, Vulnerability Testing Courses

Course Description

Overview

Explore the devastating potential of decompression bomb attacks in this Black Hat conference talk. Learn about the history, misconceptions, and various types of compression algorithm exploits, including zip bombs, image bombs, and HTTP bombs. Discover how to audit compression algorithms for vulnerabilities, which formats yield the highest compression ratios, and which parsers handle them most sloppily. Gain insights into a library of open-source tools that security researchers and developers can use to test their own applications for these weaknesses. Examine real-world examples, including JPEG demos and browser crashes, and learn essential defensive measures such as limiting resources, request sizes, and compression ratios. Equip yourself with the knowledge to guard against this often-overlooked but potentially catastrophic denial-of-service attack.

Syllabus

Introduction
Topics
About Me
What Is a Decompression Bomb
JPEG Demo
Preview Crashes
History
Misconceptions
Silicon Valley
Zip Bomb
Zip Cache
Compression Ratio
Security 101
Image Bombs
JPEG2000
ZapFly
PNG
Image Dimensions
Separate Workers
HTTP Bombs
Firefox
Broadly
Crash
Zip
Compression Chart
Limiting Resources
Limiting Request Sizes
Limiting Compression Ratio
Testing
Burp Image Extension
Bombedcodes
Discussion

Taught by

Black Hat

Related Courses

Data Representation in Computing: Bring Data to Life (Raspberry Pi Foundation via FutureLearn)
Systems Applications Proxy Pwnage (44CON Information Security Conference via YouTube)
Versatile Video Coding - Algorithms and Specification (IEEE Signal Processing Society via YouTube)
CLP - Efficient and Scalable Search on Compressed Text Logs (USENIX via YouTube)
DBREACH - Database Reconnaissance and Exfiltration via Adaptive Compression Heuristics (Black Hat via YouTube)