Can display a GIF in <img> tag causing Client-side DOS



  • SVG image can be used in DOS user browser with billion laugh attack. Can we do the same with other image types? especially GIF?

    Thanks everyone.



  • Possibly, though not so dramatically. The real trick of billion laughs attacks is that they're exponential: increasing the number of layers of recursion increases the total size (for the classic example) by a factor of 10. That's much more impressive than usual expansion relationships, such as linear (doubling input doubles the size) or quadratic (doubling input quadruples the size). As far as I know, no image format - definitely not GIF - allows the recursive expansion necessary for such exponential growth.

    With that said, GIF is a compressed format, and thus you can attempt decompression bombs with it. Formats that allow more dramatic compression will do better, but GIF might still do something interesting. There exist sites around the Internet, such as this one, which store decompression bombs for testing purposes. They have what they claim is a 100Kx100K GIF - which would take 10GB even at only 256 colors, if you tried to expand it to a bitmap - that is only 7MB (after removing the BZ2 compression). That's not a small image but it's not enormous; some sites will let you host bigger than that. Similarly, 10GB isn't an enormous amount of memory - many PCs and I think some phones have at least that much RAM these days - but it could certainly choke a lower-resource machine.



Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2