Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

It's unlikely any of the parsers would apply recursive decompression, so a ZipQuine isn't going to help exhaust resources.


Indeed. ZipQuines are not targeted against servers, but against middleware. More precisely, these try to attack certain kinds of "security scanners". Those security scanners want to unpack as much as possible, by design(!), otherwise bad code could hide behind yet another round of compressed container formats.


Yes scanners and AV is what's targetted by quines.


At least none of the Java libraries seemed to fall for this when I tried.


True. I wonder what's the largest file you can decompress to given some bound on the compressed result.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: