On Mon, Jul 3, 2017 at 7:47 PM, Vinnie Falco via Boost wrote:
> On Mon, Jul 3, 2017 at 9:42 AM, Phil Endecott via Boost wrote:
>> Has it been reviewed by anyone with specific experience of how HTTP can be attacked? Has it been "fuzzed"?
>
> I would love for someone to do a security audit and in the absence of a volunteer I will likely take on the expense myself.
>
> That said, I have made the tests quite extensive. 100% code coverage is always an ongoing goal. All branches which handle failure are checked,
I must say that security in the WWW world is a tricky thing to check. Also, while stuff like buffer overruns or integer overflows are common, they are relatively simple to check using unit tests. The bigger problem is the stuff you do not check or assume is already validated.

Also, Beast is too low-level a library to worry about CSRF or XSS. It still provides virtually no validation of what is going on automatically. No timeouts, no content-length till a few days ago. It may give some sort of false security to users who may not be aware of the wide range of potential issues around.

This kind of design should provide a huge warning notice to all end users - all we do is parse the protocol, the rest is up to you (which is 99% of all security stuff related to WWW).

Artyom
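The point above, that the parser hands you a protocol-level view and the limits are your job, can be shown on the one field the message names. The following is an added example written for this thread, not Beast code and not anything from the Boost project: it validates a Content-Length field value strictly (digits only, overflow-checked) and applies an application-chosen body limit, and it refuses a header block that carries more than one Content-Length field. The limit `kMaxBodyBytes`, the `LengthStatus` enum and the conservative duplicate-field policy are assumptions of this example.

```cpp
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <optional>
#include <string>
#include <string_view>
#include <utility>
#include <vector>

// Assumption of this example: the application's own hard cap on a request body.
// A parser cannot pick this for you; it depends on what the server is willing to buffer.
constexpr std::uint64_t kMaxBodyBytes = 8 * 1024 * 1024;

enum class LengthStatus { Ok, Malformed, Overflow, TooLarge };

struct LengthCheck {
    LengthStatus status;
    std::uint64_t value;  // meaningful only when status is Ok or TooLarge
};

// Strict Content-Length parse: 1*DIGIT only (no sign, no whitespace, no empty value),
// with the multiply-and-add overflow detected before it happens rather than after.
LengthCheck check_content_length(std::string_view field,
                                 std::uint64_t limit = kMaxBodyBytes) {
    if (field.empty()) return {LengthStatus::Malformed, 0};
    constexpr std::uint64_t kMax = std::numeric_limits<std::uint64_t>::max();
    std::uint64_t n = 0;
    for (char c : field) {
        if (c < '0' || c > '9') return {LengthStatus::Malformed, 0};
        const std::uint64_t d = static_cast<std::uint64_t>(c - '0');
        // n * 10 + d would exceed kMax exactly when n > (kMax - d) / 10.
        if (n > (kMax - d) / 10) return {LengthStatus::Overflow, 0};
        n = n * 10 + d;
    }
    if (n > limit) return {LengthStatus::TooLarge, n};
    return {LengthStatus::Ok, n};
}

// Case-insensitive header-name comparison (field names are case-insensitive in HTTP).
bool iequals(std::string_view a, std::string_view b) {
    if (a.size() != b.size()) return false;
    for (std::size_t i = 0; i < a.size(); ++i) {
        if (std::tolower(static_cast<unsigned char>(a[i])) !=
            std::tolower(static_cast<unsigned char>(b[i]))) return false;
    }
    return true;
}

// Decide the declared body length from already-parsed header fields.
// Policy assumed here: at most one Content-Length field; a second one is rejected
// outright instead of being reconciled, so conflicting lengths never reach the body reader.
LengthCheck body_length_from_headers(
    const std::vector<std::pair<std::string, std::string>>& fields,
    std::uint64_t limit = kMaxBodyBytes) {
    std::optional<std::string_view> found;
    for (const auto& [name, value] : fields) {
        if (!iequals(name, "Content-Length")) continue;
        if (found) return {LengthStatus::Malformed, 0};  // duplicate field
        found = value;
    }
    if (!found) return {LengthStatus::Ok, 0};  // no body declared
    return check_content_length(*found, limit);
}

int main() {
    // Constructed sample values; the last three are exactly the cases a bare parser passes through.
    const char* samples[] = {"1024", "+12", "18446744073709551616", "99999999999"};
    for (const char* s : samples) {
        const LengthCheck r = check_content_length(s);
        std::printf("%-22s -> status %d\n", s, static_cast<int>(r.status));
    }
    return 0;
}
```

The overflow guard is the part unit tests tend to miss: `n * 10 + d` wraps silently on `std::uint64_t`, so a twenty-digit value can come out small and positive unless the bound is checked before the arithmetic, and the body limit has to be enforced against the checked value, not against whatever a parser stored.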