On Tue, Dec 12, 2017 at 7:26 PM, Vinnie Falco via Boost < boost@lists.boost.org> wrote:
On Mon, Jul 3, 2017 at 9:42 AM, Phil Endecott via Boost wrote:
To what extent do we think that Beast should be "secure"? I am thinking mostly about handling malicious input.
Has it been reviewed by anyone with specific experience of how HTTP can be attacked? Has it been "fuzzed"?
We now have the answer to this question:
<https://vinniefalco.github.io/BeastAssets/Beast%20-%20Hybrid%20Application%20Assessment%202017%20-%20Assessment%20Report%20-%2020171114.pdf>
Linked from
<http://www.boost.org/doc/libs/master/libs/beast/doc/html/beast/reports.html#beast.reports.security_review_bishop_fox>
Bishop Fox did find one serious vulnerability in the processing of compressed websocket frames. This flaw was fixed in time for Boost 1.66.0.
I can heartily recommend the project OSS-Fuzz. https://github.com/google/oss-fuzz

You figure out how to apply a byte stream to a call in your library, and they fuzz it. Over and over. Forever.

I have hooked up several of the calls in libc++ (sorting, heap operations, regex parsers) and it has found a few bugs (all in the regex stuff). I'm glad to show people how to get started with this.

-- Marshall
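As an added illustration of the "apply a byte stream to a call in your library" step Marshall describes (example code written for this thread, not libc++'s, Beast's or OSS-Fuzz's own harness), here is a libFuzzer-style entry point that feeds the fuzzer's bytes into std::regex construction and matching. The LLVMFuzzerTestOneInput signature is libFuzzer's convention, which OSS-Fuzz builds against; the NUL-split of the input, the exercise_regex helper and the 256-byte cap are choices made here, not anything the thread specifies. The point a practitioner usually gets wrong is visible in exercise_regex: the library's documented failure mode for a malformed pattern (std::regex_error) is caught and classified, so the fuzzer reports only crashes, sanitizer findings and hangs.

```cpp
#include <cstddef>
#include <cstdint>
#include <regex>
#include <string>

// Outcome of one harness iteration. The first two are ordinary results; the
// third is the library's documented way of rejecting a malformed pattern.
enum class Outcome { Matched, NoMatch, BadPattern };

// Feed one pattern/subject pair to std::regex. std::regex_error is expected
// for bad patterns and is classified rather than propagated; anything else
// (crash, sanitizer report, hang) is exactly what the fuzzer exists to find.
Outcome exercise_regex(const std::string &pattern, const std::string &subject) {
    try {
        std::regex re(pattern, std::regex::ECMAScript);
        return std::regex_search(subject, re) ? Outcome::Matched : Outcome::NoMatch;
    } catch (const std::regex_error &) {
        return Outcome::BadPattern;
    }
}

// libFuzzer entry point (the convention OSS-Fuzz builds against). The fuzzer
// hands over an arbitrary byte stream; it is split at the first NUL byte into
// a pattern and a subject so that one input exercises parsing and matching.
// Build for fuzzing with: clang++ -fsanitize=fuzzer,address harness.cpp
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    // Assumed cap (chosen for this example): long patterns make std::regex
    // backtrack for a long time, and a timeout would drown out the memory
    // errors the sanitizer is there to catch.
    if (size > 256) return 0;
    std::string bytes(reinterpret_cast<const char *>(data), size);
    const size_t nul = bytes.find('\0');
    std::string pattern = bytes.substr(0, nul);  // whole input if no NUL
    std::string subject =
        (nul == std::string::npos) ? std::string() : bytes.substr(nul + 1);
    exercise_regex(pattern, subject);
    return 0;  // libFuzzer expects 0; findings surface as crashes, not return values
}
```

Linked with -fsanitize=fuzzer, libFuzzer supplies main() and drives LLVMFuzzerTestOneInput with mutated inputs; the same file drops into an OSS-Fuzz project's build script unchanged.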