Subject: Re: [boost] [beast] Security
From: Artyom Beilis (artyom.beilis_at_[hidden])
Date: 2017-07-03 19:12:03


On Mon, Jul 3, 2017 at 7:47 PM, Vinnie Falco via Boost
<boost_at_[hidden]> wrote:
> On Mon, Jul 3, 2017 at 9:42 AM, Phil Endecott via Boost
> <boost_at_[hidden]> wrote:
>> Has it been reviewed by anyone with specific experience of how
>> HTTP can be attacked? Has it been "fuzzed"?
>
> I would love for someone to do a security audit and in the absence of
> a volunteer I will likely take on the expense myself.
>
> That said, I have made the tests quite extensive. 100% code coverage
> is always an ongoing goal. All branches which handle failure are
> checked,

I must say that security in the WWW world is a tricky thing to check.

Also, stuff like buffer overruns or integer overflows are common; they
are relatively simple to check using unit tests. The bigger problem is
the stuff you do not check or assume is already validated. Also, Beast
is too low-level a library to worry about CSRF or XSS. It still provides
virtually no validation of what is going on automatically. No
timeouts, no content-length till a few days ago. It may give some sort
of false security to a user who may not be aware of the wide range of
potential issues around.

This kind of design should provide a huge warning notice to all end
users - all we do is parse the protocol - the rest is up to you (which is
99% of all security stuff related to WWW).

Artyom

