Subject: [boost] [beast] Security Review: Hybrid Application Assessment
From: Vinnie Falco (vinnie.falco_at_[hidden])
Date: 2017-12-09 02:15:14


Since 2005, Bishop Fox has provided security consulting services to
the Fortune 1000, high-tech startups, and financial institutions
worldwide. The author of Beast, Vinnie Falco, engaged Bishop Fox to
assess the security of the Boost C++ Beast HTTP/S networking library.
The following report details the findings identified during the course
of the engagement, which started on September 11, 2017.

The assessment team conducted a hybrid application assessment of the
Beast library. Bishop Fox’s hybrid application assessment methodology
leverages the real-world attack techniques of application penetration
testing in combination with targeted source code review to thoroughly
identify application security vulnerabilities. These full-knowledge
assessments begin with automated scans of the deployed application and
source code. Next, analyses of the scan results are combined with
manual review to thoroughly identify potential application security
vulnerabilities. In addition, the team performs a review of the
application architecture and business logic to locate any design-level
issues. Finally, the team performs manual exploitation and review of
these issues to validate the findings.

<https://vinniefalco.github.io/BeastAssets/Beast%20-%20Hybrid%20Application%20Assessment%202017%20-%20Assessment%20Report%20-%2020171114.pdf>

Note: The permessage-deflate vulnerability described in the report is
confirmed to be fixed in the version of Beast which is included in
Boost 1.66.0.

Thanks


Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk