A Non-Traditional Source Code Review Securing the Foundation of Thousands of Web Applications.
Since tens of thousands of users across the Internet rely on the Beast library as the foundation of their code, security and peer review are crucial to identify and remove dangerous security vulnerabilities. Vinnie Falco, the creator of Beast, reached out to Bishop Fox to assess the security of Boost.Beast, the C++ HTTP/S and WebSocket networking library. The Bishop Fox team conducted a hybrid application assessment of the library: automated scans of the deployed application and its source code, detailed inspection of the scan results, and manual code review to identify potential application security vulnerabilities. In addition, the team reviewed the library's architecture and logic to locate any design-level issues. Finally, the team performed manual exploitation and review of these issues to validate the findings.
The Bishop Fox assessment team discovered multiple high-risk denial-of-service vulnerabilities that an attacker could exploit to prevent legitimate users from reaching a Beast-based server.
The team demonstrated three denial-of-service attacks against Beast by sending malformed WebSocket frames containing a compressed payload. The issues were identified by fuzzing the WebSocket server code responsible for decompressing client messages.
In addition, the Bishop Fox team found that Beast used an insufficient source of entropy to seed the linear congruential generator (LCG) that produces the masking keys applied to outgoing WebSocket client frames. Client-side masking exists so that the bytes a client puts on the wire cannot be chosen by whoever controls the payload; with a predictable masking key that guarantee is lost, and in special circumstances an attacker may be able to exploit this to poison HTTP caches served by improperly implemented intermediaries.
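The property the masking-key finding rests on, shown as an added example rather than Beast's own code or the report's proof of concept: a client frame's payload is XORed with a 4-byte key, so an attacker who can predict the key can pick a payload whose masked form is exactly the bytes they want an intermediary to see, while an unpredictable key leaves them no such control. The LCG constants, the seed value 12345 standing in for a guessable low-entropy seed, the use of std::random_device as the OS entropy source, and the attacker-chosen request line are all assumptions made for the illustration.

```cpp
// Added illustration of the masking-key finding above. Not Beast's code: the
// LCG constants, the seed and the attacker-chosen bytes are all assumptions.
#include <cstdint>
#include <cstdio>
#include <random>
#include <string>
#include <vector>

using Bytes = std::vector<std::uint8_t>;

// RFC 6455 section 5.3: byte i of a client frame's payload is XORed with
// key[i % 4]. XOR is its own inverse, so masking and unmasking are the same op.
Bytes apply_mask(const Bytes& data, const std::uint8_t key[4]) {
    Bytes out(data.size());
    for (std::size_t i = 0; i < data.size(); ++i)
        out[i] = static_cast<std::uint8_t>(data[i] ^ key[i % 4]);
    return out;
}

// A 32-bit linear congruential generator (Numerical Recipes constants, chosen
// here for illustration). Given the seed, every output is reproducible.
struct Lcg {
    std::uint32_t state;
    explicit Lcg(std::uint32_t seed) : state(seed) {}
    std::uint32_t next() {
        state = 1664525u * state + 1013904223u;
        return state;
    }
};

// Split a 32-bit value into the four masking-key bytes (little-endian order).
void to_key(std::uint32_t v, std::uint8_t key[4]) {
    for (int i = 0; i < 4; ++i)
        key[i] = static_cast<std::uint8_t>(v >> (8 * i));
}

// The attacker's move: if the masking key can be predicted, choose a payload
// whose masked form equals the bytes the attacker wants an intermediary to see.
Bytes craft_payload(const Bytes& desired_on_wire, const std::uint8_t predicted_key[4]) {
    return apply_mask(desired_on_wire, predicted_key);
}

// Scenario 1: the client seeds its LCG from a value the attacker can guess
// (`guessable_seed` stands in for a coarse timestamp or similar low-entropy
// source). Returns the bytes that actually appear on the wire.
Bytes wire_bytes_with_predictable_key(const Bytes& desired, std::uint32_t guessable_seed) {
    Lcg client_rng(guessable_seed);
    std::uint8_t client_key[4];
    to_key(client_rng.next(), client_key);

    Lcg attacker_rng(guessable_seed);   // same seed, same stream, same key
    std::uint8_t predicted_key[4];
    to_key(attacker_rng.next(), predicted_key);

    Bytes payload = craft_payload(desired, predicted_key);
    return apply_mask(payload, client_key);   // what the client transmits
}

// Scenario 2: the client draws its key from the OS entropy source instead.
// The attacker still tries the LCG prediction, but it no longer matches.
Bytes wire_bytes_with_random_key(const Bytes& desired, std::uint32_t attacker_seed_guess) {
    std::random_device os_entropy;
    std::uint8_t client_key[4];
    to_key(static_cast<std::uint32_t>(os_entropy()), client_key);

    Lcg attacker_rng(attacker_seed_guess);
    std::uint8_t predicted_key[4];
    to_key(attacker_rng.next(), predicted_key);

    Bytes payload = craft_payload(desired, predicted_key);
    return apply_mask(payload, client_key);
}

// Sanity check that masking round-trips for any key value.
bool mask_round_trips(const std::string& text, std::uint32_t key_value) {
    std::uint8_t key[4];
    to_key(key_value, key);
    Bytes data(text.begin(), text.end());
    return apply_mask(apply_mask(data, key), key) == data;
}

std::string as_text(const Bytes& b) { return std::string(b.begin(), b.end()); }
Bytes from_text(const std::string& s) { return Bytes(s.begin(), s.end()); }

int main() {
    // Constructed attacker-chosen bytes: a request line a naive proxy might parse.
    const std::string chosen = "GET /poisoned HTTP/1.1\r\n";
    std::string weak = as_text(wire_bytes_with_predictable_key(from_text(chosen), 12345u));
    std::string strong = as_text(wire_bytes_with_random_key(from_text(chosen), 12345u));
    std::printf("predictable key: wire == chosen? %s\n", weak == chosen ? "yes" : "no");
    std::printf("random key:      wire == chosen? %s\n", strong == chosen ? "yes" : "no");
    return 0;
}
```

Build with `g++ -std=c++17 mask_demo.cpp`. In the first scenario the wire bytes equal the attacker's chosen request line; in the second they are noise relative to it. The point is the seed, not the generator: an LCG fed from a guessable value is reproducible by anyone who can guess that value, so the fix is a key drawn from a properly seeded source. std::random_device is used as a stand-in for that source; on some older toolchains it is deterministic, so production code should use the platform CSPRNG directly.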
Bishop Fox produced a detailed report of the findings, outlining where the vulnerabilities could affect developers who use Beast as a foundation for their own code. Thanks to the Bishop Fox discoveries, the WebSocket frame crashes were fixed in the first official release of Beast in Boost. The masking-key weakness was found to affect only WebSocket clients, and only in very limited circumstances. Because the Beast project places immense value on security and transparency, the report and details of the findings were posted publicly on the Beast project page, where the full Bishop Fox report can be accessed.
“Bishop Fox's reputation in the industry is exceptional. This project was uniquely challenging as it did not fit the typical profile and scope of an application pen-test. Despite the challenges, Bishop Fox was extremely professional and produced great results.”
— Vinnie Falco, Author of Boost.Beast
Vinnie Falco started programming on an Apple II+ in 1982. He wrote BearShare, a Gnutella-compatible file sharing program, and later joined Ripple, a global financial settlement network built on top of a decentralized cryptocurrency and its associated ledger. Ripple gave him the opportunity to develop Beast, the HTTP and WebSocket library written in C++ and used in Ripple.
Beast is an open-source, header-only C++ library that serves as a foundation for writing interoperable networking libraries. It implements low-level HTTP/1 and WebSocket protocol vocabulary types and algorithms using the consistent asynchronous model of Boost.Asio. Beast empowers users to create their own libraries, clients, and servers.