Case Study Securing Boost.Beast

A Non-Traditional Source Code Review

Securing the Foundation of Thousands of Web Applications

About Boost.Beast

Beast is an open-source C++ header-only library serving as a foundation for writing interoperable networking libraries. It implements low level HTTP/1, WebSocket, networking protocol vocabulary types, and algorithms using the consistent asynchronous model of Boost.Asio. Beast empowers users to create their own libraries, clients, and servers.

 

Since tens of thousands of users across the internet rely on the Beast library as the foundation of their code, security and peer review is crucial and mandatory to identify and remove dangerous security vulnerabilities. Watch Vinnie Falco, the creator of Beast, explain how he reached out to Bishop Fox to assess the security of the Boost.Beast C++ HTTP/S and WebSockets networking library.

Bishop Fox’s reputation in the industry is exceptional. This project was uniquely challenging as it did not fit the typical profile and scope of an application pen-test. Despite the challenges, Bishop Fox was extremely professional and produced great results.

Vinnie Falco Author of Boost.Beast

The Challenge

Since tens of thousands of users across the Internet rely on the Beast library as the foundation of their code, security and peer review are crucial and mandatory to identify and remove dangerous security vulnerabilities. Vinnie Falco, the creator of Beast, reached out to Bishop Fox to assess the security of the Boost C++ Beast HTTP/S networking library.The assessment team conducted a hybrid application assessment of the Beast library. Bishop Fox used its hybrid application assessment methodology to conduct automated scans of the deployed application and source code, detailed inspection of the scan results and manual code review to thoroughly identify potential application security vulnerabilities. In addition, the Bishop Fox team reviewed the application architecture and business logic to locate any design-level issues. Finally, the team performed manual exploitation and review of these issues to validate the findings.
 
 

The Results

The Bishop Fox assessment team discovered multiple “high-risk” denial-of-service vulnerabilities that could be exploited by malicious hackers to prevent authorized users from accessing the resource.

The team demonstrated three denial-of-service attacks against Beast by sending malformed WebSocket frames containing a compressed payload. The issues were identified by fuzzing the WebSocket server code responsible for uncompressing client messages. 

In addition, the Bishop Fox team found that Beast uses an insufficient source of entropy as a seed value to a linear congruential generator (LCG) to generate random values that serve as the masking value when WebSocket client frames are sent. In special circumstances, an attacker may be able to exploit this issue to poison HTTP caches served from improperly implemented intermediaries. 

Bishop Fox produced a detailed report of the findings, outlining where security vulnerabilities could potentially affect developers when using Beast code as foundation. The crash in WebSocket frames vulnerability was fixed in the first official release of Beast in Boost thanks to the Bishop Fox discoveries. The other vulnerability was found to only affect WebSocket clients in very limited circumstances. Because Beast places immense value on security and transparency, the report and details of the findings were publicly posted on the Beast Project page (view the Bishop Fox report here).

Download the PDF here –  Beast Case Study (1713 downloads)

About Vinnie Falco

Vinnie Falco started programming on an Apple II+ in 1982. He wrote BearShare – a Gnutella compatible file sharing program and later joined Ripple, a global financial settlement network built on top of a decentralized cryptocurrency and its associated ledger. Ripple gave him the opportunity to develop Beast, the HTTP and WebSocket library written in C++ and used in Ripple.