...one of the most highly regarded and expertly designed C++ library projects in the world.
— Herb Sutter and Andrei Alexandrescu, C++ Coding Standards
Since 2005, Bishop Fox has provided security consulting services to the Fortune 1000, high-tech startups, and financial institutions worldwide. Beast engaged Bishop Fox to assess the security of the Boost C++ Beast HTTP/S networking library. The following report details the findings identified during the course of the engagement, which started on September 11, 2017.
The assessment team conducted a hybrid application assessment of the Beast library. Bishop Fox’s hybrid application assessment methodology leverages the real-world attack techniques of application penetration testing in combination with targeted source code review to thoroughly identify application security vulnerabilities. These full-knowledge assessments begin with automated scans of the deployed application and source code. Next, analyses of the scan results are combined with manual review to thoroughly identify potential application security vulnerabilities. In addition, the team performs a review of the application architecture and business logic to locate any design-level issues. Finally, the team performs manual exploitation and review of these issues to validate the findings.
The Autobahn WebSockets Testsuite provides a fully automated test suite to verify client and server implementations of The WebSocket Protocol for specification conformance and implementation robustness. The test suite will check an implementation by doing basic WebSocket conversations, extensive protocol compliance verification and performance and limits testing. Autobahn|Testsuite is used across the industry and contains over 500 test cases.
Autobahn|Testsuite WebSocket Results
Warning: Version 0.7.6 of Autobahn|Testsuite contains a known defect which causes false positive failures in Beast for the following test cases: { 12.4.5, 12.4.6, 12.4.8, 12.4.9, 12.4.10, 12.4.11, 12.4.13, 12.4.14, 12.4.15, 12.4.16, 12.4.17, 12.4.18 }. When this issue is resolved in the test suite, the reports will be updated.