Talk
Intermediate
First Talk

Boost::Beast - Writing HTTP Server For Fun

Approved

Writing your own server (and client) can be very handy for security research, because tools written from scratch give complete control over protocol details. As a result, we can implement the protocol to the spec, or deviate from it to test how other tools and products behave when the protocol is broken in subtle ways. This testing can lead to some surprising findings, some of which can be further exploitable. Further, bare-bones servers of our own can be embedded in other tools that are useful for security research or red-team activities (e.g. evasions).


The session will start with the basic problem statement (security research focusing on red team and defence evasions), existing solutions, and where they fall short. A brief overview of libraries that can be used to write HTTP servers (and clients) will be provided, with most of the focus on the Boost::Beast library due to its sheer flexibility. The rest of the talk will be about writing a bare-bones HTTP server with TLS support, with partial coverage of the HTTP protocol. In the closing notes, its potential uses will be discussed.


Source code for this is already on GitHub under the GPL-3.0 license: https://github.com/adhokshajmishra/embedded_webserver

None
FOSS

Adhokshaj Mishra
Staff Detection Engineer - Linux Agent SentinelOne

Approvability: 100 %
Approvals: 1
Rejections: 0
Not Sure: 0
Reviewer #1: Approved