The Tangled Web: A Guide to Securing Modern Web Applications and over one million other books are available for Amazon Kindle. Learn more
CDN$ 32.92
  • List Price: CDN$ 52.95
  • You Save: CDN$ 20.03 (38%)
Only 1 left in stock (more on the way).
Ships from and sold by Amazon.ca.
Gift-wrap available.
Quantity:1
Add to Cart
Have one to sell?
Flip to back Flip to front
Listen Playing... Paused   You're listening to a sample of the Audible audio edition.
Learn more
See all 2 images

The Tangled Web: A Guide to Securing Modern Web Applications Paperback – Nov 26 2011


See all 2 formats and editions Hide other formats and editions
Amazon Price New from Used from
Kindle Edition
"Please retry"
Paperback
"Please retry"
CDN$ 32.92
CDN$ 16.73 CDN$ 27.28

Join Amazon Student in Canada



Frequently Bought Together

Customers buy this book with JavaScript: The Good Parts CDN$ 18.80

The Tangled Web: A Guide to Securing Modern Web Applications + JavaScript: The Good Parts
Price For Both: CDN$ 51.72

Show availability and shipping details

  • This item: The Tangled Web: A Guide to Securing Modern Web Applications

    In Stock.
    Ships from and sold by Amazon.ca.
    FREE Shipping. Details

  • JavaScript: The Good Parts

    In Stock.
    Ships from and sold by Amazon.ca.
    FREE Shipping on orders over CDN$ CDN$ 25. Details


Customers Who Bought This Item Also Bought

NO_CONTENT_IN_FEATURE

Product Details

  • Paperback: 320 pages
  • Publisher: No Starch Press; 1 edition (Nov. 26 2011)
  • Language: English
  • ISBN-10: 1593273886
  • ISBN-13: 978-1593273880
  • Product Dimensions: 23.4 x 18 x 2.1 cm
  • Shipping Weight: 635 g
  • Average Customer Review: 5.0 out of 5 stars  See all reviews (1 customer review)
  • Amazon Bestsellers Rank: #153,145 in Books (See Top 100 in Books)
  • See Complete Table of Contents


What Other Items Do Customers Buy After Viewing This Item?

Customer Reviews

5.0 out of 5 stars
5 star
1
4 star
0
3 star
0
2 star
0
1 star
0
See the customer review
Share your thoughts with other customers

Most helpful customer reviews

Format: Paperback
Book Review: The Tangled Web: A Guide to Securing Modern Web Applications

The web came together from many points of interest, and its open and free for all nature is both a blessing and a curse. It's a blessing in that the barrier to creating software to run on the web is very low (at least in its origin). A dizzying array of products, services, browsers, and other technologies has sprung up to make the experience more entertaining, engaging, and create one of the worlds most pervasive communications mediums. It's a curse in that with all of those varied (and competing) approaches, the ability to exploit and subvert the web is also relatively easy. We all agree that we want a more secure web. The big question is "how can we make that a reality?"

Michal Zalewski's provides an answer in "The Tangled Web". As a software tester, I this book is a well-spring. It shows the vulnerabilities that browsers have, and it gives an excellent walk through of potential exploits that testers can add to their plan of attack.

Michal starts out by giving us a tour and history of how we got where we are today, as well as a walk through the basics of URL encoding, HTTP requests, cookies, HTML and CSS, Server and Browser Side Scripting (in all its various flavors). The variety of browser plug-ins that allow users to make their browsers more extensible and do things that go well beyond the traditional HTTP model of transactions is also covered (ActiveX, anyone?). This has not been a straight line of innovation, and it hasn't been done in the spirit of collegiality.
Read more ›
Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback. If this review is inappropriate, please let us know.
Sorry, we failed to record your vote. Please try again.

Most Helpful Customer Reviews on Amazon.com (beta)

Amazon.com: 30 reviews
23 of 24 people found the following review helpful
On the evolution of the modern web browser design and notable security implications. Nov. 26 2011
By Kristian Erik Hermansen - Published on Amazon.com
Format: Paperback
Mr. Zalewski's new book is impressive and should be read by anyone working in the web space that cares about security -- whether an attacker or defender. It definitively captures the current state and how we arrived at this juncture due to the many historical browser wars. His current employer and producer of the most secure browser -- Google Chrome -- is about to capture a 40% share [1] of the browser market and leap frog Firefox, Internet Explorer, and Safari.

The Tangled Web untangles the mystery of some poor design philosophies and also discusses some of the improvements that have been made along the way. A quote from the book that sums it all up is a statement that "...the status quo reflects several rounds of hastily implemented improvements and is a complex mix of browser-specific special cases..."

I greatly enjoyed reading the book and jotted some notes down that may be useful to other readers. These were the topics that piqued my interest the most:

* Microsoft's challenge to JavaScript, VBScript, has the potential for some exploitation, if no one has been fuzzing it much thus far.

* SVG embedding vulnerabilities potential (eg. some initial research also published by Thorsten Holz [2]).

* Flash cross-domain exploitation examples and crossdomain.xml "loose" policies.

* Great coverage of "GIFAR" type issues.

* Astute observations of trade-offs in plugin attack surface versus actual benefit to users.

* XBAP security coverage.

* The excellent tables of Same-Origin-Policy violations and other tests versus different client-side contexts.

* In depth coverage of URI schemes [3] and potentials for abuse.

* How to resolve data sharing via new mechanisms like postMessage() API.

* Blind cookie-overwrite attacks (interesting examples).

* Very humorous localhost.cisco.com abuse example.

* Local HTML/other execution issues that break privacy segmentation.

* Interesting about:neterror security weakness example.

* New style HTML frame attacks.

* CSS object overlay click-jacking examples and impact on user experience (eg. Firefox add-on installation).

* Content sniffing and dangers such as Byte Order Marking / UTF-7; also interesting note on difference between "UTF7" and "UTF-7".

* window.createPopup() example.

* Abusing HSTS header injection for client-side DoS.

* CSP coverage.

As a final note, it was highly predictable to see slow-moving browser vendors being cited for their inability to rectify issues quickly (even those that are known), but what struck me as noteworthy was the case where Microsoft correctly challenged the CORS standard. It didn't appear that they were doing this for any political reason and in fact came up with a more technically superior solution, which the CORS team eventually drew inspiration from. That was nice for the author to throw in there and show that Microsoft still has the ability to engineer great solutions when they truly care about an initiative.

I hope other readers also enjoy the book when they pick it up...

[1] [...]
[2] [...]
[3] [...]
8 of 8 people found the following review helpful
Incredibly good and highly technical book on browser security coding Jan. 25 2012
By Ben Rothke - Published on Amazon.com
Format: Paperback
In the classic poem Inferno, Dante passes through the gates of Hell, which has the inscription abandon all hope, ye who enter here above the entrance. After reading The Tangled Web: A Guide to Securing Modern Web Applications, one gets the feeling the writing secure web code is akin to Dante's experience.

In this incredibly good and highly technical book, author Michal Zalewski writes that modern web applications are built on a tangled mesh of technologies that have been developed over time and then haphazardly pieced together. Every piece of the web application stack, from HTTP requests to browser-side scripts, comes with important yet subtle security consequences. In the book, Zalewski dissects those subtle security consequences to show what their dangers are, and how developers can take it to heart and write secure code for browsers.

The Tangled Web: A Guide to Securing Modern Web Applications is written in the same style as Zalewski's last book - Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks, which is another highly technical and dense book on the topic. This book tackles the issues surrounding insecure web browsers. Since the browser is the portal of choice for so many users; its inherent secure flaws leaves the user at a significant risk. The book details what developers can do to mitigate those risks.

This book starts out with the observation that while the field of information security seems to be a mature and well-defined discipline, there is not even a rudimentary usable framework for understanding and assessing the security of modern software.

In chapter 1, the book provides a brief overview of the development of the web and how so many security issues have cropped in. Zalewski writes that perhaps the most striking and nontechnical property of web browsers is that most people who use them are overwhelmingly unskilled. And given the fact that most users simply do not know enough to use the web in a safe manner, which leads to the predicament we are in now.

Zalewski then spends the remainder of the book detailing specific problems, how they are exploited, and details the manner in which they can be fixed.

In chapter 2, the book details that something as elementary as how the resolution of relative URL's is done isn't a trivial exercise. The book details how misunderstandings occur between application level URL filters and the browser when handling these types of relative references can lead to security problems.

For those that want a feel for the book, chapter 3 on the topic of HTTP is available here.

Chapter 4 deals with HTML and the book notes that HTML is the subject of a fascinating conceptual struggle with a clash between the ideology and the reality of the on-line world. Tim Berners-Lee had the vision of a semantic web; namely a common framework that allows data to be shared and reused across applications, companies and the entire web. The notion though of a semantic web has not really caught on.

Chapter 4 continues with a detailed overview of how to understand HTML parser behavior. The author writes that HTML parsers will second-guess the intent of the page developer which can leads to security problems.

In chapter 12, the book deals with third-party cookies and notes that since their inception, HTTP cookies have been misunderstood as the tool that enables online advertisers to violate users privacy. Zalewski observes that the public's fixation on cookies is deeply misguided. He writes there is no doubt that some sites use cookies as a mechanism for malicious use. But that there is nothing that makes it uniquely suited for this task, as there are many other equivalent ways to sore unique identifiers on visitor's computes, such as cache-based tags.

Chapter 14 details the issue of rogue scripts and how to manage them. In the chapter, the author goes slightly off-topic and asks the question if the current model of web scripting is fundamentally incompatible with the way human beings works. Which leads to the question of it if is possible for a script to consistently outsmart victims simply due to the inherent limits of human cognition.

Part 3 of the book takes up the last 35 pages and is a glimpse of things to come. Zalewski optimistically writes that many of the battles being fought in today's browser war is around security, which is a good thing for everyone.

Chapter 16 deals with new and upcoming security features of browsers and details many compelling security features such as security model extension frameworks and security model restriction frameworks.

The chapter deals with one of the more powerful frameworks is the Content Security Policy (CSP) from Mozilla. CSP is meant to fix a large class of web application vulnerabilities, including cross site scripting, cross site request forgery and more. The book notes that as powerful as CSP is, one of its main problems is not a security one, in that it requires a webmaster to move all incline scripts on a web page to a separately requested document. Given that many web pages have hundreds of short scripts; this can be an overwhelmingly onerous task.

The chapter concludes with other developments such as in-browser HTML sanitizers, XSS filtering and more.

Each chapter also concludes with a security engineering cheat sheet that details the core themes of the chapter.

For anyone involved in programming web pages, The Tangled Web: A Guide to Securing Modern Web Applications should be considered required reading to ensure they write secure web code. The book takes a deep look at the core problems with various web protocols, and offers effective methods in which to mitigate those vulnerabilities.

Michal Zalewski brings his extremely deep technical understanding to the book and combines it with a most readable style. The book is an invaluable resource and provides a significant amount of information needed to write secure code for browsers. There is a huge amount of really good advice in this book, and for those that are building web applications, it is hopes this is a book they read.
9 of 10 people found the following review helpful
Decent book...for readers with previous knowledge Aug. 23 2012
By Rebecca Ames - Published on Amazon.com
Format: Paperback
In general, I thought this book was good. It covers a lot of material, and has nice "cheat sheets" at the end of each chapter.

The reason I give the book 3 stars, however, is that the author is suffering from the curs of knowledge (or perhaps I am suffering from the curse of ignorance). While he gives some background information on how browsers work, html works, etc in the first part of the book, I did not find that it was enough to really understand the consequences of some of the vulnerabilities that he mentions. Often I was left wondering how the issue he raises is actually an issue, or how someone would exploit it.

As a web developer, knowing how someone might exploit the security holes allows me to figure out how to close down those holes and make my web application more secure.

Also, the book seems to be focused on what browser developers should be doing in order to close down these issues, and not what web developers should be doing.
6 of 6 people found the following review helpful
Systematic coverage of browser security Nov. 30 2011
By Marcin Antkiewicz - Published on Amazon.com
Format: Paperback Verified Purchase
The book provides systematic coverage of browser security. The first 6 pages of chapter 1 provide brilliant insight into why formal security models, risk management and taxonomies fail to deliver promised security improvements to organizations that embrace them. I used to explain the same with a lot of hand weaving, Zalewski's approach and insight are far superior.

Make no mistake, the book is focused on the browser and related technologies rather than the theory of security. The same tremendous insight, that made me nod with appreciation and wish that I had the book 5 years ago while working on security policies, illuminates browser concepts like in-browser content separation, scripting, and much more.

I appreciate the authors treatment of each of the concepts in the context of the browser as a complex and still evolving technology, with it's own history, standards, market requirements and politics.
3 of 3 people found the following review helpful
A Cut Above the Rest Jan. 26 2012
By Joshua Brower - Published on Amazon.com
Format: Paperback
I have to say, I wasn't quite sure what to expect when I received a review copy, as there seems to be a glut of "Securing Web Apps" books out there, and from what I have seen, not that many great ones. However, Zalewski is well-known within the security industry, so I had higher than normal expectations.

Zalewski starts out with his take on Information Security Management, and this small section probably deserves its own blog post entirely, but suffice to say that Zalewski is a pragmatist in this area--indeed, his 3 principles that he prescribes are:

1) Learning from (preferably other people's) mistakes

2) Developing tools to detect and correct problems

3) Planning to have everything compromised.

Though I would agree with all three, the third principle resonates the strongest with me, as this is one of Richard Bejitlich's favorite things to say, and I have taken it to heart.

With the intro to Information Security out of the way, Zalewski takes the reader through a brief history of the web, and the evolution of the threat. This was one of my favorite sections of the book, as it gave the much needed context to the issue of web security.

Being very young when the first browser wars started (1995ish), I have never understood why it mattered for web security.... Understanding the Wild Wild West-esqueness of those early days, and how each browser tried to one-up each other on web features, brings much clarity to why the security landscape of the web is so pockmarked with half-forgotten/half-thought out features that can be exploited for much gain.

Zalewski then moves from history to an anatomy of the web, picking apart the very structure of the web: URLs, HTTP, HTML, CSS, Scripting, etc... This is great reference material for a theoretical and practical understanding of what makes up the web from a technical standpoint--Zalewski continually points out differences in how different browsers implement specific features.

The rest of the book delves into web and browser-specific security issues, starting with a great treatise on one of the foundational security principles of the Web, Same-Origin Policy.

I will most likely be writing a couple other blog posts on some of the specific security issues that are dealt with here.

The book finishes with some time dedicated to looking forward to future security mechanisms that are on the horizon, along with the pros and cons of them.

All in all, a fantastic book on the current state of affairs for web security, and one which I cannot help but classify as 5 stars.

A couple closing thoughts:

-The security engineering cheat sheets at the end of each chapter is a great way to keep it practical.... I am thinking about finding a way to pull all of the cheat sheets together for a small booklet to refer back to.

-This was the first epub book I have read on my iPad, and I throughly enjoyed it.... Thanks to No Starch for providing epubs and not just pdfs!

-Josh

Product Images from Customers

Search


Feedback