The Tangled Web: A Guide to Securing Modern Web Applications Paperback – Nov 29 2011
|New from||Used from|
Frequently Bought Together
Customers Who Bought This Item Also Bought
No Kindle device required. Download one of the Free Kindle apps to start reading Kindle books on your smartphone, tablet, and computer.
To get the free app, enter your e-mail address or mobile phone number.
About the Author
Michal Zalewski is an internationally recognized information security expert with a long track record of delivering cutting-edge research. He is credited with discovering hundreds of notable security vulnerabilities and frequently appears on lists of the most influential security experts. He is the author of Silence on the Wire (No Starch Press), Google's "Browser Security Handbook," and numerous important research papers.
What Other Items Do Customers Buy After Viewing This Item?
Top Customer Reviews
The web came together from many points of interest, and its open and free for all nature is both a blessing and a curse. It's a blessing in that the barrier to creating software to run on the web is very low (at least in its origin). A dizzying array of products, services, browsers, and other technologies has sprung up to make the experience more entertaining, engaging, and create one of the worlds most pervasive communications mediums. It's a curse in that with all of those varied (and competing) approaches, the ability to exploit and subvert the web is also relatively easy. We all agree that we want a more secure web. The big question is "how can we make that a reality?"
Michal Zalewski's provides an answer in "The Tangled Web". As a software tester, I this book is a well-spring. It shows the vulnerabilities that browsers have, and it gives an excellent walk through of potential exploits that testers can add to their plan of attack.
Michal starts out by giving us a tour and history of how we got where we are today, as well as a walk through the basics of URL encoding, HTTP requests, cookies, HTML and CSS, Server and Browser Side Scripting (in all its various flavors). The variety of browser plug-ins that allow users to make their browsers more extensible and do things that go well beyond the traditional HTTP model of transactions is also covered (ActiveX, anyone?). This has not been a straight line of innovation, and it hasn't been done in the spirit of collegiality.Read more ›
Most Helpful Customer Reviews on Amazon.com (beta)
The Tangled Web untangles the mystery of some poor design philosophies and also discusses some of the improvements that have been made along the way. A quote from the book that sums it all up is a statement that "...the status quo reflects several rounds of hastily implemented improvements and is a complex mix of browser-specific special cases..."
I greatly enjoyed reading the book and jotted some notes down that may be useful to other readers. These were the topics that piqued my interest the most:
* SVG embedding vulnerabilities potential (eg. some initial research also published by Thorsten Holz ).
* Flash cross-domain exploitation examples and crossdomain.xml "loose" policies.
* Great coverage of "GIFAR" type issues.
* Astute observations of trade-offs in plugin attack surface versus actual benefit to users.
* XBAP security coverage.
* The excellent tables of Same-Origin-Policy violations and other tests versus different client-side contexts.
* In depth coverage of URI schemes  and potentials for abuse.
* How to resolve data sharing via new mechanisms like postMessage() API.
* Blind cookie-overwrite attacks (interesting examples).
* Very humorous localhost.cisco.com abuse example.
* Local HTML/other execution issues that break privacy segmentation.
* Interesting about:neterror security weakness example.
* New style HTML frame attacks.
* CSS object overlay click-jacking examples and impact on user experience (eg. Firefox add-on installation).
* Content sniffing and dangers such as Byte Order Marking / UTF-7; also interesting note on difference between "UTF7" and "UTF-7".
* window.createPopup() example.
* Abusing HSTS header injection for client-side DoS.
* CSP coverage.
As a final note, it was highly predictable to see slow-moving browser vendors being cited for their inability to rectify issues quickly (even those that are known), but what struck me as noteworthy was the case where Microsoft correctly challenged the CORS standard. It didn't appear that they were doing this for any political reason and in fact came up with a more technically superior solution, which the CORS team eventually drew inspiration from. That was nice for the author to throw in there and show that Microsoft still has the ability to engineer great solutions when they truly care about an initiative.
I hope other readers also enjoy the book when they pick it up...
The reason I give the book 3 stars, however, is that the author is suffering from the curs of knowledge (or perhaps I am suffering from the curse of ignorance). While he gives some background information on how browsers work, html works, etc in the first part of the book, I did not find that it was enough to really understand the consequences of some of the vulnerabilities that he mentions. Often I was left wondering how the issue he raises is actually an issue, or how someone would exploit it.
As a web developer, knowing how someone might exploit the security holes allows me to figure out how to close down those holes and make my web application more secure.
Also, the book seems to be focused on what browser developers should be doing in order to close down these issues, and not what web developers should be doing.
In this incredibly good and highly technical book, author Michal Zalewski writes that modern web applications are built on a tangled mesh of technologies that have been developed over time and then haphazardly pieced together. Every piece of the web application stack, from HTTP requests to browser-side scripts, comes with important yet subtle security consequences. In the book, Zalewski dissects those subtle security consequences to show what their dangers are, and how developers can take it to heart and write secure code for browsers.
The Tangled Web: A Guide to Securing Modern Web Applications is written in the same style as Zalewski's last book - Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks, which is another highly technical and dense book on the topic. This book tackles the issues surrounding insecure web browsers. Since the browser is the portal of choice for so many users; its inherent secure flaws leaves the user at a significant risk. The book details what developers can do to mitigate those risks.
This book starts out with the observation that while the field of information security seems to be a mature and well-defined discipline, there is not even a rudimentary usable framework for understanding and assessing the security of modern software.
In chapter 1, the book provides a brief overview of the development of the web and how so many security issues have cropped in. Zalewski writes that perhaps the most striking and nontechnical property of web browsers is that most people who use them are overwhelmingly unskilled. And given the fact that most users simply do not know enough to use the web in a safe manner, which leads to the predicament we are in now.
Zalewski then spends the remainder of the book detailing specific problems, how they are exploited, and details the manner in which they can be fixed.
In chapter 2, the book details that something as elementary as how the resolution of relative URL's is done isn't a trivial exercise. The book details how misunderstandings occur between application level URL filters and the browser when handling these types of relative references can lead to security problems.
For those that want a feel for the book, chapter 3 on the topic of HTTP is available here.
Chapter 4 deals with HTML and the book notes that HTML is the subject of a fascinating conceptual struggle with a clash between the ideology and the reality of the on-line world. Tim Berners-Lee had the vision of a semantic web; namely a common framework that allows data to be shared and reused across applications, companies and the entire web. The notion though of a semantic web has not really caught on.
Chapter 4 continues with a detailed overview of how to understand HTML parser behavior. The author writes that HTML parsers will second-guess the intent of the page developer which can leads to security problems.
Chapter 14 details the issue of rogue scripts and how to manage them. In the chapter, the author goes slightly off-topic and asks the question if the current model of web scripting is fundamentally incompatible with the way human beings works. Which leads to the question of it if is possible for a script to consistently outsmart victims simply due to the inherent limits of human cognition.
Part 3 of the book takes up the last 35 pages and is a glimpse of things to come. Zalewski optimistically writes that many of the battles being fought in today's browser war is around security, which is a good thing for everyone.
Chapter 16 deals with new and upcoming security features of browsers and details many compelling security features such as security model extension frameworks and security model restriction frameworks.
The chapter deals with one of the more powerful frameworks is the Content Security Policy (CSP) from Mozilla. CSP is meant to fix a large class of web application vulnerabilities, including cross site scripting, cross site request forgery and more. The book notes that as powerful as CSP is, one of its main problems is not a security one, in that it requires a webmaster to move all incline scripts on a web page to a separately requested document. Given that many web pages have hundreds of short scripts; this can be an overwhelmingly onerous task.
The chapter concludes with other developments such as in-browser HTML sanitizers, XSS filtering and more.
Each chapter also concludes with a security engineering cheat sheet that details the core themes of the chapter.
For anyone involved in programming web pages, The Tangled Web: A Guide to Securing Modern Web Applications should be considered required reading to ensure they write secure web code. The book takes a deep look at the core problems with various web protocols, and offers effective methods in which to mitigate those vulnerabilities.
Michal Zalewski brings his extremely deep technical understanding to the book and combines it with a most readable style. The book is an invaluable resource and provides a significant amount of information needed to write secure code for browsers. There is a huge amount of really good advice in this book, and for those that are building web applications, it is hopes this is a book they read.
Make no mistake, the book is focused on the browser and related technologies rather than the theory of security. The same tremendous insight, that made me nod with appreciation and wish that I had the book 5 years ago while working on security policies, illuminates browser concepts like in-browser content separation, scripting, and much more.
I appreciate the authors treatment of each of the concepts in the context of the browser as a complex and still evolving technology, with it's own history, standards, market requirements and politics.
Zalewski starts out with his take on Information Security Management, and this small section probably deserves its own blog post entirely, but suffice to say that Zalewski is a pragmatist in this area--indeed, his 3 principles that he prescribes are:
1) Learning from (preferably other people's) mistakes
2) Developing tools to detect and correct problems
3) Planning to have everything compromised.
Though I would agree with all three, the third principle resonates the strongest with me, as this is one of Richard Bejitlich's favorite things to say, and I have taken it to heart.
With the intro to Information Security out of the way, Zalewski takes the reader through a brief history of the web, and the evolution of the threat. This was one of my favorite sections of the book, as it gave the much needed context to the issue of web security.
Being very young when the first browser wars started (1995ish), I have never understood why it mattered for web security.... Understanding the Wild Wild West-esqueness of those early days, and how each browser tried to one-up each other on web features, brings much clarity to why the security landscape of the web is so pockmarked with half-forgotten/half-thought out features that can be exploited for much gain.
Zalewski then moves from history to an anatomy of the web, picking apart the very structure of the web: URLs, HTTP, HTML, CSS, Scripting, etc... This is great reference material for a theoretical and practical understanding of what makes up the web from a technical standpoint--Zalewski continually points out differences in how different browsers implement specific features.
The rest of the book delves into web and browser-specific security issues, starting with a great treatise on one of the foundational security principles of the Web, Same-Origin Policy.
I will most likely be writing a couple other blog posts on some of the specific security issues that are dealt with here.
The book finishes with some time dedicated to looking forward to future security mechanisms that are on the horizon, along with the pros and cons of them.
All in all, a fantastic book on the current state of affairs for web security, and one which I cannot help but classify as 5 stars.
A couple closing thoughts:
-The security engineering cheat sheets at the end of each chapter is a great way to keep it practical.... I am thinking about finding a way to pull all of the cheat sheets together for a small booklet to refer back to.
-This was the first epub book I have read on my iPad, and I throughly enjoyed it.... Thanks to No Starch for providing epubs and not just pdfs!
Look for similar items by category
- Books > Computers & Technology > History & Culture > Privacy
- Books > Computers & Technology > Internet & Social Media > Web Browsers
- Books > Computers & Technology > Microsoft > Web Browsers
- Books > Computers & Technology > Networking & Cloud Computing > Internet, Groupware, & Telecommunications
- Books > Computers & Technology > Networking & Cloud Computing > Network Security
- Books > Computers & Technology > Networking & Cloud Computing > Networks, Protocols & APIs > Networks
- Books > Computers & Technology > Programming > Algorithms > Cryptography
- Books > Computers & Technology > Security & Encryption
- Books > Computers & Technology > Web Development > Programming