The Tangled Web
A Guide to Securing Modern Web Applications
Publisher: No Starch Press
Final Release Date: November 2011
Pages: 320

"Thorough and comprehensive coverage from one of the foremost experts in browser security."

—Tavis Ormandy, Google Inc.

Modern web applications are built on a tangle of technologies that have been developed over time and then haphazardly pieced together. Every piece of the web application stack, from HTTP requests to browser-side scripts, comes with important yet subtle security consequences. To keep users safe, it is essential for developers to confidently navigate this landscape.

In The Tangled Web, Michal Zalewski, one of the world's top browser security experts, offers a compelling narrative that explains exactly how browsers work and why they're fundamentally insecure. Rather than dispense simplistic advice on vulnerabilities, Zalewski examines the entire browser security model, revealing weak points and providing crucial information for shoring up web application security. You'll learn how to:

  • Perform common but surprisingly complex tasks such as URL parsing and HTML sanitization
  • Use modern security features like Strict Transport Security, Content Security Policy, and Cross-Origin Resource Sharing
  • Leverage many variants of the same-origin policy to safely compartmentalize complex web applications and protect user credentials in case of XSS bugs
  • Build mashups and embed gadgets without getting stung by the tricky frame navigation policy
  • Embed or host user-supplied content without running into the trap of content sniffing

For quick reference, "Security Engineering Cheat Sheets" at the end of each chapter offer ready solutions to problems you're most likely to encounter. With coverage extending as far as planned HTML5 features, The Tangled Web will help you create secure web applications that stand the test of time.


Customer Reviews

Average rating: 4.8 (based on 4 reviews)

Ratings distribution:

  • 5 stars: 3
  • 4 stars: 1
  • 3 stars: 0
  • 2 stars: 0
  • 1 star: 0

100% of respondents would recommend this to a friend.

Pros: Accurate (3), Well-written (3)
Cons: none listed
Best uses: Expert (3), Intermediate (3)
Reviewer profile: Developer (3)

Reviewed by 4 customers
5.0 The Tangled Web

By Mat from Bentonville, AR (Developer, Sys Admin; Verified Reviewer)

Pros: Accurate, Well-written
Best uses: Expert, Intermediate

Comments about The Tangled Web:

      The Tangled Web provides an in-depth academic approach to web security to examine the current threat landscape, how we got here, and how to better secure your applications.

One thing I really enjoyed about this book is that it conveys technical content without having you do any real labs or follow along with code examples. To sweeten the deal even further, there are some handy cheat sheets at the end of each chapter that you can utilize as a checklist for your applications.

      Overall, I think this is a great book for security engineers or web developers who want to understand how their applications are under attack.

(1 of 1 customers found this review helpful)

4.0 Great stuff, maybe not for beginners...

By Jason from Washington, DC (Developer; Verified Reviewer)

Pros: Accurate, Easy to understand, Well-written
Best uses: Expert, Intermediate

Comments about The Tangled Web:

In The Tangled Web, Mr. Zalewski paints a grim picture of web security, explaining in some detail the confluence of conflicting standards, incomplete RFCs, inconsistent browser behaviors and other anomalies that lead to today's current (spoiler alert: not good) state of web security.

This title is different from any other I've read on web security. It isn't a web security handbook by any means - it is more a descriptive history of the evolution of web standards and languages, focusing on decisions made that impact web security to this day. The author delves into every aspect of the web - HTML, HTTP, CSS, scripting languages, browsers, plugins, etc. - in astounding detail. Moving between topics, he is consistently able to combine low-level technical details with a deal of historical context that is in itself remarkable. It is interesting to read explanations of how vulnerabilities came to be, whether caused by ignorance, good intentions, loyalty to a specific browser, etc. This more "human" information provides a respite from the more technical content while being both insightful and entertaining.

        While the content is highly descriptive Mr. Zalewski does a great job of providing security cheat sheets at the end of each chapter. These bite-sized nuggets of actionable content are invaluable and add an extra dimension to the title - I know I will come back to these time and again as I develop for the web.

        This book is definitely a worthwhile read, but it is not an easy read. It weighs in at about 300 pages but is packed with information and it took me quite some time to get through it. It is quite technical and I found myself re-reading sections to make sure I really understood what the author was saying. I'm somewhat conflicted: I wouldn't necessarily recommend this title to a novice web programmer but I wouldn't recommend deploying a website without reading it...

At the end of the day, Mr. Zalewski takes what is realistically a dull and dry topic and makes it read like prose. I strongly suggest this title to anyone working in the web development world. Everyone will get something out of it, and if you are the kind of person passionate about knowing how everything works behind the scenes, you'll absolutely love it!

(3 of 3 customers found this review helpful)

5.0 Real & deep web information

By marc137 from Madrid

Comments about The Tangled Web:

        Tremendous. Long ago I read a book not so much technical information. Designed especially for web developers, clearly explains how it all works, from browsers to the protocols, security, different parsers (HTML, URLs, etc ...).

        There are many things we know how it works ... or so we think. We used to use them, but usually know the other possibilities that we offer, or by the same ignorance, we fall into security issues. It is here where this book comes in handy.

        It is not easy reading, nor intended for beginners. But it's worth making the effort and if you already have a web programming level, mess with this book. Definitely highly recommended.

(4 of 5 customers found this review helpful)

5.0 An invaluable Browser Security Resource!

By grandslam from Honolulu (Designer, Developer, Sys Admin; Verified Reviewer)

Pros: Accurate, Concise, Easy to understand, Helpful examples, Well-written
Best uses: Expert, Intermediate, Novice

Comments about The Tangled Web:

I am currently a front-end application developer at a financial institution, and I have gone through quite a few security books over the last couple of years but have never found one so specifically focused on browser applications as this book is. I thought I was pretty versed and up-to-date in the common internet security issues until I read this book. I was surprised to see how creative the bad guys can be. I especially found Michal's coverage of intranet security an eye-opener. After reading this book, I simply cannot imagine anyone involved in the management, design or development of applications for the internet or intranet not having this book as their foundation. I found this book to be an invaluable resource for updating our company's intranet security policy, and I would highly recommend this book to others.

Buying options:

  • Ebook: $31.95 (ePub, Mobi, PDF)
  • Print & Ebook: $54.95
  • Print: $49.95