Perhaps the most thorough and insightful treatise on the state of security for web-driven technologies to date. A must have!
For the pure information security specialist this book is pure gold.
Zalewskis explanations make it clear that hes tops in the industry.
The amount of detail is stunning for such a small volume and the examples are amazing.... You will definitely think different after reading this title.
Totally rises head and shoulders above other such security-related titles.
Preface
Just fifteen years ago, the Web was as simple as it was unimportant: a quirky mechanism that allowed a handful of students, plus a bunch of asocial, basement-dwelling geeks, to visit each others home pages dedicated to science, pets, or poetry. Today, it is the platform of choice for writing complex, interactive applications (from mail clients to image editors to computer games) and a medium reaching hundreds of millions of casual users around the globe. It is also an essential tool of commerce, important enough to be credited for causing a recession when the 1999 to 2001 dot-com bubble burst.
This progression from obscurity to ubiquity was amazingly fast, even by the standards we are accustomed to in todays information ageand its speed of ascent brought with it an unexpected problem. The design flaws and implementation shortcomings of the World Wide Web are those of a technology that never aspired to its current status and never had a chance to pause and look back at previous mistakes. The resulting issues have quickly emerged as some of the most significant and prevalent threats to data security today: As it turns out, the protocol design standards one would apply to a black-on-gray home page full of dancing hamsters are not necessarily the same for an online shop that processes millions of credit card transactions every year.
When taking a look at the past decade, it is difficult not to be slightly disappointed: Nearly every single noteworthy online application devised so far has had to pay a price for the corners cut in the early days of the Web. Heck, xssed.com , a site dedicated to tracking a narrow subset of web-related security glitches, amassed some 50,000 entries in about three years of operation. Yet, browser vendors are largely unfazed, and the security community itself has offered little insight or advice on how to cope with the widespread misery. Instead, many security experts stick to building byzantine vulnerability taxonomies and engage in habitual but vague hand wringing about the supposed causes of this mess.
Part of the problem is that said experts have long been dismissive of the whole web security ruckus, unable to understand what it was all about. They have been quick to label web security flaws as trivial manifestations of the confused deputy problem [] or of some other catchy label outlined in a trade journal three decades ago. And why should they care about web security, anyway? What is the impact of an obscene comment injected onto a dull pet-themed home page compared to the gravity of a traditional system-compromise flaw?
In retrospect, Im pretty sure most of us are biting our tongues. Not only has the Web turned out to matter a lot more than originally expected, but weve failed to pay attention to some fundamental characteristics that put it well outside our comfort zone. After all, even the best-designed and most thoroughly audited web applications have far more issues, far more frequently, than their nonweb counterparts.
We all messed up, and it is time to repent. In the interest of repentance, The Tangled Web tries to take a small step toward much-needed normalcy, and as such, it may be the first publication to provide a systematic and thorough analysis of the current state of affairs in the world of web application security. In the process of doing so, it aims to shed light on the uniqueness of the security challenges that wesecurity engineers, web developers, and usershave to face every day.
The layout of this book is centered on exploring some of the most prominent, high-level browser building blocks and various security-relevant topics derived from this narrative. I have taken this approach because it seems to be more informative and intuitive than simply enumerating the issues using an arbitrarily chosen taxonomy (a practice seen in many other information security books). I hope, too, that this approach will make The Tangled Web a better read.
For readers looking for quick answers, I decided to include quick engineering cheat sheets at the end of many of the chapters. These cheat sheets outline sensible approaches to some of the most commonly encountered problems in web application design. In addition, the final part of the book offers a quick glossary of the well-known implementation vulnerabilities that one may come across.
Acknowledgments
Many parts of The Tangled Web have their roots in the research done for Googles Browser Security Handbook , a technical wiki I put together in 2008 and released publicly under a Creative Commons license. You can browse the original document online at http://code.google.com/p/browsersec/.
I am fortunate to be with a company that allowed me to pursue this projectand delighted to be working with a number of talented peers who provided excellent input to make the Browser Security Handbook more useful and accurate. In particular, thanks to Filipe Almeida, Drew Hintz, Marius Schilder, and Parisa Tabriz for their assistance.
I am also proud to be standing on the shoulders of giants. This book owes a lot to the research on browser security done by members of the information security community. Special credit goes to Adam Barth, Collin Jackson, Chris Evans, Jesse Ruderman, Billy Rios, and Eduardo Vela Nava for the advancement of our understanding of this field.