Michal Zalewski - The Tangled Web: A Guide to Securing Modern Web Applications


  • Book: The Tangled Web: A Guide to Securing Modern Web Applications
  • Author: Michal Zalewski
  • Publisher: No Starch Press
  • Year: 2011


Thorough and comprehensive coverage from one of the foremost experts in browser security.
--Tavis Ormandy, Google Inc.
Modern web applications are built on a tangle of technologies that have been developed over time and then haphazardly pieced together. Every piece of the web application stack, from HTTP requests to browser-side scripts, comes with important yet subtle security consequences. To keep users safe, it is essential for developers to confidently navigate this landscape.
In The Tangled Web, Michal Zalewski, one of the world's top browser security experts, offers a compelling narrative that explains exactly how browsers work and why they're fundamentally insecure. Rather than dispense simplistic advice on vulnerabilities, Zalewski examines the entire browser security model, revealing weak points and providing crucial information for shoring up web application security. You'll learn how to:
  • Perform common but surprisingly complex tasks such as URL parsing and HTML sanitization
  • Use modern security features like Strict Transport Security, Content Security Policy, and Cross-Origin Resource Sharing
  • Leverage many variants of the same-origin policy to safely compartmentalize complex web applications and protect user credentials in case of XSS bugs
  • Build mashups and embed gadgets without getting stung by the tricky frame navigation policy
  • Embed or host user-supplied content without running into the trap of content sniffing
For quick reference, Security Engineering Cheat Sheets at the end of each chapter offer ready solutions to problems you're most likely to encounter. With coverage extending as far as planned HTML5 features, The Tangled Web will help you create secure web applications that stand the test of time.


The Tangled Web
Michal Zalewski

Copyright 2011

All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. The Book of is a trademark of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

The information in this book is distributed on an As Is basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.

No Starch Press

Dedication

For my son

PRAISE FOR THE TANGLED WEB

Thorough and comprehensive coverage from one of the foremost experts in browser security.

Tavis Ormandy, Google Inc.

A must-read for anyone who values their security and privacy online.

Collin Jackson, researcher at the Carnegie Mellon Web Security Group

Perhaps the most thorough and insightful treatise on the state of security for web-driven technologies to date. A must have!

Mark Dowd, Azimuth Security, author of The Art of Software Security Assessment
PRAISE FOR SILENCE ON THE WIRE BY MICHAL ZALEWSKI

One of the most innovative and original computing books available.

Richard Bejtlich, TaoSecurity

For the pure information security specialist this book is pure gold.

Mitch Tulloch, Windows Security

Zalewski's explanations make it clear that he's tops in the industry.

Computerworld

The amount of detail is stunning for such a small volume and the examples are amazing.... You will definitely think different after reading this title.

(IN)SECURE Magazine

Totally rises head and shoulders above other such security-related titles.

Linux User & Developer
Preface

Just fifteen years ago, the Web was as simple as it was unimportant: a quirky mechanism that allowed a handful of students, plus a bunch of asocial, basement-dwelling geeks, to visit each other's home pages dedicated to science, pets, or poetry. Today, it is the platform of choice for writing complex, interactive applications (from mail clients to image editors to computer games) and a medium reaching hundreds of millions of casual users around the globe. It is also an essential tool of commerce, important enough to be credited for causing a recession when the 1999 to 2001 dot-com bubble burst.

This progression from obscurity to ubiquity was amazingly fast, even by the standards we are accustomed to in today's information age, and its speed of ascent brought with it an unexpected problem. The design flaws and implementation shortcomings of the World Wide Web are those of a technology that never aspired to its current status and never had a chance to pause and look back at previous mistakes. The resulting issues have quickly emerged as some of the most significant and prevalent threats to data security today: As it turns out, the protocol design standards one would apply to a black-on-gray home page full of dancing hamsters are not necessarily the same for an online shop that processes millions of credit card transactions every year.

When taking a look at the past decade, it is difficult not to be slightly disappointed: Nearly every single noteworthy online application devised so far has had to pay a price for the corners cut in the early days of the Web. Heck, xssed.com, a site dedicated to tracking a narrow subset of web-related security glitches, amassed some 50,000 entries in about three years of operation. Yet, browser vendors are largely unfazed, and the security community itself has offered little insight or advice on how to cope with the widespread misery. Instead, many security experts stick to building byzantine vulnerability taxonomies and engage in habitual but vague hand wringing about the supposed causes of this mess.

Part of the problem is that said experts have long been dismissive of the whole web security ruckus, unable to understand what it was all about. They have been quick to label web security flaws as trivial manifestations of the confused deputy problem [] or of some other catchy label outlined in a trade journal three decades ago. And why should they care about web security, anyway? What is the impact of an obscene comment injected onto a dull pet-themed home page compared to the gravity of a traditional system-compromise flaw?

In retrospect, I'm pretty sure most of us are biting our tongues. Not only has the Web turned out to matter a lot more than originally expected, but we've failed to pay attention to some fundamental characteristics that put it well outside our comfort zone. After all, even the best-designed and most thoroughly audited web applications have far more issues, far more frequently, than their nonweb counterparts.

We all messed up, and it is time to repent. In the interest of repentance, The Tangled Web tries to take a small step toward much-needed normalcy, and as such, it may be the first publication to provide a systematic and thorough analysis of the current state of affairs in the world of web application security. In the process of doing so, it aims to shed light on the uniqueness of the security challenges that we (security engineers, web developers, and users) have to face every day.

The layout of this book is centered on exploring some of the most prominent, high-level browser building blocks and various security-relevant topics derived from this narrative. I have taken this approach because it seems to be more informative and intuitive than simply enumerating the issues using an arbitrarily chosen taxonomy (a practice seen in many other information security books). I hope, too, that this approach will make The Tangled Web a better read.

For readers looking for quick answers, I decided to include quick engineering cheat sheets at the end of many of the chapters. These cheat sheets outline sensible approaches to some of the most commonly encountered problems in web application design. In addition, the final part of the book offers a quick glossary of the well-known implementation vulnerabilities that one may come across.

Acknowledgments

Many parts of The Tangled Web have their roots in the research done for Google's Browser Security Handbook, a technical wiki I put together in 2008 and released publicly under a Creative Commons license. You can browse the original document online at http://code.google.com/p/browsersec/.

I am fortunate to be with a company that allowed me to pursue this project, and delighted to be working with a number of talented peers who provided excellent input to make the Browser Security Handbook more useful and accurate. In particular, thanks to Filipe Almeida, Drew Hintz, Marius Schilder, and Parisa Tabriz for their assistance.

I am also proud to be standing on the shoulders of giants. This book owes a lot to the research on browser security done by members of the information security community. Special credit goes to Adam Barth, Collin Jackson, Chris Evans, Jesse Ruderman, Billy Rios, and Eduardo Vela Nava for the advancement of our understanding of this field.
