Michal Zalewski - The Tangled Web: A Guide to Securing Modern Web Applications

A must-read for anyone who values their security and privacy online.

One of the most innovative and original computing books available.

Just fifteen years ago, the Web was as simple as it was unimportant: a quirky mechanism that allowed a handful of students, plus a bunch of asocial, basement-dwelling geeks, to visit each others home pages dedicated to science, pets, or poetry. Today, it is the platform of choice for writing complex, interactive applications (from mail clients to image editors to computer games) and a medium reaching hundreds of millions of casual users around the globe. It is also an essential tool of commerce, important enough to be credited for causing a recession when the 1999 to 2001 dot-com bubble burst.

This progression from obscurity to ubiquity was amazingly fast, even by the standards we are accustomed to in todays information ageand its speed of ascent brought with it an unexpected problem. The design flaws and implementation shortcomings of the World Wide Web are those of a technology that never aspired to its current status and never had a chance to pause and look back at previous mistakes. The resulting issues have quickly emerged as some of the most significant and prevalent threats to data security today: As it turns out, the protocol design standards one would apply to a black-on-gray home page full of dancing hamsters are not necessarily the same for an online shop that processes millions of credit card transactions every year.

When taking a look at the past decade, it is difficult not to be slightly disappointed: Nearly every single noteworthy online application devised so far has had to pay a price for the corners cut in the early days of the Web. Heck, xssed.com , a site dedicated to tracking a narrow subset of web-related security glitches, amassed some 50,000 entries in about three years of operation. Yet, browser vendors are largely unfazed, and the security community itself has offered little insight or advice on how to cope with the widespread misery. Instead, many security experts stick to building byzantine vulnerability taxonomies and engage in habitual but vague hand wringing about the supposed causes of this mess.

Part of the problem is that said experts have long been dismissive of the whole web security ruckus, unable to understand what it was all about. They have been quick to label web security flaws as trivial manifestations of the confused deputy problem [] or of some other catchy label outlined in a trade journal three decades ago. And why should they care about web security, anyway? What is the impact of an obscene comment injected onto a dull pet-themed home page compared to the gravity of a traditional system-compromise flaw?

In retrospect, Im pretty sure most of us are biting our tongues. Not only has the Web turned out to matter a lot more than originally expected, but weve failed to pay attention to some fundamental characteristics that put it well outside our comfort zone. After all, even the best-designed and most thoroughly audited web applications have far more issues, far more frequently, than their nonweb counterparts.

We all messed up, and it is time to repent. In the interest of repentance, The Tangled Web tries to take a small step toward much-needed normalcy, and as such, it may be the first publication to provide a systematic and thorough analysis of the current state of affairs in the world of web application security. In the process of doing so, it aims to shed light on the uniqueness of the security challenges that wesecurity engineers, web developers, and usershave to face every day.

The layout of this book is centered on exploring some of the most prominent, high-level browser building blocks and various security-relevant topics derived from this narrative. I have taken this approach because it seems to be more informative and intuitive than simply enumerating the issues using an arbitrarily chosen taxonomy (a practice seen in many other information security books). I hope, too, that this approach will make The Tangled Web a better read.

For readers looking for quick answers, I decided to include quick engineering cheat sheets at the end of many of the chapters. These cheat sheets outline sensible approaches to some of the most commonly encountered problems in web application design. In addition, the final part of the book offers a quick glossary of the well-known implementation vulnerabilities that one may come across.