The Tangled Web: A Guide to Securing Modern Web Applications
Author: Michal Zalewski
Pages: 320
Publisher: No Starch Press
ISBN: 1593273886
Introduction
We all use the Internet to some extent and browsers to surf through it. With security vulnerabilities affecting them and the technologies that allow them to function popping up every day, most of us are aware that we should never consider ourselves completely secure while doing it. This book explains in detail the security pitfalls every web application developer should strive to solve or at least avoid.
About the author
Michal Zalewski is an internationally recognized information security expert and an Information Security Engineer at Google. He is credited with discovering hundreds of notable security vulnerabilities and frequently appears on lists of the most influential security experts. He is the author of Silence on the Wire, Google’s “Browser Security Handbook,” and numerous important research papers.
Inside the book
The book starts with a shortish introduction into information security, a brief history of the Web (with a special mention of the past and current “Browser Wars”), and an explanation of the most prevalent online security threats.
What follows are the detailed explanations of how browsers work, how to parse URLs, what is HTTP and its basic syntax, requests types, server response codes, cookies, encryption, client certificates, HTML and HTML parsing, CSS, browser-side scripts, non-HTML document types displayed by web browsers, content rendering with browser plug-ins. In short – this part covers everything you need to know and probably everything you ever wanted to know about the functioning of browsers.
Part 2 covers present browser security features, while part 3 gives a peek into new and upcoming security features.
The title of the book refers to the technologies upon which the Internet has been built. The author does not waste time lamenting on the fact that security wasn’t first and foremost on their creators’ minds but explains clearly, concisely, and in-depth each and every functioning part and points out their security weaknesses and how they came about or were mitigated with time.
Some of the chapters end with “Security Engineering Cheat Sheets”, which sum up the most important rules for secure web application development.
Final thoughts
The book offers a fascinating insight into technologies we all use and appreciate, and is a definite must-read (and re-read) for web developers and everyone else who deals with web application security – whichever “side” they are on.
It is highly technical and very in-depth, but worth the time spent on going through it. Absolute beginners should stay away.