Customer Reviews

3 customer reviews, 5.0 out of 5 stars (5 star: 3, 4 star: 0, 3 star: 0, 2 star: 0, 1 star: 0)
The Tangled Web: A Guide to Securing Modern Web Applications
Format: Paperback
Price: £26.80 + free shipping with Amazon Prime


3 of 3 people found the following review helpful
on 9 January 2012
Book Review: The Tangled Web: A Guide to Securing Modern Web Applications

The web came together from many points of interest, and its open, free-for-all nature is both a blessing and a curse. It's a blessing in that the barrier to creating software to run on the web is very low (at least in its origin). A dizzying array of products, services, browsers, and other technologies has sprung up to make the experience more entertaining and engaging, and to create one of the world's most pervasive communications mediums. It's a curse in that, with all of those varied (and competing) approaches, the ability to exploit and subvert the web is also relatively easy. We all agree that we want a more secure web. The big question is "how can we make that a reality?"

Michal Zalewski provides an answer in "The Tangled Web". As a software tester, I find this book is a well-spring. It shows the vulnerabilities that browsers have, and it gives an excellent walk-through of potential exploits that testers can add to their plan of attack.

Michal starts out by giving us a tour and history of how we got where we are today, as well as a walk-through of the basics of URL encoding, HTTP requests, cookies, HTML and CSS, and server- and browser-side scripting (in all its various flavors). The variety of browser plug-ins that allow users to make their browsers more extensible and do things that go well beyond the traditional HTTP model of transactions is also covered (ActiveX, anyone?). This has not been a straight line of innovation, and it hasn't been done in the spirit of collegiality. In many ways, it's this lack of camaraderie that has led us to the situation we are in today; too much finger-pointing and not enough mutual collaboration can be said to be the reason the web is much less secure than it potentially could be.

You could be forgiven if you think this section is just a rehash of basic Web Info 101, but you would be wrong. In each section, Michal shows some interesting inconsistencies, and ways that miscreant users can take advantage of them (Unicode manipulation to display completely logical looking URLs but be totally different due to using Cyrillic alphabet characters? I'll admit *I* never thought of that one; it's a phisher's dream!).

Part II focuses on Browser Security Features, i.e. those features in various browsers that are actually designed to help users (and developers) make sure that they are hindering the ability of rogue apps to cause mischief. Michal explores the vagaries of Content Isolation (the same-origin policy being the most significant), Origin Inheritance (using URLs with data:, javascript: or about:), Frame Hijacking and Cross-Domain Content Inclusion, following different security rules for intranet vs. Internet usage, running services on non-standard ports, user-generated content and files, and more explicit and aggressive forms of malicious use like Denial of Service attacks.

Part III focuses on some up-and-coming areas where web browser manufacturers are making feature distinctions with browser security as a legitimate selling point. Cross-Origin Resource Sharing (CORS), Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), in-browser HTML sanitization, and additional tweaks to modern browsers take center stage in this section. Many of these modifications are currently in play on some browsers but not others, and many are part of the HTML5 and CSS3 framework that is emerging. Michal makes the case that, while many of these schemes are somewhat effective, it would be wise not to let one's guard down and rely on these modifications on faith alone. Forewarned is forearmed. The section ends with a chapter dedicated to Common Web Vulnerabilities (and a good list of test areas for the aspiring penetration tester).

At the end of each chapter is a "Security Engineering" Cheat Sheet. Note that each of these suggestions can also be used as a "Security Deconstruction Cheat Sheet". Any tester looking to expand their penetration testing repertoire, or just to expand their current heuristic testing models, would be well advised to look over each of these cheat sheets and see whether the sites and pages they are testing actually follow these directives, or whether they don't.

Bottom Line:

This is not a book that you will be able to read in a single sitting and absorb everything that it contains, but it will make you sit up and think about aspects of web security you might never have considered before. This is in equal parts a wake-up call and a style reference. It sounds a much-needed alarm and shows us areas we take for granted way too often, and alerts us to issues we have likely never considered. If you're a developer, tester, or infrastructure implementer, you would be wise to read and then re-read The Tangled Web. In our ever-changing world and with our web sites and services becoming more complex rather than less, the advice in this book may well prove to be both timely and timeless.
2 of 2 people found the following review helpful
on 16 February 2012
The Tangled Web is mostly about web technologies and how insecure they are by nature. The book is a very engaging narrative, full of details and impressive war stories. It focuses on the practical issues of web technologies and not on the theory of security. The book can be very useful for web developers and those interested in security. For example, at the end of each chapter we can find a "Security Engineering Cheat Sheet", which presents us with a summary of things to consider/do. These sheets alone make the book worth having. The book is organized in three main parts. In the first one, the author tells us the story of the inception of the web until today and discusses all the important technologies, protocols, etc. The second part focuses on browser security and the third part on "the things to come". Although the book is not very thick (around 300 pages), it addresses too many important issues to completely absorb them in a single reading.

To conclude, The Tangled Web is a solid book, full of interesting and useful information. For web developers and security experts it should be a must-read book. For the rest of us it is an enjoyable read.
on 11 February 2014
I haven't read it all yet, but it has already helped me a lot with my understanding of web security, including a good understanding of why things are the way they are today.