Rating:
(28 reviews)
Author: Visit Amazon's Michal Zalewski Page
ISBN : 1593273886
New from $31.82
Format: PDF
Posts about Download The Book Free The Tangled Web: A Guide to Securing Modern Web Applications Paperback for everyone book 4shared, mediafire, hotfile, and mirror link
About the Author
Michal Zalewski is an internationally recognized information security expert with a long track record of delivering cutting-edge research. He is credited with discovering hundreds of notable security vulnerabilities and frequently appears on lists of the most influential security experts. He is the author of Silence on the Wire (No Starch Press), Google's "Browser Security Handbook," and numerous important research papers.
Direct download links available for Free The Tangled Web: A Guide to Securing Modern Web Applications Paperback
- Paperback: 320 pages
- Publisher: No Starch Press (November 26, 2011)
- Language: English
- ISBN-10: 1593273886
- ISBN-13: 978-1593273880
- Product Dimensions: 0.8 x 7 x 9.1 inches
- Shipping Weight: 1.4 pounds (View shipping rates and policies)
Free The Tangled Web: A Guide to Securing Modern Web Applications
Mr. Zalewski's new book is impressive and should be read by anyone working in the web space that cares about security -- whether an attacker or defender. It definitively captures the current state and how we arrived at this juncture due to the many historical browser wars. His current employer and producer of the most secure browser -- Google Chrome -- is about to capture a 40% share [1] of the browser market and leap frog Firefox, Internet Explorer, and Safari.
The Tangled Web untangles the mystery of some poor design philosophies and also discusses some of the improvements that have been made along the way. A quote from the book that sums it all up is a statement that "...the status quo reflects several rounds of hastily implemented improvements and is a complex mix of browser-specific special cases..."
I greatly enjoyed reading the book and jotted some notes down that may be useful to other readers. These were the topics that piqued my interest the most:
* Microsoft's challenge to JavaScript, VBScript, has the potential for some exploitation, if no one has been fuzzing it much thus far.
* SVG embedding vulnerabilities potential (eg. some initial research also published by Thorsten Holz [2]).
* Flash cross-domain exploitation examples and crossdomain.xml "loose" policies.
* Great coverage of "GIFAR" type issues.
* Astute observations of trade-offs in plugin attack surface versus actual benefit to users.
* XBAP security coverage.
* The excellent tables of Same-Origin-Policy violations and other tests versus different client-side contexts.
* In depth coverage of URI schemes [3] and potentials for abuse.
* How to resolve data sharing via new mechanisms like postMessage() API.
In the classic poem Inferno, Dante passes through the gates of Hell, which has the inscription abandon all hope, ye who enter here above the entrance. After reading The Tangled Web: A Guide to Securing Modern Web Applications, one gets the feeling the writing secure web code is akin to Dante's experience.
In this incredibly good and highly technical book, author Michal Zalewski writes that modern web applications are built on a tangled mesh of technologies that have been developed over time and then haphazardly pieced together. Every piece of the web application stack, from HTTP requests to browser-side scripts, comes with important yet subtle security consequences. In the book, Zalewski dissects those subtle security consequences to show what their dangers are, and how developers can take it to heart and write secure code for browsers.
The Tangled Web: A Guide to Securing Modern Web Applications is written in the same style as Zalewski's last book - Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks, which is another highly technical and dense book on the topic. This book tackles the issues surrounding insecure web browsers. Since the browser is the portal of choice for so many users; its inherent secure flaws leaves the user at a significant risk. The book details what developers can do to mitigate those risks.
This book starts out with the observation that while the field of information security seems to be a mature and well-defined discipline, there is not even a rudimentary usable framework for understanding and assessing the security of modern software.
In chapter 1, the book provides a brief overview of the development of the web and how so many security issues have cropped in.