Author: Michal Zalewski
ASIN: B006FZ3UNI
"Thorough and comprehensive coverage from one of the foremost experts in browser security."
—Tavis Ormandy, Google Inc.
Modern web applications are built on a tangle of technologies that have been developed over time and then haphazardly pieced together. Every piece of the web application stack, from HTTP requests to browser-side scripts, comes with important yet subtle security consequences. To keep users safe, it is essential for developers to confidently navigate this landscape.
In The Tangled Web, Michal Zalewski, one of the world's top browser security experts, offers a compelling narrative that explains exactly how browsers work and why they're fundamentally insecure. Rather than dispense simplistic advice on vulnerabilities, Zalewski examines the entire browser security model, revealing weak points and providing crucial information for shoring up web application security. You'll learn how to:
- Perform common but surprisingly complex tasks such as URL parsing and HTML sanitization
- Use modern security features like Strict Transport Security, Content Security Policy, and Cross-Origin Resource Sharing
- Leverage many variants of the same-origin policy to safely compartmentalize complex web applications and protect user credentials in case of XSS bugs
- Build mashups and embed gadgets without getting stung by the tricky frame navigation policy
- Embed or host user-supplied content without running into the trap of content sniffing
For quick reference, "Security Engineering Cheat Sheets" at the end of each chapter offer ready solutions to problems you're most likely to encounter. With coverage extending as far as planned HTML5 features, The Tangled Web will help you create secure web applications that stand the test of time.
- File Size: 1343 KB
- Print Length: 320 pages
- Publisher: No Starch Press; 1 edition (November 28, 2011)
- Sold by: Amazon Digital Services, Inc.
- Language: English
- ASIN: B006FZ3UNI
- Text-to-Speech: Enabled
- Lending: Not Enabled
- Amazon Best Sellers Rank: #143,805 Paid in Kindle Store
  - #21 in Books > Computers & Technology > Security & Encryption > Viruses
  - #30 in Books > Computers & Technology > Home Computing & How-to > Web Browsers
  - #51 in Books > Computers & Technology > Programming > Algorithms > Cryptography
Mr. Zalewski's new book is impressive and should be read by anyone working in the web space who cares about security -- whether an attacker or defender. It definitively captures the current state and how we arrived at this juncture due to the many historical browser wars. His current employer and producer of the most secure browser -- Google Chrome -- is about to capture a 40% share [1] of the browser market and leapfrog Firefox, Internet Explorer, and Safari.
The Tangled Web untangles the mystery of some poor design philosophies and also discusses some of the improvements that have been made along the way. A quote from the book that sums it all up is a statement that "...the status quo reflects several rounds of hastily implemented improvements and is a complex mix of browser-specific special cases..."
I greatly enjoyed reading the book and jotted some notes down that may be useful to other readers. These were the topics that piqued my interest the most:
* Microsoft's challenge to JavaScript, VBScript, has the potential for some exploitation, if no one has been fuzzing it much thus far.
* SVG embedding vulnerability potential (e.g. some initial research also published by Thorsten Holz [2]).
* Flash cross-domain exploitation examples and crossdomain.xml "loose" policies.
* Great coverage of "GIFAR" type issues.
* Astute observations of trade-offs in plugin attack surface versus actual benefit to users.
* XBAP security coverage.
* The excellent tables of Same-Origin-Policy violations and other tests versus different client-side contexts.
* In depth coverage of URI schemes [3] and potentials for abuse.
* How to resolve data sharing via new mechanisms like postMessage() API.
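The reviewer's last two bullets (same-origin-policy tables and data sharing via postMessage()) are where most real-world mistakes happen, so here is an added example of the receiver-side origin check and the sender-side targetOrigin argument. This is not code from the book or from the reviewer; the origins, message format and the MessageEvent-shaped plain objects it uses (so that it runs in Node without a browser) are all constructed for illustration.

```javascript
// Added example, not code from the book or from the reviewer. It shows the
// origin check that a window.postMessage() receiver needs and the sender's
// targetOrigin argument. Events are plain objects shaped like a browser
// MessageEvent ({origin, data}) so the code runs in Node without a browser;
// all origins and message formats below are constructed for illustration.

// Vulnerable receiver: acts on any message, so any page that holds a
// reference to this window (a framing page, an opener) can inject one.
function vulnerableReceiver(state, event) {
  const msg = event.data;
  if (msg && msg.type === 'setToken') {
    state.token = msg.token; // attacker-controlled value lands in app state
    return true;
  }
  return false;
}

// Common mistake: substring or prefix matching on the origin. This accepts
// an attacker-controlled host such as app.example.com.attacker.net.
function looseOriginCheck(origin) {
  return origin.indexOf('app.example.com') !== -1;
}

// Correct check: exact match against an allow list of full origins
// (scheme + host + port). event.origin is filled in by the browser and
// cannot be spoofed by the sending page.
function makeStrictReceiver(allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  return function strictReceiver(state, event) {
    if (!allowed.has(event.origin)) return false;
    const msg = event.data;
    // Validate the shape too: a trusted origin may itself have an XSS bug,
    // so never eval or blindly merge whatever arrives.
    if (!msg || typeof msg !== 'object') return false;
    if (msg.type !== 'setToken' || typeof msg.token !== 'string') return false;
    state.token = msg.token;
    return true;
  };
}

// Sender side: name the intended recipient. With targetOrigin '*' the
// browser delivers the message even if the frame has since been navigated
// to an attacker's page, leaking the secret. Returns the origin used.
function sendToken(targetWindow, token, recipientOrigin) {
  if (recipientOrigin === '*') {
    throw new Error('refusing to send a secret with targetOrigin "*"');
  }
  targetWindow.postMessage({ type: 'setToken', token: token }, recipientOrigin);
  return recipientOrigin;
}

// Demo with constructed events; attackerEvent comes from an untrusted origin
// whose hostname merely contains the trusted one.
const attackerEvent = {
  origin: 'https://app.example.com.attacker.net',
  data: { type: 'setToken', token: 'attacker-chosen' },
};
const trustedEvent = {
  origin: 'https://app.example.com',
  data: { type: 'setToken', token: 's3cret' },
};
const strictReceiver = makeStrictReceiver(['https://app.example.com']);

const weakState = {};
vulnerableReceiver(weakState, attackerEvent);
const strictState = {};
strictReceiver(strictState, attackerEvent);
strictReceiver(strictState, trustedEvent);
console.log('vulnerable receiver token:', weakState.token);   // attacker-chosen
console.log('strict receiver token:   ', strictState.token);  // s3cret
console.log('loose check accepts attacker:', looseOriginCheck(attackerEvent.origin)); // true
```

In a real page the receiver is registered with `window.addEventListener('message', e => strictReceiver(appState, e))`; the allow list should be a small fixed set of full origins, never a regular expression or a substring test, and the recipient origin passed to postMessage() should be the same literal string.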
In the classic poem Inferno, Dante passes through the gates of Hell, which bear the inscription "abandon all hope, ye who enter here" above the entrance. After reading The Tangled Web: A Guide to Securing Modern Web Applications, one gets the feeling that writing secure web code is akin to Dante's experience.
In this incredibly good and highly technical book, author Michal Zalewski writes that modern web applications are built on a tangled mesh of technologies that have been developed over time and then haphazardly pieced together. Every piece of the web application stack, from HTTP requests to browser-side scripts, comes with important yet subtle security consequences. In the book, Zalewski dissects those subtle security consequences to show what their dangers are, and how developers can take it to heart and write secure code for browsers.
The Tangled Web: A Guide to Securing Modern Web Applications is written in the same style as Zalewski's last book, Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks, which is another highly technical and dense book on the topic. This book tackles the issues surrounding insecure web browsers. Since the browser is the portal of choice for so many users, its inherent security flaws leave the user at significant risk. The book details what developers can do to mitigate those risks.
This book starts out with the observation that while the field of information security seems to be a mature and well-defined discipline, there is not even a rudimentary usable framework for understanding and assessing the security of modern software.
In chapter 1, the book provides a brief overview of the development of the web and how so many security issues have cropped up.