The Tangled Web:
A Guide to Securing Modern Web Applications
The Tangled Web is my second book, a lovingly crafted guide to the world of browser security. It enters an overcrowded market, but there are two reasons why you may want to care.
First of all, where other books simply dispense old and tired advice on remediating common vulnerabilities, The Tangled Web offers a detailed and thoroughly enjoyable account of both the "how" and the "why" of the modern web. In doing so, it enables you to deal with the seedy underbelly of contemporary, incredibly complex web apps.
The other reason is that it is based on years of original research - including, of course, my Browser Security Handbook (2008).
I think it is simply unmatched when it comes to the breadth and the quality of the material presented. It outlines dozens of obscure but remarkably important security policies, governing everything from content rendering to frame navigation - and affecting your applications in more ways than you may expect.
Where to buy
The book was published by No Starch Press (ISBN 9781593273880), and is available for around $30 from all the usual retailers, including Amazon and Barnes & Noble; Safari subscribers can also get it here.
Alternatively, you can buy directly from the publisher - use coupon code COREDUMP.CX to get 30% off. If you buy from No Starch, you get complimentary, DRM-free PDF, Mobi, and ePub versions with each paper copy; they also sell e-books separately.
Translations:
Italian (Apogeo),
Chinese (China Machine Press),
German (dpunkt),
Polish (Helion),
Korean (SciTech Media),
Japanese (Shoeisha),
Spanish (Anaya).
Reviews
Endorsements from several prominent experts in the security community:
- Mark Dowd: "Perhaps the most thorough and insightful treatise on the state of security for web-driven technologies to date."
- Tavis Ormandy: "Thorough and comprehensive coverage from one of the foremost experts in browser security."
- Collin Jackson (CMU Web Security Group): "A must-read for anyone who values their security and privacy online."
Notable detailed reviews:
- Dave Aitel (Immunity): "The best book out there on web security right now."
- Stephen Northcutt (SANS): "I was looking forward to taking a look at this. What I did not expect was that I would not want to put it down."
- Ben Rothke: "[An] incredibly good and highly technical book."
- Packet Storm review: "One-off findings are constantly discovered and documented, but this is the first time I have seen a comprehensive guide that focuses on everything from cross-domain content inclusion to content-sniffing. It is the sort of book that should be required reading for every web developer."
- Chris Rohlf (Matasano): "My expectations were high for this book for a reason and it doesn't disappoint."
- Chris John Riley (Catch22): "I love this book. There's no other way to say it."
- Gynvael Coldwind: "TL;DR: Must have."
- Kristian Erik Hermansen: "Mr. Zalewski's new book is impressive and should be read by anyone working in the web space that cares about security -- whether an attacker or defender."
- Devon Kearns (Offensive Security): "I can't think of a better starting point for anyone interested in securing, or taking advantage of, web application technologies."
Miscellaneous Twitter mentions:
- Elie Bursztein (Stanford Security Lab): "Anyone serious about web security should order 'The Tangled Web'."
- Adam Langley (Chrome): "The Tangled Web is a fantastic book."
- Nasko Oskov (Microsoft): "Highly recommended to anyone interested in web security."
- Ruben Santamarta: "[What] every book should be: written by someone who has the knowledge in addition to the talent to write about it."
- Bob Ippolito (Python hacker): "Simultaneously hilarious and frightening."
- Joel Tyson: "Worth every penny."
More to come...
Sample chapter
Chapter 3 is available for download here. In addition, an excerpt from the introduction to the Kindle version can be read on Amazon (click the cover if it doesn't load automatically).
Table of Contents
The following is a rough, top-level table of contents for the book; you can download a more detailed but non-annotated version here.
Introduction and Acknowledgments
1. Security in the World of Web Applications (Kindle excerpt)
The goals of security engineering in the age of web apps. The chapter includes a sketch of the history of browser technologies, and the unique problems their architecture created today.
Part I: Anatomy of the Web
2. It Starts with a URL
The semantics of URL parsing, complete with the loopholes accidentally introduced by the original RFCs. The chapter also covers IDNA, character set handling, and a classification of commonly used network protocols.
3. Hypertext Transfer Protocol (download)
The inner workings of HTTP, including proxy requests, caching, conflict resolution, and chunked transfers. The chapter outlines the antics of character set and newline handling, the problems with Content-Disposition parsing, and much more.
4. Hypertext Markup Language
An overview of HTML and XHTML parsing, including an examination of error recovery modes, conditionals, subresource handling, form behaviors, etc. Provides HTML sanitization advice.
5. Cascading Stylesheets
CSS syntax. Among other things, outlines the dangers of parser resynchronization and the pitfalls of CSS3 selector logic.
6. Browser-Side Scripts
JavaScript language features and their security properties; parsing and execution model; DOM; JSON. Discusses security considerations for serving and loading dynamically generated scripts, examining properties of other documents, etc.
7. Non-HTML Document Types
From text documents to RSS to WML - a summary of all the non-HTML document types supported natively by modern browsers, and the security risks they pose to parties hosting them.
8. Browser Plugins
Security properties and other characteristics of commonly installed plugins, including Flash, Java, Silverlight, XBAP, and PDF.
Part II: Browser Security Features
9. Content Isolation Logic
Same-origin policy and its many flavors, including plugin-enforced policies, postMessage(), sessionStorage, localStorage, cookie behavior, etc. Provides an extensive discussion of unexpected interactions between these mechanisms, and advice on compartmentalizing web apps.
10. Origin Inheritance
Same-origin policy extensions implemented to deal with pseudo-URLs such as about:blank, javascript:, or data:. The chapter covers context inheritance rules and the unexpected security properties of windows and frames that point to these classes of URLs.
11. Life Outside Same-Origin Rules
Cross-domain interactions permitted outside SOP. The chapter pays special attention to the frame navigation model and its consequences for inter-frame communication schemes.
12. Other Security Boundaries
Covers miscellaneous additional navigation restrictions, such as port or protocol blacklists, DNS rebinding defenses, etc.
13. Content Recognition Mechanisms
A survey of content sniffing and character set detection logic, including topics such as IFRAME character set inheritance, BOM behavior, and a lot more.
14. Dealing with Rogue Scripts
Security restrictions devised to stop abusive scripts. A detailed discussion of UI timing attacks and other systemic vulnerabilities that plague the modern web.
15. Extrinsic Site Privileges
User-granted or browser-imposed privileges, from geolocation data access to the Internet Explorer zone model and MotW.
Part III: A Glimpse of Things to Come
16. New and Upcoming Security Features
A broad discussion of the ongoing HTML5 work and related security efforts, including sandboxed frames, CSP, or CORS.
17. Other Browser Mechanisms of Note
A brief review of web workers, cache manifests, notifications, navigation timing APIs, and more.
A Glossary of Web Vulnerabilities
Epilogue
Contact
If you have any questions or feedback about the book, please contact me at <lcamtuf@coredump.cx>.