The Tangled Web is my second book, a lovingly crafted guide to the world of browser security. It enters an overcrowded market, but there are two reasons why you may want to care. >
First of all, where other books simply dispense old and tired advice on remediating common vulnerabilities, The Tangled Web offers a detailed and thoroughly enjoyable account of both the "how" and the "why" of the modern web. In doing so, it enables you to deal with the seedy underbelly of contemporary, incredibly complex web apps.
The other reason is that it is based on years of original research - including, of course, my Browser Security Handbook (2008). I think it is simply unmatched when it comes to the breadth and the quality of the material presented. It outlines dozens of obscure but remarkably important security policies, governing everything from content rendering to frame navigation - and affecting your applications in more ways than you may expect.
The book was published by No Starch Press (ISBN 9781593273880), and is available for around $30 from all the usual retailers, including Amazon and Barnes & Noble; Safari subscribers can also get it here.
Alternatively, you can buy directly from the publisher - use coupon code
COREDUMP.CX to get 30% off. If you buy from No Starch, you get complimentary, DRM-free PDF, Mobi, and ePub versions
with each paper copy; they also sell e-books separately.
Translations: Italian (Apogeo), Chinese (China Machine Press), German (dpunkt), Polish (Helion), Korean (SciTech Media), Japanese (Shoeisha), Spanish (Anaya).
Endorsements from several prominent experts in the security community:
Mark Dowd: "Perhaps the most thorough and insightful treatise on the state of security for web-driven technologies to date."
Tavis Ormandy: "Thorough and comprehensive coverage from one of the foremost experts in browser security."
Collin Jackson (CMU Web Security Group): "A must-read for anyone who values their security and privacy online."
Notable detailed reviews:
Dave Aitel (Immunity): "The best book out there on web security right now."
Stephen Northcutt (SANS): "I was looking forward to taking a look at this. What I did not expect was that I would not want to put it down."
Ben Rothke: "[An] incredibly good and highly technical book."
Packet Storm review: "One-off findings are constantly discovered and documented, but this is the first time I have seen a comprehensive guide that focuses on everything from cross-domain content inclusion to content-sniffing. It is the sort of book that should be required reading for every web developer."
Chris Rohlf (Matasano): "My expectations were high for this book for a reason and it doesn't disappoint."
Chris John Riley (Catch22): "I love this book. There's no other way to say it."
Gynvael Coldwind: "TL;DR: Must have."
Kristian Erik Hermansen: "Mr. Zalewski's new book is impressive and should be read by anyone working in the web space that cares about security -- whether an attacker or defender."
Devon kearns (Offensive Security): "I can't think of a better starting point for anyone interested in securing, or taking advantage of, web application technologies."
Miscellanous Twitter mentions:
Elie Bursztein (Stanford Security Lab): "Anyone serious about web security should order 'The Tangled Web'."
Adam Langley (Chrome): "The Tangled Web is a fantastic book."
Nasko Oskov (Microsoft): "Highly recommended to anyone interested in web security."
Ruben Santamarta: "[What] every book should be: written by someone who has the knowledge in addition to the talent to write about it."
Bob Ippolito (Python hacker): "Simultaneously hilarious and frightening."
Joel Tyson: "Worth every penny."
Chapter 3 is available for download here. In addition, an excerpt from the introduction to the Kindle version can be read on Amazon (click the cover if it doesn't load automatically).
The following is a rough, top-level table of contents for the book; you can download a more detailed but non-annotated version here.
Introduction and Acknowledgments
1. Security in the World of Web Applications (Kindle excerpt)
Part I: Anatomy of the Web
2. It Starts with a URL
3. Hypertext Transfer Protocol (download)
4. Hypertext Markup Language
5. Cascading Stylesheets
6. Browser-Side Scripts
7. Non-HTML Document Types
8. Browser Plugins
Part II: Browser Security Features
9. Content Isolation Logic
10. Origin Inheritance
11. Life Outside Same-Origin Rules
12. Other Security Boundaries
13. Content Recognition Mechanisms
14. Dealing with Rogue Scripts
15. Extrinsic Site Privileges
Part III: A Glimpse of Things to Come
16. New and Upcoming Security Features
17. Other Browser Mechanisms of Note
A Glossary of Web Vulnerabilities
If you have any questions or feedback about the book, please contact me at <firstname.lastname@example.org>. You can also follow me on Twitter here.