The Tangled Web:
A Guide to Securing Modern Web Applications
The Tangled Web is my second book, a lovingly crafted
guide to the world of browser security. It enters an overcrowded market, but there
are two reasons why you may want to care.
First of all, where other books simply dispense old and tired advice on remediating
common vulnerabilities, The Tangled Web offers a detailed and thoroughly enjoyable
account of both the "how" and the "why" of the modern web. In doing so, it enables
you to deal with the seedy underbelly of contemporary, incredibly complex web apps.
The other reason is that it is based on years of original research - including, of course, my
Browser Security Handbook (2008).
I think it is simply unmatched when it comes to the breadth and the quality of the
material presented. It outlines dozens of obscure but remarkably important security
policies, governing everything from content rendering to frame navigation - and affecting
your applications in more ways than you may expect.
Where to buy
The book was published by No Starch Press (ISBN 9781593273880),
and is available for around $30 from all the usual retailers, including
Barnes & Noble;
Safari subscribers can also get it here.
Alternatively, you can buy directly from the publisher - use coupon code
COREDUMP.CX to get 30% off. If you buy from No Starch, you get complimentary, DRM-free PDF, Mobi, and ePub versions
with each paper copy; they also sell e-books separately.
Chinese (China Machine Press),
Korean (SciTech Media),
Endorsements from several prominent experts in the security community:
Notable detailed reviews:
- Mark Dowd: "Perhaps the most thorough and insightful treatise on the state of security for web-driven technologies to date."
- Tavis Ormandy: "Thorough and comprehensive coverage from one of the foremost experts in browser security."
- Collin Jackson (CMU Web Security Group): "A must-read for anyone who values their security and privacy online."
Miscellanous Twitter mentions:
- Dave Aitel (Immunity): "The best book out there on web security right now."
- Stephen Northcutt (SANS): "I was looking forward to taking a look at this. What I did not expect was that I would not want to put it down."
- Ben Rothke: "[An] incredibly good and highly technical book."
- Packet Storm review: "One-off findings are constantly discovered and documented, but this is the first time I have seen a comprehensive guide that focuses on everything from cross-domain content inclusion to content-sniffing. It is the sort of book that should be required reading for every web developer."
- Chris Rohlf (Matasano): "My expectations were high for this book for a reason and it doesn't disappoint."
- Chris John Riley (Catch22): "I love this book. There's no other way to say it."
- Gynvael Coldwind: "TL;DR: Must have."
- Kristian Erik Hermansen: "Mr. Zalewski's new book is impressive and should be read by anyone working in the web space that cares about security -- whether an attacker or defender."
- Devon kearns (Offensive Security): "I can't think of a better starting point for anyone interested in securing, or taking advantage of, web application technologies."
More to come...
- Elie Bursztein (Stanford Security Lab): "Anyone serious about web security should order 'The Tangled Web'."
- Adam Langley (Chrome): "The Tangled Web is a fantastic book."
- Nasko Oskov (Microsoft): "Highly recommended to anyone interested in web security."
- Ruben Santamarta: "[What] every book should be: written by someone who has the knowledge in addition to the talent to write about it."
- Bob Ippolito (Python hacker): "Simultaneously hilarious and frightening."
- Joel Tyson: "Worth every penny."
Chapter 3 is available for download
here. In addition, an excerpt from the introduction to the Kindle version
can be read on Amazon
(click the cover if it doesn't load automatically).
Table of Contents
The following is a rough, top-level table of contents for the book; you can download a more
detailed but non-annotated version here.
Introduction and Acknowledgments
1. Security in the World of Web Applications (Kindle excerpt)
The goals of security engineering in the age of web apps. The chapter includes a sketch of the
history of browser technologies, and the unique problems their architecture created today.
Part I: Anatomy of the Web
2. It Starts with a URL
The semantics of URL parsing, complete with the loopholes accidentally introduced by the
original RFCs. The chapter also covers IDNA, character set handling, and a classification of commonly used
3. Hypertext Transfer Protocol (download)
The inner workings of HTTP, including proxy requests, caching, conflict resolution, and
chunked transfers. The chapter outlines the antics of character set and newline handling, the problems with
Content-Disposition parsing, and much more.
4. Hypertext Markup Language
An overview of HTML and XHTML parsing, including an examination of error recovery modes,
conditionals, subresource handling, form behaviors, etc. Provides HTML sanitization advice.
5. Cascading Stylesheets
CSS syntax. Among other things, outlines the dangers of parser resynchronization and the pitfalls
of CSS3 selector logic.
6. Browser-Side Scripts
considerations for serving and loading dynamically generated scripts, examining properties of other documents, etc.
7. Non-HTML Document Types
From text documents to RSS to WML - a summary of all the non-HTML document types supported natively by modern browsers, and the
security risks they pose to parties hosting them.
8. Browser Plugins
Security properties and other characteristics of commonly installed plugins, including Flash, Java, Silverlight, XBAP, and PDF.
Part II: Browser Security Features
9. Content Isolation Logic
Same-origin policy and its many flavors, including plugin-enforced policies, postMessage(), sessionStorage, localStorage, cookie
Provides an extensive discussion of unexpected interactions between these mechanisms, and advice on compartmentalizing web apps.
10. Origin Inheritance
The chapter covers context inheritance rules and the unexpected security properties of windows and frames that point to these classes of URLs.
11. Life Outside Same-Origin Rules
Cross-domain interations permitted outside SOP. The chapter pays special attention to the frame navigation model and
its consequences for inter-frame communication schemes.
12. Other Security Boundaries
Covers miscellanous additional navigation restrictions, such as port or protocol blacklists, DNS rebinding defenses, etc.
13. Content Recognition Mechanisms
A survey of content sniffing and character set detection logic, including topics such as IFRAME character set inheritance,
BOM behavior, and a lot more.
14. Dealing with Rogue Scripts
Security restrictions devised to stop abusive scripts. A detailed discussion of UI timing attacks and other systemic
vulnerabilities that plague the modern web.
15. Extrinsic Site Privileges
User-granted or browser-imposed privileges, from geolocation data access to the Internet Explorer zone model and MotW.
Part III: A Glimpse of Things to Come
16. New and Upcoming Security Features
A broad discussion of the ongoing HTML5 work and related security efforts, including sandboxed frames, CSP, or CORS.
17. Other Browser Mechanisms of Note
A brief review of web workers, cache manifests, notifications, navigation timing APIs, and more.
A Glossary of Web Vulnerabilities
If you have any questions or feedback about the book, please contact me at