Book: The Tangled Web
Everybody in the “security world” knows Michal Zalewski and his work especially in the field of web security and exploitation. So, with no further introduction here is my review of his new book, “The Tangled Web“.
Title: The Tangled Web: A Guide to Securing Modern Web Applications
Author: Michal Zalewski
Chapter 1: Security in the World of Web Applications
Here we have a nice introduction to the web application security going through all the required theoretical information as well as useful historical references.
Part I: Anatomy of the Web
Chapter 2: It Starts with a URL
Although a chapter dedicated to URL might initially seem like an overkill, M. Zalewski proves the opposite. In this chapter we can see that are so many details in parsing URLs correctly that is extremely difficult to have an application able to handle all of them properly.
Chapter 3: Hypertext Transfer Protocol
Similarly to the previous chapter, this one is dedicated to the “web protocol”, HTTP and all the security related information that go with it. This includes everything from requests, handling, encoding schemes, data transfers, etc. Definitely an excellent chapter.
Chapter 4: Hypertext Markup Language
Moving to a higher level we have the language of the web, HTML. This language that has literally changed the world has also many nuances crucial to any security researcher. From parsing to integration semantics and content inclusion, this chapter has all the information you need to know to start looking at HTML from a security researcher’s point of view.
Chapter 5: Cascading Style Sheets
We all know that nowadays it is almost impossible to find any web site that does not use Cascading Style Sheets (CSS) to change the content’s appearance. From a security perspective CSS are also important, many subjects like encodings, parsing and XBL bindings are discussed here.
Chapter 6: Browser-Side Scripts
Chapter 7: Non-HTML Document Types
On the web we have numerous non-HTML files and all of them could have serious security impact on a web application. This chapter attempts to cover the most critical such as plain-text files, images, audio and video, XML, SVG, WML, RSS and Atom feeds, etc. by providing a quick overview for each one of them.
Chapter 8: Content Rendering with Browser Plug-ins
The last chapter of the first part of the book moves to a more complex subject. Starting with the essentials like invoking a plug-in, M. Zalewski moves to more advanced issues such as document rendering helpers and the various application frameworks (Adobe Flash, Microsoft Silverlight, etc.).
Part II: Browser Security Features
Chapter 9: Content Isolation Logic
Starting with the second part we now deal with the security policies that assist in securing web applications. Author explains how same-origin policy should be implemented for different types of objects and requests. Then he moves to plug-in related security policies and more advanced topics like unexpected or ambiguous origins.
Chapter 10: Origin Inheritance
Chapter 11: Life Outside Same-Origin Rules
Continuing from the previous chapters, this one moves to a subject that has to do with content outside same-origin policy. For example, window or frame interactions.
Chapter 12: Other Security Boundaries
Apart from handling of the content there are a lot limitations that a web application should enforce. In this chapter you can find information for such topics like internal network(s) access, prohibited ports, third-party cookies, etc.
Chapter 13: Content Recognition Mechanisms
After discussing the document type detection model, M. Zalewski goes through many security related subjects that have to do with the content recognition including malformed MIME types, Content-Type values, downloaded files, character set handling, etc.
Chapter 14: Dealing with Rogue Scripts
Starting with denial-of-service attacks and the equivalent mitigation strategies for web applications, he moves to appearence problems and timing attacks on the user interface.
Chapter 15: Extrinsic Site Privileges
Here we have an overview of the extrinsic site privilege model including information for site permissions, password managers as well as a discussion of Microsoft Internet Explorer’s zone model.
Part III: A Glimpse of Things to Come
Chapter 16: New and Upcoming Security Features
The last part of this books is about the future of web application security. Many useful ideas and implementations are analysed in this chapter including popular ones like sandboxed frames and XSS filtering to less popular like security model extension frameworks for cross-domain requests.
Chapter 17: Other Browser Mechanisms of Note
Really interesting ideas that affect the security of web applications are provided here. Some of them are protocol registration, binary HTTP, P2P networking, geolocation discovery, UI notifications, media capture, etc.
Chapter 18: Common Web Vulnerabilities
This is the last chapter of the book and it’s a quick reference of all the common web vulnerabilities along with a small description.
So, if you are seriously interested in web application security and not limited to simple SQL injection and XSS vulnerabilities you should definitely read this book. I’m not aware of any other book dealing with this subject in such detail, most web application books are limited to vulnerability discovery and exploitation of bug classes known for at least 10 years but this one is about understanding each part of an application from the design, specifications, logic and of course implementation. Excellent work.