Commencez à lire The Tangled Web: A Guide to Securing Modern Web Applications sur votre Kindle dans moins d'une minute. Vous n'avez pas encore de Kindle ? Achetez-le ici Ou commencez à lire dès maintenant avec l'une de nos applications de lecture Kindle gratuites.

Envoyer sur votre Kindle ou un autre appareil


Essai gratuit

Découvrez gratuitement un extrait de ce titre

Envoyer sur votre Kindle ou un autre appareil

Désolé, cet article n'est pas disponible en
Image non disponible pour la
couleur :
Image non disponible

The Tangled Web: A Guide to Securing Modern Web Applications [Format Kindle]

Michal Zalewski

Prix conseillé : EUR 30,08 De quoi s'agit-il ?
Prix éditeur - format imprimé : EUR 45,63
Prix Kindle : EUR 21,05 TTC & envoi gratuit via réseau sans fil par Amazon Whispernet
Économisez : EUR 24,58 (54%)

App de lecture Kindle gratuite Tout le monde peut lire les livres Kindle, même sans un appareil Kindle, grâce à l'appli Kindle GRATUITE pour les smartphones, les tablettes et les ordinateurs.

Pour obtenir l'appli gratuite, saisissez votre adresse e-mail ou numéro de téléphone mobile.


Prix Amazon Neuf à partir de Occasion à partir de
Format Kindle EUR 21,05  
Broché EUR 47,02  
-40%, -50%, -60%, -70%... Découvrez les Soldes Amazon jusqu'au 17 février 2015 inclus. Profitez-en !

Descriptions du produit

Présentation de l'éditeur

"Thorough and comprehensive coverage from one of the foremost experts in browser security."

—Tavis Ormandy, Google Inc.

Modern web applications are built on a tangle of technologies that have been developed over time and then haphazardly pieced together. Every piece of the web application stack, from HTTP requests to browser-side scripts, comes with important yet subtle security consequences. To keep users safe, it is essential for developers to confidently navigate this landscape.

In The Tangled Web, Michal Zalewski, one of the world's top browser security experts, offers a compelling narrative that explains exactly how browsers work and why they're fundamentally insecure. Rather than dispense simplistic advice on vulnerabilities, Zalewski examines the entire browser security model, revealing weak points and providing crucial information for shoring up web application security. You'll learn how to:

  • Perform common but surprisingly complex tasks such as URL parsing and HTML sanitization
  • Use modern security features like Strict Transport Security, Content Security Policy, and Cross-Origin Resource Sharing
  • Leverage many variants of the same-origin policy to safely compartmentalize complex web applications and protect user credentials in case of XSS bugs
  • Build mashups and embed gadgets without getting stung by the tricky frame navigation policy
  • Embed or host user-supplied content without running into the trap of content sniffing

For quick reference, "Security Engineering Cheat Sheets" at the end of each chapter offer ready solutions to problems you're most likely to encounter. With coverage extending as far as planned HTML5 features, The Tangled Web will help you create secure web applications that stand the test of time.

Détails sur le produit

  • Format : Format Kindle
  • Taille du fichier : 1343 KB
  • Nombre de pages de l'édition imprimée : 320 pages
  • Editeur : No Starch Press; Édition : 1 (28 novembre 2011)
  • Vendu par : Amazon Media EU S.à r.l.
  • Langue : Anglais
  • ASIN: B006FZ3UNI
  • Synthèse vocale : Activée
  • X-Ray :
  • Word Wise: Non activé
  • Classement des meilleures ventes d'Amazon: n°170.063 dans la Boutique Kindle (Voir le Top 100 dans la Boutique Kindle)
  •  Souhaitez-vous faire modifier les images ?

En savoir plus sur l'auteur

Découvrez des livres, informez-vous sur les écrivains, lisez des blogs d'auteurs et bien plus encore.

Commentaires en ligne

Il n'y a pas encore de commentaires clients sur
5 étoiles
4 étoiles
3 étoiles
2 étoiles
1 étoiles
Commentaires client les plus utiles sur (beta) 4.6 étoiles sur 5  33 commentaires
24 internautes sur 25 ont trouvé ce commentaire utile 
5.0 étoiles sur 5 On the evolution of the modern web browser design and notable security implications. 26 novembre 2011
Par K. H. - Publié sur
Mr. Zalewski's new book is impressive and should be read by anyone working in the web space that cares about security -- whether an attacker or defender. It definitively captures the current state and how we arrived at this juncture due to the many historical browser wars. His current employer and producer of the most secure browser -- Google Chrome -- is about to capture a 40% share [1] of the browser market and leap frog Firefox, Internet Explorer, and Safari.

The Tangled Web untangles the mystery of some poor design philosophies and also discusses some of the improvements that have been made along the way. A quote from the book that sums it all up is a statement that "...the status quo reflects several rounds of hastily implemented improvements and is a complex mix of browser-specific special cases..."

I greatly enjoyed reading the book and jotted some notes down that may be useful to other readers. These were the topics that piqued my interest the most:

* Microsoft's challenge to JavaScript, VBScript, has the potential for some exploitation, if no one has been fuzzing it much thus far.

* SVG embedding vulnerabilities potential (eg. some initial research also published by Thorsten Holz [2]).

* Flash cross-domain exploitation examples and crossdomain.xml "loose" policies.

* Great coverage of "GIFAR" type issues.

* Astute observations of trade-offs in plugin attack surface versus actual benefit to users.

* XBAP security coverage.

* The excellent tables of Same-Origin-Policy violations and other tests versus different client-side contexts.

* In depth coverage of URI schemes [3] and potentials for abuse.

* How to resolve data sharing via new mechanisms like postMessage() API.

* Blind cookie-overwrite attacks (interesting examples).

* Very humorous abuse example.

* Local HTML/other execution issues that break privacy segmentation.

* Interesting about:neterror security weakness example.

* New style HTML frame attacks.

* CSS object overlay click-jacking examples and impact on user experience (eg. Firefox add-on installation).

* Content sniffing and dangers such as Byte Order Marking / UTF-7; also interesting note on difference between "UTF7" and "UTF-7".

* window.createPopup() example.

* Abusing HSTS header injection for client-side DoS.

* CSP coverage.

As a final note, it was highly predictable to see slow-moving browser vendors being cited for their inability to rectify issues quickly (even those that are known), but what struck me as noteworthy was the case where Microsoft correctly challenged the CORS standard. It didn't appear that they were doing this for any political reason and in fact came up with a more technically superior solution, which the CORS team eventually drew inspiration from. That was nice for the author to throw in there and show that Microsoft still has the ability to engineer great solutions when they truly care about an initiative.

I hope other readers also enjoy the book when they pick it up...

[1] [...]
[2] [...]
[3] [...]
9 internautes sur 9 ont trouvé ce commentaire utile 
5.0 étoiles sur 5 Incredibly good and highly technical book on browser security coding 25 janvier 2012
Par Ben Rothke - Publié sur
In the classic poem Inferno, Dante passes through the gates of Hell, which has the inscription abandon all hope, ye who enter here above the entrance. After reading The Tangled Web: A Guide to Securing Modern Web Applications, one gets the feeling the writing secure web code is akin to Dante's experience.

In this incredibly good and highly technical book, author Michal Zalewski writes that modern web applications are built on a tangled mesh of technologies that have been developed over time and then haphazardly pieced together. Every piece of the web application stack, from HTTP requests to browser-side scripts, comes with important yet subtle security consequences. In the book, Zalewski dissects those subtle security consequences to show what their dangers are, and how developers can take it to heart and write secure code for browsers.

The Tangled Web: A Guide to Securing Modern Web Applications is written in the same style as Zalewski's last book - Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks, which is another highly technical and dense book on the topic. This book tackles the issues surrounding insecure web browsers. Since the browser is the portal of choice for so many users; its inherent secure flaws leaves the user at a significant risk. The book details what developers can do to mitigate those risks.

This book starts out with the observation that while the field of information security seems to be a mature and well-defined discipline, there is not even a rudimentary usable framework for understanding and assessing the security of modern software.

In chapter 1, the book provides a brief overview of the development of the web and how so many security issues have cropped in. Zalewski writes that perhaps the most striking and nontechnical property of web browsers is that most people who use them are overwhelmingly unskilled. And given the fact that most users simply do not know enough to use the web in a safe manner, which leads to the predicament we are in now.

Zalewski then spends the remainder of the book detailing specific problems, how they are exploited, and details the manner in which they can be fixed.

In chapter 2, the book details that something as elementary as how the resolution of relative URL's is done isn't a trivial exercise. The book details how misunderstandings occur between application level URL filters and the browser when handling these types of relative references can lead to security problems.

For those that want a feel for the book, chapter 3 on the topic of HTTP is available here.

Chapter 4 deals with HTML and the book notes that HTML is the subject of a fascinating conceptual struggle with a clash between the ideology and the reality of the on-line world. Tim Berners-Lee had the vision of a semantic web; namely a common framework that allows data to be shared and reused across applications, companies and the entire web. The notion though of a semantic web has not really caught on.

Chapter 4 continues with a detailed overview of how to understand HTML parser behavior. The author writes that HTML parsers will second-guess the intent of the page developer which can leads to security problems.

In chapter 12, the book deals with third-party cookies and notes that since their inception, HTTP cookies have been misunderstood as the tool that enables online advertisers to violate users privacy. Zalewski observes that the public's fixation on cookies is deeply misguided. He writes there is no doubt that some sites use cookies as a mechanism for malicious use. But that there is nothing that makes it uniquely suited for this task, as there are many other equivalent ways to sore unique identifiers on visitor's computes, such as cache-based tags.

Chapter 14 details the issue of rogue scripts and how to manage them. In the chapter, the author goes slightly off-topic and asks the question if the current model of web scripting is fundamentally incompatible with the way human beings works. Which leads to the question of it if is possible for a script to consistently outsmart victims simply due to the inherent limits of human cognition.

Part 3 of the book takes up the last 35 pages and is a glimpse of things to come. Zalewski optimistically writes that many of the battles being fought in today's browser war is around security, which is a good thing for everyone.

Chapter 16 deals with new and upcoming security features of browsers and details many compelling security features such as security model extension frameworks and security model restriction frameworks.

The chapter deals with one of the more powerful frameworks is the Content Security Policy (CSP) from Mozilla. CSP is meant to fix a large class of web application vulnerabilities, including cross site scripting, cross site request forgery and more. The book notes that as powerful as CSP is, one of its main problems is not a security one, in that it requires a webmaster to move all incline scripts on a web page to a separately requested document. Given that many web pages have hundreds of short scripts; this can be an overwhelmingly onerous task.

The chapter concludes with other developments such as in-browser HTML sanitizers, XSS filtering and more.

Each chapter also concludes with a security engineering cheat sheet that details the core themes of the chapter.

For anyone involved in programming web pages, The Tangled Web: A Guide to Securing Modern Web Applications should be considered required reading to ensure they write secure web code. The book takes a deep look at the core problems with various web protocols, and offers effective methods in which to mitigate those vulnerabilities.

Michal Zalewski brings his extremely deep technical understanding to the book and combines it with a most readable style. The book is an invaluable resource and provides a significant amount of information needed to write secure code for browsers. There is a huge amount of really good advice in this book, and for those that are building web applications, it is hopes this is a book they read.
12 internautes sur 13 ont trouvé ce commentaire utile 
3.0 étoiles sur 5 Decent book...for readers with previous knowledge 23 août 2012
Par Rebecca Ames - Publié sur
In general, I thought this book was good. It covers a lot of material, and has nice "cheat sheets" at the end of each chapter.

The reason I give the book 3 stars, however, is that the author is suffering from the curs of knowledge (or perhaps I am suffering from the curse of ignorance). While he gives some background information on how browsers work, html works, etc in the first part of the book, I did not find that it was enough to really understand the consequences of some of the vulnerabilities that he mentions. Often I was left wondering how the issue he raises is actually an issue, or how someone would exploit it.

As a web developer, knowing how someone might exploit the security holes allows me to figure out how to close down those holes and make my web application more secure.

Also, the book seems to be focused on what browser developers should be doing in order to close down these issues, and not what web developers should be doing.
6 internautes sur 6 ont trouvé ce commentaire utile 
5.0 étoiles sur 5 Systematic coverage of browser security 1 décembre 2011
Par Marcin Antkiewicz - Publié sur
Format:Broché|Achat vérifié
The book provides systematic coverage of browser security. The first 6 pages of chapter 1 provide brilliant insight into why formal security models, risk management and taxonomies fail to deliver promised security improvements to organizations that embrace them. I used to explain the same with a lot of hand weaving, Zalewski's approach and insight are far superior.

Make no mistake, the book is focused on the browser and related technologies rather than the theory of security. The same tremendous insight, that made me nod with appreciation and wish that I had the book 5 years ago while working on security policies, illuminates browser concepts like in-browser content separation, scripting, and much more.

I appreciate the authors treatment of each of the concepts in the context of the browser as a complex and still evolving technology, with it's own history, standards, market requirements and politics.
3 internautes sur 3 ont trouvé ce commentaire utile 
5.0 étoiles sur 5 A Cut Above the Rest 26 janvier 2012
Par Joshua Brower - Publié sur
I have to say, I wasn't quite sure what to expect when I received a review copy, as there seems to be a glut of "Securing Web Apps" books out there, and from what I have seen, not that many great ones. However, Zalewski is well-known within the security industry, so I had higher than normal expectations.

Zalewski starts out with his take on Information Security Management, and this small section probably deserves its own blog post entirely, but suffice to say that Zalewski is a pragmatist in this area--indeed, his 3 principles that he prescribes are:

1) Learning from (preferably other people's) mistakes

2) Developing tools to detect and correct problems

3) Planning to have everything compromised.

Though I would agree with all three, the third principle resonates the strongest with me, as this is one of Richard Bejitlich's favorite things to say, and I have taken it to heart.

With the intro to Information Security out of the way, Zalewski takes the reader through a brief history of the web, and the evolution of the threat. This was one of my favorite sections of the book, as it gave the much needed context to the issue of web security.

Being very young when the first browser wars started (1995ish), I have never understood why it mattered for web security.... Understanding the Wild Wild West-esqueness of those early days, and how each browser tried to one-up each other on web features, brings much clarity to why the security landscape of the web is so pockmarked with half-forgotten/half-thought out features that can be exploited for much gain.

Zalewski then moves from history to an anatomy of the web, picking apart the very structure of the web: URLs, HTTP, HTML, CSS, Scripting, etc... This is great reference material for a theoretical and practical understanding of what makes up the web from a technical standpoint--Zalewski continually points out differences in how different browsers implement specific features.

The rest of the book delves into web and browser-specific security issues, starting with a great treatise on one of the foundational security principles of the Web, Same-Origin Policy.

I will most likely be writing a couple other blog posts on some of the specific security issues that are dealt with here.

The book finishes with some time dedicated to looking forward to future security mechanisms that are on the horizon, along with the pros and cons of them.

All in all, a fantastic book on the current state of affairs for web security, and one which I cannot help but classify as 5 stars.

A couple closing thoughts:

-The security engineering cheat sheets at the end of each chapter is a great way to keep it practical.... I am thinking about finding a way to pull all of the cheat sheets together for a small booklet to refer back to.

-This was the first epub book I have read on my iPad, and I throughly enjoyed it.... Thanks to No Starch for providing epubs and not just pdfs!

Ces commentaires ont-ils été utiles ?   Dites-le-nous

Discussions entre clients

Le forum concernant ce produit
Discussion Réponses Message le plus récent
Pas de discussions pour l'instant

Posez des questions, partagez votre opinion, gagnez en compréhension
Démarrer une nouvelle discussion
Première publication:
Aller s'identifier

Rechercher parmi les discussions des clients
Rechercher dans toutes les discussions Amazon

Rechercher des articles similaires par rubrique