
Book Review: The Tangled Web

samzenpus posted more than 2 years ago | from the read-all-about-it dept.

Book Reviews 40

brothke writes "In the classic poem Inferno, Dante passes through the gates of Hell, which bear the inscription 'abandon all hope, ye who enter here' above the entrance. After reading The Tangled Web: A Guide to Securing Modern Web Applications, one gets the feeling that writing secure web code is akin to Dante's experience." Read below for Ben's review.

In this incredibly good and highly technical book, author Michal Zalewski writes that modern web applications are built on a tangled mesh of technologies that have been developed over time and then haphazardly pieced together. Every piece of the web application stack, from HTTP requests to browser-side scripts, comes with important yet subtle security consequences. In the book, Zalewski dissects those consequences to show what their dangers are and how developers can take them to heart and write secure code for browsers.

The Tangled Web: A Guide to Securing Modern Web Applications is written in the same style as Zalewski's previous book, Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks, another highly technical and dense treatment of its topic. This book tackles the issues surrounding insecure web browsers. Since the browser is the portal of choice for so many users, its inherent security flaws leave those users at significant risk. The book details what developers can do to mitigate those risks.

This book starts out with the observation that while the field of information security seems to be a mature and well-defined discipline, there is not even a rudimentary usable framework for understanding and assessing the security of modern software.

In chapter 1, the book provides a brief overview of the development of the web and how so many security issues have crept in. Zalewski writes that perhaps the most striking and nontechnical property of web browsers is that most people who use them are overwhelmingly unskilled. Given that most users simply do not know enough to use the web in a safe manner, we have the predicament we are in now.

Zalewski then spends the remainder of the book detailing specific problems, how they are exploited, and the manner in which they can be fixed.

In chapter 2, the book shows that something as elementary as resolving relative URLs is not a trivial exercise. It details how misunderstandings between application-level URL filters and the browser over how such relative references are handled can lead to security problems.
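The filter-versus-browser mismatch the chapter describes is easy to reproduce. The following is an added example, not code from the book or from this review: it uses Node's WHATWG-compliant URL class (which resolves references the way current browsers do) to compare a typical application-level "is this a local path?" filter with what the browser actually does. The origin, the sample redirect targets and the filter logic are all constructed for illustration.

```javascript
// Added example for the chapter 2 discussion above; it is not code from the book
// or the review. Node's URL class follows the WHATWG URL standard, so its
// resolution matches current browsers. The origin, the sample redirect targets
// and the filter itself are constructed for illustration.

const BASE = 'https://app.example.com/account/'; // assumed page URL

// A common open-redirect filter: accept a target as "local" if it starts with
// exactly one slash. This second-guesses how the browser will resolve it.
function naiveLocalPathCheck(target) {
  return target.startsWith('/') && !target.startsWith('//');
}

// What the browser actually does with the same string.
function browserResolves(target, base = BASE) {
  return new URL(target, base).href;
}

// A filter that mirrors the browser instead of guessing: resolve the reference
// against the page's own URL and compare the resulting origin.
function isSameOriginRedirect(target, base = BASE) {
  let resolved;
  try {
    resolved = new URL(target, base);
  } catch (err) {
    return false; // unparseable input: reject rather than guess
  }
  return resolved.origin === new URL(base).origin;
}

// Constructed redirect targets that a user-controlled "next=" parameter might carry.
const SAMPLES = [
  '/settings',            // genuinely same-origin
  'settings',             // relative to the current directory, also same-origin
  '//evil.example/x',     // scheme-relative reference: the host changes
  '/\\evil.example/x',    // for special schemes a backslash is treated like a slash
  'https://evil.example/',
];

// Side-by-side view of the naive filter's verdict and the browser's behaviour.
function compare(targets = SAMPLES, base = BASE) {
  return targets.map((target) => ({
    target,
    naiveFilterAccepts: naiveLocalPathCheck(target),
    browserResolvesTo: browserResolves(target, base),
    sameOrigin: isSameOriginRedirect(target, base),
  }));
}

// Targets the naive filter accepts even though the browser leaves the origin.
function filterBypasses(targets = SAMPLES, base = BASE) {
  return compare(targets, base)
    .filter((r) => r.naiveFilterAccepts && !r.sameOrigin)
    .map((r) => r.target);
}

console.table(compare());
console.log('filter bypasses:', filterBypasses()); // [ '/\\evil.example/x' ]
```

The backslash case is the instructive one: the string passes the "single leading slash" test, yet the browser resolves it to a different host. Resolving with the same algorithm the browser uses, and comparing origins, removes the disagreement instead of trying to enumerate its symptoms.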

For those who want a feel for the book, chapter 3, on HTTP, is available as a free sample chapter.

Chapter 4 deals with HTML, and the book notes that HTML is the subject of a fascinating conceptual struggle, a clash between the ideology and the reality of the online world. Tim Berners-Lee had the vision of a semantic web, namely a common framework that allows data to be shared and reused across applications, companies and the entire web. The notion of a semantic web, though, has not really caught on.

Chapter 4 continues with a detailed overview of HTML parser behavior. The author writes that HTML parsers will second-guess the intent of the page developer, which can lead to security problems.

In chapter 12, the book deals with third-party cookies and notes that since their inception, HTTP cookies have been misunderstood as the tool that enables online advertisers to violate users' privacy. Zalewski observes that the public's fixation on cookies is deeply misguided. He writes that there is no doubt some sites use cookies for malicious purposes, but that nothing makes them uniquely suited to the task, as there are many other equivalent ways to store unique identifiers on visitors' computers, such as cache-based tags.

Chapter 14 details the issue of rogue scripts and how to manage them. In the chapter, the author goes slightly off-topic and asks whether the current model of web scripting is fundamentally incompatible with the way human beings work. This leads to the question of whether it is possible for a script to consistently outsmart victims simply because of the inherent limits of human cognition.

Part 3 of the book takes up the last 35 pages and is a glimpse of things to come. Zalewski optimistically writes that many of the battles being fought in today's browser war are about security, which is a good thing for everyone.

Chapter 16 deals with new and upcoming security features of browsers and details many compelling security features such as security model extension frameworks and security model restriction frameworks.

One of the more powerful frameworks the chapter covers is Content Security Policy (CSP), which originated at Mozilla. CSP is meant to address a large class of web application vulnerabilities, including cross-site scripting, cross-site request forgery and more. The book notes that as powerful as CSP is, one of its main problems is not a security one: it requires a webmaster to move all inline scripts on a web page into a separately requested document. Given that many web pages have hundreds of short scripts, this can be an overwhelmingly onerous task.

The chapter concludes with other developments such as in-browser HTML sanitizers, XSS filtering and more.

Each chapter also concludes with a security engineering cheat sheet that details the core themes of the chapter.

For anyone involved in programming web pages, The Tangled Web: A Guide to Securing Modern Web Applications should be considered required reading. The book takes a deep look at the core problems with the various web protocols and offers effective methods to mitigate those vulnerabilities.

Michal Zalewski brings his extremely deep technical understanding to the book and combines it with a most readable style. The book is an invaluable resource and provides a significant amount of the information needed to write secure code for browsers. There is a huge amount of really good advice in it, and those who are building web applications should read it.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.

You can purchase The Tangled Web: A Guide to Securing Modern Web Applications from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.


40 comments

But it's not Packt... (-1)

afabbro (33948) | more than 2 years ago | (#38822529)

...so why bother reading it? All the good books are by Packt, right?

Re:But it's not Packt... (0)

Anonymous Coward | more than 2 years ago | (#38823807)

... and it's not this book [virtualbookcase.com]

iOS now has more marketshare than Android (-1)

Anonymous Coward | more than 2 years ago | (#38822531)

It's official: iOS now has more marketshare than Android. Reuters reports that Apple completely erased Android's marketshare lead [reuters.com], confirming earlier reports by both Nielsen [nielsen.com] and NPD [gigaom.com]. Over 150 Android smartphones couldn't outcompete the iPhone 4S. With 37 million iPhones sold last quarter, Apple is the largest smartphone maker, and their profits exceed Google’s entire revenue, $13 billion to $10.6 billion. With 15 million iPads sold last quarter, the tablet market is now larger than the entire desktop PC market.

The clock is ticking, Fandroids.

Re:iOS now has more marketshare than Android (-1)

Anonymous Coward | more than 2 years ago | (#38822717)

Let the smartphone makers worry about the market share thingy. No matter the market share though it won't fix the problem of iOS being pretty crap until jailbroken and modified extensively.

If people are content buying a phone they have to pay to run their code on it's their business. It won't make my apps run worse.

Re:iOS now has more marketshare than Android (-1)

Anonymous Coward | more than 2 years ago | (#38822801)

With 15 million iPads sold last quarter, the tablet market is now larger than the entire desktop PC market.

The clock is ticking, Fandroids.

The 450 million copies of Windows 7 sold through Sept 2011 ( http://techcrunch.com/2011/09/13/microsoft-sold-450-million-copies-of-windows-7/ ) say "Hello".

According to http://en.wikipedia.org/wiki/IPad there's only been 55 million ipads sold. PC sales passed 1 billion a few years back.

Re:iOS now has more marketshare than Android (-1)

Anonymous Coward | more than 2 years ago | (#38822969)

and just what does that have to do w/ this book?

Except... (4, Insightful)

Samantha Wright (1324923) | more than 2 years ago | (#38822577)

Inferno is only the first third of the Divine Comedy. (It's also widely cited as the most interesting one to actually read.) What are Purgatorio and Paradiso, then?

Re:Except... (4, Funny)

thatisscary (1297483) | more than 2 years ago | (#38822685)

Places where the inscription: "Abandon all hope, ye who enter here" does not appear above the entrance.

Re:Except... (3, Funny)

Baloroth (2370816) | more than 2 years ago | (#38822723)

Purgatorio is writing web pages without concern for security: painful, but not bad once you finish. Paradiso is writing malware on the Internet: painless, easy, and rewarding.

Re:Except... (1)

FrootLoops (1817694) | more than 2 years ago | (#38823227)

I wouldn't call Paradiso painless and rewarding. I couldn't get through it--it's very repetitive and uninteresting.

Re:Except... (3, Interesting)

Baloroth (2370816) | more than 2 years ago | (#38824849)

I was talking about the characters, not the reading.

However, I do understand your point. To really appreciate the Paradiso, you have to know a lot of Medieval cosmology and theology (actually, that is true of the entire Divine Comedy, but especially the last part). The entirety of the work has four interpretative levels, which are the literal, figurative or allegorical (or metaphorical), moral, and anagogical (yes spellcheck that is a real word). This is true of many of the works of literature which are called "great", but to really understand these levels you usually have to have read an absolutely massive body of other works. Most people really only see the literal and figurative levels. Oh and you should read it in the original Italian too. Really, literature is a much more in-depth field than most people realize.

Just as a quick example: Dante meets 3 creatures at the beginning of the Inferno, a leopard, a lion, and a she-wolf. Those are actually representative of the 3 main levels of hell at one level (the appetitive sins, like lust, the spirited sins, like anger, and the intellectual ones, like fraud and treachery), and of those tendencies in Dante (the main character's) soul at another level. He can't get around the she-wolf, which is figurative of his problems with intellectual sins (pride, most likely), and Virgil (considered a prime example of intellectual guidance) is required to show him the path around her.

For reference, despite having read a lot of great works, I don't understand most of the symbolism in the Divine Comedy, just enough to see the depth there.

Re:Except... (1)

FrootLoops (1817694) | more than 2 years ago | (#38825295)

It's been a few years since I read it so my memory is a bit hazy. Still, I do remember copious footnotes in my translation, pointing out lots of symbolism and historical background. Eventually I found that I just didn't care about those features. After the morbidly interesting punishments in Hell and Purgatory were over, I suppose there wasn't much left to keep my interest. The structure, while obviously laden with symbolism, is also incredibly repetitive. I'm sure it was great for its time, but the same can be said for number 0. Perhaps it is better in the original Italian.

Just to be clear, it's not like I have a grudge against all "classics". Shakespeare's got some wonderful stuff in his plays, for instance. I was just underwhelmed by the Divine Comedy, particularly the 2nd and 3rd (what I read of it) parts.

Re:Except... (1)

Bob the Super Hamste (1152367) | more than 2 years ago | (#38827431)

Granted the Divine Comedy was rather repetitive but the imagery conjured up is what I liked most. It might have been that I was lucky enough to have had a teacher who knew all of the necessary background info to get the most out of it (as well as the rest of the classics) but still it is a book of historical significance. Comparatively Shakespeare's works are less deep and don't develop as much. Granted they were targeted towards an entirely different medium, time, and class of people so I am not trying to knock Shakespeare's work. It would be much like trying to compare the literary merits of C.S. Lewis's Space Trilogy [wikipedia.org] to the works of Gilbert and Sullivan.

Re:Except... (1)

Bob the Super Hamste (1152367) | more than 2 years ago | (#38827309)

I was lucky enough to have read it in high school and to have a teacher who could explain and provide the necessary background information to fully understand it. Granted that was years ago but one of the things that I remember is one day he was talking about one pope and how he was considered at the time to be awful. If you had kept up with the outside of class reading you understood when the same pope was mentioned in the Divine Comedy as being in the replica baptistry of Pisa in hell upside down as Dante was indicating that the mentioned pope was actually an anti-pope. Dante also seemed to have a love of ironic punishments like the punishment for the hoarders and wasters, or those who committed the sin of lust.

Re:Except... (1)

Synerg1y (2169962) | more than 2 years ago | (#38832471)

Yep, I remember only the 1st book from high school, however I remember the explanations being mostly literal as well. At times it was hard enough interpreting the text. I think to really get into it you'd probably have to read it at least 3-4 times in the entirety of the trilogy. Alternatively you can get/have a life :)

a metaphor packed allegory? (0)

Anonymous Coward | more than 2 years ago | (#38822587)

Is it about Italian politics or some other references like Niven and Pournelle's retelling?

sounds sucky. (1)

geekoid (135745) | more than 2 years ago | (#38822743)

" After reading The Tangled Web: A Guide to Securing Modern Web Applications, one gets the feeling the writing secure web code is akin to Dante's experience."

Then it's a poorly written book

Re:sounds sucky. (1)

indeterminator (1829904) | more than 2 years ago | (#38822931)

Then it's a poorly written book

Indeed. To write a secure application, you need to know what you are doing, and proper discipline. No need to go through seven circles of hell.

Re:sounds sucky. (1)

Anonymous Coward | more than 2 years ago | (#38823407)

It sounds to me like you should erm, you know, RTFB and come back and enlighten us how discipline solves the issues it raises.

I've just finished reading it. It's well worth the investment

Re:sounds sucky. (0)

Anonymous Coward | more than 2 years ago | (#38823941)

very true. people need to read this book.

Re:sounds sucky. (0)

Anonymous Coward | more than 2 years ago | (#38823069)

Read the rest of the review....it says that it is a really really good book....

Re:sounds sucky. (1)

Synerg1y (2169962) | more than 2 years ago | (#38832525)

But, it's often not the code that secures the application... rather the underlying technologies... much of the modern applications they're referring to sit behind a username / password over https that requires brute force (99.9% of the time unfeasible). The ones that aren't have much higher security research budgets than this book did :)

Cross site (XSS) & sql injection are real threats, but are they really the weakest link usually?

Coming from a guy whose DBA in college left a test server w/o a root password for 1+ years.

Read the free sample chapter (1)

OakDragon (885217) | more than 2 years ago | (#38823183)

From the sample chapter, this does look to be a readable and informative book. That seems to be rare for tech books these days.

Not quite an accurate translation (5, Funny)

Minwee (522556) | more than 2 years ago | (#38822747)

The original inscription in "Inferno" was Lasciate ogni speranza, voi ch'entrate which, translated into modern English, means "Where do you want to go today?"

"Abandon all hope, ye who enter here" has a similar meaning, but is less correct.

Re:Not quite an accurate translation (0)

Anonymous Coward | more than 2 years ago | (#38822935)

I believe an even more accurate translation would be "Abandon all hope, ye who Start here"

Bring back Packt! (-1)

Anonymous Coward | more than 2 years ago | (#38822833)

Has anyone else noticed the coincidental drop in Packt books being "reviewed" on this site since Taco left? Have they not been keeping up-to-date with their shill checks? How else am I going to learn about deprecated versions of Drupal without a good MichaelJRoss shill review of the latest Packt drivel?

"writing secure code akin to Dante's experience" (0)

Anonymous Coward | more than 2 years ago | (#38822907)

Which circle corresponds to the visit from the guys from marketing?

Models of Security... (3, Insightful)

ndykman (659315) | more than 2 years ago | (#38823023)

What frustrates me about web security or security in general is alluded to in the review; that there is really not a good idea of what security is.

More specifically, the idea of security as a binary property. For me, it seems a more realistic approach is how much information and resource access do I have to gain to perform an action, what are the paths to do so, and how likely are those paths to occur, and what is the cost of the breach. The web makes this analysis harder without question, but still possible.

For example, I have a web site that contains account ids in a post to change something for that account. If the account id is an email, then forging the request is trivial. If the id is an opaque token, but sent in the clear (HTTP), it is less trivial, but still relatively easy. If the id is sent via https POST, sniffing is harder, but replay attacks may occur.

And so on. The point is to decide when the advantage gained is overwhelmed by the cost and risk of the attack.

I remember a time when somebody was worried about GUIDs in a URL because you could guess a valid one. Of course, it is much easier (understatement) to capture a valid one than guess one. This book will have value if it helps you avoid red herrings like that and focus on the real threats.

Of course, I am not a security specialist, so this may be naive at best.

Re:Models of Security... (0)

Anonymous Coward | more than 2 years ago | (#38830831)

Pretty much all security consultancy now is risk based, or should be, you're right, this is a resource that's needed whenever an IT project is in flight. If it ain't there, you're being short changed by management.

Book review? Nope, just a chapter summary. (0)

Anonymous Coward | more than 2 years ago | (#38823141)

This isn't a book review, it's a chapter-by-chapter summary. Did he present information in an easy to understand manner? How often did he cite real-world examples (and how relevant were they)? How useful (and well-written) was the example code that the author included? Do you feel as if you have a better understanding of today's web security landscape? Can you share examples of his good advice, and why it's good? Have you been able to apply the knowledge you learned from reading this book into practical applications in the real world?

Re:Book review? Nope, just a chapter summary. (0)

Anonymous Coward | more than 2 years ago | (#38823167)

there are obviously different styles of reviews....can you please share with us your contributions to the community? what reviews have u written?

Re:Book review? Nope, just a chapter summary. (0)

Anonymous Coward | more than 2 years ago | (#38823271)

Defending yourself using AC? Lame move, Ben.

Re:Book review? Nope, just a chapter summary. (0)

Anonymous Coward | more than 2 years ago | (#38827607)

what...an AC reply to an AC reply... what gives?

Shift-2 or shift-' is your friend (1, Offtopic)

Hognoxious (631665) | more than 2 years ago | (#38823225)

which has the inscription abandon all hope, ye who enter here above the entrance.

I normally enter through the entrance, rather than above it.

Re:Shift-2 or shift-' is your friend (0)

Anonymous Coward | more than 2 years ago | (#38823297)

can anyone focus on the book itself...and the security problem it brings to the forefront...rather than the other comments?

Re:Shift-2 or shift-' is your friend (0)

Anonymous Coward | more than 2 years ago | (#38838251)

I reckon the answer is no, but you've got two eyes so why don't you look for yourself?

Yay, another 10/10 review (0)

Anonymous Coward | more than 2 years ago | (#38823287)

saving me from having to actually read the review.

Re:Yay, another 10/10 review (0)

Anonymous Coward | more than 2 years ago | (#38833663)

how so? whats wrong w/ 10/10 reviews?
