Tangled Web: A Guide to Securing Modern Web Applications

by Michal Zalewski

Synopses & Reviews

Publisher Comments:

"Thorough and comprehensive coverage from one of the foremost experts in browser security."

—Tavis Ormandy, Google Inc.

Modern web applications are built on a tangle of technologies that have been developed over time and then haphazardly pieced together. Every piece of the web application stack, from HTTP requests to browser-side scripts, comes with important yet subtle security consequences. To keep users safe, it is essential for developers to confidently navigate this landscape.

In The Tangled Web, Michal Zalewski, one of the world's top browser security experts, offers a compelling narrative that explains exactly how browsers work and why they're fundamentally insecure. Rather than dispense simplistic advice on vulnerabilities, Zalewski examines the entire browser security model, revealing weak points and providing crucial information for shoring up web application security. You'll learn how to:

  • Perform common but surprisingly complex tasks such as URL parsing and HTML sanitization
  • Use modern security features like Strict Transport Security, Content Security Policy, and Cross-Origin Resource Sharing
  • Leverage many variants of the same-origin policy to safely compartmentalize complex web applications and protect user credentials in case of XSS bugs
  • Build mashups and embed gadgets without getting stung by the tricky frame navigation policy
  • Embed or host user-supplied content without running into the trap of content sniffing

For quick reference, "Security Engineering Cheat Sheets" at the end of each chapter offer ready solutions to problems you're most likely to encounter. With coverage extending as far as planned HTML5 features, The Tangled Web will help you create secure web applications that stand the test of time.

Book News Annotation:

Intended for web developers and application programmers, this interesting volume on web application security provides a detailed overview of fundamental, structural security flaws inherent in current web technologies. The work provides practical fixes for specific security issues while engaging readers with a discussion of necessary paradigmatic shifts in development standards that will need to be adopted by industry professionals in order to provide users and businesses with secure Internet platforms in the future. Chapters provide numerous code examples addressing specific security concerns, and include brief "security engineer cheat sheets" for quick reference. Zalewski is an influential Internet security expert and the author of several books on the subject. Annotation ©2012 Book News, Inc., Portland, OR (booknews.com)

Synopsis:

The Tangled Web is destined to be the definitive guide to web application security. Rather than simply enumerate known vulnerabilities or lay down a series of commandments from on high, famed security expert Michal Zalewski takes an in-depth look at how browsers actually work, how to leverage their features, and what pitfalls lurk in the shadows. An outgrowth of Zalewski's work on Google's online Browser Security Handbook, The Tangled Web sheds light on the uniqueness of the security challenges that engineers, developers, and users face on the Web today. The book opens with a detailed examination of browser security mechanisms, the historical reasons behind their design, and their security consequences. Subsequent chapters discuss the security aspects of specific web technologies, including URLs, HTTP, HTML, JavaScript, the same-origin policy, and HTML5. Readers looking for quick answers will appreciate the cheat sheets in each chapter, which outline the most commonly encountered problems and how to tackle them. An appendix offers a glossary of well-known implementation vulnerabilities.

About the Author

Michal Zalewski is an internationally recognized information security expert with a long track record of cutting-edge research. He is credited with discovering hundreds of notable security vulnerabilities, and is also the author of numerous important research papers. He is ranked #5 on eWeek's "The 15 Most Influential People in Security Today," #51 on CIO Insight's "100 Most Influential People in IT," and is counted among 11 hacking experts on ITSecurity's "Top Influencers in IT Security." He is also the author of Silence on the Wire (No Starch Press).

Table of Contents

Praise for The Tangled Web
Praise for Silence on the Wire by Michal Zalewski
Dedication
Preface
Acknowledgments

Chapter 1: Security in the World of Web Applications
  1.1 Information Security in a Nutshell
  1.2 A Brief History of the Web
  1.3 The Evolution of a Threat
  1.4 Global browser market share, May 2011

Anatomy of the Web

Chapter 2: It Starts with a URL
  2.1 Uniform Resource Locator Structure
  2.2 Reserved Characters and Percent Encoding
  2.3 Common URL Schemes and Their Function
  2.4 Resolution of Relative URLs
Chapter 3: Hypertext Transfer Protocol
  3.1 Basic Syntax of HTTP Traffic
  3.2 HTTP Request Types
  3.3 Server Response Codes
  3.4 Keepalive Sessions
  3.5 Chunked Data Transfers
  3.6 Caching Behavior
  3.7 HTTP Cookie Semantics
  3.8 HTTP Authentication
  3.9 Protocol-Level Encryption and Client Certificates
Chapter 4: Hypertext Markup Language
  4.1 Basic Concepts Behind HTML Documents
  4.2 Understanding HTML Parser Behavior
  4.3 Entity Encoding
  4.4 HTTP/HTML Integration Semantics
  4.5 Hyperlinking and Content Inclusion
Chapter 5: Cascading Style Sheets
  5.1 Basic CSS Syntax
  5.2 Parser Resynchronization Risks
  5.3 Character Encoding
Chapter 6: Browser-Side Scripts
  6.1 Basic Characteristics of JavaScript
  6.2 Standard Object Hierarchy
  6.3 Script Character Encoding
  6.4 Code Inclusion Modes and Nesting Risks
  6.5 The Living Dead: Visual Basic
Chapter 7: Non-HTML Document Types
  7.1 Plaintext Files
  7.2 Bitmap Images
  7.3 Audio and Video
  7.4 XML-Based Documents
  7.5 A Note on Nonrenderable File Types
Chapter 8: Content Rendering with Browser Plug-ins
  8.1 Invoking a Plug-in
  8.2 Document Rendering Helpers
  8.3 Plug-in-Based Application Frameworks
  8.4 ActiveX Controls
  8.5 Living with Other Plug-ins

Browser Security Features

Chapter 9: Content Isolation Logic
  9.1 Same-Origin Policy for the Document Object Model
  9.2 Same-Origin Policy for XMLHttpRequest
  9.3 Same-Origin Policy for Web Storage
  9.4 Security Policy for Cookies
  9.5 Plug-in Security Rules
  9.6 Coping with Ambiguous or Unexpected Origins
  9.7 Other Uses of Origins
Chapter 10: Origin Inheritance
  10.1 Origin Inheritance for about:blank
  10.2 Inheritance for data: URLs
  10.3 Inheritance for javascript: and vbscript: URLs
  10.4 A Note on Restricted Pseudo-URLs
Chapter 11: Life Outside Same-Origin Rules
  11.1 Window and Frame Interactions
  11.2 Cross-Domain Content Inclusion
  11.3 Privacy-Related Side Channels
  11.4 Other SOP Loopholes and Their Uses
Chapter 12: Other Security Boundaries
  12.1 Navigation to Sensitive Schemes
  12.2 Access to Internal Networks
  12.3 Prohibited Ports
  12.4 Limitations on Third-Party Cookies
Chapter 13: Content Recognition Mechanisms
  13.1 Document Type Detection Logic
  13.2 Character Set Handling
Chapter 14: Dealing with Rogue Scripts
  14.1 Denial-of-Service Attacks
  14.2 Window-Positioning and Appearance Problems
  14.3 Timing Attacks on User Interfaces
Chapter 15: Extrinsic Site Privileges
  15.1 Browser- and Plug-in-Managed Site Permissions
  15.2 Form-Based Password Managers
  15.3 Internet Explorer's Zone Model

A Glimpse of Things to Come

Chapter 16: New and Upcoming Security Features
  16.1 Security Model Extension Frameworks
  16.2 Security Model Restriction Frameworks
  16.3 Other Developments
Chapter 17: Other Browser Mechanisms of Note
  17.1 URL- and Protocol-Level Proposals
  17.2 Content-Level Features
  17.3 I/O Interfaces
Chapter 18: Common Web Vulnerabilities
  18.1 Vulnerabilities Specific to Web Applications
  18.2 Problems to Keep in Mind in Web Application Design
  18.3 Common Problems Unique to Server-Side Code

Epilogue
Notes
Updates

Product Details

ISBN:
9781593273880
Author:
Zalewski, Michal
Publisher:
No Starch Press
Subject:
Internet - Security
Subject:
General-General
Subject:
Internet - General
Subject:
browser application security;browser security;browser security handbook;browser security model;browser vulnerabilities;html security;html5 security;http security;javascript security;url security;web application security;web security;web security model
Edition Description:
Print PDF
Publication Date:
20111131
Binding:
TRADE PAPER
Language:
English
Pages:
320
Dimensions:
9.25 x 7 in

Related Subjects

Computers and Internet » Internet » General
Computers and Internet » Internet » Information
Computers and Internet » Networking » Computer Security
Computers and Internet » Networking » General
Computers and Internet » Networking » Security » General

Tangled Web: A Guide to Securing Modern Web Applications New Trade Paper
$49.95 In Stock