
The Tangled Web
A Guide to Securing Modern Web Applications
Michal Zalewski(Author)
No Starch Press
Published on 15 November 2011
320 pages
978-1-59327-417-7 (ISBN)
System requirements
for ePUB without DRM
E-Book Single Licence
You are acquiring a single-user licence for this eBook, which you may not transfer.
Available for download
Description
Modern web applications are built on a tangle of technologies that have been developed over time and then haphazardly pieced together. Every piece of the web application stack, from HTTP requests to browser-side scripts, comes with important yet subtle security consequences. To keep users safe, it is essential for developers to confidently navigate this landscape.
In The Tangled Web, Michal Zalewski, one of the world's top browser security experts, offers a compelling narrative that explains exactly how browsers work and why they're fundamentally insecure. Rather than dispense simplistic advice on vulnerabilities, Zalewski examines the entire browser security model, revealing weak points and providing crucial information for shoring up web application security.
You'll learn how to:
-Perform common but surprisingly complex tasks such as URL parsing and HTML sanitization
-Use modern security features like Strict Transport Security, Content Security Policy, and Cross-Origin Resource Sharing
-Leverage many variants of the same-origin policy to safely compartmentalize complex web applications and protect user credentials in case of XSS bugs
-Build mashups and embed gadgets without getting stung by the tricky frame navigation policy
-Embed or host user-supplied content without running into the trap of content sniffing
For quick reference, "Security Engineering Cheat Sheets" at the end of each chapter offer ready solutions to problems you're most likely to encounter. With coverage extending as far as planned HTML5 features, The Tangled Web will help you create secure web applications that stand the test of time.
More details
Language
English
Place of publication
New York
United States
Product notice
Reflowable
File size
2.64 MB
ISBN-13
978-1-59327-417-7 (9781593274177)
Other editions

Book
11/2011
1st Edition
No Starch Press
€71.00
Shipment within 3-4 weeks
Person
Michal Zalewski is an internationally recognized information security expert with a long track record of delivering cutting-edge research. He is credited with discovering hundreds of notable security vulnerabilities and frequently appears on lists of the most influential security experts. He is the author of Silence on the Wire (No Starch Press), Google's "Browser Security Handbook," and numerous important research papers.
Content
- Intro
- The Tangled Web
- PRAISE FOR THE TANGLED WEB
- PRAISE FOR SILENCE ON THE WIRE BY MICHAL ZALEWSKI
- Preface
- Acknowledgments
- 1. Security in the World of Web Applications
- Information Security in a Nutshell
- Flirting with Formal Solutions
- Enter Risk Management
- Enlightenment Through Taxonomy
- Toward Practical Approaches
- A Brief History of the Web
- Tales of the Stone Age: 1945 to 1994
- The First Browser Wars: 1995 to 1999
- The Boring Period: 2000 to 2003
- Web 2.0 and the Second Browser Wars: 2004 and Beyond
- The Evolution of a Threat
- The User as a Security Flaw
- The Cloud, or the Joys of Communal Living
- Nonconvergence of Visions
- Cross-Browser Interactions: Synergy in Failure
- The Breakdown of the Client-Server Divide
- Global browser market share, May 2011
- I. Anatomy of the Web
- 2. It Starts with a URL
- Uniform Resource Locator Structure
- Scheme Name
- Indicator of a Hierarchical URL
- Credentials to Access the Resource
- Server Address
- Server Port
- Hierarchical File Path
- Query String
- Fragment ID
- Putting It All Together Again
- Reserved Characters and Percent Encoding
- Handling of Non-US-ASCII Text
- Common URL Schemes and Their Function
- Browser-Supported, Document-Fetching Protocols
- Protocols Claimed by Third-Party Applications and Plug-ins
- Nonencapsulating Pseudo-Protocols
- Encapsulating Pseudo-Protocols
- Closing Note on Scheme Detection
- Resolution of Relative URLs
- 3. Hypertext Transfer Protocol
- Basic Syntax of HTTP Traffic
- The Consequences of Supporting HTTP/0.9
- Newline Handling Quirks
- Proxy Requests
- Resolution of Duplicate or Conflicting Headers
- Semicolon-Delimited Header Values
- Header Character Set and Encoding Schemes
- Referer Header Behavior
- HTTP Request Types
- GET
- POST
- HEAD
- OPTIONS
- PUT
- DELETE
- TRACE
- CONNECT
- Other HTTP Methods
- Server Response Codes
- 200-299: Success
- 300-399: Redirection and Other Status Messages
- 400-499: Client-Side Error
- 500-599: Server-Side Error
- Consistency of HTTP Code Signaling
- Keepalive Sessions
- Chunked Data Transfers
- Caching Behavior
- HTTP Cookie Semantics
- HTTP Authentication
- Protocol-Level Encryption and Client Certificates
- Extended Validation Certificates
- Error-Handling Rules
- 4. Hypertext Markup Language
- Basic Concepts Behind HTML Documents
- Document Parsing Modes
- The Battle over Semantics
- Understanding HTML Parser Behavior
- Interactions Between Multiple Tags
- Explicit and Implicit Conditionals
- HTML Parsing Survival Tips
- Entity Encoding
- HTTP/HTML Integration Semantics
- Hyperlinking and Content Inclusion
- Plain Links
- Forms and Form-Triggered Requests
- Frames
- Type-Specific Content Inclusion
- A Note on Cross-Site Request Forgery
- 5. Cascading Style Sheets
- Basic CSS Syntax
- Property Definitions
- @ Directives and XBL Bindings
- Interactions with HTML
- Parser Resynchronization Risks
- Character Encoding
- 6. Browser-Side Scripts
- Basic Characteristics of JavaScript
- Script Processing Model
- Parsing
- Function Resolution
- Code Execution
- Execution Ordering Control
- Code and Object Inspection Capabilities
- Modifying the Runtime Environment
- Overriding Built-Ins
- Setters and Getters
- Impact on Potential Uses of the Language
- JavaScript Object Notation and Other Data Serializations
- E4X and Other Syntax Extensions
- Standard Object Hierarchy
- The Document Object Model
- Access to Other Documents
- Script Character Encoding
- Code Inclusion Modes and Nesting Risks
- The Living Dead: Visual Basic
- 7. Non-HTML Document Types
- Plaintext Files
- Bitmap Images
- Audio and Video
- XML-Based Documents
- Generic XML View
- Scalable Vector Graphics
- Mathematical Markup Language
- XML User Interface Language
- Wireless Markup Language
- RSS and Atom Feeds
- A Note on Nonrenderable File Types
- 8. Content Rendering with Browser Plug-ins
- Invoking a Plug-in
- The Perils of Plug-in Content-Type Handling
- Document Rendering Helpers
- Plug-in-Based Application Frameworks
- Adobe Flash
- Properties of ActionScript
- Microsoft Silverlight
- Sun Java
- XML Browser Applications (XBAP)
- ActiveX Controls
- Living with Other Plug-ins
- II. Browser Security Features
- 9. Content Isolation Logic
- Same-Origin Policy for the Document Object Model
- document.domain
- postMessage(...)
- Interactions with Browser Credentials
- Same-Origin Policy for XMLHttpRequest
- Same-Origin Policy for Web Storage
- Security Policy for Cookies
- Impact of Cookies on the Same-Origin Policy
- Problems with Domain Restrictions
- The Unusual Danger of "localhost"
- Cookies and "Legitimate" DNS Hijacking
- Plug-in Security Rules
- Adobe Flash
- Markup-Level Security Controls
- Security.allowDomain(...)
- Cross-Domain Policy Files
- Policy File Spoofing Risks
- Microsoft Silverlight
- Java
- Coping with Ambiguous or Unexpected Origins
- IP Addresses
- Hostnames with Extra Periods
- Non-Fully Qualified Hostnames
- Local Files
- Pseudo-URLs
- Browser Extensions and UI
- Other Uses of Origins
- 10. Origin Inheritance
- Origin Inheritance for about:blank
- Inheritance for data: URLs
- Inheritance for javascript: and vbscript: URLs
- A Note on Restricted Pseudo-URLs
- 11. Life Outside Same-Origin Rules
- Window and Frame Interactions
- Changing the Location of Existing Documents
- Frame Hijacking Risks
- Frame Descendant Policy and Cross-Domain Communications
- Unsolicited Framing
- Beyond the Threat of a Single Click
- Cross-Domain Content Inclusion
- A Note on Cross-Origin Subresources
- Privacy-Related Side Channels
- Other SOP Loopholes and Their Uses
- 12. Other Security Boundaries
- Navigation to Sensitive Schemes
- Access to Internal Networks
- Prohibited Ports
- Limitations on Third-Party Cookies
- 13. Content Recognition Mechanisms
- Document Type Detection Logic
- Malformed MIME Types
- Special Content-Type Values
- Unrecognized Content Type
- Defensive Uses of Content-Disposition
- Content Directives on Subresources
- Downloaded Files and Other Non-HTTP Content
- Character Set Handling
- Byte Order Marks
- Character Set Inheritance and Override
- Markup-Controlled Charset on Subresources
- Detection for Non-HTTP Files
- 14. Dealing with Rogue Scripts
- Denial-of-Service Attacks
- Execution Time and Memory Use Restrictions
- Connection Limits
- Pop-Up Filtering
- Dialog Use Restrictions
- Window-Positioning and Appearance Problems
- Timing Attacks on User Interfaces
- 15. Extrinsic Site Privileges
- Browser- and Plug-in-Managed Site Permissions
- Hardcoded Domains
- Form-Based Password Managers
- Internet Explorer's Zone Model
- Mark of the Web and Zone.Identifier
- III. A Glimpse of Things to Come
- 16. New and Upcoming Security Features
- Security Model Extension Frameworks
- Cross-Domain Requests
- CORS Request Types
- Security Checks for Simple Requests
- Non-simple Requests and Preflight
- Current Status of CORS
- XDomainRequest
- Other Uses of the Origin Header
- Security Model Restriction Frameworks
- Content Security Policy
- Primary CSP Directives
- Policy Violations
- Criticisms of CSP
- Sandboxed Frames
- Scripting, Forms, and Navigation
- Synthetic Origins
- Strict Transport Security
- Private Browsing Modes
- Other Developments
- In-Browser HTML Sanitizers
- XSS Filtering
- 17. Other Browser Mechanisms of Note
- URL- and Protocol-Level Proposals
- Content-Level Features
- I/O Interfaces
- 18. Common Web Vulnerabilities
- Vulnerabilities Specific to Web Applications
- Problems to Keep in Mind in Web Application Design
- Common Problems Unique to Server-Side Code
- A. Epilogue
- Notes
- Chapter 1
- Chapter 2
- Chapter 3
- Chapter 4
- Chapter 5
- Chapter 6
- Chapter 7
- Chapter 8
- Chapter 9
- Chapter 10
- Chapter 11
- Chapter 12
- Chapter 13
- Chapter 14
- Chapter 15
- Chapter 16
- Chapter 17
- Index
- About the Author
- UPDATES
System requirements
File format: ePUB
Copy protection: without DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Use a reader that can handle the file format ePUB, such as Adobe Digital Editions or FBReader – both free (see eBook Help).
- Tablet/Smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (not Kindle).
The file format ePUB works well for novels and non-fiction books – i.e., 'flowing' text without complex layout. On an e-reader or smartphone, line and page breaks automatically adjust to fit the small displays.
This eBook does not use copy protection or Digital Rights Management
For more information, see our eBook Help page.