Book Review: "The Tangled Web"



The Tangled Web by Michal Zalewski is a fantastic info-sec read! I give it 9/10 stars and highly recommend it to anyone who likes historical technology books, to web programmers, and to information security practitioners. It is very detailed and has excellent references, pointing out the specific sections of the RFCs it discusses; I recommend the ebook version so you can quickly follow the links and references out to the web. It takes you through the history and evolution of various web technologies, from protocols and subtleties in languages to browser and server implementations. It discusses the security issues in the evolution of the web in great detail, and it often left me with a profound new insight into how different browser implementations of the same general protocols handle the same syntax in completely different ways, lulling developers into making assumptions that hold only on select platforms. Zalewski describes the book in his own words here, with summaries of each chapter, but I'm also going to give brief descriptions of the parts that meant the most to me.

The book is divided into three parts: Anatomy of the Web, largely focused on the historical evolution of web components; Browser Security Features, which covers how the various browsers implement their core security mechanisms; and A Glimpse of Things to Come, which highlights some new and important security features. Each part has its own rich, focused, and well-developed chapters, and all of them are important for the reasons above. Every chapter covers its technology in depth, diving into subtleties and common misconceptions within the scope of its focus, often dealing with specific implementations, protocols, or features of the web and web browsers. The book focuses directly on the big five web browsers: Chrome, Firefox, Safari, Internet Explorer, and Opera. It is too large and encompassing to talk about any specific technology in this review, so I recommend two different ways to approach it: read it cover to cover for a far more in-depth understanding of how the web and browsers work, or read it chapter by chapter as a reference for developers or security practitioners looking for more details on a particular subject.

The security cheat sheets at the end of each chapter deserve a critical look from web developers, as they highlight many security concerns that developers historically and commonly miss. It is also easy to pick a subject by chapter and check the cheat sheet at the end to make sure you aren't overlooking a critical security property. The references for that chapter are usually close behind, giving developers a place to seek additional information. This is an excellent feature of the book, and each cheat sheet summarizes its chapter in its own way.

Chapter 18 should not be overlooked by security practitioners and developers alike. Chapter 18, Common Web Vulnerabilities, provides an excellent summary of web application weaknesses and exploits, along with links to where each vulnerability is discussed in detail in another chapter. This gives security practitioners their own cheat sheet chapter that quickly links back to all the juicy details.

For a comprehensive list of reviews, as well as a free chapter of the book, check out the No Starch Press page on The Tangled Web.