
Book Review, The Tangled Web: A Guide to Securing Modern Web Applications

If you're a web developer looking to enhance the security of the code you write, then this book should prove an interesting read.

This is a review of The Tangled Web: A Guide to Securing Modern Web Applications.

(My) Conclusion

This book does a great job of explaining how the “bricks” of the Internet (HTTP, HTML, WWW, cookies, scripting languages) work (or don't) from a security point of view. It also gives a very systematic coverage of browser (in)security, even if some of the information is starting to become outdated. The book is aimed at web developers who are interested in the inner workings of browsers in order to write more secure code.

Chapter 1: Security in the World of Web Applications

The goal of this chapter is to set the scene for the rest of the book. The main idea is that security is a non-algorithmic problem, so the best ways to tackle security problems are necessarily very empirical: learn from mistakes, develop tools to detect and correct problems, and plan for everything to be compromised.

Another part of the chapter is dedicated to the history of the web because, for the author, it is very important to understand the history behind the well-known “bricks” of the Internet (HTTP, HTML, WWW) in order to understand why, from a security point of view, they are completely broken. For a long time, the evolution of Internet standards was dominated by vendors or stakeholders who did not care much about the long-term prospects of the technology; see the Wikipedia Browser Wars page for a few examples.

Part I: Anatomy of the Web (Chapters 2 to 8)

The first part of the book is about the building blocks of the web: the HTTP protocol, HTML, CSS, the scripting languages (JavaScript, VBScript), and the external browser plug-ins (Flash, Silverlight). For each of these building blocks, the author presents how they are implemented and how they work (or not) in different browsers, which standards are supposed to drive the development of the web, and how these standards are very often incomplete or oblivious to security requirements.

In this part of the book, the author speaks only briefly about security features, knowing that the second part of the book will be focused on security.

Part II: Browser Security Features (Chapters 9 to 15)

The first security feature presented is the SOP (Same-Origin Policy), which is also the most important mechanism for protecting against hostile applications. The SOP's behavior is described in relation to DOM documents, XMLHttpRequest, and Web Storage, along with how the security policies for cookies can impact the SOP.

A less well-known topic that is covered is SOP inheritance: how the SOP is applied to pseudo-URLs such as about:, javascript:, and data:. The conclusion is that each browser handles SOP inheritance differently (and incompatibly), so it is preferable to create new frames or windows by pointing them at a server-supplied blank page with a definite origin.
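One way to follow that recommendation in application code, as an added example that is not from the book or this review: the frame helper below refuses the pseudo-URL schemes named above and always resolves to a page on a single, assumed origin (https://app.example and /blank.html are placeholders), and the message check applies the same origin discipline to postMessage.

```javascript
// Added example (not from the book or the review): create child frames only
// from a URL with a definite origin, and accept messages only from that origin.
// Assumptions: the application is served from https://app.example and serves
// an empty page at /blank.html; both values are placeholders.
const APP_ORIGIN = "https://app.example";
const BLANK_PAGE = "/blank.html";

// Pseudo-URL schemes whose origin is inherited (or assigned) differently
// from browser to browser, so a frame created from them has no definite origin.
const AMBIGUOUS_SCHEMES = ["about:", "javascript:", "data:", "vbscript:"];

function hasAmbiguousOrigin(url) {
  const s = String(url).trim().toLowerCase();
  return AMBIGUOUS_SCHEMES.some((scheme) => s.startsWith(scheme));
}

// Resolve the URL a new frame or window should be pointed at. With no
// argument it returns the server-supplied blank page; pseudo-URLs and
// cross-origin URLs are rejected so the frame's origin is always APP_ORIGIN.
function frameUrlFor(requested = BLANK_PAGE) {
  if (hasAmbiguousOrigin(requested)) {
    throw new Error(`refusing pseudo-URL with inherited origin: ${requested}`);
  }
  const resolved = new URL(requested, APP_ORIGIN);
  if (resolved.origin !== APP_ORIGIN) {
    throw new Error(`refusing cross-origin frame: ${resolved.origin}`);
  }
  return resolved.href;
}

// Browser-side helper (needs a DOM): create the frame from the resolved URL.
function createFrame(doc, requested) {
  const iframe = doc.createElement("iframe");
  iframe.src = frameUrlFor(requested);
  doc.body.appendChild(iframe);
  return iframe;
}

// Accept a postMessage event only if it comes from the expected origin AND
// from the window we created; the origin alone is not enough when several
// windows share that origin.
function isTrustedMessage(event, expectedWindow, expectedOrigin = APP_ORIGIN) {
  return event.origin === expectedOrigin && event.source === expectedWindow;
}
```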

Other less well-known browser behaviors that affect security are explained in depth: the way browsers recognize the content type of a response (a.k.a. content sniffing), navigation to sensitive URI schemes such as “javascript:”, “vbscript:”, “file:”, “about:”, and “res:”, and the way browsers try to protect themselves against rogue scripts (for the last one, the author points out how ineffective these protections are).

The last part is about different mechanisms that browsers are using in order to give special privileges to some specific websites. The mechanisms the author explains are form-based password managers, hard-coded domain names, and the Internet Explorer Zone model.

Part III: Glimpse of Things to Come (Chapters 16 to 17)

This part is about the developments made in the industry to enhance the security of browsers.

For the author, there are two ways that browser security could evolve: extend the existing framework(s) or try to restrict the existing framework(s) by creating new boundaries on top of the existing browser security model.

For the first alternative, the following solutions are presented: the W3C Cross-Origin Resource Sharing specification, the Microsoft response to CORS called XDomainRequest (which, by the way, has since been deprecated by Microsoft), and W3C Uniform Messaging Policy.

For the second alternative, the following solutions are presented: W3C's (formerly Mozilla's) Content Security Policy, (WebKit) Sandboxed frames, and Strict Transport Security.

The last part is about how the new planned APIs and features could have an impact on browser and application security. The author very briefly explains “Binary HTTP,” WebSockets (which were not yet a standard when the book was written), JavaScript offline applications, and P2P networking.

Chapter 18: Common Web Vulnerabilities

The last chapter is a catalogue of known vulnerabilities, grouped by where they can occur (server side, client side). For each item, a brief definition is given, with links back to the previous chapters where the item was discussed.

Topics: web security, secure coding, security, book review

Published at DZone with permission of Adrian CITU, DZone MVB. See the original article here.
