Tags: Advanced · Web Security · Browser Internals · AppSec

The Tangled Web

A Guide to Securing Modern Web Applications

Rating: 5 / 5

The deepest book ever written on the strange, accreted security model of the web browser.


Published: 2011
Publisher: No Starch Press
Pages: 320
Language: English

Table of contents

18 chapters · 30 sections

Part I: Anatomy of the Web

  1. Security in the World of Web Applications
  2. It Starts with a URL
    • Uniform Resource Locator structure
    • Reserved characters and percent-encoding
    • Common URL schemes
    • Resolution of relative URLs
  3. Hypertext Transfer Protocol
    • Basic syntax of HTTP traffic
    • HTTP request types
    • Server response codes
    • Keepalive sessions
    • Chunked data transfers
    • Caching behavior
    • HTTP cookie semantics
    • HTTP authentication
    • Protocol-level encryption and client certificates
  4. Hypertext Markup Language
    • Basic concepts behind HTML documents
    • Understanding HTML parser behavior
    • Entity encoding
    • HTTP/HTML integration semantics
    • Hyperlinking and content inclusion
  5. Cascading Style Sheets
  6. Browser-Side Scripts
    • Basic characteristics of JavaScript
    • Standard object hierarchy
    • Script character encoding
    • Code inclusion modes and nesting risks
    • The living dead: VBScript
  7. Non-HTML Document Types
  8. Content Rendering with Browser Plug-ins

Part II: Browser Security Features

  9. Content Isolation Logic
    • Same-origin policy for the DOM
    • Same-origin policy for XMLHttpRequest
    • Same-origin policy for Web Storage
    • Same-origin policy for cookies
    • Plug-in security rules
    • Coping with ambiguous or unexpected origins
    • Other uses of the origin concept
  10. Origin Inheritance
  11. Life Outside Same-Origin Rules
  12. Other Security Boundaries
  13. Content Recognition Mechanisms
  14. Dealing with Rogue Scripts
  15. Extrinsic Site Privileges

Part III: A Glimpse of Things to Come

  16. New and Upcoming Security Features
  17. Other Browser Mechanisms of Note
  18. Common Web Vulnerabilities

Prerequisites

You should already know what XSS, CSRF, and same-origin policy are. This book is for the second pass, not the first.

Read this if

Anyone who builds, attacks, or audits browser-based systems and wants to know why the rules are the way they are.

Skip this if

Beginners: Zalewski assumes you've already touched the surface and want the substrate. Start with PortSwigger Academy first.

Key takeaways

  • The web's security model is not designed; it is excavated.
  • Origins, schemes, and trust boundaries are the only real abstractions; everything else is a leaky negotiation.
  • Specifications and reality diverge constantly, and the divergence is where bugs live.

Notes

Reads like an anthropologist's report on a culture they have lived inside. Older than half the platform features that matter today (no service workers, COOP/COEP, Trusted Types), but the older material is the soil all the new material grows from. The only book that explains why the browser is the way it is.