San Francisco, CA, November 9, 2011—Modern web applications are built on a tangle of technologies developed over time and haphazardly patched together. Every piece of the web application stack, from HTTP requests to browser-side scripts, is riddled with important yet subtle security gotchas that developers need to understand in order to keep users safe online.
In The Tangled Web (No Starch Press, November 2011, 320 pp., $49.95, ISBN 9781593273880), Michal Zalewski, one of the world's top security experts and author of Google's Browser Security Handbook, explains how browsers work and why they're fundamentally insecure. Rather than simply list known vulnerabilities, Zalewski examines the entire browser security model, revealing weak points and providing crucial information for shoring up web application security. The book opens with a comprehensive examination of browser mechanisms, the historical reasons behind their design, and the security consequences involved. After examining and dissecting the security mechanisms available for web applications, Zalewski outlines anticipated future developments in browser security, including planned HTML5 features.
"Since Silence on the Wire, readers have been waiting for Zalewski's next book," said No Starch Press Founder Bill Pollock. "As applications migrate to the Web, exposing our private data to a wide range of attacks, the security community is badly in need of instruction on how to make web applications more secure. Zalewski offers real insight."
Readers of The Tangled Web will learn how to:
- Perform common but surprisingly complex tasks such as URL parsing and HTML sanitization
- Use modern security features like Strict Transport Security, Content Security Policy, and Cross-Origin Resource Sharing
- Leverage many variants of the same-origin policy to safely compartmentalize complex web applications and protect user credentials in case of XSS bugs
- Build mashups and embed gadgets without getting stung by the tricky frame navigation policy
- Embed or host user-supplied content without running into the trap of content sniffing
The Tangled Web will prove indispensable to web developers and security researchers who want to create secure web applications that stand the test of time and the savviest of attackers.
For more information or to request a review copy of The Tangled Web, contact Travis Peterson at No Starch Press (nostarchpr@oreilly.com, +1.415.863.9900, x108), or visit www.nostarch.com.
Praise for The Tangled Web
"Thorough and comprehensive coverage from one of the foremost experts in browser security."
—TAVIS ORMANDY, GOOGLE INC.
"A must-read for anyone who values their security and privacy online."
—COLLIN JACKSON, RESEARCHER AT THE CARNEGIE MELLON WEB SECURITY GROUP
"Perhaps the most thorough and insightful treatise on the state of security for web-driven technologies to date. A must have!"
—MARK DOWD, AZIMUTH SECURITY, AUTHOR OF THE ART OF SOFTWARE SECURITY ASSESSMENT
Additional Resources
Chapter 3: "Hypertext Transfer Protocol" (PDF)
Table of Contents
Detailed Table of Contents (PDF)
Index (PDF)
No Starch Press Catalog Page
The Tangled Web, by Michal Zalewski. Publisher: No Starch Press. ISBN 9781593273880, $49.95 USD, November 2011, 320 pp. Orders: order@oreilly.com, 1-800-998-9938, 1-707-827-7000.
Available in fine bookstores everywhere, from http://www.oreilly.com/nostarch, or directly from No Starch Press (http://www.nostarch.com, orders@nostarch.com, 1-800-420-7240).
About No Starch Press
Founded in 1994, No Starch Press publishes the finest in geek entertainment—unique books on technology, with a focus on open source, security, hacking, programming, alternative operating systems, LEGO, science, and math. Our titles have personality, our authors are passionate, and our books tackle topics that people care about. Visit http://www.nostarch.com for a complete catalog.
About O’Reilly
O’Reilly Media spreads the knowledge of innovators through its books, online services, magazines, and conferences. Since 1978, O’Reilly Media has been a chronicler and catalyst of cutting-edge development, homing in on the technology trends that really matter and spurring their adoption by amplifying “faint signals” from the alpha geeks who are creating the future. An active participant in the technology community, the company has a long history of advocacy, meme-making, and evangelism.