The Tangled Web: A Guide to Securing Modern Web Applications

Posted on by Ben Rothke

In the classic poem Inferno, Dante passes through the gates of Hell, which has the inscriptionabandon all hope, ye who enter here above the entrance.  After reading The Tangled Web: A Guide to Securing Modern Web Applications, one gets the feeling the writing secure web code is akin to Dante’s experience.  

In this incredibly good and highly technical book, author Michal Zalewski writes that modern web applications are built on a tangled mesh of technologies that have been developed over time and then haphazardly pieced together.  Every piece of the web application stack, from HTTP requests to browser-side scripts, comes with important yet subtle security consequences.  In the book, Zalewski dissects those subtle security consequences to show what their dangers are, and how developers can take it to heart and write secure code for browsers. 

The Tangled Web: A Guide to Securing Modern Web Applications is written in the same style as Zalewski’s last book - Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks, which is another highly technical and dense book on the topic.  This book tackles the issues surrounding insecure web browsers.  Since the browser is the portal of choice for so many users; its inherent secure flaws leaves the user at a significant risk.  The book details what developers can do to mitigate those risks. 

This book starts out with the observation that while the field of information security seems to be a mature and well-defined discipline, there is not even a rudimentary usable framework for understanding and assessing the security of modern software. 

In chapter 1, the book provides a brief overview of the development of the web and how so many security issues have cropped in.  Zalewski writes that perhaps the most striking and nontechnical property of web browsers is that most people who use them are overwhelmingly unskilled.  And given the fact that most users simply do not know enough to use the web in a safe manner, which leads to the predicament we are in now. 

Zalewski then spends the remainder of the book detailing specific problems, how they are exploited, and details the manner in which they can be fixed. 

In chapter 2, the book details that something as elementary as how the resolution of relative URL’s is done isn’t a trivial exercise.  The book details how misunderstandings occur between application level URL filters and the browser when handling these types of relative references can lead to security problems.  

For those that want a feel for the book, chapter 3 on the topic of HTTP is available here. 

Chapter 4 deals with HTML and the book notes that HTML is the subject of a fascinating conceptual struggle with a clash between the ideology and the reality of the on-line world.  Tim Berners-Lee had the vision of a semantic web; namely a common framework that allows data to be shared and reused across applications, companies and the entire web.  The notion though of a semantic web has not really caught on. 

Chapter 4 continues with a detailed overview of how to understand HTML parser behavior.  The author writes that HTML parsers will second-guess the intent of the page developer which can leads to security problems. 

In chapter 12, the book deals with third-party cookies and notes that since their inception, HTTP cookies have been misunderstood as the tool that enables online advertisers to violate users privacy.  Zalewski observes that the public’s fixation on cookies is deeply misguided.  He writes there is no doubt that some sites use cookies as a mechanism for malicious use. But that there is nothing that makes it uniquely suited for this task, as there are many other equivalent ways to sore unique identifiers on visitor’s computes, such as cache-based tags. 

Chapter 14 details the issue of rogue scripts and how to manage them. In the chapter, the author goes slightly off-topic and asks the question if the current model of web scripting is fundamentally incompatible with the way human beings works.  Which leads to the question of it if is possible for a script to consistently outsmart victims simply due to the inherent limits of human cognition. 

Part 3 of the book takes up the last 35 pages and is a glimpse of things to come.  Zalewski optimistically writes that many of the battles being fought in today’s browser war is around security, which is a good thing for everyone.

Chapter 16 deals with new and upcoming security features of browsers and details many compelling security features such as security model extension frameworks and security model restriction frameworks. 

The chapter deals with one of the more powerful frameworks is the Content Security Policy (CSP) from Mozilla.  CSP is meant to fix a large class of web application vulnerabilities, including cross site scripting, cross site request forgery and more.  The book notes that as powerful as CSP is, one of its main problems is not a security one, in that it requires a webmaster to move all incline scripts on a web page to a separately requested document.  Given that many web pages have hundreds of short scripts; this can be an overwhelmingly onerous task. 

The chapter concludes with other developments such as in-browser HTML sanitizers, XSS filtering and more. 

Each chapter also concludes with a security engineering cheat sheet that details the core themes of the chapter. 

For anyone involved in programming web pages, The Tangled Web: A Guide to Securing Modern Web Applications should be considered required reading to ensure they write secure web code. The book takes a deep look at the core problems with various web protocols, and offers effective methods in which to mitigate those vulnerabilities. 

Michal Zalewski brings his extremely deep technical understanding to the book and combines it with a most readable style.  The book is an invaluable resource and provides a significant amount of information needed to write secure code for browsers.  There is a huge amount of really good advice in this book, and for those that are building web applications, it is hopes this is a book they read.

Ben Rothke

Senior Information Security Manager, Tapad

risk management data security

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs