Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

{book review} The Tangled Web

It’s been 6 years since Michal Zalewski’s “Silence on the wire” hit the shelves. Although “The Tangled Web” concentrates on a completely separate set of issues, you can’t fail but draw comparison between the two books. Zalewski’s unique style of writing brings both topics to life, not simply scratching the surface of a set topic, but diving headlong into the lowest levels to give the reader a true understanding of the reasons why, and the thought processes behind, any feature, bug, or technology discussed. The Tangled Web does for Web Applications what silence on the wire did for computers and networks.

The Tangled Web is split into 3 parts, starting off with a concise walk-through of the underlying technologies of the web. Unlike so many other books that take for granted that the reader is already up to par on the backstory, Zalewski takes the time to really dig deep into the tools, protocols and RFCs that run the modern web.

Part 1: Anatomy of the web

    • It starts with a URL
    • Hypertext Transfer Protocol
    • Hypertext Markup Language
    • Cascading Style Sheets
    • Browser Side Scripts
    • Non-HTML Document Types
    • Content Rendering with Browser plug-ins

This not always pretty romp through an alphabet soup of acronyms gives the reader the knowledge need to not only understand and appreciate the 2nd part of the book as it should be, but is in my mind the single best source for anybody looking to really understand the web as it works today. Not the way you think it  works, the way it should work, or the way the RFCs say it needs to work, but the down and dirty truth behind the web. Nothing is what it seems, and when you place the safety of your computer in the hands of browser vendors, you’re not quite sure what you’re going to get it seems.

Part 2 of the book moves from understanding the web to understanding how browsers see and interpret the web, and how the browser security models really work. You’d think every browser would see things and handle things the same, but after even the first few pages you get the feeling that no 2 browsers are going to handle things the way you expect, or want!

Part 2: Browser Security Features

    • Content Isolation Logic
    • Origin Inheritance
    • Life Outside Same-Origin Rules
    • Other Security Boundaries
    • Content Recognition Mechanisms
    • Dealing With Rogue Scripts
    • Extrinsic Site Privileges

Zalewski covers the very fundamentals the current generation of browsers use to protect users in a way that just seems to make things click. Even when discussing things like same-origin policy and how the different browsers interpret the rules, the information just seems to make sense without needing to re-read sections over and over (an issue I had with some of the “silence on the wire” content at times). A common theme that comes up in part 2 of the book is the “sins of the old”, were browsers are suffering from security issues due to lack of foresight. As more and more bandaids are stuck into the browser security models, things become ever complex. It’s sad to see however that companies still aren’t learning from this lack of foresight as issues crop up again and again (for example <canvas> loading of cross-domain images. An issue that’s since been resolved).

Those who cannot remember the past are condemned to repeat it. (George Santayana)

The chapter discussing “Content Recognition Mechanisms could easily be renamed to “101 reasons to always set a charset”. The sniffing logic of browsers is both scary and often abused. What struck me more than the scary quirks of certain browsers was that most people just aren’t aware of these issues… I know I wasn’t!

Moving into part 3 of the book, Zalewski talks about what’s to come in terms of browser advancements.

Part 3: A Glimpe Of Things To Come

    • New And Upcoming Security Features
    • Other Browser Mechanisms Of Note
    • Common Web Vulnerabilities

Despite what the first 2 chapters of the tangled web bring to light, it doesn’t seem that browser vendors have learnt the lesson from history. New features seem to once again be applied unevenly across browsers, with Microsoft going their own route with things like xDomainRequest. Not to be left out in the cold, Mozilla’s drive for CSP is discussed in-depth along with other restriction frameworks. There’s a lot of ideas in this space it seems, but little consensus on how or what to implement.

Conclusions

I love this book… there’s no other way to say it. Every once in a while you get a book that’s well written, contains good content and sparks those little ideas in the back of your brain. For me, the tangled web met all of these points and then some. A book that gives you so much background on the how and the why of things, that you come out the other end really feeling like you know the subject matter.

That said, I’m not 100% sure who this book is targeted at… the addition of the “security engineering cheat sheets” at the end of each chapter is a great idea, and for a defender it provides some really good information. How ever I’m not sure I know many defenders that would pick this book up and give it the time it really deserves. Maybe I’m wrong on this, and I hope I am.

I also don’t didn’t see it being something the attacker types would be jumping all over themselves to read either. It’s not full of the usual hacking tips, tricks and tools you’ve come to expect from hacker books in the last few years. The information is more than that I find, but it needs to be applied to other ideas to be really useful. Still from a discussion with No Starch at Shmoocon, they sold out of the tangled web, so I hope I’m wrong on this too.

TL:DR; Read this book… give it your full attention, and come out the other end smarter for it!

About these ads

One response to “{book review} The Tangled Web

  1. Pingback: Week 5 in Review – 2012 | Infosec Events

Follow

Get every new post delivered to your Inbox.

Join 126 other followers

%d bloggers like this: