The Tangled Web: A Guide to Securing Modern Web Applications [Kindle Edition]

Michal Zalewski
4.6 out of 5 stars (34 customer reviews)

Digital List Price: $31.95
Print List Price: $49.95
Kindle Price: $22.99
You Save: $26.96 (54%)



Format | Amazon Price
Kindle Edition | $22.99
Paperback | $34.95

Book Description

"Thorough and comprehensive coverage from one of the foremost experts in browser security."

—Tavis Ormandy, Google Inc.

Modern web applications are built on a tangle of technologies that have been developed over time and then haphazardly pieced together. Every piece of the web application stack, from HTTP requests to browser-side scripts, comes with important yet subtle security consequences. To keep users safe, it is essential for developers to confidently navigate this landscape.

In The Tangled Web, Michal Zalewski, one of the world's top browser security experts, offers a compelling narrative that explains exactly how browsers work and why they're fundamentally insecure. Rather than dispense simplistic advice on vulnerabilities, Zalewski examines the entire browser security model, revealing weak points and providing crucial information for shoring up web application security. You'll learn how to:

  • Perform common but surprisingly complex tasks such as URL parsing and HTML sanitization
  • Use modern security features like Strict Transport Security, Content Security Policy, and Cross-Origin Resource Sharing
  • Leverage many variants of the same-origin policy to safely compartmentalize complex web applications and protect user credentials in case of XSS bugs
  • Build mashups and embed gadgets without getting stung by the tricky frame navigation policy
  • Embed or host user-supplied content without running into the trap of content sniffing

For quick reference, "Security Engineering Cheat Sheets" at the end of each chapter offer ready solutions to problems you're most likely to encounter. With coverage extending as far as planned HTML5 features, The Tangled Web will help you create secure web applications that stand the test of time.
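The first and third bullets above, URL parsing and same-origin checks, are where most of the practical pain lives. The following JavaScript is an added example, not code from the book or from this listing: it runs a hand-rolled host extractor of the kind found in real redirect and SSRF allow-lists against the WHATWG URL parser that Node.js and browsers ship as the global `URL`, over a set of constructed URLs, and reports where the two disagree. The names `naiveHost`, `parsedHost`, `sameOrigin`, `compareParsers` and the sample URLs are this example's own.

```javascript
// Added example: a naive host check versus the platform URL parser.
// The sample URLs are constructed for this illustration.

// A deliberately naive host extractor of the kind seen in real code:
// "take everything between :// and the next slash, drop any userinfo
// before the last '@', drop the port, lower-case the rest".
function naiveHost(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/]*)/i.exec(url);
  if (!m) return null;
  const authority = m[1];
  const at = authority.lastIndexOf("@");
  const hostPort = at === -1 ? authority : authority.slice(at + 1);
  return hostPort.split(":")[0].toLowerCase();
}

// The host as the browser's (WHATWG) URL parser sees it, or null if the
// string is not a valid URL at all.
function parsedHost(url) {
  try {
    return new URL(url).hostname;
  } catch (e) {
    return null;
  }
}

// Same-origin check done the robust way: compare the parser's origin
// (scheme + host + port, with case and default ports normalised), never a
// substring of the raw string.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Run both extractors over a list of URLs and flag disagreements. Any
// disagreement is a spot where a host-based allow-list and the browser
// would send the request to different places.
function compareParsers(urls) {
  return urls.map((url) => {
    const naive = naiveHost(url);
    const parsed = parsedHost(url);
    return { url, naive, parsed, agree: naive === parsed };
  });
}

// Constructed inputs: strings an attacker might hand to a redirect or
// fetch endpoint that "checks the host" before using the URL.
const SAMPLE_URLS = [
  "http://example.com/",            // baseline: both agree
  "http://example.com@evil.com/",   // userinfo: both report evil.com
  "http://example.com\\@evil.com/", // backslash: parser treats \ as /, host is example.com
  "http://evil.com#@example.com",   // fragment: parser stops at #, host is evil.com
  "http://example.com?@evil.com",   // query: parser stops at ?, host is example.com
  "http://EXAMPLE.com:80/",         // case + default port: both normalise to example.com
];

for (const r of compareParsers(SAMPLE_URLS)) {
  console.log(`${r.agree ? "ok  " : "DIFF"} naive=${r.naive} parsed=${r.parsed} ${r.url}`);
}
```

Run it with `node`. Three of the six constructed inputs come out with a different host depending on which parser you ask, which is exactly the class of bug the book's URL-parsing chapter is about: any trust decision must be made on the output of the same parser that will later consume the URL, and for browsers that means comparing `origin` rather than hunting for a hostname in the raw string.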

Editorial Reviews

About the Author

Michal Zalewski is an internationally recognized information security expert with a long track record of delivering cutting-edge research. He is credited with discovering hundreds of notable security vulnerabilities and frequently appears on lists of the most influential security experts. He is the author of Silence on the Wire (No Starch Press), Google's "Browser Security Handbook," and numerous important research papers.

Product Details

  • File Size: 1343 KB
  • Print Length: 320 pages
  • Simultaneous Device Usage: Unlimited
  • Publisher: No Starch Press; 1 edition (November 19, 2011)
  • Sold by: Amazon Digital Services, Inc.
  • Language: English
  • ASIN: B006FZ3UNI
  • Text-to-Speech: Enabled
  • Word Wise: Not Enabled
  • Lending: Not Enabled
  • Amazon Best Sellers Rank: #92,161 Paid in Kindle Store (See Top 100 Paid in Kindle Store)

Customer Reviews

Most Helpful Customer Reviews
26 of 27 people found the following review helpful
By K. H.
Mr. Zalewski's new book is impressive and should be read by anyone working in the web space who cares about security -- whether an attacker or defender. It definitively captures the current state and how we arrived at this juncture due to the many historical browser wars. His current employer and producer of the most secure browser -- Google Chrome -- is about to capture a 40% share [1] of the browser market and leapfrog Firefox, Internet Explorer, and Safari.

The Tangled Web untangles the mystery of some poor design philosophies and also discusses some of the improvements that have been made along the way. A quote from the book that sums it all up is a statement that "...the status quo reflects several rounds of hastily implemented improvements and is a complex mix of browser-specific special cases..."

I greatly enjoyed reading the book and jotted some notes down that may be useful to other readers. These were the topics that piqued my interest the most:

* Microsoft's challenge to JavaScript, VBScript, has the potential for some exploitation, if no one has been fuzzing it much thus far.

* SVG embedding vulnerabilities potential (e.g. some initial research also published by Thorsten Holz [2]).

* Flash cross-domain exploitation examples and crossdomain.xml "loose" policies.

* Great coverage of "GIFAR" type issues.

* Astute observations of trade-offs in plugin attack surface versus actual benefit to users.

* XBAP security coverage.

* The excellent tables of Same-Origin-Policy violations and other tests versus different client-side contexts.

* In depth coverage of URI schemes [3] and potentials for abuse.

* How to resolve data sharing via new mechanisms like the postMessage() API.
10 of 10 people found the following review helpful
In the classic poem Inferno, Dante passes through the gates of Hell, which has the inscription "abandon all hope, ye who enter here" above the entrance. After reading The Tangled Web: A Guide to Securing Modern Web Applications, one gets the feeling that writing secure web code is akin to Dante's experience.

In this incredibly good and highly technical book, author Michal Zalewski writes that modern web applications are built on a tangled mesh of technologies that have been developed over time and then haphazardly pieced together. Every piece of the web application stack, from HTTP requests to browser-side scripts, comes with important yet subtle security consequences. In the book, Zalewski dissects those subtle security consequences to show what their dangers are, and how developers can take it to heart and write secure code for browsers.

The Tangled Web: A Guide to Securing Modern Web Applications is written in the same style as Zalewski's last book - Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks, which is another highly technical and dense book on the topic. This book tackles the issues surrounding insecure web browsers. Since the browser is the portal of choice for so many users, its inherent security flaws leave the user at significant risk. The book details what developers can do to mitigate those risks.

This book starts out with the observation that while the field of information security seems to be a mature and well-defined discipline, there is not even a rudimentary usable framework for understanding and assessing the security of modern software.

In chapter 1, the book provides a brief overview of the development of the web and how so many security issues have cropped up.
12 of 13 people found the following review helpful
3.0 out of 5 stars Decent book...for readers with previous knowledge August 23, 2012
In general, I thought this book was good. It covers a lot of material, and has nice "cheat sheets" at the end of each chapter.

The reason I give the book 3 stars, however, is that the author is suffering from the curse of knowledge (or perhaps I am suffering from the curse of ignorance). While he gives some background information on how browsers work, how HTML works, etc. in the first part of the book, I did not find that it was enough to really understand the consequences of some of the vulnerabilities that he mentions. Often I was left wondering how the issue he raises is actually an issue, or how someone would exploit it.

As a web developer, knowing how someone might exploit the security holes allows me to figure out how to close down those holes and make my web application more secure.

Also, the book seems to be focused on what browser developers should be doing in order to close down these issues, and not what web developers should be doing.
6 of 6 people found the following review helpful
5.0 out of 5 stars Systematic coverage of browser security November 30, 2011
Format: Paperback | Verified Purchase
The book provides systematic coverage of browser security. The first 6 pages of chapter 1 provide brilliant insight into why formal security models, risk management and taxonomies fail to deliver promised security improvements to organizations that embrace them. I used to explain the same with a lot of hand waving; Zalewski's approach and insight are far superior.

Make no mistake, the book is focused on the browser and related technologies rather than the theory of security. The same tremendous insight, that made me nod with appreciation and wish that I had the book 5 years ago while working on security policies, illuminates browser concepts like in-browser content separation, scripting, and much more.

I appreciate the author's treatment of each of the concepts in the context of the browser as a complex and still evolving technology, with its own history, standards, market requirements and politics.
Most Recent Customer Reviews
5.0 out of 5 stars Five Stars
One of the most well written security books on any subject matter.
Published 3 days ago by John
5.0 out of 5 stars At first I was conservative about this book because of ...
At first I was conservative about this book because of the topics, URL, HTML, etc... However, since I'm a Zalewski fan, I decided to try it. Read more
Published 4 months ago by Henrique Ferraz Arcoverde
2.0 out of 5 stars Weak...
Really expected more from this book. It does have some interesting bits, but it lacks depth, does not manage to pull my attention. Read more
Published 4 months ago by Gunnar Wolf
4.0 out of 5 stars Highly-Effective Guide
A remarkable tour through the mess of protocols and band-aids that comprise the web we know and love today. Read more
Published 7 months ago by Nyck
5.0 out of 5 stars Good guidance for developing secure web applications
Did you know that every web application should have a crossdomain.xml? Check the top level of most popular sites. Read more
Published 10 months ago by rpm507
5.0 out of 5 stars Very Useful and Informative Book
This book has a lot of information and history in it. It's a great book to read if you already know something about web applications and web security. Read more
Published 13 months ago by Reeko
3.0 out of 5 stars Not a developers book
Although not a bad book as such, I found it to be annoying. That's because the subtitle "A guide to securing modern web applications" lies. It is not a book for developers. Read more
Published 19 months ago by Ronald Ploeger
5.0 out of 5 stars Zalewski again, driving the security practices
The book is very well written and goes through modern web application vulnerabilities. The author, as always, gives examples and very clear explanations.
Published 20 months ago by E. Gutesman
3.0 out of 5 stars rambling
The content is good but the organization of the book is somewhat rambling, jumping around. This is a problem which often appears in technical publications.
Published 22 months ago by Lee Stecklov
5.0 out of 5 stars Explains how and why the web is broken
A great book. Initial focus on fundamentals of how URLs etc. work. Describes how browsers actually work, moving into JavaScript and the DOM etc. Read more
Published 23 months ago by Keary - OWASP