The Tangled Web helps secure browser-based apps

Review by Steve Hardwick

No Starch Press, November 2011, 320 pp., $49.95

A survey by Veracode published in December 2011 found that more than 80 percent of approximately 10,000 web applications examined failed security testing. This data shows that web applications provide fertile ground for hackers to launch their malware; web developers clearly still have work to do to make their applications secure. The Tangled Web by Michal Zalewski is targeted toward web application developers and security professionals who already have a solid understanding of how the web and browsers operate. The author goes into fairly technical detail, assuming that the reader has the skills needed to follow the technology discussed.

After an introductory chapter outlining some security fundamentals, the book is split into three parts. The first part covers browser and web technologies, with specific attention paid to vulnerabilities and how they came to be part of the infrastructure. The second part covers browser security and highlights some of the ways to mitigate the inherent holes in the current technology. The final part covers some of the new vulnerabilities that are expected to appear in the near future. With a couple of exceptions, each chapter concludes with a security engineering cheat sheet. This summarizes the topics covered in the chapter and serves as a guide to implementing some of the technology discussed. It provides a useful quick reference to the book's contents after the reader has completed a read-through, and can be used as a design aid on future projects.

Part One goes into some depth on the various technologies used by browsers, both their internal operating infrastructure and the services used over the web. Attention is paid to areas of the technology that are open to exploitation. In many cases the author outlines how the weaknesses came into being and gives a good view into the difficulty of building this technology. Part One is broken down into chapters that cover the different pieces of browser function. Both internal processes (HTML and CSS parsing, for example) and external processes (HTML and URL parsing) are reviewed. Two chapters cover the additional programming capabilities of the browser, namely JavaScript and plug-ins. Throughout this section many examples are given of how the vulnerabilities can be exploited, giving the reader a better understanding of how a hacker would go about using these weaknesses. In some cases a chapter offers only a limited discussion of a topic because of its breadth and complexity; the author then includes references to other works that cover the topic in greater detail and focuses on the key areas relevant to web security.

The first five chapters of Part Two concentrate on the browser security mechanisms that attempt to prevent rogue content from interfering with legitimate content displayed within the browser. These chapters cover how content isolation is maintained in the operation of the browser, and the concepts discussed in Part One are used to show how browser security achieves this. Content from user input and downloaded data is included in this review. Furthermore, the impact of scripting and plug-in functionality is discussed in depth so the reader can understand how it affects the overall security of a web application. There are many references to works in which researchers have shown examples of exploits based on vulnerabilities in the browser and associated functions. The last two chapters of this section cover dealing with rogue scripts and extrinsic site privileges. In general Part Two provides a comprehensive overview of many security flaws in the browser. There are comparisons between the major browsers and how their operation differs with respect to the exploits, along with recommendations on how to understand and overcome them.

Part Three looks at some of the changes that may come to fruition in the future. The first chapter covers new and upcoming security standards intended to mitigate some of the problems that plague browsers today. These include cross-domain requests (including a discussion of Cross-Origin Resource Sharing, CORS), Content Security Policy (CSP), sandboxed frames, Strict Transport Security, private browsing modes, in-browser HTML sanitizers and XSS filtering. In each case a summary of the goal of the security measure and its current status is given. The second chapter covers new browser developments and how they may affect security; several new or planned API sets are examined for their intent and current implementation. The final chapter is a synopsis of common web vulnerabilities and how they are defined. Common, simple definitions are used for the various vulnerabilities, for example Cross-Site Scripting (XSS). For each there is a short description with a reference to the relevant detailed section of the book.
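Several of the mechanisms named above (CSP, Strict Transport Security and CORS) are delivered as HTTP response headers, so a small audit routine makes the difference between a weak and a hardened configuration concrete. This is an added example, not code from the book or its author: the two header sets and the thresholds it applies (such as a 180-day minimum for the HSTS max-age) are constructed for illustration, not taken from the book.

```python
"""Audit an HTTP response's security headers (constructed example, not from the book)."""
import re
from typing import Dict, List

# Constructed sample: a configuration with several common weaknesses.
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=3600",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}

# Constructed sample: the same site with the weaknesses corrected.
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                               "object-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Access-Control-Allow-Origin": "https://app.example",  # placeholder origin
    "Access-Control-Allow-Credentials": "true",
}

HSTS_MIN_AGE = 180 * 24 * 3600  # assumed threshold: 180 days in seconds


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive-name: [source tokens]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means no concerns were found."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    # Content Security Policy: missing, or permits inline/eval script or unrestricted plugins.
    csp = h.get("content-security-policy")
    directives = parse_csp(csp) if csp else {}
    if csp is None:
        findings.append("CSP missing")
    else:
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src or "'unsafe-eval'" in script_src:
            findings.append("CSP allows inline or eval script")
        if "object-src" not in directives and "default-src" not in directives:
            findings.append("CSP does not restrict plugin content (no object-src)")

    # Strict Transport Security: missing, or max-age too short to be useful.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append("HSTS max-age shorter than 180 days")

    # CORS: a wildcard origin combined with credentials exposes authenticated responses.
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials", "").lower()
    if acao == "*" and acac == "true":
        findings.append("CORS: wildcard origin combined with credentials")

    # Framing: neither frame-ancestors nor X-Frame-Options limits who may embed the page.
    if "frame-ancestors" not in directives and "x-frame-options" not in h:
        findings.append("no framing restriction (no frame-ancestors or X-Frame-Options)")

    return findings


if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, audit_headers(hdrs) or "no findings")
```

Running the block prints four findings for the weak set and none for the hardened set; the routine is deliberately a linter over header text, so it reports what the server sends rather than what any particular browser will enforce.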

There is a pivotal statement in Chapter 16: “the dream of inventing a brand-new browser security model is strong within the community, but it is always followed by the realization that it would require rebuilding the entire Web.” This book walks the reader through the inner workings of popular browsers, focusing on the weaknesses embedded in their very construction. The author takes time to explain how these came about and the attempts made to fix them. In Part Two he also gives examples of how to develop web applications so that you can navigate around these deficiencies. The security engineering cheat sheets give an easy way to develop a strategy for applying basic security concepts to web application development. The book is an invaluable reference for anyone working with, testing or deploying web applications.