The web came together from many points of interest, and its open and free for all nature is both a blessing and a curse. It’s a blessing in that the barrier to creating software to run on the web is very low (at least in its origin). A dizzying array of products, services, browsers, and other technologies has sprung up to make the experience more entertaining, engaging, and create one of the worlds most pervasive communications mediums. It’s a curse in that with all of those varied (and competing) approaches, the ability to exploit and subvert the web is also relatively easy. We all agree that we want a more secure web. The big question is “how can we make that a reality?”

Michal Zalewski provides an answer in “The Tangled Web“. As a software tester, this book is a well-spring. It shows the vulnerabilities that browsers have, and it gives an excellent walk through of potential exploits that testers can add to their plan of attack.

Michal starts out by giving us a tour and history of how we got where we are today, as well as a walk through of the basics of URL encoding, HTTP requests, cookies, HTML and CSS, Server and Browser Side Scripting (in all its various flavors). The variety of browser plug-ins that allow users to make their browsers more extensible and do things that go well beyond the traditional HTTP model of transactions is also covered (ActiveX, anyone?). This has not been a straight line of innovation, and it hasn’t been done in the spirit of collegiality. In may ways, it’s this lack of camaraderie that has led us to the situation we are in today; too much finger pointing and not enough mutual collaboration can be said to be the reason the web is much less secure than it potentially could be.

You could be forgiven if you think this section is just a rehash of basic Web Info 101, but you would be wrong. In each section, Michal shows some interesting inconsistencies, and ways that miscreant users can take advantage of them (Unicode manipulation to display completely logical looking URLs but be totally different due to using Cyrillic alphabet characters? I’ll admit *I* never thought of that one; it’s a phisher’s dream!).

Part II focuses on Browser Security Features, i.e. those features in various browsers that are actually designed to help users (and developers) make sure that they are hindering the ability of rogue apps to cause mischief. Michal explores the vagaries of Content Isolation (the same origin policy being the most significant), Origin Inheritance (using URL’s with data:, JavaScript: or about:), Frame Hijacking and Cross Domain Content Inclusion, following different security rules for Intranet vs. Internet usage, running services on non-standard ports, user generated content and files, and more explicit and aggressive forms of malicious use like Denial of Service attacks.

Part III focuses on some up and coming areas where web browser manufacturers are making feature distinctions with browser security as a legitimate selling point. Cross Origin Resource Sharing (CORS), Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), in-Browser HTML Sanitization, and additional tweaks to modern browsers take center stage in this section. Many of these modifications are currently in play on some browsers but not others, and many are part of the HTML5 and CSS3 framework that is emerging. Michal makes the case that, while many of these schemes are somewhat effective, it would be wise to not let one’s guard down and rely on these modifications on faith alone. Forewarned is forearmed. The section ends with a chapter dedicated to Common Web Vulnerabilities (and a good list of test areas for the aspiring penetration tester).

At the end of each chapter is a “Security Engineering” Cheat Sheet. Note that each of these suggestions can also be used as a “Security Deconstruction Cheat Sheet” as well. Any tester looking to expand on their penetration testing repertoire, or just expand their current Heuristic Testing models, would be well advised to look over each of these cheat sheets and see if, indeed, the sites and pages they are testing actually follow these directives, or if they don’t.

Bottom Line:

This is not a book that you will be able to read in a single sitting and absorb everything that it contains, but it will make you sit up and think about aspects of web security you might never have considered before. This is in equal parts a wake-up call and a style reference. It sounds a much-needed alarm and shows us areas we take for granted way too often, and alerts us to issues we have likely never considered. If you’re a developer, tester, or infrastructure implementer, you would be wise to read and then re-read The Tangled Web. In our ever-changing world and with our web sites and services becoming more complex rather than less, the advice in this book may well prove to be both timely and timeless.