Although the title “The Tangled Web” gave a different idea, the subtitle “A Guide to Securing Modern Web Applications” pointed to its security background.
It turned out to be a dive into the history and workarounds of the web!
I wrote down some of the things I learned from reading the book as a reminder to my future self. Maybe they encourage you to read the book as well.
Creating parsers for the web is hard
This allows for a myriad of injection attacks once you allow your users to provide content in your application or web site. The author suggests parsing and then re-creating the content, but even that seems to me to be hard to get “right” (as in preventing injection).
Don’t be liberal
There’s Jon Postel’s law: “Be conservative in what you do, be liberal in what you accept from others.”
There is an encoding called UTF-7
Every feature leaks personal information
This might be visited link formatting, APIs to derive the orientation of the browser or other old and new browser features. I liked the idea of rendering a number derived from the sites previously visited and tricking the user into entering it as a CAPTCHA in an input field (see: “I Still Know What You Visited Last Summer” by Weinberg et al.).
Numerous ways to trick the user
A piece of advice from Michal Zalewski, the author: It might be a good idea to check that the mouse has been hovering over your web site’s window for at least 500 ms before allowing the user to click a button to execute something security-related or non-revertible.
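The 500 ms hover check described above could look like this in the browser. This is an added example, not code from the book or its author; `HoverGuard`, `attachGuard` and the choice of events are assumptions.

```javascript
// Added example (not from the book): reject clicks that arrive too soon
// after the pointer entered the page. All names are hypothetical.
const MIN_HOVER_MS = 500; // threshold quoted in the post

class HoverGuard {
  // `now` is injectable so the timing logic can be tested without a browser.
  constructor(now = () => Date.now(), minHoverMs = MIN_HOVER_MS) {
    this.now = now;
    this.minHoverMs = minHoverMs;
    this.enteredAt = null; // null: pointer not known to be over the page
  }
  // Idempotent: repeated move events must not restart the timer.
  pointerSeen() {
    if (this.enteredAt === null) this.enteredAt = this.now();
  }
  pointerLeft() {
    this.enteredAt = null;
  }
  allowsClick() {
    return this.enteredAt !== null &&
      this.now() - this.enteredAt >= this.minHoverMs;
  }
}

// Wire the guard to a page. `root` is expected to be
// document.documentElement and `button` the sensitive control.
function attachGuard(root, button, action, guard = new HoverGuard()) {
  root.addEventListener('mouseenter', () => guard.pointerSeen());
  // mousemove covers a pointer that was already over the page at load time.
  root.addEventListener('mousemove', () => guard.pointerSeen());
  root.addEventListener('mouseleave', () => guard.pointerLeft());
  button.addEventListener('click', (event) => {
    if (!guard.allowsClick()) {
      event.preventDefault(); // too early: drop the click
      return;
    }
    action(event);
  });
  return guard;
}
```

The guard only covers mouse-driven clicks; keyboard activation produces no hover events and would need separate handling.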
Thank you, Dennis, for lending me this book. I’m sorry it took me so long to read – now I can finally return it.
The book has a page on the author’s web site where you can find sample chapters. You can buy this book online, for example from the publisher No Starch Press (DRM-free) or at Amazon. There might be used ones available at a cheaper price.