The Tangled Web: A Guide to Securing Modern Web Applications

4.07  ·  Rating details ·  494 ratings  ·  40 reviews
"Thorough and comprehensive coverage from one of the foremost experts in browser security."

—Tavis Ormandy, Google Inc.

Modern web applications are built on a tangle of technologies that have been developed over time and then haphazardly pieced together. Every piece of the web application stack, from HTTP requests to browser-side scripts, comes with important yet subtle sec
Paperback, 320 pages
Published November 26th 2011 by No Starch Press (first published September 22nd 2011)
Community Reviews

Rose Smith
Oct 11, 2019 rated it it was amazing
I should have read this book at the beginning of my career. On the other hand, after 10 years' experience I may appreciate it even more.
Wilson Jimenez
Mar 22, 2018 rated it really liked it
Shelves: web-development

A bit dated, as any 7-year-old web-related book is; I picked it up to get a good grasp of the definition and impact of things like XSS, XSRF, header splitting, etc.

Most of the book is still relevant but some stuff should be revalidated since they may be deprecated like XDomainRequest.

What I like about these older books concerning the web is that they're an easy read; that is, by having a bit of knowledge of some of the concepts, getting a deeper understanding is straightforward.


Mar 14, 2012 rated it it was amazing
Shelves: security
I’ve been interested in IT security for a long time, but obviously even more so since I started working professionally in this area. Since web applications have become ubiquitous in recent years, they constitute a big part of our penetration testing work. This is a very broad topic, so The Tangled Web: A Guide to Securing Modern Web Applications by Michal Zalewski is an ambitious project.

The first thing I noticed was that the book is comparatively thin. At around 300 pages it’s only about one th
Ahmed Sultan
Nov 08, 2015 rated it liked it
Shelves: tech
Read it about 2 times. Not bad for getting an idea about the client side and the browser's holes,
but for web app pentesting generally!!!
it might not help a lot.
But I still suggest reading it, especially for those who are already done with the classic web vulnerabilities and need a deeper look at the browser's side.
I would classify it in the same category as "Browser Hacker's Handbook", but to be honest there are some nice tricks and notes regarding web technologies in this book, and that's why I am giving it 3*.
Nov 21, 2012 rated it it was amazing
Pretty horrifying to find out just how fucked the modern web is.
Alex Gyoshev
Mar 06, 2019 rated it really liked it
Shows the numerous ways in which the web has failed in terms of security. More importantly, the book shows the reasons why these problems have occurred.

Even though some of the discussed problems have been mitigated during the years, and there are more secure methods available, the book is still very interesting, and some of the attacks are still relevant.
Jan 13, 2019 rated it really liked it
The Tangled Web: A Guide to Securing Modern Web Applications is a fairly solid introduction to computer security in the context of web sites/browsers with one fairly major downside: it was published 7 years ago. In the context of the Internet, that's... quite a while.

When this book was published, IE had a 40% market share, followed by Firefox with 30%, and Chrome with only 20%. Given that more recent numbers show Chrome with 70%, FF with 10%, and IE + Edge together only at 10%... the Internet
Oct 19, 2016 rated it really liked it
I got through maybe 1/4 of this book, then skimmed the rest for takeaways. What I got was great, and I will keep it around as a reference. Recommended. Although dense, I could get through half a chapter at a time before I felt like I was on information overload. For a technical book, that is pretty great.
Feb 12, 2013 rated it it was ok
This book has a ton of complaints and not many suggestions to fix those issues.
Sep 03, 2018 rated it did not like it  ·  review of another edition
Even accounting for the fact that this came out a while ago and the web is a fast-moving target, this is not a good book.

I have a background in developing web applications on both the server and the front end, so I feel like I ought to be able to get something out of this. But the book has a pattern of going on for a long time into internet basics that I'm already familiar with, then suddenly dives into particular vulnerabilities that are so poorly explained that I can't tell whether they're hap
Ioannis Papagiannis
Aug 13, 2017 rated it really liked it
Needs an update for sure, but quite enjoyable still. The tongue-in-cheek intro about academics looking into web security was quite funny. Definitely protested inside "but they really are manifestations of the confused deputy problem"!

"Part of the problem is that said experts have long been dismissive of the whole web security ruckus, unable to understand what it was all about. They have been quick to label web security flaws as trivial manifestations of the confused deputy problem[1] or of some
Mar 20, 2021 rated it liked it
Do yourself a favor and start with ch 18 and the epilogue then read through the sections you're interested in. The book is outdated and while it's clear that the author is an expert in this field their writing style was really difficult for me to understand.

I barely got through this book but that doesn't mean it wasn't worth reading. I think in combination with real life experience and other security books this one will really shine, the author truly knows what they're talking about. On its own
Sep 01, 2017 rated it liked it
Shelves: nonfiction
This can perhaps be boiled down to "user-generated content is hard."

But really: decently interesting read, though definitely in more of a reference format than Silence on the Wire. I learned a few new things, and would definitely come back if building a site with user accounts. Yes, at six years old some parts are getting a little dated (IE6 security problems aren't that much of a burden, thankfully), but it's not like XSS isn't an issue these days.
Jan 14, 2021 rated it liked it
Some of the basics are still relevant today, but the vast majority has been adjusted / edited;
well, the book was published in 2012 (I got my hands on the Polish version from 2012).
I stopped reading it somewhere in the middle; hm, I have a feeling lots of things are extremely dated and fairly so (for example, there is info on Internet Explorer and Flash, both dead as of Jan 2021).
But still, if you come across it, it is a fine read.
Hao Ca Vien
Aug 03, 2018 rated it it was amazing
A great read about Cross-Site Web Forgery and other exploits that a developer should be aware of when developing for the web. A lot of his techniques have since been patched, but it's cool to note that they were once problematic. Novice web developers and web designers should be aware of these problems before developing. I highly recommend reading it through once.
Gary Boland
Jan 19, 2018 rated it liked it
It is a little dated but still a worthwhile listing of vulnerabilities in browsers
Alessandro Baffa
Jul 01, 2018 rated it it was amazing
A fundamental read for all those who work with web applications.
Sep 18, 2019 rated it liked it
The contents are in many places outdated at this point. Still an interesting book though.
Apr 05, 2020 rated it it was amazing
Started reading, realized the book is dated but was not able to put it down. Exquisite read
Apr 10, 2021 rated it it was amazing
Introductions to Cybersecurity and application security in general are hard to find. The Tangled Web stayed relevant and for the content is relatively consumable by newbs.
Mikko Kärkkäinen
Oct 23, 2013 rated it it was amazing
This was the first book I've read about web security, recommended by a fellow who lectured on the subject at our company. It wasn't organized exactly how I expected, but I think that was a good thing. I was expecting the book to list the vulnerabilities outlined in OWASP one by one, explaining what they are and how to prevent them. However, those were not discussed until the very end of the book. Instead, the bulk of the book was really about understanding every little piece of the puzzle tha
Sergey Machulskis
Nov 03, 2019 rated it it was amazing
Shelves: professional, best
Awesome book, a joy to read. It's dense, but written in a cheerful tone. The author knows a lot about web security. It's not bound to a narrow set of technologies, frameworks, OSes or browsers. It touches a little bit of everything, but that doesn't make it shallow. I wasn't aware of about 90% of the information presented in this book. It has none of the cumbersome and useless terms security charlatans like. It's very practical and full of advice.

I felt slightly uncomfortable because it was written around 2011. Som
Jari Pirhonen
Excellent source for browser and web application related security features. Underlines the current reality that the web app environment is (too) complex and full of features that are easy to forget, misconfigure or overlook. I must admit that I just browsed parts of the book because of its technicality, but this is a keeper in case I need to check some nitty-gritty details of browsers, web protocols, plugins, Javascript, etc.

The book has a chapter of planned new security features, also. It was ment
Frank Caron
Aug 28, 2013 rated it it was amazing  ·  review of another edition
A really important read for anyone working on web front-ends in 2015. Great overview of a ton of major issues and concerns, including a bunch of stuff that less-technical folk (like product owners) would benefit from knowing, particularly when it comes to thinking through test scenarios in highly-stringent environments (e.g., where PCI compliance is a concern). Very thorough and complete without being obtuse.
Not as good as I was expecting. I am actually surprised by the good reviews given above?!

The book is not technical .. just a list of complaints and not so many details about attacks or attack vectors.

If you're looking for the real deal .. check out: WAHH!
It's much more technical and detailed..

I will write a full review about it once done.
Mostafa Siraj
Feb 12, 2012 rated it it was amazing
One of the best web security books I have read. Although the book focuses mainly on browser security, you can learn 10s of relevant sophisticated web attacks by understanding browser security. The book is of course for advanced security professionals and not for beginners.
Oct 12, 2012 rated it really liked it
A wonderful book that, albeit highly specific to the state of browsers in the first decade of the 21st century, should still somewhat stand the test of time since, on the whole, the industry doesn't seem to always take the time to learn from the past.
Zbyszek Sokolowski
Feb 02, 2013 rated it really liked it  ·  review of another edition
Shelves: technical
On one hand the book is pretty interesting; it shows that the Web and its browsers are a big security hole. Especially the historical causes, when people were unaware of security issues, led to many problems. Reading this book confirms the common bias that using Internet Explorer is not the wisest idea.
Feb 22, 2012 rated it really liked it
Very detailed overview of web browser design and security. Will be dated soon, but for now it is the best resource of its kind. I'm still amazed that the web can be so exploitable, yet work so well.
Vaibhav Gupta
Nov 12, 2012 rated it it was amazing
The book discusses common web application vulnerabilities and also certain browser quirks which seem surprising and scary.