The Tangled Web: A Guide to Securing Modern Web Applications
4.06 · 429 ratings · 34 reviews
"Thorough and comprehensive coverage from one of the foremost experts in browser security."

—Tavis Ormandy, Google Inc.

Modern web applications are built on a tangle of technologies that have been developed over time and then haphazardly pieced together. Every piece of the web application stack, from HTTP requests to browser-side scripts, comes with important yet subtle sec
Paperback, 320 pages
Published November 26th 2011 by No Starch Press (first published September 22nd 2011)

Community Reviews

Wilson Jimenez
Mar 22, 2018 rated it really liked it
Shelves: web-dev
Review

A bit dated, as any 7-year-old web-related book is; I picked it up to get a good grasp of the definition and impact of things like XSS, XSRF, header splitting, etc.

Most of the book is still relevant, but some stuff should be revalidated since it may be deprecated, like XDomainRequest.

What I like about these older books concerning the web is that they're an easy read; that is, by having a bit of knowledge of some of the concepts, getting a deeper understanding is straightforward.

Notes

It St
Michael
Mar 14, 2012 rated it it was amazing
Shelves: security
I’ve been interested in IT security for a long time, but obviously even more so since I started working professionally in this area. Since web applications have become ubiquitous in recent years, they constitute a big part of our penetration testing work. This is a very broad topic, so The Tangled Web: A Guide to Securing Modern Web Applications by Michal Zalewski is an ambitious project.

The first thing I noticed was that the book is comparatively thin. At around 300 pages it’s only about one th
Keith
Nov 21, 2012 rated it it was amazing
Pretty horrifying to find out just how fucked the modern web is.
Alex Gyoshev
Mar 06, 2019 rated it really liked it
Shows the numerous ways in which the web has failed in terms of security. More importantly, the book shows the reasons why these problems have occurred.

Even though some of the discussed problems have been mitigated during the years, and there are more secure methods available, the book is still very interesting, and some of the attacks are still relevant.
JP
Jan 13, 2019 rated it really liked it
The Tangled Web: A Guide to Securing Modern Web Applications is a fairly solid introduction to computer security in the context of web sites/browsers with one fairly major downside: it was published 7 years ago. In the context of the Internet, that's... quite a while.

When this book was published, IE had a 40% market share, followed by Firefox with 30%, and Chrome with only 20%. Given that more recent numbers show Chrome with 70%, FF with 10%, and IE + Edge together only at 10%... the Internet
Steve
Oct 19, 2016 rated it really liked it
I got through maybe 1/4 of this book, then skimmed the rest for takeaways. What I got was great, and I will keep it around as a reference. Recommended. Although dense, I could get through half a chapter at a time before I felt like I was on information overload. For a technical book, that is pretty great.
Muhammad
Feb 12, 2013 rated it it was ok
This book has a ton of complaints and not many suggestions to fix those issues.
Pam
Sep 03, 2018 rated it did not like it  ·  review of another edition
Even accounting for the fact that this came out a while ago and the web is a fast-moving target, this is not a good book.

I have a background in developing web applications on both the server and the front end, so I feel like I ought to be able to get something out of this. But the book has a pattern of going on for a long time into internet basics that I'm already familiar with, then suddenly dives into particular vulnerabilities that are so poorly explained that I can't tell whether they're hap
Ioannis Papagiannis
Aug 13, 2017 rated it really liked it
Needs an update for sure, but quite enjoyable still. The tongue-in-cheek intro about academics looking into web security was quite funny. Definitely protested inside "but they really are manifestations of the confused deputy problem"!

"Part of the problem is that said experts have long been dismissive of the whole web security ruckus, unable to understand what it was all about. They have been quick to label web security flaws as trivial manifestations of the confused deputy problem[1] or of some
Jarek
Sep 01, 2017 rated it liked it
Shelves: nonfiction
This can perhaps be boiled down to "user-generated content is hard."

But really: decently interesting read, though definitely in more of a reference format than Silence on the Wire. I learned a few new things, and would definitely come back if building a site with user accounts. Yes, at six years old some parts are getting a little dated (IE6 security problems aren't that much of a burden, thankfully), but it's not like XSS isn't an issue these days.
Hao Ca Vien
Aug 03, 2018 rated it it was amazing
A great read about Cross-Site Web Forgery and other exploits that a developer should be aware of when developing for the web. A lot of his techniques have since been patched, but it is cool to note that they were once problematic. Novice web developers and web designers should be aware of these problems before developing. I highly recommend reading it through once.
Gary Boland
Jan 19, 2018 rated it liked it
It is a little dated but still a worthwhile listing of vulnerabilities in browsers.
Alessandro Baffa
Jul 01, 2018 rated it it was amazing
A fundamental read for all those who work with web applications.
Mikko Kärkkäinen
Oct 23, 2013 rated it it was amazing
This was the first book I've read about web security, recommended by a fellow who lectured on the subject at our company. It wasn't organized exactly how I expected, but I think that was a good thing. I was expecting the book to list the vulnerabilities outlined in OWASP one by one, explaining what they are and how to prevent them. However, those were not discussed until at the very end of the book. Instead, the bulk of the book was really about understanding every little piece of the puzzle tha
Will
Nov 24, 2013 rated it really liked it
This is an excellent book. However, it's not so much about securing modern web applications as it is about describing browser holes. As it should be, since much of it was taken from Google's Browser Security Handbook -- still, it's distracting to see so much space being devoted to the topic of Java applets and frames when the best way to secure a modern web application is to NOT USE JAVA APPLETS OR FRAMES. So I took off a star for that.

It also falls into the common trap of spending more time det
Jari Pirhonen
Excellent source for browser and web application related security features. Underlines the current reality that the web app environment is (too) complex and full of features that are easy to forget, misconfigure or overlook. I must admit that I just browsed parts of the book because of its technicality, but this is a keeper in case I need to check some nitty-gritty details of browsers, web protocols, plugins, JavaScript, etc.

The book has a chapter of planned new security features, also. It was ment
Ahmed Sultan
Nov 08, 2015 rated it liked it
Shelves: tech
Read about 2 times. Not bad to get an idea about the client side and the browser's holes.
But for web app pentesting generally!!!
It might not help a lot.
But I still suggest reading it, especially for those who are already done with the classic web vulnerabilities and need a deeper look at the browser's side.
I would classify it in the same category as "Browser Hacker's Handbook", but to be honest there are some nice tricks and notes regarding web technologies in this book and that's why I am giving it 3*.
Frank Caron
Aug 28, 2013 rated it it was amazing  ·  review of another edition
A really important read for anyone working on web front-ends in 2015. Great overview of a ton of major issues and concerns, including a bunch of stuff that less-technical folk (like product owners) would benefit from knowing, particularly when it comes to thinking through test scenarios in highly-stringent environments (e.g., where PCI compliance is a concern). Very thorough and complete without being obtuse.
عَبدُالكَرِيمْ
Not as good as I was expecting. I am actually surprised by the good reviews given above?!

The book is not technical .. just a list of complaints and not so much detail about attacks or attack vectors.

If you're looking for the real deal .. check out: WAHH!
It's much more technical and detailed..

I will write a full review about it once done.
Mostafa Siraj
Feb 12, 2012 rated it it was amazing
One of the best web security books I have read. Although the book focuses mainly on browser security, you can learn tens of relevant sophisticated web attacks by understanding browser security. The book is of course for advanced security professionals and not for beginners.
Zbyszek Sokolowski
Feb 02, 2013 rated it really liked it  ·  review of another edition
Shelves: technical
On one hand the book is pretty interesting; it shows that the Web and its browsers are a big security hole. Especially historical causes, when people were unaware of security issues, led to many problems. Reading this book confirms the common bias that using Internet Explorer is not the wisest idea.
Michael
Oct 12, 2012 rated it really liked it
A wonderful book that, albeit highly specific to the state of browsers in the first decade of the 21st century, should still somewhat stand the test of time since, on the whole, industry doesn't seem to always take the time to learn from the past.
Vaibhav Gupta
Nov 12, 2012 rated it it was amazing
The book discusses common web application vulnerabilities and also certain browser quirks which seem surprising and scary.
David
Feb 22, 2012 rated it really liked it
Very detailed overview of web browser design and security. Will be dated soon, but for now, is the best resource of its kind. I'm still amazed that the web can be so exploitable, yet work so well.
Josh
Oct 04, 2013 rated it really liked it
This book is dripping with information. A second read is required to maximize its usefulness.
George Pollard
Jun 30, 2014 rated it really liked it
Shelves: software
In terms of 'depressing books' this is right up there with Wiesel's 'Night'.
Laszlo Mári
Feb 12, 2016 rated it really liked it
Pretty cool book, though at some points it's a bit dated.
Kendra
Apr 14, 2015 rated it really liked it
A great book, with a dry sense of humor and clear structure. A lot of it was over my head, but I still felt like it was worth reading.
Nicholas Quirk
Aug 16, 2013 rated it really liked it
Shelves: computing
Good book for anyone new to web development after the dot com era.
Kishor
Sep 13, 2016 rated it it was amazing
Amazingly well written and thought provoking. This book proves that lcamtuf knows his stuff!

Readers also enjoyed

  • The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws
  • Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
  • The Practice of Network Security Monitoring: Understanding Incident Detection and Response
  • Metasploit: The Penetration Tester's Guide
  • The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler
  • A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security
  • The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities
  • Security Engineering: A Guide to Building Dependable Distributed Systems
  • Penetration Testing: A Hands-On Introduction to Hacking
  • Reversing: Secrets of Reverse Engineering
  • The Shellcoder's Handbook: Discovering and Exploiting Security Holes
  • Gray Hat Python: Python Programming for Hackers and Reverse Engineers
  • Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems
  • Rootkits: Subverting the Windows Kernel
  • Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
  • The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System
  • Cryptography Engineering: Design Principles and Practical Applications
  • Hacking the Xbox: An Introduction to Reverse Engineering