The Tangled Web: A Guide to Securing Modern Web Applications
4.06  ·  Rating details ·  525 ratings  ·  40 reviews

The Tangled Web is destined to be the definitive guide to web application security. Rather than simply enumerate known vulnerabilities or lay down a series of commandments from on high, famed security expert Michal Zalewski takes an in-depth look at how browsers actually work, how to leverage their features, and what pitfalls lurk in the shadows. An outgrowth of Zalewski's

Kindle Edition, 493 pages
Published November 19th 2011 by No Starch Press (first published September 22nd 2011)

Community Reviews

Rose Smith
Oct 11, 2019 rated it it was amazing  ·  review of another edition
I should have read this book at the beginning of my career. On the other hand, after 10 years' experience I may appreciate it even more.
Wilson Jimenez
Mar 22, 2018 rated it really liked it  ·  review of another edition
Shelves: web-development

A bit dated, as any 7-year-old web-related book is, I picked it up to get a good grasp of the definition and impact of things like XSS, XSRF, header splitting, etc.

Most of the book is still relevant but some stuff should be revalidated since they may be deprecated like XDomainRequest.

What I like about these older books concerning the web is that they're an easy read, that is, by having a bit of knowledge of some of the concepts, getting a deeper understanding is straightforward.


Ahmed Sultan
Nov 08, 2015 rated it liked it  ·  review of another edition
Shelves: tech
Read about 2 times. Not bad to get an idea about the client side and the browser's holes.
But for web app pentesting generally!!!
It might not help a lot.
But I still suggest reading it, especially for those who are already done with the classic web vulnerabilities and need a deeper look at the browser's side.
I would classify it in the same category as "Browser Hacker's Handbook", but to be honest there are some nice tricks and notes regarding web technologies in this book and that's why I'm giving it 3*.
Nov 24, 2022 rated it liked it  ·  review of another edition
Considering the OWASP Top Ten lists the same/similar security issues even after a decade, The Tangled Web is still worth a read, keeping in mind that most of the specifics are very much outdated.
Mar 14, 2012 rated it it was amazing  ·  review of another edition
Shelves: security
I’ve been interested in IT security for a long time, but obviously even more so since I started working professionally in this area. Since web applications have become ubiquitous in recent years, they constitute a big part of our penetration testing work. This is a very broad topic, so The Tangled Web: A Guide to Securing Modern Web Applications by Michal Zalewski is an ambitious project.

The first thing I noticed was that the book is comparatively thin. At around 300 pages it’s only about one th
Jan 13, 2019 rated it really liked it  ·  review of another edition
The Tangled Web: A Guide to Securing Modern Web Applications is a fairly solid introduction to computer security in the context of web sites/browsers with one fairly major downside: it was published 7 years ago. In the context of the Internet, that's... quite a while.

When this book was published, IE had a 40% market share, followed by Firefox with 30%, and Chrome with only 20%. Given that more recent numbers show Chrome with 70%, FF with 10%, and IE + Edge together only at 10%... the Internet
Alex  Gyoshev
Mar 06, 2019 rated it really liked it  ·  review of another edition
Shows the numerous ways in which the web has failed in terms of security. More importantly, the book shows the reasons why these problems have occurred.

Even though some of the discussed problems have been mitigated during the years, and there are more secure methods available, the book is still very interesting, and some of the attacks are still relevant.
Nov 21, 2012 rated it it was amazing  ·  review of another edition
Pretty horrifying to find out just how fucked the modern web is.
Gene Ishchuk
Some of the basics are still relevant today but the vast majority has been adjusted / edited;
well, the book was published in 2012 (I got my hands on the Polish version from 2012).
I stopped reading it somewhere in the middle, hm, I have a feeling lots of things are extremely dated and fairly so (for example, there is info on Internet Explorer and Flash - dead as of Jan 2021).
But still, if you come across it - it is a fine read.
Oct 19, 2016 rated it really liked it  ·  review of another edition
I got through maybe 1/4 of this book, then skimmed the rest for takeaways. What I got was great, and I will keep it around as a reference. Recommended. Although dense, I could get through half a chapter at a time before I felt like I was on information overload. For a technical book, that is pretty great.
Very detailed overview of web browser design and security. Will be dated soon, but for now, is the best resource of its kind. I'm still amazed that the web can be so exploitable, yet work so well.
Feb 12, 2013 rated it it was ok  ·  review of another edition
This book has a ton of complaints and not many suggestions to fix those issues.
Sep 03, 2018 rated it did not like it
Even accounting for the fact that this came out a while ago and the web is a fast-moving target, this is not a good book.

I have a background in developing web applications on both the server and the front end, so I feel like I ought to be able to get something out of this. But the book has a pattern of going on for a long time into internet basics that I'm already familiar with, then suddenly dives into particular vulnerabilities that are so poorly explained that I can't tell whether they're hap
Ioannis Papagiannis
Needs an update for sure, but quite enjoyable still. The tongue-in-cheek intro about academics looking into web security was quite funny. Definitely protested inside "but they really are manifestations of the confused deputy problem"!

"Part of the problem is that said experts have long been dismissive of the whole web security ruckus, unable to understand what it was all about. They have been quick to label web security flaws as trivial manifestations of the confused deputy problem[1] or of some
Sep 01, 2017 rated it liked it  ·  review of another edition
Shelves: nonfiction
This can perhaps be boiled down to "user-generated content is hard."

But really: decently interesting read, though definitely in more of a reference format than Silence on the Wire. I learned a few new things, and would definitely come back if building a site with user accounts. Yes, at six years old some parts are getting a little dated (IE6 security problems aren't that much of a burden, thankfully), but it's not like XSS isn't an issue these days.
Hao Ca Vien
Aug 03, 2018 rated it it was amazing  ·  review of another edition
A great read about Cross-Site Web Forgery and other exploits that a developer should be aware of when developing for the web. A lot of his techniques have since been patched, but it's cool to note that they were once problematic. Novice web developers and web designers should be aware of these problems before developing. I highly recommend reading it through once.
Gary Boland
It is a little dated but still a worthwhile listing of vulnerabilities in browsers
Alessandro Baffa
A fundamental read for all those who work with web applications.
The contents are in many places outdated at this point. Still an interesting book though.
Apr 05, 2020 rated it it was amazing  ·  review of another edition
Started reading, realized the book is dated but was not able to put it down. Exquisite read
Apr 10, 2021 rated it it was amazing  ·  review of another edition
Introductions to Cybersecurity and application security in general are hard to find. The Tangled Web stayed relevant and for the content is relatively consumable by newbs.
Avraam Mavridis
I guess this book was legendary 10-15 years ago but it is not really a book to read in 2021; most of the things mentioned are either obsolete or dead technologies.
Mikko Kärkkäinen
This was the first book I've read about web security, recommended by a fellow who lectured on the subject at our company. It wasn't organized exactly how I expected, but I think that was a good thing. I was expecting the book to list the vulnerabilities outlined in OWASP one by one, explaining what they are and how to prevent them. However, those were not discussed until the very end of the book. Instead, the bulk of the book was really about understanding every little piece of the puzzle tha
Sergey Machulskis
Nov 03, 2019 rated it it was amazing  ·  review of another edition
Shelves: best, professional
Awesome book, a joy to read. It's dense, but written in a cheerful tone. The author knows a lot about web security. It's not bound to a narrow set of technologies, frameworks, OSes or browsers. It touches a little bit of everything. But that doesn't make it shallow. I wasn't aware of about 90% of the information presented in this book. It has none of the cumbersome and useless terms security charlatans like. It's very practical and full of advice.

I felt slightly uncomfortable because it was written around 2011. Som
Jari Pirhonen
Excellent source for browser- and web-application-related security features. Underlines the current reality that the web app environment is (too) complex and full of features that are easy to forget, misconfigure or overlook. I must admit that I just browsed parts of the book because of its technicality, but this is a keeper in case I need to check some nitty-gritty details of browsers, web protocols, plugins, JavaScript, etc.

The book has a chapter of planned new security features, also. It was ment
Frank Caron
Aug 28, 2013 rated it it was amazing  ·  review of another edition
A really important read for anyone working on web front-ends in 2015. Great overview of a ton of major issues and concerns, including a bunch of stuff that less-technical folk (like product owners) would benefit from knowing, particularly when it comes to thinking through test scenarios in highly-stringent environments (e.g., where PCI compliance is a concern). Very thorough and complete without being obtuse.
Not as good as I was expecting. I am actually surprised by the good reviews given above?!

The book is not technical .. just a list of complaints and not so many details about attacks or attack vectors.

If you're looking for the real deal .. check out: WAHH!
It's much more technical and detailed..

I will write a full review of it once done.
Mostafa Siraj
Feb 12, 2012 rated it it was amazing  ·  review of another edition
One of the best web security books I've read. Although the book focuses mainly on browser security, you can learn tens of relevant sophisticated web attacks by understanding browser security. The book is of course for advanced security professionals and not for beginners.
Oct 12, 2012 rated it really liked it  ·  review of another edition
A wonderful book that, albeit highly specific to the state of browsers in the first decade of the 21st century, should still somewhat stand the test of time since, on the whole, industry doesn't seem to always take the time to learn from the past.
Zbyszek Sokolowski
Feb 02, 2013 rated it really liked it  ·  review of another edition
Shelves: technical
On one hand the book is pretty interesting; it shows that the Web and its browsers are a big security hole. Especially historical causes, when people were unaware of security issues, led to many problems. Reading this book confirms the common bias that using Internet Explorer is not the wisest idea.