The Tangled Web [Paperback]

4.05/5 (1,033 ratings on Goodreads)
  • Format: Paperback / softback, 320 pages, height x width: 234x178 mm
  • Publication date: 15-Nov-2011
  • Publisher: No Starch Press, US
  • ISBN-10: 1593273886
  • ISBN-13: 9781593273880
Modern web applications are built on a tangle of technologies that have been developed over time and then haphazardly pieced together. Every piece of the web application stack, from HTTP requests to browser-side scripts, comes with important yet subtle security consequences. To keep users safe, it is essential for developers to confidently navigate this landscape. In The Tangled Web, Michal Zalewski, one of the world's top browser security experts, offers a compelling narrative that explains exactly how browsers work and why they're fundamentally insecure. Rather than dispense simplistic advice on vulnerabilities, Zalewski examines the entire browser security model, revealing weak points and providing crucial information for shoring up web application security.

You'll learn how to:
  • Perform common but surprisingly complex tasks such as URL parsing and HTML sanitization
  • Use modern security features like Strict Transport Security, Content Security Policy, and Cross-Origin Resource Sharing
  • Leverage many variants of the same-origin policy to safely compartmentalize complex web applications and protect user credentials in case of XSS bugs
  • Build mashups and embed gadgets without getting stung by the tricky frame navigation policy
  • Embed or host user-supplied content without running into the trap of content sniffing

For quick reference, "Security Engineering Cheat Sheets" at the end of each chapter offer ready solutions to problems you're most likely to encounter. With coverage extending as far as planned HTML5 features, The Tangled Web will help you create secure web applications that stand the test of time.
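The description calls URL parsing "surprisingly complex", and the chapter 2 cheat sheet items on URL input filters cover the same ground. The block below is an added example for this page, not code from the book or its author: it runs a hand-rolled "is this redirect target ours?" check side by side with a parser-based allowlist over constructed attacker inputs. The origin `https://example.com`, the host allowlist and every input string are assumptions made for the illustration; the parser is Node.js's built-in WHATWG `URL` class, which implements the same parsing algorithm browsers use.

```javascript
// Added example for this page; not code from The Tangled Web or its author.
// Assumptions: our site is https://example.com plus its www alias, and the
// inputs in CASES are constructed attacker strings, not taken from the book.
// Runs under Node.js (global WHATWG URL class, Node 10 or newer).

const SITE = 'https://example.com/';                        // assumed origin
const ALLOWED_HOSTS = ['example.com', 'www.example.com'];   // assumed allowlist

// A typical hand-rolled redirect filter: "relative paths stay on our site;
// absolute URLs are fine as long as they mention our domain".
function naiveIsSafeTarget(s) {
  if (!/^https?:\/\//i.test(s)) return true;   // not absolute, so "local"
  return s.includes('example.com');
}

// Where the browser will actually navigate: parse with the algorithm browsers
// use (leading whitespace stripped, tabs and newlines removed, backslashes
// treated as slashes for http/https, '//' resolved as scheme-relative).
// Returns the hostname, or null if the input does not parse at all.
function browserHostname(input, base = SITE) {
  try { return new URL(input, base).hostname; } catch { return null; }
}

// Parser-first check in the spirit of the chapter 2 cheat sheet: parse,
// then allowlist the scheme and host, and refuse embedded credentials.
// Returns the normalized URL string, or null if the target is not ours.
function safeTarget(input, base = SITE) {
  let url;
  try { url = new URL(input, base); } catch { return null; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  if (url.username !== '' || url.password !== '') return null;
  if (!ALLOWED_HOSTS.includes(url.hostname)) return null;
  return url.href;
}

// Constructed inputs, one per pitfall from the URL-structure chapter.
const CASES = [
  ['http://example.com@evil.net/',   'allowlisted name is the username, not the host'],
  ['http://example.com.evil.net/',   'allowlisted name is a subdomain of the attacker'],
  ['http://evil.net/?u=example.com', 'allowlisted name only appears in the query'],
  ['//evil.net/',                    'scheme-relative: resolves to https://evil.net/'],
  ['http:\\\\evil.net/',             'backslashes become slashes for http/https'],
  [' java\nscript:alert(1)',         'space and newline stripped; scheme is javascript:'],
  ['/settings',                      'genuinely local path'],
  ['https://www.example.com/account?x=1', 'genuinely ours'],
];

// Runs both filters over every case so the two verdicts can be compared.
function compare() {
  return CASES.map(([input, why]) => ({
    input,
    why,
    naive: naiveIsSafeTarget(input),
    host: browserHostname(input),
    parsed: safeTarget(input),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of compare()) {
    console.log(`${JSON.stringify(r.input).padEnd(42)} naive=${r.naive}` +
      ` host=${JSON.stringify(r.host)} parsed=${r.parsed}  (${r.why})`);
  }
}
```

Run it with `node`: the naive filter accepts all eight inputs, while the parser-based check accepts only the two that really stay on the assumed origin. The point is the one the chapter makes: decide on the parsed scheme and host, never on the raw string.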

Reviews

"A classic, arguably canon as far as security training books go, and especially when it comes to web application security." (Britt Kemp, Bishop Fox Labs)

Table of Contents

Preface  xvii
Acknowledgments  xix

1 Security in the World of Web Applications  1
    Information Security in a Nutshell  1
        Flirting with Formal Solutions  2
        Enter Risk Management  4
        Enlightenment Through Taxonomy  6
        Toward Practical Approaches  7
    A Brief History of the Web  8
        Tales of the Stone Age: 1945 to 1994  8
        The First Browser Wars: 1995 to 1999  10
        The Boring Period: 2000 to 2003  11
        Web 2.0 and the Second Browser Wars: 2004 and Beyond  12
    The Evolution of a Threat  14
        The User as a Security Flaw  14
        The Cloud, or the Joys of Communal Living  15
        Nonconvergence of Visions  15
        Cross-Browser Interactions: Synergy in Failure  16
        The Breakdown of the Client-Server Divide  17

PART I: ANATOMY OF THE WEB  21

2 It Starts with a URL  23
    Uniform Resource Locator Structure  24
        Scheme Name  24
        Indicator of a Hierarchical URL  25
        Credentials to Access the Resource  26
        Server Address  26
        Server Port  27
        Hierarchical File Path  27
        Query String  28
        Fragment ID  28
        Putting It All Together Again  29
    Reserved Characters and Percent Encoding  31
        Handling of Non-US-ASCII Text  32
    Common URL Schemes and Their Function  36
        Browser-Supported, Document-Fetching Protocols  36
        Protocols Claimed by Third-Party Applications and Plug-ins  36
        Nonencapsulating Pseudo-Protocols  37
        Encapsulating Pseudo-Protocols  37
        Closing Note on Scheme Detection  38
    Resolution of Relative URLs  38
    Security Engineering Cheat Sheet  40
        When Constructing Brand-New URLs Based on User Input  40
        When Designing URL Input Filters  40
        When Decoding Parameters Received Through URLs  40

3 Hypertext Transfer Protocol  41
    Basic Syntax of HTTP Traffic  42
        The Consequences of Supporting HTTP/0.9  44
        Newline Handling Quirks  45
        Proxy Requests  46
        Resolution of Duplicate or Conflicting Headers  47
        Semicolon-Delimited Header Values  48
        Header Character Set and Encoding Schemes  49
        Referer Header Behavior  51
    HTTP Request Types  52
        GET  52
        POST  52
        HEAD  53
        OPTIONS  53
        PUT  53
        DELETE  53
        TRACE  53
        CONNECT  54
        Other HTTP Methods  54
    Server Response Codes  54
        200-299: Success  54
        300-399: Redirection and Other Status Messages  55
        400-499: Client-Side Error  55
        500-599: Server-Side Error  56
        Consistency of HTTP Code Signaling  56
    Keepalive Sessions  56
    Chunked Data Transfers  57
    Caching Behavior  58
    HTTP Cookie Semantics  60
    HTTP Authentication  62
    Protocol-Level Encryption and Client Certificates  64
        Extended Validation Certificates  65
        Error-Handling Rules  65
    Security Engineering Cheat Sheet  67
        When Handling User-Controlled Filenames in Content-Disposition Headers  67
        When Putting User Data in HTTP Cookies  67
        When Sending User-Controlled Location Headers  67
        When Sending User-Controlled Redirect Headers  67
        When Constructing Other Types of User-Controlled Requests or Responses  67

4 Hypertext Markup Language  69
    Basic Concepts Behind HTML Documents  70
        Document Parsing Modes  71
        The Battle over Semantics  72
    Understanding HTML Parser Behavior  73
        Interactions Between Multiple Tags  74
        Explicit and Implicit Conditionals  75
        HTML Parsing Survival Tips  76
    Entity Encoding  76
    HTTP/HTML Integration Semantics  78
    Hyperlinking and Content Inclusion  79
        Plain Links  79
        Forms and Form-Triggered Requests  80
        Frames  82
        Type-Specific Content Inclusion  82
        A Note on Cross-Site Request Forgery  84
    Security Engineering Cheat Sheet  85
        Good Engineering Hygiene for All HTML Documents  85
        When Generating HTML Documents with Attacker-Controlled Bits  85
        When Converting HTML to Plaintext  85
        When Writing a Markup Filter for User Content  86

5 Cascading Style Sheets  87
    Basic CSS Syntax  88
        Property Definitions  89
        @ Directives and XBL Bindings  89
        Interactions with HTML  90
    Parser Resynchronization Risks  90
    Character Encoding  91
    Security Engineering Cheat Sheet  93
        When Loading Remote Stylesheets  93
        When Putting Attacker-Controlled Values into CSS  93
        When Filtering User-Supplied CSS  93
        When Allowing User-Specified Class Values on HTML Markup  93

6 Browser-Side Scripts  95
    Basic Characteristics of JavaScript  96
        Script Processing Model  97
        Execution Ordering Control  100
        Code and Object Inspection Capabilities  101
        Modifying the Runtime Environment  102
        JavaScript Object Notation and Other Data Serializations  104
        E4X and Other Syntax Extensions  106
    Standard Object Hierarchy  107
        The Document Object Model  109
        Access to Other Documents  111
    Script Character Encoding  112
    Code Inclusion Modes and Nesting Risks  113
    The Living Dead: Visual Basic  114
    Security Engineering Cheat Sheet  115
        When Loading Remote Scripts  115
        When Parsing JSON Received from the Server  115
        When Putting User-Supplied Data Inside JavaScript Blocks  115
        When Interacting with Browser Objects on the Client Side  115
        If You Want to Allow User-Controlled Scripts on Your Page  116

7 Non-HTML Document Types  117
    Plaintext Files  117
    Bitmap Images  118
    Audio and Video  119
    XML-Based Documents  119
        Generic XML View  120
        Scalable Vector Graphics  121
        Mathematical Markup Language  122
        XML User Interface Language  122
        Wireless Markup Language  123
        RSS and Atom Feeds  123
    A Note on Nonrenderable File Types  124
    Security Engineering Cheat Sheet  125
        When Hosting XML-Based Document Formats  125
        On All Non-HTML Document Types  125

8 Content Rendering with Browser Plug-ins  127
    Invoking a Plug-in  128
        The Perils of Plug-in Content-Type Handling  129
    Document Rendering Helpers  130
    Plug-in-Based Application Frameworks  131
        Adobe Flash  132
        Microsoft Silverlight  134
        Sun Java  134
        XML Browser Applications (XBAP)  135
    ActiveX Controls  136
    Living with Other Plug-ins  137
    Security Engineering Cheat Sheet  138
        When Serving Plug-in-Handled Files  138
        When Embedding Plug-in-Handled Files  138
        If You Want to Write a New Browser Plug-in or ActiveX Component  138

PART II: BROWSER SECURITY FEATURES  139

9 Content Isolation Logic  141
    Same-Origin Policy for the Document Object Model  142
        document.domain  143
        postMessage(...)  144
        Interactions with Browser Credentials  145
    Same-Origin Policy for XMLHttpRequest  146
    Same-Origin Policy for Web Storage  148
    Security Policy for Cookies  149
        Impact of Cookies on the Same-Origin Policy  150
        Problems with Domain Restrictions  151
        The Unusual Danger of "localhost"  152
        Cookies and "Legitimate" DNS Hijacking  153
    Plug-in Security Rules  153
        Adobe Flash  154
        Microsoft Silverlight  157
        Java  157
    Coping with Ambiguous or Unexpected Origins  158
        IP Addresses  158
        Hostnames with Extra Periods  159
        Non-Fully Qualified Hostnames  159
        Local Files  159
        Pseudo-URLs  161
        Browser Extensions and UI  161
    Other Uses of Origins  161
    Security Engineering Cheat Sheet  162
        Good Security Policy Hygiene for All Websites  162
        When Relying on HTTP Cookies for Authentication  162
        When Arranging Cross-Domain Communications in JavaScript  162
        When Embedding Plug-in-Handled Active Content from Third Parties  162
        When Hosting Your Own Plug-in-Executed Content  163
        When Writing Browser Extensions  163

10 Origin Inheritance  165
    Origin Inheritance for about:blank  166
    Inheritance for data: URLs  167
    Inheritance for javascript: and vbscript: URLs  169
    A Note on Restricted Pseudo-URLs  170
    Security Engineering Cheat Sheet  172

11 Life Outside Same-Origin Rules  173
    Window and Frame Interactions  174
        Changing the Location of Existing Documents  174
        Unsolicited Framing  178
    Cross-Domain Content Inclusion  181
        A Note on Cross-Origin Subresources  183
    Privacy-Related Side Channels  184
    Other SOP Loopholes and Their Uses  185
    Security Engineering Cheat Sheet  186
        Good Security Hygiene for All Websites  186
        When Including Cross-Domain Resources  186
        When Arranging Cross-Domain Communications in JavaScript  186

12 Other Security Boundaries  187
    Navigation to Sensitive Schemes  188
    Access to Internal Networks  189
    Prohibited Ports  190
    Limitations on Third-Party Cookies  192
    Security Engineering Cheat Sheet  195
        When Building Web Applications on Internal Networks  195
        When Launching Non-HTTP Services, Particularly on Nonstandard Ports  195
        When Using Third-Party Cookies for Gadgets or Sandboxed Content  195

13 Content Recognition Mechanisms  197
    Document Type Detection Logic  198
        Malformed MIME Types  199
        Special Content-Type Values  200
        Unrecognized Content Type  202
        Defensive Uses of Content-Disposition  203
        Content Directives on Subresources  204
        Downloaded Files and Other Non-HTTP Content  205
    Character Set Handling  206
        Byte Order Marks  208
        Character Set Inheritance and Override  209
        Markup-Controlled Charset on Subresources  209
        Detection for Non-HTTP Files  210
    Security Engineering Cheat Sheet  212
        Good Security Practices for All Websites  212
        When Generating Documents with Partly Attacker-Controlled Contents  212
        When Hosting User-Generated Files  212

14 Dealing with Rogue Scripts  213
    Denial-of-Service Attacks  214
        Execution Time and Memory Use Restrictions  215
        Connection Limits  216
        Pop-Up Filtering  217
        Dialog Use Restrictions  218
    Window-Positioning and Appearance Problems  219
    Timing Attacks on User Interfaces  222
    Security Engineering Cheat Sheet  224
        When Permitting User-Created <iframe> Gadgets on Your Site  224
        When Building Security-Sensitive UIs  224

15 Extrinsic Site Privileges  225
    Browser- and Plug-in-Managed Site Permissions  226
        Hardcoded Domains  227
    Form-Based Password Managers  227
    Internet Explorer's Zone Model  229
        Mark of the Web and Zone.Identifier  231
    Security Engineering Cheat Sheet  232
        When Requesting Elevated Permissions from Within a Web Application  232
        When Writing Plug-ins or Extensions That Recognize Privileged Origins  232

PART III: A GLIMPSE OF THINGS TO COME  233

16 New and Upcoming Security Features  235
    Security Model Extension Frameworks  236
        Cross-Domain Requests  236
        XDomainRequest  239
        Other Uses of the Origin Header  240
    Security Model Restriction Frameworks  241
        Content Security Policy  242
        Sandboxed Frames  245
        Strict Transport Security  248
        Private Browsing Modes  249
    Other Developments  250
        In-Browser HTML Sanitizers  250
        XSS Filtering  251
    Security Engineering Cheat Sheet  253

17 Other Browser Mechanisms of Note  255
    URL- and Protocol-Level Proposals  256
    Content-Level Features  258
    I/O Interfaces  259

18 Common Web Vulnerabilities  261
    Vulnerabilities Specific to Web Applications  262
    Problems to Keep in Mind in Web Application Design  263
    Common Problems Unique to Server-Side Code  265

Epilogue  267
Notes  269
Index  273

About the Author
Michal Zalewski is an internationally recognized information security expert with a long track record of delivering cutting-edge research. He is credited with discovering hundreds of notable security vulnerabilities and frequently appears on lists of the most influential security experts. He is the author of Silence on the Wire (No Starch Press), Google's "Browser Security Handbook," and numerous important research papers.