The Tangled Web

Book Description

In The Tangled Web, Michal Zalewski, one of the world's top browser security experts, offers a compelling narrative that explains exactly how browsers work and why they're fundamentally insecure. Rather than dispense simplistic advice on vulnerabilities, Zalewski examines the entire browser security model, revealing weak points and providing crucial information for shoring up web application security.

Table of Contents

  1. The Tangled Web
  2. PRAISE FOR THE TANGLED WEB
    1. PRAISE FOR SILENCE ON THE WIRE BY MICHAL ZALEWSKI
  3. Dedication
  4. Preface
    1. Acknowledgments
  5. 1. Security in the World of Web Applications
    1. Information Security in a Nutshell
      1. Flirting with Formal Solutions
      2. Enter Risk Management
      3. Enlightenment Through Taxonomy
      4. Toward Practical Approaches
    2. A Brief History of the Web
      1. Tales of the Stone Age: 1945 to 1994
      2. The First Browser Wars: 1995 to 1999
      3. The Boring Period: 2000 to 2003
      4. Web 2.0 and the Second Browser Wars: 2004 and Beyond
    3. The Evolution of a Threat
      1. The User as a Security Flaw
      2. The Cloud, or the Joys of Communal Living
      3. Nonconvergence of Visions
      4. Cross-Browser Interactions: Synergy in Failure
      5. The Breakdown of the Client-Server Divide
    4. Global browser market share, May 2011
  6. I. Anatomy of the Web
    1. 2. It Starts with a URL
      1. Uniform Resource Locator Structure
        1. Scheme Name
        2. Indicator of a Hierarchical URL
        3. Credentials to Access the Resource
        4. Server Address
        5. Server Port
        6. Hierarchical File Path
        7. Query String
        8. Fragment ID
        9. Putting It All Together Again
      2. Reserved Characters and Percent Encoding
        1. Handling of Non-US-ASCII Text
      3. Common URL Schemes and Their Function
        1. Browser-Supported, Document-Fetching Protocols
        2. Protocols Claimed by Third-Party Applications and Plug-ins
        3. Nonencapsulating Pseudo-Protocols
        4. Encapsulating Pseudo-Protocols
        5. Closing Note on Scheme Detection
      4. Resolution of Relative URLs
    2. 3. Hypertext Transfer Protocol
      1. Basic Syntax of HTTP Traffic
        1. The Consequences of Supporting HTTP/0.9
        2. Newline Handling Quirks
        3. Proxy Requests
        4. Resolution of Duplicate or Conflicting Headers
        5. Semicolon-Delimited Header Values
        6. Header Character Set and Encoding Schemes
        7. Referer Header Behavior
      2. HTTP Request Types
        1. GET
        2. POST
        3. HEAD
        4. OPTIONS
        5. PUT
        6. DELETE
        7. TRACE
        8. CONNECT
        9. Other HTTP Methods
      3. Server Response Codes
        1. 200-299: Success
        2. 300-399: Redirection and Other Status Messages
        3. 400-499: Client-Side Error
        4. 500-599: Server-Side Error
        5. Consistency of HTTP Code Signaling
      4. Keepalive Sessions
      5. Chunked Data Transfers
      6. Caching Behavior
      7. HTTP Cookie Semantics
      8. HTTP Authentication
      9. Protocol-Level Encryption and Client Certificates
        1. Extended Validation Certificates
        2. Error-Handling Rules
    3. 4. Hypertext Markup Language
      1. Basic Concepts Behind HTML Documents
        1. Document Parsing Modes
        2. The Battle over Semantics
      2. Understanding HTML Parser Behavior
        1. Interactions Between Multiple Tags
        2. Explicit and Implicit Conditionals
        3. HTML Parsing Survival Tips
      3. Entity Encoding
      4. HTTP/HTML Integration Semantics
      5. Hyperlinking and Content Inclusion
        1. Plain Links
        2. Forms and Form-Triggered Requests
        3. Frames
        4. Type-Specific Content Inclusion
        5. A Note on Cross-Site Request Forgery
    4. 5. Cascading Style Sheets
      1. Basic CSS Syntax
        1. Property Definitions
        2. @ Directives and XBL Bindings
        3. Interactions with HTML
      2. Parser Resynchronization Risks
      3. Character Encoding
    5. 6. Browser-Side Scripts
      1. Basic Characteristics of JavaScript
        1. Script Processing Model
          1. Parsing
          2. Function Resolution
          3. Code Execution
        2. Execution Ordering Control
        3. Code and Object Inspection Capabilities
        4. Modifying the Runtime Environment
          1. Overriding Built-Ins
          2. Setters and Getters
          3. Impact on Potential Uses of the Language
        5. JavaScript Object Notation and Other Data Serializations
        6. E4X and Other Syntax Extensions
      2. Standard Object Hierarchy
        1. The Document Object Model
        2. Access to Other Documents
      3. Script Character Encoding
      4. Code Inclusion Modes and Nesting Risks
      5. The Living Dead: Visual Basic
    6. 7. Non-HTML Document Types
      1. Plaintext Files
      2. Bitmap Images
      3. Audio and Video
      4. XML-Based Documents
        1. Generic XML View
        2. Scalable Vector Graphics
        3. Mathematical Markup Language
        4. XML User Interface Language
        5. Wireless Markup Language
        6. RSS and Atom Feeds
      5. A Note on Nonrenderable File Types
    7. 8. Content Rendering with Browser Plug-ins
      1. Invoking a Plug-in
        1. The Perils of Plug-in Content-Type Handling
      2. Document Rendering Helpers
      3. Plug-in-Based Application Frameworks
        1. Adobe Flash
          1. Properties of ActionScript
        2. Microsoft Silverlight
        3. Sun Java
        4. XML Browser Applications (XBAP)
      4. ActiveX Controls
      5. Living with Other Plug-ins
  7. II. Browser Security Features
    1. 9. Content Isolation Logic
      1. Same-Origin Policy for the Document Object Model
        1. document.domain
        2. postMessage(...)
        3. Interactions with Browser Credentials
      2. Same-Origin Policy for XMLHttpRequest
      3. Same-Origin Policy for Web Storage
      4. Security Policy for Cookies
        1. Impact of Cookies on the Same-Origin Policy
        2. Problems with Domain Restrictions
        3. The Unusual Danger of “localhost”
        4. Cookies and “Legitimate” DNS Hijacking
      5. Plug-in Security Rules
        1. Adobe Flash
          1. Markup-Level Security Controls
          2. Security.allowDomain(...)
          3. Cross-Domain Policy Files
          4. Policy File Spoofing Risks
        2. Microsoft Silverlight
        3. Java
      6. Coping with Ambiguous or Unexpected Origins
        1. IP Addresses
        2. Hostnames with Extra Periods
        3. Non-Fully Qualified Hostnames
        4. Local Files
        5. Pseudo-URLs
        6. Browser Extensions and UI
      7. Other Uses of Origins
    2. 10. Origin Inheritance
      1. Origin Inheritance for about:blank
      2. Inheritance for data: URLs
      3. Inheritance for javascript: and vbscript: URLs
      4. A Note on Restricted Pseudo-URLs
    3. 11. Life Outside Same-Origin Rules
      1. Window and Frame Interactions
        1. Changing the Location of Existing Documents
          1. Frame Hijacking Risks
          2. Frame Descendant Policy and Cross-Domain Communications
        2. Unsolicited Framing
          1. Beyond the Threat of a Single Click
      2. Cross-Domain Content Inclusion
        1. A Note on Cross-Origin Subresources
      3. Privacy-Related Side Channels
      4. Other SOP Loopholes and Their Uses
    4. 12. Other Security Boundaries
      1. Navigation to Sensitive Schemes
      2. Access to Internal Networks
      3. Prohibited Ports
      4. Limitations on Third-Party Cookies
    5. 13. Content Recognition Mechanisms
      1. Document Type Detection Logic
        1. Malformed MIME Types
        2. Special Content-Type Values
        3. Unrecognized Content Type
        4. Defensive Uses of Content-Disposition
        5. Content Directives on Subresources
        6. Downloaded Files and Other Non-HTTP Content
      2. Character Set Handling
        1. Byte Order Marks
        2. Character Set Inheritance and Override
        3. Markup-Controlled Charset on Subresources
        4. Detection for Non-HTTP Files
    6. 14. Dealing with Rogue Scripts
      1. Denial-of-Service Attacks
        1. Execution Time and Memory Use Restrictions
        2. Connection Limits
        3. Pop-Up Filtering
        4. Dialog Use Restrictions
      2. Window-Positioning and Appearance Problems
      3. Timing Attacks on User Interfaces
    7. 15. Extrinsic Site Privileges
      1. Browser- and Plug-in-Managed Site Permissions
        1. Hardcoded Domains
      2. Form-Based Password Managers
      3. Internet Explorer’s Zone Model
        1. Mark of the Web and Zone.Identifier
  8. III. A Glimpse of Things to Come
    1. 16. New and Upcoming Security Features
      1. Security Model Extension Frameworks
        1. Cross-Domain Requests
          1. CORS Request Types
          2. Security Checks for Simple Requests
          3. Non-simple Requests and Preflight
          4. Current Status of CORS
        2. XDomainRequest
        3. Other Uses of the Origin Header
      2. Security Model Restriction Frameworks
        1. Content Security Policy
          1. Primary CSP Directives
          2. Policy Violations
          3. Criticisms of CSP
        2. Sandboxed Frames
          1. Scripting, Forms, and Navigation
          2. Synthetic Origins
        3. Strict Transport Security
        4. Private Browsing Modes
      3. Other Developments
        1. In-Browser HTML Sanitizers
        2. XSS Filtering
    2. 17. Other Browser Mechanisms of Note
      1. URL- and Protocol-Level Proposals
      2. Content-Level Features
      3. I/O Interfaces
  9. 18. Common Web Vulnerabilities
    1. Vulnerabilities Specific to Web Applications
    2. Problems to Keep in Mind in Web Application Design
    3. Common Problems Unique to Server-Side Code
  10. A. Epilogue
  11. Notes
    1. Chapter 1
    2. Chapter 2
    3. Chapter 3
    4. Chapter 4
    5. Chapter 5
    6. Chapter 6
    7. Chapter 7
    8. Chapter 8
    9. Chapter 9
    10. Chapter 10
    11. Chapter 11
    12. Chapter 12
    13. Chapter 13
    14. Chapter 14
    15. Chapter 15
    16. Chapter 16
    17. Chapter 17
  12. Index
  13. About the Author
  14. UPDATES
  15. Copyright