
no starch the tangled web nov 2011


DOCUMENT INFORMATION

Basic information

Format
Pages: 324
File size: 4.02 MB

Content

[...]... water here: The Web is relatively young and took its current shape in a setting not that different from what we see today. Instead, the key to this riddle probably lies in the tumultuous and unusual way in which the associated technologies have evolved. So, pardon me another brief detour as we return to the roots. The prehistory of the Web is fairly mundane but still worth a closer look. Tales of the Stone...

... availability), and then called “methodologies.” Frequently, these methodologies are thinly veiled attempts to pass off one of the most frustrating failures of the security industry as yet another success story and, in the end, sell another cure-all product or certification to gullible customers. But despite claims to the contrary, such products are no substitute...

... interest of repentance, The Tangled Web tries to take a small step toward much-needed normalcy, and as such, it may be the first publication to provide a systematic and thorough analysis of the current state of affairs in the world of web application security. In the process of doing so, it aims to shed light on the uniqueness of the security challenges that we—security engineers, web developers, and users—have...

... by other auspices such as the European Computer Manufacturers Association (ECMA), the International Organization for Standardization (ISO), and the Internet Engineering Task Force (IETF). Sadly, the whole of these efforts was seldom in sync, and some discussions and design decisions were dominated by vendors or other stakeholders who did not care much about the long-term prospects of the technology. The...
... explain the high number of security problems we see, but by itself it hardly proves that these problems are unique or noteworthy. To wrap up this chapter, let’s take a quick look at the very special characteristics behind the most prevalent types of online security threats and explore why these threats had no particularly good equivalents in the years before the Web.

The User as a Security Flaw

Perhaps the...

... taxonomy (a practice seen in many other information security books). I hope, too, that this approach will make The Tangled Web a better read. For readers looking for quick answers, I decided to include quick engineering cheat sheets at the end of many of the chapters. These cheat sheets outline sensible approaches to some of the most commonly encountered problems in web application design. In addition, the...

... to coincide with the arrival of powerful and affordable computers and the expansion of the Internet), the unassuming WWW project turned out to be a sudden hit. All right, all right, it turned out to be a “hit” by the standards of the mid-1990s. Soon, there were no fewer than dozens of web servers running on the Internet. By 1993, HTTP traffic accounted for 0.1 percent of all bandwidth in the National Science...

... Science Foundation backbone network. The same year also witnessed the arrival of Mosaic, the first reasonably popular and sophisticated web browser, developed at the University of Illinois. Mosaic extended the original World Wide Web code by adding features such as the ability to embed images in HTML documents and submit user data through forms, thus paving the way for the interactive, multimedia applications...
... doing so, Microsoft contributed greatly to the popularization of the Internet. On the other, it undermined the position of competing browsers and could be seen as anticompetitive. In the end, the strategy led to a series of protracted legal battles over the possible abuse of monopoly by the company, such as United States v. Microsoft.

... or Flash applets on the user’s machine, and useful but tricky...

... In addition, the final part of the book offers a quick glossary of the well-known implementation vulnerabilities that one may come across.

Acknowledgments

Many parts of The Tangled Web have their roots in the research done for Google’s Browser Security Handbook, a technical wiki I put together in 2008 and released publicly under a Creative Commons license. You can browse the original document online at...

... TK5105.59.Z354 2011 005.8 dc23 2011039636

... No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. “The Book of” is a trademark of No Starch Press, Inc. Other...

... fax: 415.863.9950; info@nostarch.com; www.nostarch.com

Library of Congress Cataloging-in-Publication Data

Zalewski, Michal. The tangled Web : a guide to securing modern Web applications / Michal...

... shoulders above other such security-related titles.” —LINUX USER & DEVELOPER

THE TANGLED WEB: A Guide to Securing Modern Web Applications, by Michal Zalewski. San Francisco.

THE TANGLED WEB. Copyright...

Date posted: 31/03/2014, 16:49
