Deals on our brands for businesses
Enjoy fast, free delivery, exclusive deals, and award-winning movies & TV shows.
Buy new:
-39% $36.48
FREE delivery Wednesday, January 7
Ships from: Amazon
Sold by: TRIO ALLIANCE
Kindle app logo image

Download the free Kindle app and start reading Kindle books instantly on your smartphone, tablet, or computer - no Kindle device required.

Read instantly on your browser with Kindle for Web.

Using your mobile phone camera - scan the code below and download the Kindle app.

QR code to download the Kindle App

Follow the author

Get new release updates & improved recommendations
Michal Zalewski
Follow
Something went wrong. Please try your request again later.

The Tangled Web: A Guide to Securing Modern Web Applications First Edition

by Michal Zalewski (Author)
{"desktop_buybox_group_1":[{"displayPrice":"$36.48","priceAmount":36.48,"currencySymbol":"$","integerValue":"36","decimalSeparator":".","fractionalValue":"48","symbolPosition":"left","hasSpace":false,"showFractionalPartIfEmpty":true,"offerListingId":"eYI2PRy6NcmQY4CHr%2FHstO5TJW8sjCmfupO3ihUMK%2BOYYgHisbIgY09yYsLuDKGeCfY4EcMrUbegmLSg9i1mRJY6FwfThU7Vb1D5sGr0ytnvfBpbPzVfge0dd5bITpkwdlQyTp1zo1aka0p%2BlF8s0GMfW6vqkfxABx8WUiJKLWSEzJx23peI%2BHho9ck3gRNY","locale":"en-US","buyingOptionType":"NEW","aapiBuyingOptionIndex":0}, {"displayPrice":"$14.88","priceAmount":14.88,"currencySymbol":"$","integerValue":"14","decimalSeparator":".","fractionalValue":"88","symbolPosition":"left","hasSpace":false,"showFractionalPartIfEmpty":true,"offerListingId":"eYI2PRy6NcmQY4CHr%2FHstO5TJW8sjCmfYdvPYMyNoA8gb9Abuga39rsarURkNS4vOOTrEA6z%2Fd2BevXmYroTowMgLNdRshol1ywx%2FNAlPhxNHf7ptufQVRghnLBnlB7uU5tMNWVoH1BWgTIFCrK%2B2NPafrHPP%2Bz8CircrUnbYhu69Z17C2Ec%2FA%3D%3D","locale":"en-US","buyingOptionType":"USED","aapiBuyingOptionIndex":1}]}

Purchase options and add-ons

"Thorough and comprehensive coverage from one of the foremost experts in browser security."
--Tavis Ormandy, Google Inc.

Modern web applications are built on a tangle of technologies that have been developed over time and then haphazardly pieced together. Every piece of the web application stack, from HTTP requests to browser-side scripts, comes with important yet subtle security consequences. To keep users safe, it is essential for developers to confidently navigate this landscape.

In The Tangled Web, Michal Zalewski, one of the world's top browser security experts, offers a compelling narrative that explains exactly how browsers work and why they're fundamentally insecure. Rather than dispense simplistic advice on vulnerabilities, Zalewski examines the entire browser security model, revealing weak points and providing crucial information for shoring up web application security. You'll learn how to:
  • Perform common but surprisingly complex tasks such as URL parsing and HTML sanitization
  • Use modern security features like Strict Transport Security, Content Security Policy, and Cross-Origin Resource Sharing
  • Leverage many variants of the same-origin policy to safely compartmentalize complex web applications and protect user credentials in case of XSS bugs
  • Build mashups and embed gadgets without getting stung by the tricky frame navigation policy
  • Embed or host user-supplied content without running into the trap of content sniffing
For quick reference, "Security Engineering Cheat Sheets" at the end of each chapter offer ready solutions to problems you're most likely to encounter. With coverage extending as far as planned HTML5 features, The Tangled Web will help you create secure web applications that stand the test of time.
Read more
Previous slide of product details
  1. ISBN-10
    1593273886
  2. ISBN-13
    978-1593273880
  3. Edition
    First Edition
  4. Publisher
    No Starch Press
  5. Publication date
    November 15, 2011
  6. Language
    English
  7. Dimensions
    6.94 x 0.79 x 9.19 inches
  8. Print length
    320 pages
Next slide of product details

Frequently bought together

This item: The Tangled Web: A Guide to Securing Modern Web Applications
$36.48
Get it as soon as Wednesday, Jan 7
Only 1 left in stock - order soon.
Sold by TRIO ALLIANCE and ships from Amazon Fulfillment.
+
The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws
$32.49
Get it as soon as Wednesday, Jan 7
In Stock
Ships from and sold by Amazon.com.
+
Hacking: The Art of Exploitation, 2nd Edition
$31.33
Get it as soon as Wednesday, Jan 7
Sold by sevenflowers7 and ships from Amazon Fulfillment.
Total price: $00
To see our price, add these items to your cart.
Details
Added to Cart
Some of these items ship sooner than the others.
Show details Hide details
Choose items to buy together.

What other items do customers buy after viewing this item?

Page 1 of 1 Start over
Previous set of slides
  2. The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws
    Dafydd Stuttard
    Paperback
    $32.49
    Get it as soon as Wednesday, Jan 7
    FREE Shipping on orders over $35 shipped by Amazon
  3. Web Application Security: Exploitation and Countermeasures for Modern Web Applications
    Andrew Hoffman
    Paperback
    $44.94
    Get it as soon as Wednesday, Jan 7
    FREE Shipping by Amazon
    Only 3 left in stock (more on the way).
  4. Web Security for Developers: Real Threats, Practical Defense
    Malcolm McDonald
    Paperback
    $23.00
    Get it as soon as Wednesday, Jan 7
    FREE Shipping on orders over $35 shipped by Amazon
    Only 2 left in stock - order soon.
  5. The Browser Hacker's Handbook
    Wade Alcorn
    Paperback
    $32.20
    Get it as soon as Wednesday, Jan 7
    FREE Shipping on orders over $35 shipped by Amazon
    Only 3 left in stock (more on the way).
  6. Designing Secure Software: A Guide for Developers
    Loren Kohnfelder
    Paperback
    $39.21
    Get it as soon as Wednesday, Jan 7
    FREE Shipping by Amazon
    Only 1 left in stock - order soon.
Next set of slides

Customers also bought or read

Page 1 of 1Start over
Previous page
  2. Hacking: The Art of Exploitation, 2nd Edition
    Paperback
    $31.33
    Delivery Sat, Jan 10
  4. Real-World Bug Hunting: A Field Guide to Web Hacking
    Paperback
    $32.16
    $3.99 delivery Tue, Jan 27
  6. Designing Secure Software: A Guide for Developers
    Paperback
    $39.21
    FREE delivery Wednesday
  8. The Browser Hacker's Handbook
    Paperback
    $32.20
    Delivery Wednesday
  11. Penetration Testing: A Hands-On Introduction to Hacking
    Paperback
    $24.90
    Delivery Wednesday
  13. JavaScript for hackers: Learn to think like a hacker
    Paperback
    $40.00
    FREE delivery Thursday
  23. RTFM: Red Team Field Manual v2
    Paperback
    $13.99
    Delivery Wednesday
  24. iOS Hacker's Handbook
    Paperback
    $29.43
    Delivery Sat, Jan 24
Next page
Loading...

Editorial Reviews

Review

"A classic – arguably canon – as far as security training books go, and especially when it comes to web application security."
—Britt Kemp, Bishop Fox Labs

About the Author

Michal Zalewski is an internationally recognized information security expert with a long track record of delivering cutting-edge research. He is credited with discovering hundreds of notable security vulnerabilities and frequently appears on lists of the most influential security experts. He is the author of Silence on the Wire (No Starch Press), Google's "Browser Security Handbook," and numerous important research papers.

Product details

About the author

Follow authors to get new release updates, plus improved recommendations.
Michal Zalewski

Michal Zalewski

Brief content visible, double tap to read full content.
Full content visible, double tap to read brief content.

Discover more of the author’s books, see similar authors, read book recommendations and more.

Related books

Page 1 of 1Start Over
Sponsored
Previous page
  1. Shop the Store on Amazon ›
    Mastering the Art of Rapport: Your Ultimate Guide to Building Meaningful Connections
    Mastering the Art of Rapport: Your Ultimate Guide to Building Meaningful Connections
    4.94.9 out of 5 stars36
    $12.99
  2. Shop the Store on Amazon ›
    Python QuickStart Guide: The Simplified Beginner's Guide to Python Programming Using Hands-On Projects and Real-World Applications (Coding & Programming - QuickStart Guides)
    Python QuickStart Guide: The Simplified Beginner's Guide to Python Programming Using Hands-On Projects and Real-World Applications (Coding & Programming - QuickStart Guides)
    4.54.5 out of 5 stars326
    $24.99 List:$34.99
  3. Shop the Store on Amazon ›
    Java for Beginners: Build Your Dream Tech Career with Engaging Lessons and Projects
    Java for Beginners: Build Your Dream Tech Career with Engaging Lessons and Projects
    4.64.6 out of 5 stars144
    $14.40
  4. Shop the Store on Amazon ›
    Building Patterns: Ultimate Guide to Designing Patterns for Clothing (Landauer) Garment Design and Essential Tips and Techniques - Master Pattern Making from Slopers to Construction
    Building Patterns: Ultimate Guide to Designing Patterns for Clothing (Landauer) Garment Design and Essential Tips and Techniques - Master Pattern Making from Slopers to Construction
    5.05.0 out of 5 stars27
    $22.14 List:$27.99
  5. Shop the Store on Amazon ›
    How to Make Money in Any Market
    How to Make Money in Any Market
    4.74.7 out of 5 stars596
    30% offLimited time deal
    $20.99 List:$30.00
Next page

Customer reviews

4.4 out of 5 stars
95 global ratings

Customers say

Customers praise the book's systematic coverage of browser security, with one review highlighting its bottom-up approach to understanding how modern browsers operate. Moreover, they consider it mandatory reading for web developers. However, the book receives mixed feedback regarding its depth and content quality. Additionally, the organization receives criticism, with one customer noting its somewhat rambling structure.
AI Generated from the text of customer reviews

Select to learn more

6 customers mention browser security, 5 positive, 1 negative
Customers appreciate the book's comprehensive coverage of browser security, with one customer highlighting its systematic approach to modern web application vulnerabilities, while another notes how it provides a bottom-up understanding of browser operations.
The book provides systematic coverage of browser security....Read more
It's an impressive web and browser insideout. This book is for you, if you want to learn the pitfalls.Read more
...sums up why "The Tangled Web" is, hands down, the best book on web and browser security....Read more
The book is very well written and goes through modern web application vulnerabilities....Read more
6 customers mention literacy, 5 positive, 1 negative
Customers find the book to be a mandatory read for web developers, with one customer noting it serves as a great reference for security engineers.
...This book should be mandatory reading for every web-developer. Highly recommend it.Read more
...It's certainly a book for application security professionals, not for beginners.Read more
...Some of the content is a little dated but the guidance is very applicable.Read more
...A great reference book for all security web engineers.Read more
3 customers mention content quality, 2 positive, 1 negative
Customers have mixed opinions about the content quality of the book.
Solid content to help one understand all the sad quirks of our Web standards! A great reference book for all security web engineers.Read more
...The content is superficial at best and lacks examples....Read more
The content is good but the organization of the book is somewhat rambling, jumping around....Read more
3 customers mention depth, 2 positive, 1 negative
Customers have mixed opinions about the depth of the book, with some praising its tremendous insight, while one customer notes it lacks depth.
...The first 6 pages of chapter 1 provide brilliant insight into why formal security models, risk management and taxonomies fail to deliver promised...Read more
...It does have some interesting bits, but it lacks depth, does not manage to pull my attention....Read more
...In this book Michal Zalewski walks us through the history and the evolution of the architecture of the popular browsers, servers, protocols, and...Read more
4 customers mention organization, 1 positive, 3 negative
Customers find the organization of the book somewhat rambling and poorly structured.
...This book is poorly structured....Read more
...It feels like I'm reading an encyclopedia, but without the depth or organization. At other times it feels like an extended dictionary....Read more
...The author, as always, gives examples and very clear explanations.Read more
The content is good but the organization of the book is somewhat rambling, jumping around....Read more

Top reviews from the United States

  • Ilya Grigorik
    5.0 out of 5 stars Mandatory reading for every web developer
    Reviewed in the United States on June 9, 2012
    Format: PaperbackVerified Purchase
    "Gaining insights into the underlying mechanics of web applications is far more important that memorizing several thousand random and often unnecessary terms."

    That one sentence sums up why "The Tangled Web" is, hands down, the best book on web and browser security. It is all too easy to criticize, lament, and create paranoid scenarios about the "unsound security foundations" of the web. Truth is, all of that criticism is true, and yet the web has proven to be an incredibly robust platform. In this book Michal Zalewski walks us through the history and the evolution of the architecture of the popular browsers, servers, protocols, and everything in between - as it relates security of modern web applications.

    Instead of focusing on the usual security acronyms and "attack classes", this book will give you something much more powerful: a bottom up understanding of how a modern browser operates, why it does what it does, and what implications this has for designing more secure applications. This book should be mandatory reading for every web-developer. Highly recommend it.
    4 people found this helpful
    Helpful
     Report
  • Marcin Antkiewicz
    5.0 out of 5 stars Systematic coverage of browser security
    Reviewed in the United States on December 1, 2011
    Format: PaperbackVerified Purchase
    The book provides systematic coverage of browser security. The first 6 pages of chapter 1 provide brilliant insight into why formal security models, risk management and taxonomies fail to deliver promised security improvements to organizations that embrace them. I used to explain the same with a lot of hand weaving, Zalewski's approach and insight are far superior.

    Make no mistake, the book is focused on the browser and related technologies rather than the theory of security. The same tremendous insight, that made me nod with appreciation and wish that I had the book 5 years ago while working on security policies, illuminates browser concepts like in-browser content separation, scripting, and much more.

    I appreciate the authors treatment of each of the concepts in the context of the browser as a complex and still evolving technology, with it's own history, standards, market requirements and politics.
    6 people found this helpful
    Helpful
     Report
  • Henrique Ferraz Arcoverde
    5.0 out of 5 stars At first i was conservative about this book because of ...
    Reviewed in the United States on December 13, 2014
    Format: PaperbackVerified Purchase
    At first i was conservative about this book because of the topics, URL, HTML, etc... However, since i'm a Zalewski's fan, i decided to try it. When i read the first chapter, i got my mind blown. So many details where in front of me and i didn't realize until now. It's certainly a book for application security professionals, not for beginners.
    One person found this helpful
    Helpful
     Report
  • Hugo Assuncao
    4.0 out of 5 stars The pitfalls of web and browsers
    Reviewed in the United States on September 4, 2017
    Format: KindleVerified Purchase
    It's an impressive web and browser insideout.
    This book is for you, if you want to learn the pitfalls.
    One person found this helpful
    Helpful
     Report
  • Maxim Kachurovskiy
    5.0 out of 5 stars Best applied tech book I've ever read
    Reviewed in the United States on April 11, 2013
    Format: PaperbackVerified Purchase
    This book is AWESOME. One should not be allowed to work on sensitive product without studying it.

    Before I didn't even realized that e.g. when Flash makes cross domain requests it appends all ambient credentials - and there are so many insights like this in this book.

    While reading I also found a bunch of critical vulnerabilities in the projects I know.
    Helpful
     Report
  • rpm507
    5.0 out of 5 stars Good guidance for developing secure web applications
    Reviewed in the United States on July 4, 2014
    Format: KindleVerified Purchase
    Did you know that every web application should have a crossdomain.xml? Check the top level of most popular sites. That is just one of the tips available in the Security Engineering Cheat Sheets in this book. Some of the content is a little dated but the guidance is very applicable.
    Helpful
     Report
  • Gunnar Wolf
    2.0 out of 5 stars Weak...
    Reviewed in the United States on December 11, 2014
    Format: KindleVerified Purchase
    Really expected more from this book. It does have some interesting bits, but it lacks depth, does not manage to pull my attention. I develop Web systems for a living and am security-minded, so I might be biased on this, but it is the demographics I think it would most cater to!
    2 people found this helpful
    Helpful
     Report
  • E. Gutesman
    5.0 out of 5 stars Zalewski again, driving the security practices
    Reviewed in the United States on August 23, 2013
    Format: PaperbackVerified Purchase
    The book is very well written and goes through modern web application vulnerabilities. The author, as always, gives examples and very clear explanations.
    Helpful
     Report

Top reviews from other countries

Translate all reviews to English
  • Thomas
    1.0 out of 5 stars Pas de table des matières dans le Kindle
    Reviewed in France on May 27, 2021
    Format: KindleVerified Purchase
    Ce livre est sans doute intéressant, mais il manque une table des matières dans la version Kindle, ce qui le rend peu pratique si l'on a acheté ce livre comme outil plutôt qu'un livre qui se lit de la première à la dernière page.
    Report
  • David M
    5.0 out of 5 stars Excellent
    Reviewed in the United Kingdom on January 1, 2020
    Format: PaperbackVerified Purchase
    Reading some of the reviews on the main amazon.com website it's quite clear to understand that this book is not for a developer trying to understand how to defend their websites against attack, and I'd certainly not recommend it for that purpose. What it is excellent at is giving an overview of the mess that is modern browser security. It's getting old now, but the way it's written (and I assume the reason that it is a little rambling) it's a dude trying to explain what he feels you should know about the way the internet works, many times during the book even before I've asked 'does this mean x is possible if we get it wrong' - he's got an example of it. It's a great book, and if you take it for what it is, there's nothing that has the gives you the same insight and depth into the (well in 2020 not so much) way the modern web works and the pitfalls that are all too easy to fall into. 5*
    Report
  • Akhenaton
    5.0 out of 5 stars Untangled my tangled understanding
    Reviewed in Germany on December 3, 2012
    Format: KindleVerified Purchase
    Zalewski's clear, often humorous, always broad and superbly documented "archaeology" of the web had a sanitizing effect on my understanding that standard security books do not provide. As he walks you down and around the paths, decisions, insights and mistakes (and mistakes and mistakes and mistakes) that made the web so tangled, he not only provides much useful information on, and "an attitude" towards security, but may in fact untangle a web-tangled understanding of somewhat confusing issues. To top it all, it's a great read - I hardly felt I was reading something so technical. Very recommended.
    Report
  • Andrea Berardi
    5.0 out of 5 stars Ottimo libro, assolutamente consigliato!
    Reviewed in Italy on July 28, 2020
    Format: PaperbackVerified Purchase
    Veramente un ottimo libro, molto interessante e chiaro.
    Come al solito No Starch Press non delude, contenuti ottimi e anche attuali. D’altronde la sicurezza sul web è uno dei temi centrali dei nostri tempi.
    Report
  • Jonathan
    4.0 out of 5 stars Outdated but good resource
    Reviewed in Canada on April 26, 2024
    Format: PaperbackVerified Purchase
    In 2024, I would not recommend this book simply because it is outdated now. When it was written, this is an adequate guide for learning about web security design and application.
    Report