This is one of those very upsetting books. I found it very hard to read, not because of any fault of the author or the publisher, but because the content made me uncomfortable. I literally squirmed in my seat and would sigh so often that my wife would worriedly ask "What's wrong?"
What's wrong is that the web is a dangerous place.
Where and how that danger lurks is the subject of this book. Its subtitle is "A Guide to Securing Modern Web Applications" which certainly sounds hopeful:
"Yes, there are dangerous creatures in these woods, but we'll be walking with a crack team of highly trained and well-armed guides, so we'll be fine."
However, we will not have ventured very far into the Internet forest before we realize that our "crack team" of web browsers is anything but. Most of them can't seem to tell a squirrel from a poisonous snake. When they do decide to point their weapons at something threatening, we had better duck, because their aim is atrociously bad. Suspicious-looking miscreants appear at the edges of our trail and beckon us to follow them into the dark woods; our guides lay down their weapons and, with beaming grins, trot off, never to be seen again!
That's what was making me squirm in my seat and annoy my wife with my long and plaintive sighs and soft moans.
At the same time, I was finding guilty pleasure. I love learning how things work. Even more interesting is how things break, how good intentions sometimes fall in a jumbled heap after the most gentle push. That's what this book is really about: breaking stuff.
Oh, sure, there are "Cheat Sheets" in every chapter that contain succinct advice on how you might avoid being p0wned by the various flaws being discussed, and those are a valuable part of the book. But they are not the fun part. As disquieting and upsetting as the security failures may be, they are also fun to read about. Mixing great fun and raw fear might not seem like a recipe for a good book, but it works here.
You won't have to read far before Richard Stallman's comment about web browsing starts to seem more sensible than paranoid:
I generally do not look at web sites from my own machine, aside from a few sites operated for or by the GNU Project, FSF or me. I fetch web pages from other sites by sending mail to a program that fetches them, much like wget, and then mails them back to me.
Michal Zalewski, by the way, is also the author of another of my very favorite security books: Silence on the Wire. If you haven't read that yet, you are denying yourself a real treat.
What Michal does in both books is dive deep. He shows you the history, where it broke, how it broke, why it broke. He tears apart browsers and lays the parts out for close examination. You can find a sample chapter at the book's website, but honestly, if this review has intrigued you that much, you are going to want to read the whole thing, so you might as well just go to Amazon and place your order now.
Fun to read, educational and (if you are actually creating websites) very useful. Even if you are only a consumer of web content, this might help you understand why people like Stallman are so obsessive about security.
By the way: If you will be reading this in the company of someone else, you might warn them in advance about all the sighing and groaning you might be doing. I'm sure they will appreciate that.
The Tangled Web: A Guide to Securing Modern Web Applications