Hacker News Comments on
The Tangled Web: A Guide to Securing Modern Web Applications
·
6
HN comments
- This course is unranked · view top recommended courses
Hacker News Stories and Comments
All the comments and stories posted to Hacker News that reference this book.If you don't know who this is, he wrote one of my favourite books on web (browser) security: "The Tangled Web" [1].Another lesser known book by him is also worth a read: "Silence on the Wire" that takes a look at the full information security stack from the keyboard you type on, to the wires the data transits, to the internet protocols, etc [2] and looking at how each stage exposes/protects data.
And has quite an interesting history in infosec beyond that [3].
[1] https://www.amazon.com/Tangled-Web-Securing-Modern-Applicati...
[2] https://www.amazon.com/Silence-Wire-Passive-Reconnaissance-I...
⬐ iooiHe also had a pretty popular post here a while back about prepping for doomsday [1], interesting read.⬐ alethiophileI just got one of those periodic "wow, those are the same person?" Internet moments; I've both used AFL a fair bit, and read Tangled Web, but never connected the two.Impressive fellow.
⬐ seanhandley"Silence on the Wire" is still my favourite security book!⬐ harryfI loved Silence on the Wire (your [2]) - really changed my perspective on how much we "give away" passively⬐ elorantThat's funny because there is another book [1] with exactly the same title and also about computer security, although it predates the one you mention by a decade.[1] https://www.amazon.com/Tangled-Web-Securing-Modern-Applicati...
⬐ dmix⬐ pjfThat's the same book and link.⬐ elorantOops, my bad. I meant this one:https://www.amazon.com/TANGLED-WEB-Digital-Shadows-Cyberspac...
If you don't know who this is, read his CV: http://lcamtuf.coredump.cx/cv-web-en.pdf⬐ raverbashingyeah I think it's feeling the HN effect already(a bit ironic that it doesn't have https enabled)
⬐ sigjuice⬐ AceJohnny2Not as ironic as the OpenBSD Foundation asking for donations via an http site⬐ krylon⬐ asveikauTheir site is available via https, it just is not default. Which admittedly is a little strange.>> http://lcamtuf.coredump.cx/cv-web-en.pdf> (a bit ironic that it doesn't have https enabled)
That sounds like an interesting trick... MITM the CV of a famous security person in order to land a security job?
Wait, this is lcamtuf? Wow.I've always been in awe of his AFL fuzzer:
http://lcamtuf.coredump.cx/afl/
https://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-th...
⬐ alphadevxHe also wrote Ratproxy: https://code.google.com/archive/p/ratproxy/
my biggest realisation of this was when reading the opening chapters to Michel Zalewski's Tangled web [1]. He does an excellent brief intro to how we got to where we are, warts and all.Things like content sniffing where a browser can't work out what type of file it's been given, so has an algorithm to take a guess and render based on that are what we've got to deal with.
[1] https://www.amazon.com/Tangled-Web-Securing-Modern-Applicati...
OWASP is a massively disorganized, vendor-driven, volunteer (read: soapbox-as-a-service) organization littered with half-completed, abandoned projects. That said, there are a small few that are "ok".I like using ASVS as a checklist when doing a webapp pentest:
https://www.owasp.org/index.php/Category:OWASP_Application_S...
The OWASP testing guide is an incredibly verbose walkthrough for finding most types of web vulns:
https://www.owasp.org/index.php/Category:OWASP_Testing_Proje...
Some of the cheat sheets are ok, but many are littered with incorrect and incomplete info, so take them with a grain of salt:
https://www.owasp.org/index.php/Cheat_Sheets
All that said, I think that most (all?) professional web security testers use Burp Suite and have a copy of The Web Application Hacker's Handbook (2nd) on their desk. The book's authors wrote an on-demand assault course to help learn the concepts in the book and it is pretty decent. About $200 and you'll get most of the way through it. A few people I've known that went through it gave it good reviews.
I think the second book most web security testers have on their desk is The Tangled Web by Michal Zalewski (of afl-fuzz and ratproxy fame). If you have a chance, reading the ratproxy source can be an informative way to learn how a web scanner is built and about the vulns it can find:
http://www.amazon.com/The-Tangled-Web-Securing-Applications/...
https://code.google.com/p/ratproxy/
Finally, the last and probably best way to learn web security is to play in a CTF. These are time-compressed challenges that last 24-72 hours where teams of competitors hack purposefully vulnerable applications to score points. Here's a calendar of upcoming competitions and a little guide I wrote about them:
https://trailofbits.github.io/ctf/
EDIT: Ah, I realize I wrote this from the perspective of learning to break web applications and included few development resources. While some of that knowledge is generic (password storage, for instance), much of that knowledge is framework-specific. For example, see the Rails security guide and brakeman:
⬐ wglbWith respect to the comment Some of the cheat sheets are ok, the very best of them is the XSS material contributed by rsnake.
Zalewski was the reason I felt unaccomplished in 2005, when I read his "Silence on the wire" and noted he wasn't much older than I am.His separate guide on CNC is great[1]. He also has a great intro to electronics[2]. His first book is an amazing survey of totally passive attacks[3]. His second book is a comprehensive survey of web application osecurity[4].
[1] http://lcamtuf.coredump.cx/gcnc/
[2] http://lcamtuf.coredump.cx/electronics/
⬐ CamperBob2Wow, that CNC guide is awesome. Is there anything like this for metalworking-oriented machining?⬐ zarothSample chapter of 'Silence on the wire': ftp://ftp.helion.pl/online/bekomp/bekomp-11.pdfEdit: Almost funny to see FTP actually being used to, you know, transfer files. As Scotty would say, "How quaint!"
⬐ agumonkeywarning: sample in polish (as the host dn)
I'd also like to know Security 101 for web developers.In a recent appsec thread, there were two books that a lot of people recommended:
http://www.amazon.com/The-Tangled-Web-Securing-Applications/...
http://www.amazon.com/The-Web-Application-Hackers-Handbook/d...