reading notes on the web

Posted by deaguero at 2020-03-09

In a flash, more than five months have passed without me writing anything; time goes by quickly. At the end of 2014, taking advantage of the fact that it is not yet 2015, I am sending out my notes on the book I recently read. I haven't had as much free time since I started working, and I've read fewer books. The book that was expected to be finished in October was not finished until last Sunday. If I have time in the near future, I may sort out some of the pitfalls or things I have written about recently.

The tangled web – a guide to securing modern web applications

16mo format, thick paper, appropriate spacing between lines and sections, small font.

Translator's errata for this book: Errata summary: "Trapped in the Web" (The Tangled Web), Machinery Industry Press, 1st edition, 1st printing errata (or download here)

Reading depth: close reading. Recommended depth: close reading, repeated reading.

Unlike common security books, "Trapped in the Web" (the Chinese edition of The Tangled Web) does not arrange its chapters by vulnerability class (such as SQL injection, XSS, CSRF), nor does it teach you how to use security software or systems such as Metasploit or nmap. Instead, it starts from a deeper, lower layer to show readers details that are rarely understood but very important, and builds up a very complete picture of web security.

The first part of the book examines many details of the relevant RFC protocol specifications and analyzes the potential vulnerabilities in them. It starts from the address bar, analyzing the URL and the HTTP protocol; it then moves to page presentation, analyzing the HTML language, CSS, scripts, non-HTML documents and plug-ins.

The second part starts from the same-origin policy, explaining the problems lurking in the inconsistencies between browsers. In addition, it explains the content recognition (sniffing) mechanism, defending against malicious scripts, the privileges of peripheral sites, and other browser security features.

The third part looks at the current state and future trends of browser security.

Although the body of the book is only 250 pages, it is all-inclusive, and it is not easy to read it quickly and understand it well. I read this book intermittently over three months, but only covered the book's own contents (and not fully understood at that), without digging deeper into the references. Maybe after a while I will read the book again.

The final chapter of this book, "Security Engineering Checklist", is very good.

The translator of this book is very conscientious and even published a dedicated post to follow up on the errata. The book is very dense, and many knowledge points are hard to explain; the author's interjections give readers a breather in the sea of text.

Overall, this is a book you will regret not reading.

1. Web application security
2. Everything starts from the URL
3. The HTTP protocol
4. The HTML language
5. Cascading style sheets
6. Browser scripts
7. Non-HTML documents
8. Content generated by browser plug-ins
9. Content isolation logic
10. Inheritance of origin
11. The world beyond the same origin
12. Other security boundaries
13. Content recognition mechanism
14. Dealing with malicious scripts
15. Peripheral site privileges
16. New browser security features and future prospects
17. Other noteworthy browser mechanisms
18. Common web security vulnerabilities

Download the mind map: XMind (Baidu cloud drive) (picture)