[WEB SECURITY] TTW

Robert A. robert at webappsec.org
Tue Nov 15 12:37:57 EST 2011


> I don't normally spam mailing lists with commercial crap - but I'm
> actually sort of proud of this one, I think it's sort of unique and
> may be of interest to many readers... so let's see if the moderator is
> asleep?

I'm awake :)

So I don't normally allow posts like this through as you

1. Point out specific product vulns
2. Promoting something

However, it is difficult to find (in one location) the differences between 
the browsers as well as a write up of the browsersec model. For this 
reason I allowed the post as others (including myself) would find it 
useful.

Regards,
- Robert Auger
WASC Co Founder/Moderator of The Web Security Mailing List
http://www.webappsec.org/


>
> Long story short, I wanted to plug "The Tangled Web" - a book that
> partly inspired by my 2008 Browser Security Handbook
> (http://code.google.com/p/browsersec/). TTW is probably the first-ever
> reasonably detailed examination of the browser security model and its
> evolution through the years, covering everything from frame navigation
> policies and some of the less known quirks of plugin handling and
> content sniffing, to many of the current and upcoming HTML5 features.
>
> In addition to that, I think it outlines quite a few novel challenges
> that I think will shape the future of web security, e.g.:
>
> http://lcamtuf.blogspot.com/2010/08/on-designing-uis-for-non-robots.html
> http://lcamtuf.blogspot.com/2011/08/subtle-deadly-problem-with-csp.html
>
> And as a final bonus for bug hunters, it also highlights a bunch of
> previously unpublished security issues, such as this Opera origin
> inheritance flaw (reported in Mar 2011, and fixed not that long ago):
>
> PoC: http://lcamtuf.coredump.cx/inherit/opera.html
> Advisory: http://www.opera.com/support/kb/view/995/
>
> For sample chapters, endorsements, etc, you can go there:
>
> http://lcamtuf.coredump.cx/tangled/
>
> Feedback welcome. It's far less of a viable commercial project, and
> more of an attempt to just document the current state of affairs.
>
> /mz
>
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>




More information about the websecurity mailing list