web

Exploit Web 2.0, Real Life XSS-Worm

Whitepaper called Exploiting Web 2.0, Real Life XSS-Worm.




web

Book Review: 'The Tangled Web' By Michal Zalewski

No Starch Press: $49.95

If you are a security engineer, a researcher, a hacker or just someone who keeps an ear to the ground when it comes to computer security, chances are you have seen the name Michal Zalewski. He has been responsible for an abundance of tools, research, proofs of concept and helpful insight over the years. He recently released a book called "The Tangled Web - A Guide To Securing Modern Web Applications".

Normally, when I read books about securing web applications, I find many parallels: authors give an initial lay of the land, dictating what technologies they will address and what programming languages they will encompass, followed by a decent amount of detail on vulnerabilities that exist along with some remediation tactics. Such books are invaluable for people in this line of work, but there is a bigger picture that needs to be addressed, and it includes quite a bit of secret knowledge rarely divulged in the security community. You hear it in passing conversation over beers with colleagues or discover it through random tests on your own. But rarely are the oddities documented anywhere in a thorough manner.

Before we go any further, let us take a step back in time. Well over a decade ago, the web was still in its infancy and an amusing vulnerability known as the phf exploit surfaced. It was nothing more than a simple input validation bug in a CGI script, yet it resulted in arbitrary code execution on the server. The average hacker enjoyed this (and many more bugs like it) during this golden age. At the time, developers of web applications had a hard enough time getting their code to work and rarely took security implications into account. Years later, cross site scripting was discovered and there was much debate about whether or not a cross site scripting vulnerability was that important. After all, it was an issue that restricted itself to the web ecosystem and did not give us a shell on the server. Rhetoric on mailing lists mocked such findings, and we (Packet Storm) received many emails saying that by archiving these issues we were degrading the quality of the site. But as the web evolved, people started banking online, their credit records were online, and before you knew it, people were checking their social network updates on their phone every five minutes. All of a sudden, something as small as a cross site scripting vulnerability mattered greatly.

To make the situation worse, many programs were developed to support web-related technologies. In the corporate world, being first to market or putting out a new feature in a timely fashion trumps security. Backwards compatibility that feeds poor design became a must for any of the larger browser vendors. The "browser wars" began and everyone had different ideas on how to solve different issues. To say web-related technologies brought many levels of complexity to the modern computing experience is a great understatement. Browser-side programming languages, such as JavaScript, became a playground for hackers. Understanding the Document Object Model (DOM) and the implications of poorly coded applications became one of those lunch discussions that could cause you to put your face into your mashed potatoes. Enter "The Tangled Web".

This book puts some very complicated nuances in plain (enough) English. It starts out with Zalewski giving a brief synopsis of the security industry and the web. Breakdowns of the basics are provided and it is written in a way that is inviting for anyone to read. It goes on to cover a wide array of topics, including the operation of browsers, the protocols involved, the various types of documents handled and the languages supported. Armed with this knowledge, the reader is enabled to tackle the next section detailing browser security features. As the author puts it, it covers "everything from the well-known but often misunderstood same-origin policy to the obscure and proprietary zone settings of Internet Explorer". Browsers, it turns out, have a ridiculous amount of odd dynamics for even the simplest acts. The last section wraps things up with upcoming security features and various browser mechanisms to note.

I found it a credit to the diversity of the book that technical discussion could also trail off to give historical notes on poor industry behavior. When it noted DNS hijacking by various providers, it reminded me of the very distinct and constantly apparent disconnect between business and knowledge of technology. When noting how non-HTTP servers were being leveraged to commit cross site scripting attacks, Zalewski also made it a point to note how the Internet Explorer releases only prohibit a handful of ports while all other browsers block dozens. The delicate balance of understanding alongside context is vital when using information from this book and applying it to design.

Every page offers some bit of interesting knowledge that dives deep. It takes the time to note the odd behaviors small mistakes can cause and also points out where flawed security implementations exist. This book touches on the old and the new, and on many things other security books have overlooked. Another nice addition is that it provides security engineering cheat sheets at the end of each chapter. To be thorough, it explains the initiatives set out by RFCs while also documenting the different paths various browser vendors have taken in tackling tricky security issues. Google's Chrome, Mozilla's Firefox, Microsoft's Internet Explorer, Apple's Safari and Opera are compared and contrasted at length throughout this book.

In my opinion, the web has become a layer cake over the years. New shiny technologies and add-ons have been thrown into the user experience and with each of them comes a new set of security implications. One-off findings are constantly discovered and documented (and at Packet Storm we try to archive every one of them), but this is the first time I have seen a comprehensive guide that focuses on everything from cross-domain content inclusion to content-sniffing. It is the sort of book that should be required reading for every web developer.

 -Todd





web

Asif Ali Zardari Website Hacker Nabbed





web

Interweb Chuck Norris Infiltrates Netflix, Tivo




web

Researcher Raids Browser History For Webmail Login Tokens






web

Court Confirms DMCA Good Faith Web Site Shut Down






web

Elegy for a website where Native voices mattered

AJAM reported on tribal communities and offered coverage on Indian Country that few could match




web

Cyber Security Today – Canada hit by COVID cheque fraud; Webex, Teams under attack, more COVID email scams and three big data breaches

Welcome to Cyber Security Today. It's Friday May 8th. I'm Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com. It didn't take long for cybercriminals to take advantage…




web

'We underperformed' - Webber

Mark Webber believes Red Bull underperformed at the Italian Grand Prix and missed out on an opportunity to take a more commanding lead in the championship




web

Webber 'stoked' with result

Mark Webber said he was 'stoked' for everybody involved with the Red Bull Racing team after his second place behind team-mate Sebastian Vettel helped the team seal its first constructors' title




web

Webber happy with team orders stance

Mark Webber said he was happy with his team's philosophy on team orders after finishing second behind team-mate Sebastian Vettel in the Brazilian Grand Prix




web

Webber takes five-place grid penalty

Mark Webber will not start from the front row of the grid at the Canadian Grand Prix, after Red Bull decided to change his gearbox on Sunday morning




web

Mixed emotions for Webber in Montreal

Mark Webber was left in a philosophical frame of mind after finishing fifth in the Canadian Grand Prix




web

Webber 'shocked' by lack of overtaking

Red Bull Racing driver Mark Webber confessed himself "shocked" by the lack of overtaking at the season's opening Bahrain Grand Prix




web

Webber blames new front tyres for lack of overtaking

Mark Webber believes the narrower front tyres introduced this season to improve the car's balance were key to the lack of overtaking at the Bahrain Grand Prix




web

Webber apologises for Hamilton crash

Mark Webber has apologised for crashing into Lewis Hamilton in the closing stages of the Australian Grand Prix




web

Hamilton frustrated by 'silly' Webber

Lewis Hamilton has labelled Mark Webber's botched attempt to pass him at the Australian Grand Prix in the closing stages as "silly"




web

Vettel and Webber dominate for Red Bull

Sebastian Vettel recorded a start-to-finish victory at an incident-packed Japanese Grand Prix, with team-mate Mark Webber taking second to complete a perfect weekend for Red Bull




web

Webber satisfied with second in Japan

Mark Webber said he was happy to finish second behind team-mate Sebastian Vettel and maintain his lead at the top of the championship standings




web

Webber dominates from start to finish

Mark Webber completed a start-to-finish victory in the Monaco Grand Prix, his second win in succession, to go joint top in the drivers' championship with team-mate Sebastian Vettel




web

'One of my greatest days' - Webber

Mark Webber said his win in the Monaco Grand Prix was "one of the greatest days" of his life.




web

Vettel says Webber was unbeatable

Sebastian Vettel said he was simply outpaced by his Red Bull team-mate Mark Webber at the Monaco Grand Prix




web

Web Design Facts To Increase The Sale

The purpose of any website is to earn profit for the owner. The website not only upholds the brand value of the products, it attracts customers for the business. For that reason the website must be attractive, user-friendly, well...




web

Webinar: The Future of Open Government Data in Mexico

The OECD organised a webinar "The Future of Open Government Data in Mexico: Challenges and Experiences in OECD countries". The webinar was open to everyone and sought to help the Mexican Government prioritise the definition and implementation of strategic actions that contribute to the continuity and maturity of OGD policy in the short and medium term.




web

Webinar on Climate change mitigation policies: New interactive tool

To increase transparency and improve understanding of different countries’ situations, the OECD has developed an interactive map that brings to life key climate change mitigation statistics and policy settings. The webinar on Monday 16 November 2015, 15h00-16h30 (Paris time) consisted of a summary of the main messages of the report "Climate Change Mitigation: Policies and Progress" and a demonstration of the interactive tool.




web

Webinar: What we think about global warming?

Cloudy head on climate change? Join the webinar on Wednesday 30 March 2016 from 1-2 pm (Paris time) with Professor Per Espen Stoknes on What we think about... when we try not to think about... global warming!




web

Webinar – Best Practices in Green Public Procurement

Webinar presenting OECD’s and UNEP’s Compendium of Best Practices in Green Public Procurement




web

Webinar on Trade & Green Growth

On 7 May 2015, the Green Growth Knowledge Platform (GGKP) will hold a webinar on 'Trade and Green Growth: Measuring the impact of environmental policy on economic competitiveness' from 1-2 PM Geneva time.




web

Webinar - Decarbonizing Development: Three Steps to a Zero-Carbon Future

On 28 May 2015, the Green Growth Knowledge Platform (GGKP) webinar will examine how proper planning can help lay the foundation for both a stable climate and good development path; explore how countries can create the right enabling environment so that the needed technology, infrastructure and financing are available; and discuss how countries can carefully manage the transition, given vital political economy considerations.




web

Webinar: COP21 and beyond: Aligning Policies for a Low-carbon Economy

Addressing climate change requires urgent policy action to drive a global infrastructure and technological transformation. The latest report 'Aligning Policies for a Low-carbon Economy' presents the first diagnosis of the alignments of policy and regulatory frameworks with climate policy goals. Join the Green Growth Knowledge Platform (GGKP) for a webinar exploring these issues on 5 October 2015, 15:00-16:30 (Paris time).




web

Webinar: Green Growth, Indicators, and the SDGs

Join the Green Growth Knowledge Platform (GGKP) for a webinar on 20 April from 16:00-17:30 (Geneva time) to debate where and how the way we measure our progress towards an inclusive green economy, including how this relates to the SDGs, can be improved.




web

Webinar: How to make green growth inclusive in Latin America and the Caribbean

Join the Green Growth Knowledge Platform (GGKP) for a webinar on 25 May 2016, 9:00-10:40am (CST, Costa Rica time) to explore issues affecting the LAC region, including: inclusive green growth, implementation of clean, efficient, resilient and socially inclusive innovations. Please note that the webinar will be held in Spanish.




web

Webinar - African Economic Outlook 2016: Sustainable Cities and Structural Transformation

Register for the Green Growth Knowledge Platform (GGKP) Webinar on Sustainable Cities and Structural Transformation through a presentation of this year's African Economic Outlook (AEO). The webinar will take place on 20 July 2016, 2:00-3:30pm (Geneva time).




web

Webinar: Unlocking Green Growth Potential: Experiences from Colombia and Peru

Join the GGKP for a webinar on 1 November from 3:00pm - 4:30pm (Geneva time) to learn more about the Global Green Growth Institute (GGGI)'s Green Growth Potential Assessment (GGPA) tool which helps countries find ways to turn risks into green growth opportunities, and the ways in which it has been applied to unlock green growth potential in Colombia and Peru.




web

10 Tips to create a successful website.

Are you interested in creating a website but have no idea where to begin? Well, design is perhaps the most important facet of a website. Although functionality and content are very...




web

OECD LEED Webinar Series on "Local economic resilience and adaptability to long-term challenges" - Part One

The webinars enabled serious discussion on the concept of ‘local economic resilience’ in an informal setting that facilitates interaction and questions. The format featured presentations from policy experts and a roundtable discussion with the audience.




web

OECD LEED Webinar Series on "Local economic resilience and adaptability to long-term challenges" - Part Two: Resilience in Practice

The webinars will enable serious discussion on the concept of ‘local economic resilience’ in an informal setting that facilitates interaction and questions. The format will feature presentations from policy experts and a roundtable discussion with the audience.




web

Webcast on anti-corruption ethics and compliance tools from UNODC, OECD, World Bank

Based on the OECD-UNODC-World Bank Anti-Corruption Ethics and Compliance Handbook, this webcast organised by KPMG offered an opportunity for attendees to learn about and understand the value of anti-corruption and ethics compliance best practices and how to use them to enhance their programmes.




web

OECD Anti-Bribery Ministerial Meeting, 16 March 2016 - Open to media from 9:45 AM to 12:45 PM, Live webcast

Bribery in international business undermines good governance and economic development, perpetuates poverty and distorts international competition.




web

Launch of OECD & EUIPO report on trade in counterfeit goods: Monday 18 April at 12:00 CET, Live webcast

OECD Deputy Secretary-General Doug Frantz and EUIPO Executive Director António Campinos will launch the joint report “Trade in Counterfeit and Pirated Goods: Mapping the Economic Impact” at 12:00 CET on Monday 18 April at the OECD Conference Centre in Paris.




web

Archived webinar December 17 2015 - Immigrant Students at School: Easing the Journey towards Integration, presented by Andreas Schleicher, Director for the Directorate of Education and Skills, OECD




web

Archived Webinar - Supporting Teacher Professionalism. (Friday, 12 February 2016, 10:00 a.m. – 12:00 p.m.)

Archived Webinar - Friday, 12 February 2016, 10:00 a.m. – 12:00 p.m. (ET) - The Alliance for Excellent Education and the National Commission on Teaching and America’s Future (NCTAF) joined forces with the Organisation for Economic Co-operation and Development (OECD) to host a joint U.S. release of the OECD’s new report Supporting Teacher Professionalism.




web

Archived webinar - Low-performing Students: Why they Fall Behind and How to Help them Succeed (February 10, 2016) with Andreas Schleicher, Director for Education and Skills, OECD, and Daniel Salinas, Analyst, OECD.