Best Web Application Security Books in 2026
Seven web application security books worth reading in 2026, from foundational taxonomy to modern API and GraphQL attacks.
Web application security has the strangest book market of any subfield: most of the canonical texts are over a decade old, the web has changed completely, and yet they still teach you things you can't get elsewhere.
Here is how to read the field in 2026.
The taxonomy book (read it anyway, despite the date)
The Web Application Hacker's Handbook by Stuttard and Pinto is from 2011. The specific exploits are dated, and several entire categories (modern auth, GraphQL, cloud-native attack surface) are missing or thin. And it's still required reading.
The reason: nothing else gives you the taxonomy this clearly. Once you know the shape of every web bug class, modern variants are recognizable. Pair the book with PortSwigger Academy for current details.
The browser-security mental model
The Tangled Web by Michal Zalewski is the best book ever written on why the web is the way it is. Origins, content type negotiation, cookies, the layered absurdity that is the modern browser security model. Older but evergreen on principles.
Read it before you write your first content security policy.
The developer's primer
Web Security for Developers by Malcolm McDonald is the calmest, most practical book on web security in print. Even if you don't write code, reading the developer's view shows you exactly which mistakes show up in your bug bounty submissions.
The API book
Hacking APIs by Corey Ball is the modern web security book that doesn't exist for monolithic apps. REST, GraphQL discovery, BOLA, mass assignment, JWT abuses. Most production attack surface today is API; this is your book for it.
The GraphQL specialist
Black Hat GraphQL by Aleksandrov, Boemer, and Cherny is the only serious book in print on GraphQL attacks. Introspection, batching, depth-of-field abuse, query cost attacks. Skip if you don't see GraphQL in your work; required if you do.
The bug bounty practitioners' books
Real-World Bug Hunting by Peter Yaworski is the case-study book: 30+ real bug bounty disclosures, each broken down. It's how you learn the gap between knowing a vulnerability class and actually finding it.
Bug Bounty Bootcamp by Vickie Li is the practical companion: methodology, recon, automation, and the specific bug classes you'll find on modern programs. More current than WAHH on the modern bug landscape.
A practical reading order
For an aspiring web security pro, this is the order we'd give:
- Web Security for Developers (the developer's view).
- PortSwigger Academy alongside The Web Application Hacker's Handbook.
- The Tangled Web for the browser-security mental model.
- Hacking APIs when you start testing modern targets.
- Real-World Bug Hunting + Bug Bounty Bootcamp when you start hunting.
- Black Hat GraphQL as needed.
Web security is the easiest specialization to break into and the hardest to be excellent at. The books cover the easy part. Excellence comes from breaking real applications, slowly, for years.
