Black Hat GraphQL
Attacking Next Generation APIs
Aleks and Farhi on attacking GraphQL specifically: introspection abuse, batching, depth and complexity attacks, auth flaws, and the differences from REST that make GraphQL pentests their own discipline.
- Authors
- Nick Aleks, Dolev Farhi
- Published
- 2023
- Publisher
- No Starch Press
- Pages
- 320
- Language
- English
Read this if
Anyone whose bug bounty or pentest scope includes GraphQL — and who keeps finding nothing because they're using web-app methodology. Aleks and Farhi cover introspection abuse, batching attacks, depth/complexity DoS, auth flaws, and the way GraphQL flattens the typical web threat model.
Skip this if
Readers without GraphQL exposure in their work; the book is a specialization, not a general intro.
Key takeaways
- Disabled introspection is not a security control; the book explains how to enumerate schemas without it and why that matters.
- Batching and aliasing attacks let one HTTP request do many things; classic rate-limit defenses fail unless GraphQL-aware.
- Depth and complexity attacks are the GraphQL equivalent of regex DoS, usually possible, often forgotten, sometimes catastrophic.
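The depth and aliasing takeaways above, as an added example that is not from the book: a defender-side query guard in Python that measures selection-set depth and alias-batched root fields using a small tokenizer rather than a full GraphQL parser. The limits and the three sample queries are constructed for illustration.

```python
import re

MAX_DEPTH = 6          # constructed limit on nested selection sets
MAX_ROOT_FIELDS = 10   # constructed limit; each alias counts as a field

# One token per string literal, identifier, or single punctuation char.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|[_A-Za-z][_0-9A-Za-z]*|\S')

def measure(query: str) -> dict:
    """Max selection-set depth plus root field/alias counts. Braces track
    depth, parens track arguments (identifiers inside them are ignored);
    fragments and directives are skipped, so fragment-heavy queries read low."""
    tokens = TOKEN.findall(query)
    depth = paren = max_depth = root_fields = root_aliases = 0
    prev = None
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif tok == "}":
            depth -= 1
        elif tok == "(":
            paren += 1
        elif tok == ")":
            paren -= 1
        elif (depth == 1 and paren == 0 and (tok[0] == "_" or tok[0].isalpha())
              and prev not in ("@", ".", "on")):
            if nxt == ":":
                root_aliases += 1   # alias label; the real field name follows
            else:
                root_fields += 1    # root field, aliased or not
        prev = tok
    return {"max_depth": max_depth, "root_fields": root_fields,
            "root_aliases": root_aliases}

def check(query: str) -> tuple:
    """Accept or reject a query against the limits above."""
    m = measure(query)
    if m["max_depth"] > MAX_DEPTH:
        return False, f"depth {m['max_depth']} exceeds {MAX_DEPTH}"
    if m["root_fields"] > MAX_ROOT_FIELDS:
        return False, f"{m['root_fields']} root fields exceeds {MAX_ROOT_FIELDS}"
    return True, "ok"

# Constructed samples: a normal query, a deep one, and an alias-batched one
# that repeats the same root field twelve times inside one HTTP request.
NORMAL = "query Me { viewer { id name } }"
DEEP = "{ user { posts { comments { author { posts { comments { id } } } } } } }"
BATCHED = "query Q { " + " ".join(f"i{n}: item(id: {n}) {{ name }}" for n in range(12)) + " }"
```

A per-request rate limiter sees BATCHED as one request; counting root fields is what makes the limit GraphQL-aware.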
Notes
The only book in print on GraphQL security at this depth. Pair with Hacking APIs (Ball) for the broader API-attack frame and with Real-World Bug Hunting for the disclosure-style case studies. Subscribe to GraphQL-related public bug bounty disclosures alongside reading; the field moves quickly. If you see GraphQL on a program, this book is your edge.
What to read before
What to read before Black Hat GraphQL
Intermediate · 2022
Hacking APIs
Corey Ball's structured approach to attacking REST and GraphQL APIs: enumeration, auth flaws, business logic, mass assignment, and the testing harness around them.
Intermediate · 2011
The Web Application Hacker's Handbook
The exhaustive reference for web app pentesting, comprehensive but increasingly a historical document.
Beginner · 2021
Bug Bounty Bootcamp
Vickie Li's pragmatic walk through the bug-bounty workflow, from picking a program and recon to reporting findings that actually pay out.
What to read next
What to read after Black Hat GraphQL
Advanced · 2011
The Tangled Web
The deepest book ever written on the strange, accreted security model of the web browser.
Explore similar books
Alternatives to Black Hat GraphQL
Intermediate · 2021
Real-World Cryptography
David Wong's hands-on tour of the cryptographic primitives, protocols and pitfalls that show up in actual production systems, with deliberate attention to TLS, Noise, modern AEAD, and post-quantum.