// Comparison
Black Hat GraphQL vs A Bug Hunter's Diary: Which Should You Read?
Two cybersecurity books on Offensive, compared honestly: who each is for, what each does best, and which to read first.
Aleks and Farhi on attacking GraphQL specifically: introspection abuse, batching, depth and complexity attacks, auth flaws, and the differences from REST that make GraphQL pentests their own discipline.
A Guided Tour Through the Wilds of Software Security
Tobias Klein
Tobias Klein walks through seven real vulnerabilities he found and exploited, in the form of personal lab notes, what he tried, what failed, and what eventually shipped to vendors.
Read this if
Skip this if
Key takeaways
- Disabled introspection is not a security control; the book explains how to enumerate schemas without it and why that matters.
- Batching and aliasing attacks let one HTTP request do many things; classic rate-limit defenses fail unless GraphQL-aware.
- Depth and complexity attacks are the GraphQL equivalent of regex DoS, usually possible, often forgotten, sometimes catastrophic.
- Real vulnerability research is mostly hypothesis-and-failure; Klein's diary format teaches the resilience the field demands.
- Sample selection (which target, which feature, which bug class) is the highest-leverage choice; the book makes this explicit in a way most write-ups skip.
- Disclosure tradecraft (vendor coordination, patch tracking, advisory writing) is part of the work; the chapters on it are the calmest treatment in print.
How they compare
Black Hat GraphQL and A Bug Hunter's Diary are both rated 4/5 in our catalog. Pick by topic preference and reading style rather than by rating.
Both books target intermediate-level readers, so the choice is about topic, not difficulty.
Black Hat GraphQL and A Bug Hunter's Diary both cover Offensive, so reading them in sequence reinforces the same material from different angles.