// Comparison
Black Hat GraphQL vs Hacking APIs: Which Should You Read?
Two cybersecurity books on Web Security, compared honestly: who each is for, what each does best, and which to read first.
Aleks and Farhi on attacking GraphQL specifically: introspection abuse, batching, depth and complexity attacks, auth flaws, and the differences from REST that make GraphQL pentests their own discipline.
Corey Ball's structured approach to attacking REST and GraphQL APIs: enumeration, auth flaws, business logic, mass assignment, and the testing harness around them.
Read this if
Skip this if
Key takeaways
- Disabled introspection is not a security control; the book explains how to enumerate schemas without it and why that matters.
- Batching and aliasing attacks let one HTTP request do many things; classic rate-limit defenses fail unless GraphQL-aware.
- Depth and complexity attacks are the GraphQL equivalent of regex DoS, usually possible, often forgotten, sometimes catastrophic.
- API attack surface is dramatically underexploited compared to HTML attack surface; for most public bug bounty programs, the API is where the bounties hide.
- BOLA (broken object-level authorization) is the dominant API bug class and the one that pays best; Ball's framing is the cleanest in print.
- Burp Suite Professional + Postman + a custom recon pipeline is the practical toolset; the book justifies the choice and shows you how to use them together.
How they compare
Black Hat GraphQL and Hacking APIs are both rated 4/5 in our catalog. Pick by topic preference and reading style rather than by rating.
Both books target intermediate-level readers, so the choice is about topic, not difficulty.
Black Hat GraphQL and Hacking APIs both cover Web Security, AppSec, Offensive, so reading them in sequence reinforces the same material from different angles.