
Black Hat GraphQL vs Real-World Bug Hunting: Which Should You Read?

Two cybersecurity books on Web Security, compared honestly: who each is for, what each does best, and which to read first.

Intermediate. Rated 4/5. Published 2023.
Black Hat GraphQL

Attacking Next Generation APIs

Nick Aleks, Dolev Farhi

Aleks and Farhi on attacking GraphQL specifically: introspection abuse, batching, depth and complexity attacks, auth flaws, and the differences from REST that make GraphQL pentests their own discipline.

Beginner. Rated 4/5. Published 2019.
Real-World Bug Hunting

A Field Guide to Web Hacking

Peter Yaworski

Peter Yaworski breaks down real disclosed reports across major bug bounty programs, organized by vulnerability class, so readers can pattern-match real findings rather than learn classes from textbook examples.

Read this if

  • Black Hat GraphQL: anyone whose bug bounty or pentest scope includes GraphQL and who keeps finding nothing because they are applying REST-style web-app methodology. Aleks and Farhi cover introspection abuse, batching attacks, depth/complexity DoS, auth flaws, and the way a single POST endpoint collapses the per-route structure that most web testing assumes.
  • Real-World Bug Hunting: aspiring bug bounty hunters who want to close the gap between knowing a bug class and finding an instance of it. Yaworski's annotated case studies are the closest thing to a textbook for what real disclosures look like.

Skip this if

  • Black Hat GraphQL: readers without GraphQL exposure in their work; the book is a specialization, not a general introduction to web security.
  • Real-World Bug Hunting: readers wanting a methodology playbook. The book is organized by vulnerability class, not by workflow; for the workflow side, read Bug Bounty Bootcamp.

Key takeaways

  • Disabled introspection is not a security control; the book explains how to enumerate schemas without it and why that matters.
  • Batching and aliasing attacks let one HTTP request carry many operations; a per-request rate limit sees one request and lets them all through unless the limiter counts the operations inside the document.
  • Depth and complexity attacks are the GraphQL equivalent of regex DoS: usually possible, often forgotten, sometimes catastrophic.
  • Reading 30 annotated reports compresses what would otherwise take three months of HackerOne reading; the book is high-leverage for getting started.
  • The "what to do when you find something" chapter is the most underrated part; reporting is half the bounty, and most beginners write bad reports.
  • The classes covered (XSS, IDOR, SSRF, OAuth, race conditions, business logic) map directly to what's currently paying on public programs.
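The second and third GraphQL takeaways are easy to demonstrate offline. The script below is an added example, not code from either book: it packs many login attempts into one operation using aliases (the batching attack), then applies two GraphQL-aware checks, a depth counter and a root-selection counter, which is what a limiter needs in place of a per-request counter. The `login` mutation, its `username`/`password` arguments, the `token` field and the credential list are all constructed for the example; the counters are brace-tracking heuristics for illustration, not a full GraphQL parser.

```python
"""Aliased batching vs a GraphQL-aware limiter (added example, not from either book)."""
import re

# Assumed target schema for the example: mutation login(username, password) { token }.
# A per-request rate limit counts this whole document as ONE request.


def build_alias_batch(credentials, field="login", alias_prefix="a"):
    """Pack N login attempts into a single operation using aliases.

    Each alias is a separate invocation of the same root field, so one HTTP
    request performs N password guesses.
    """
    parts = [
        f'{alias_prefix}{i}: {field}(username: "{u}", password: "{p}") {{ token }}'
        for i, (u, p) in enumerate(credentials)
    ]
    return "mutation {\n  " + "\n  ".join(parts) + "\n}"


def _strip_strings(query):
    # Replace string literals so braces/parens inside them are not counted.
    return re.sub(r'"(?:\\.|[^"\\])*"', '""', query)


def query_depth(query):
    """Maximum nesting of selection sets, measured as brace depth."""
    depth = max_depth = 0
    for ch in _strip_strings(query):
        if ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
    return max_depth


def root_field_count(query):
    """Number of root selections (aliased or not) in the operation.

    Heuristic: identifiers at brace depth 1 outside argument parentheses,
    skipping identifiers that are followed by ':' (those are aliases; the
    field name that follows is counted instead).
    """
    s = _strip_strings(query)
    brace = paren = count = i = 0
    n = len(s)
    while i < n:
        ch = s[i]
        if ch == "{":
            brace += 1
        elif ch == "}":
            brace -= 1
        elif ch == "(":
            paren += 1
        elif ch == ")":
            paren -= 1
        elif brace == 1 and paren == 0 and (ch.isalpha() or ch == "_"):
            j = i
            while j < n and (s[j].isalnum() or s[j] == "_"):
                j += 1
            k = j
            while k < n and s[k].isspace():
                k += 1
            if not (k < n and s[k] == ":"):  # alias names are skipped
                count += 1
            i = j
            continue
        i += 1
    return count


def graphql_aware_check(query, max_depth=5, max_root_fields=10):
    """Return a list of rejection reasons; empty means the document is allowed."""
    reasons = []
    d = query_depth(query)
    if d > max_depth:
        reasons.append(f"depth {d} exceeds {max_depth}")
    r = root_field_count(query)
    if r > max_root_fields:
        reasons.append(f"{r} root selections exceed {max_root_fields}")
    return reasons


if __name__ == "__main__":
    # Constructed credential list: 50 guesses against one account in one request.
    batch = build_alias_batch([("admin", f"guess{i}") for i in range(50)])
    print("requests seen by a per-request limiter: 1")
    print("login attempts inside the document:", root_field_count(batch))
    print("GraphQL-aware verdict:", graphql_aware_check(batch) or "allowed")
    nested = "{ user { friends { friends { friends { friends { name } } } } } }"
    print("depth attack verdict:", graphql_aware_check(nested) or "allowed")
```

The point of the two counters is that neither can be computed from the HTTP layer alone: the limiter has to read the document. Real deployments typically go further (cost weights per field, persisted queries) but the same principle holds: count operations and nesting, not requests.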

How they compare

Black Hat GraphQL and Real-World Bug Hunting are both rated 4/5 in our catalog. Pick by topic preference and reading style rather than by rating.

Black Hat GraphQL is pitched at intermediate level. Real-World Bug Hunting is pitched at beginner level. Read the easier one first if you're not yet comfortable with the topic.

Black Hat GraphQL and Real-World Bug Hunting both sit under Web Security and Offensive in our catalog, so reading them in sequence reinforces the same material from different angles.
