// Comparison

Black Hat GraphQL vs Real-World Cryptography: Which Should You Read?

Two cybersecurity books on AppSec, compared honestly: who each is for, what each does best, and which to read first.

Intermediate

4/52023

Attacking Next Generation APIs

Nick Aleks, Dolev Farhi

Aleks and Farhi on attacking GraphQL specifically: introspection abuse, batching, depth and complexity attacks, auth flaws, and the differences from REST that make GraphQL pentests their own discipline.

Intermediate

5/52021

Real-World Cryptography

David Wong

David Wong's hands-on tour of the cryptographic primitives, protocols and pitfalls that show up in actual production systems, with deliberate attention to TLS, Noise, modern AEAD, and post-quantum.

Read this if

Anyone whose bug bounty or pentest scope includes GraphQL — and who keeps finding nothing because they're using web-app methodology. Aleks and Farhi cover introspection abuse, batching attacks, depth/complexity DoS, auth flaws, and the way GraphQL flattens the typical web threat model.

Working engineers who need to make crypto decisions in real systems: AEAD ciphers, key exchange, signatures, password hashing, PKI, end-to-end encryption, post-quantum migration. The new modern default and the book we recommend first to almost anyone touching cryptography in production.

Skip this if

Readers without GraphQL exposure in their work; the book is a specialization, not a general intro.

Cryptography researchers or readers wanting full mathematical proofs. The math is bounded to what an engineer needs to evaluate choices, not full constructions. For the next layer of depth read Serious Cryptography after this.

Key takeaways

Disabled introspection is not a security control; the book explains how to enumerate schemas without it and why that matters.
Batching and aliasing attacks let one HTTP request do many things; classic rate-limit defenses fail unless GraphQL-aware.
Depth and complexity attacks are the GraphQL equivalent of regex DoS, usually possible, often forgotten, sometimes catastrophic.

Most crypto vulnerabilities are misuse, not broken primitives; Wong's framing of "what to use, what to avoid" is the cleanest in print.
TLS 1.3, Noise, and Signal-style protocols compose primitives in patterns engineers should recognise on sight, this book teaches the patterns.
Post-quantum cryptography is no longer optional reading; the book introduces the lattice and hash-based constructions you'll be deploying within a few years.

How they compare

We rate Real-World Cryptography higher (5/5 against 4/5 for Black Hat GraphQL). For most readers, that means Real-World Cryptography is the primary pick and Black Hat GraphQL is a useful follow-up.

Both books target intermediate-level readers, so the choice is about topic, not difficulty.

Black Hat GraphQL and Real-World Cryptography both cover AppSec, so reading them in sequence reinforces the same material from different angles.

Keep reading

Black Hat GraphQL

→ Alternatives to Black Hat GraphQL → What to read after Black Hat GraphQL