// Comparison
Black Hat GraphQL vs The Tangled Web: Which Should You Read?
Two cybersecurity books on Web Security, compared honestly: who each is for, what each does best, and which to read first.
Aleks and Farhi on attacking GraphQL specifically: introspection abuse, batching, depth and complexity attacks, auth flaws, and the differences from REST that make GraphQL pentests their own discipline.
The deepest book ever written on the strange, accreted security model of the web browser.
Read this if
Skip this if
Key takeaways
- Disabled introspection is not a security control; the book explains how to enumerate schemas without it and why that matters.
- Batching and aliasing attacks let one HTTP request do many things; classic rate-limit defenses fail unless GraphQL-aware.
- Depth and complexity attacks are the GraphQL equivalent of regex DoS, usually possible, often forgotten, sometimes catastrophic.
- The web's security model is not designed; it is excavated.
- Origins, schemes, and trust boundaries are the only real abstractions; everything else is a leaky negotiation.
- Specifications and reality diverge constantly, and the divergence is where bugs live.
How they compare
We rate The Tangled Web higher (5/5 against 4/5 for Black Hat GraphQL). For most readers, that means The Tangled Web is the primary pick and Black Hat GraphQL is a useful follow-up.
Black Hat GraphQL is pitched at intermediate level. The Tangled Web is pitched at advanced level. Read the easier one first if you're not yet comfortable with the topic.
Black Hat GraphQL and The Tangled Web both cover Web Security, AppSec, so reading them in sequence reinforces the same material from different angles.