// Comparison

Black Hat GraphQL vs Web Security for Developers: Which Should You Read?

Two cybersecurity books on Web Security, compared honestly: who each is for, what each does best, and which to read first.

Intermediate
4/5 · 2023
Black Hat GraphQL

Attacking Next Generation APIs

Nick Aleks, Dolev Farhi

Aleks and Farhi on attacking GraphQL specifically: introspection abuse, batching, depth and complexity attacks, auth flaws, and the differences from REST that make GraphQL pentests their own discipline.

Beginner
4/5 · 2020
Web Security for Developers

Real Threats, Practical Defense

Malcolm McDonald

Malcolm McDonald's developer-side primer on the OWASP-class issues, framed around real attacks and defended with code patterns rather than vendor products.

Read this if

  • Black Hat GraphQL: Anyone whose bug bounty or pentest scope includes GraphQL and who keeps finding nothing because they're using generic web-app methodology. Aleks and Farhi cover introspection abuse, batching attacks, depth/complexity DoS, auth flaws, and the way GraphQL flattens the typical web threat model.
  • Web Security for Developers: Developers who want to understand security without security people in the loop. McDonald is the rare author who explains XSS, CSRF, SQLi, auth and sessions without offensive tooling distractions, in the language a working coder uses.

Skip this if

  • Black Hat GraphQL: Readers without GraphQL exposure in their work; the book is a specialization, not a general intro.
  • Web Security for Developers: Practitioners who already know OWASP cold, or readers wanting depth on modern bug classes (SSRF chains, prototype pollution, race conditions). The book is foundational, not advanced.

Key takeaways

Black Hat GraphQL

  • Disabled introspection is not a security control; the book explains how to enumerate schemas without it and why that matters.
  • Batching and aliasing attacks let one HTTP request do many things; classic per-request rate-limit defenses fail unless they are GraphQL-aware.
  • Depth and complexity attacks are the GraphQL equivalent of regex DoS: usually possible, often forgotten, and sometimes catastrophic.

Web Security for Developers

  • The framing "real threats, practical defense" is the book's design choice and its strongest pedagogical move; every chapter starts with the attack and ends with the defensive code pattern.
  • Web security has been mostly the same dozen mistakes for two decades; once you know the taxonomy, modern variants are recognizable.
  • The chapter on session management and the chapter on third-party JS are the two highest-leverage pieces of the book for engineers who already know the basics.

How they compare

Black Hat GraphQL and Web Security for Developers are both rated 4/5 in our catalog. Pick by topic preference and reading style rather than by rating.

Black Hat GraphQL is pitched at intermediate level. Web Security for Developers is pitched at beginner level. Read the easier one first if you're not yet comfortable with the topic.

Black Hat GraphQL and Web Security for Developers both cover Web Security and AppSec, so reading them in sequence reinforces the same material from different angles.
