// Comparison
Hacking APIs vs Real-World Cryptography: Which Should You Read?
Two cybersecurity books on AppSec, compared honestly: who each is for, what each does best, and which to read first.
Corey Ball's structured approach to attacking REST and GraphQL APIs: enumeration, auth flaws, business logic, mass assignment, and the testing harness around them.
David Wong's hands-on tour of the cryptographic primitives, protocols and pitfalls that show up in actual production systems, with deliberate attention to TLS, Noise, modern AEAD, and post-quantum.
Read this if
Skip this if
Key takeaways
- API attack surface is dramatically underexploited compared to HTML attack surface; for most public bug bounty programs, the API is where the bounties hide.
- BOLA (broken object-level authorization) is the dominant API bug class and the one that pays best; Ball's framing is the cleanest in print.
- Burp Suite Professional + Postman + a custom recon pipeline is the practical toolset; the book justifies the choice and shows you how to use them together.
- Most crypto vulnerabilities are misuse, not broken primitives; Wong's framing of "what to use, what to avoid" is the cleanest in print.
- TLS 1.3, Noise, and Signal-style protocols compose primitives in patterns engineers should recognise on sight, this book teaches the patterns.
- Post-quantum cryptography is no longer optional reading; the book introduces the lattice and hash-based constructions you'll be deploying within a few years.
How they compare
We rate Real-World Cryptography higher (5/5 against 4/5 for Hacking APIs). For most readers, that means Real-World Cryptography is the primary pick and Hacking APIs is a useful follow-up.
Both books target intermediate-level readers, so the choice is about topic, not difficulty.
Hacking APIs and Real-World Cryptography both cover AppSec, so reading them in sequence reinforces the same material from different angles.