// Comparison
Hacking APIs vs The Tangled Web: Which Should You Read?
Two cybersecurity books on Web Security, compared honestly: who each is for, what each does best, and which to read first.
Corey Ball's structured approach to attacking REST and GraphQL APIs: enumeration, auth flaws, business logic, mass assignment, and the testing harness around them.
The deepest book ever written on the strange, accreted security model of the web browser.
Read this if
Skip this if
Key takeaways
- API attack surface is dramatically underexploited compared to HTML attack surface; for most public bug bounty programs, the API is where the bounties hide.
- BOLA (broken object-level authorization) is the dominant API bug class and the one that pays best; Ball's framing is the cleanest in print.
- Burp Suite Professional + Postman + a custom recon pipeline is the practical toolset; the book justifies the choice and shows you how to use them together.
- The web's security model is not designed; it is excavated.
- Origins, schemes, and trust boundaries are the only real abstractions; everything else is a leaky negotiation.
- Specifications and reality diverge constantly, and the divergence is where bugs live.
How they compare
We rate The Tangled Web higher (5/5 against 4/5 for Hacking APIs). For most readers, that means The Tangled Web is the primary pick and Hacking APIs is a useful follow-up.
Hacking APIs is pitched at intermediate level. The Tangled Web is pitched at advanced level. Read the easier one first if you're not yet comfortable with the topic.
Hacking APIs and The Tangled Web both cover Web Security, AppSec, so reading them in sequence reinforces the same material from different angles.