// What to read next
What to read after Real-World Bug Hunting
Where to go after Real-World Bug Hunting, picked from our catalog. The next step up from beginner level, weighted toward the topics this book covers.
01 · 2021
Bug Bounty Bootcamp
Vickie Li's pragmatic walk through the bug-bounty workflow, from picking a program and recon to reporting findings that actually pay out.
Beginner4/5Vickie Li02 · 2023
Black Hat GraphQL
Aleks and Farhi on attacking GraphQL specifically: introspection abuse, batching, depth and complexity attacks, auth flaws, and the differences from REST that make GraphQL pentests their own discipline.
Intermediate4/5Nick Aleks, Dolev Farhi03 · 2022
Hacking APIs
Corey Ball's structured approach to attacking REST and GraphQL APIs: enumeration, auth flaws, business logic, mass assignment, and the testing harness around them.
Intermediate4/5Corey J. Ball04 · 2011
The Web Application Hacker's Handbook
The exhaustive reference for web app pentesting, comprehensive but increasingly a historical document.
Intermediate4/5Dafydd Stuttard, Marcus Pinto05 · 2008
Hacking: The Art of Exploitation
A from-first-principles tour of low-level exploitation that still teaches the mindset two decades later.
Intermediate5/5Jon Erickson06 · 2011
A Bug Hunter's Diary
Tobias Klein walks through seven real vulnerabilities he found and exploited, in the form of personal lab notes, what he tried, what failed, and what eventually shipped to vendors.
Intermediate4/5Tobias Klein07 · 2024
Black Hat Bash
Nick Aleks and Dolev Farhi on getting offensive work done with the shell: privilege escalation tooling, lateral movement, and pipelining bash with the rest of the toolkit.
Intermediate4/5Nick Aleks, Dolev Farhi08 · 2020
Black Hat Go
Tom Steele, Chris Patten, and Dan Kottmann show how to use Go's networking primitives, concurrency model, and cross-compilation to write offensive tooling that runs almost anywhere.
Intermediate4/5Tom Steele, Chris Patten, Dan Kottmann