// Prerequisites
What to read before The Tangled Web
If The Tangled Web feels too steep at advanced level, here is what to read first. Lighter books in the same topics that build the prerequisites this one assumes.
01 · 2023
Black Hat GraphQL
Aleks and Farhi on attacking GraphQL specifically: introspection abuse, batching, depth and complexity attacks, auth flaws, and the differences from REST that make GraphQL pentests their own discipline.
Intermediate4/5Nick Aleks, Dolev Farhi02 · 2022
Hacking APIs
Corey Ball's structured approach to attacking REST and GraphQL APIs: enumeration, auth flaws, business logic, mass assignment, and the testing harness around them.
Intermediate4/5Corey J. Ball03 · 2011
The Web Application Hacker's Handbook
The exhaustive reference for web app pentesting, comprehensive but increasingly a historical document.
Intermediate4/5Dafydd Stuttard, Marcus Pinto04 · 2021
Real-World Cryptography
David Wong's hands-on tour of the cryptographic primitives, protocols and pitfalls that show up in actual production systems, with deliberate attention to TLS, Noise, modern AEAD, and post-quantum.
Intermediate5/5David Wong05 · 2020
Web Security for Developers
Malcolm McDonald's developer-side primer on the OWASP-class issues, framed around real attacks and defended with code patterns rather than vendor products.
Beginner4/5Malcolm McDonald06 · 2021
Designing Secure Software
Loren Kohnfelder, the original PKI author, on how to weave security thinking through requirements, design, implementation and operations rather than bolt it on at the end.
Intermediate5/5Loren Kohnfelder07 · 2014
Threat Modeling
Adam Shostack's practitioner-oriented introduction to threat modeling: STRIDE, attack trees, and how to fit the practice into a real software-development lifecycle.
Intermediate5/5Adam Shostack08 · 2010
Cryptography Engineering
A working engineer's introduction to cryptography that takes implementation pitfalls more seriously than most.
Intermediate4/5Niels Ferguson, Bruce Schneier, Tadayoshi Kohno