// Comparison
The Tangled Web vs The Web Application Hacker's Handbook: Which Should You Read?
Two cybersecurity books on Web Security, compared honestly: who each is for, what each does best, and which to read first.
The deepest book ever written on the strange, accreted security model of the web browser.
Finding and Exploiting Security Flaws
Dafydd Stuttard, Marcus Pinto
The exhaustive reference for web app pentesting, comprehensive but increasingly a historical document.
Read this if
Skip this if
Key takeaways
- The web's security model is not designed; it is excavated.
- Origins, schemes, and trust boundaries are the only real abstractions; everything else is a leaky negotiation.
- Specifications and reality diverge constantly, and the divergence is where bugs live.
- Authentication, session management, and access control are still where most real bugs live.
- Methodology beats tooling, the structure of how you map an app matters more than which scanner you run.
- Use it as a reference for the classes of bug, then cross-check with PortSwigger Academy for the modern exploitation details.
How they compare
We rate The Tangled Web higher (5/5 against 4/5 for The Web Application Hacker's Handbook). For most readers, that means The Tangled Web is the primary pick and The Web Application Hacker's Handbook is a useful follow-up.
The Tangled Web is pitched at advanced level. The Web Application Hacker's Handbook is pitched at intermediate level. Read the easier one first if you're not yet comfortable with the topic.
The Tangled Web and The Web Application Hacker's Handbook both cover Web Security, AppSec, so reading them in sequence reinforces the same material from different angles.
Keep reading
The Web Application Hacker's Handbook
→ Alternatives to The Web Application Hacker's Handbook→ What to read after The Web Application Hacker's Handbook