The most recent book that we’ve read over here is Black Hat GraphQL: Attacking Next Generation APIs written by Dolev Farhi and Nick Aleks. The book is described as being for, “anyone interested in learning how to break and protect GraphQL APIs with the aid of offensive security testing.”
As someone who works primarily with REST APIs, I was more interested in the introduction that it offered to core concepts. A lot of the time, with books like this, you find yourself bored with the first few chapters and eager to get into the real subject matter, but my lack of familiarity with GraphQL and the fantastic writing had me hooked on this book right from the start. Chapter 1 provides one of the best introductions that I’ve ever seen written on any subject and I immediately knew that I was in for a treat with this book. In fact, I recently saw that the authors teamed up again to write Black Hat Bash and I can’t wait to get my hands on a copy of the book.
A couple of members of the team joined me in reading this, so let’s see what they had to say.
Black Hat GraphQL: Attacking Next Generation APIs by Nick Aleks and Dolev Farhi is a great book to understand APIs that use GraphQL. It covers the basics of GraphQL, how to set up a GraphQL security lab, and how to hack these types of systems. The book is a good resource for API developers and security researchers. I enjoyed all of the book. I really thought Chapter 2: Setting Up a GraphQL Security Lab was well written. They give all the steps you need to set up a modern GraphQL security lab along with references to great tools to use while doing security research against GraphQL APIs. Also, they maintain a repository on GitHub where they keep their list of security tools updated over time as new tools become available. I highly recommend this book to anyone interested in or using GraphQL.
Rating: 5.0/5.0
– Lane Thames, Principal Cybersecurity Researcher, Fortra
Black Hat GraphQL: Attacking Next Generation APIs by Nick Aleks and Dolev Farhi walks the reader through how GraphQL APIs function, how to fingerprint GraphQL servers, and how GraphQL could suffer from common vulnerabilities. The authors describe how the GraphQL API functions and walk the reader through setting up Damn Vulnerable GraphQL Application (DVGA). DVGA is used to demonstrate the information obtained throughout the book. The authors explain how to fingerprint different versions of the GraphQL servers. The authors inform the reader that each implementation of GraphQL might contain certain quirks that aid in identification. This identification helps in finding known issues with the fingerprinted server.
Rating: 4.4/5.0
– Andrew Swoboda, Senior Cybersecurity Researcher, Fortra
I agree with Lane on this one: this was a 5-star book in my opinion. I think it was fantastically written, and I have new favourite tech authors to add to my list.
Overall Rating: 4.8/5.0
Up next, we’ll be reading How AI Works: From Sorcery to Science by Ronald T. Kneusel.