Alok Menghrajani

Previously: security engineer at Square, co-author of HackLang, put the 's' in https at Facebook. Maker of CTFs.


This blog does not use any tracking cookies and does not serve any ads. Enjoy your anonymity; I have no idea who you are, where you came from, and where you are headed to. Let's dream of an Internet from times past.


Home | Contact me | Github | RSS feed | Consulting services | Tools & games

I poked at a web application looking for SQL injection and cross site scripting bugs. This was part of a white box security testing of a pretty large codebase.

At one point, I found a common coding pattern which I knew would result in a security hole. For a second, I thought that I had stumbled upon dozens of SQL injections!

It turned out that while I had theoretically found a whole bunch of flaws, none of them were exploitable in practice. The reason is because the first thing that the web application did with these user inputs was to cast them to an integer. Unfortunately (or fortunately depending on your point of view), you can't do much damage using only numbers.

While the casting to an integer had been put in place for documentation and ease of development purpose, it turned out to also provide a layer of security. I think types in general provide goodness at various layers and this is only one such example.

A few months later, the code was re-written to use a better library to manipulate SQL, which removed the risk of SQL injections.