Alok Menghrajani

Security engineer at Square. Previously co-author of Hack and put the 's' in https at Facebook. Maker of CTFs.


I poked at a web application looking for SQL injection and cross-site scripting bugs. This was part of white-box security testing of a pretty large codebase.

At one point, I found a common coding pattern which I knew would result in a security hole. For a second, I thought that I had stumbled upon dozens of SQL injections!

It turned out that while I had theoretically found a whole bunch of flaws, none of them were exploitable in practice. The reason is that the first thing the web application did with these user inputs was to cast them to an integer. Unfortunately (or fortunately, depending on your point of view), you can't do much damage using only numbers.

While the casting to an integer had been put in place for documentation and ease-of-development purposes, it turned out to also provide a layer of security. I think types in general provide goodness at various layers and this is only one such example.

A few months later, the code was rewritten to use a better library to manipulate SQL, which removed the risk of SQL injections.
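The three situations the post describes, side by side, as an added example that is not code from the original post or from the application it discusses: the concatenation pattern that looks like an injection, the same pattern behind an integer cast, and a parameterised query of the kind a proper SQL library provides. It assumes Python's standard sqlite3 module; the users table, the function names and the tainted input are all constructed for the demo.

```python
import sqlite3

# Constructed sample data standing in for the application's database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", 0), (2, "bob", 0), (3, "carol", 1)],
    )
    return conn


def lookup_concat(conn, user_id):
    """The pattern that reads as a hole: user input spliced straight into the SQL text."""
    query = "SELECT name FROM users WHERE id = " + user_id
    return [row[0] for row in conn.execute(query)]


def lookup_cast(conn, user_id):
    """Same concatenation, but the input is cast to int first.

    int() accepts only an optional sign, digits and underscores, so no SQL
    metacharacter can survive the cast; anything else raises ValueError.
    This is the accidental layer of security the post describes.
    """
    user_id = int(user_id)
    query = "SELECT name FROM users WHERE id = " + str(user_id)
    return [row[0] for row in conn.execute(query)]


def lookup_param(conn, user_id):
    """The proper fix: a bound parameter is always data, never part of the statement."""
    return [
        row[0]
        for row in conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    ]


# Constructed tainted input: a tautology appended to what should be a plain id.
TAINTED = "1 OR 1=1"


def demo():
    """Run each variant against the tainted input and report what happened."""
    conn = make_db()
    results = {
        # The tautology changes the WHERE clause: every row comes back.
        "concat": lookup_concat(conn, TAINTED),
        # The whole string is bound as one value; it matches no integer id.
        "param": lookup_param(conn, TAINTED),
    }
    try:
        lookup_cast(conn, TAINTED)
        results["cast"] = "accepted"
    except ValueError:
        results["cast"] = "rejected"
    # Legitimate numeric input still works through the cast.
    results["cast_valid"] = lookup_cast(conn, "2")
    return results


if __name__ == "__main__":
    for variant, outcome in demo().items():
        print(f"{variant:>10}: {outcome}")
```

The cast only helps for parameters that are genuinely numeric; a string field (a name, a search term) concatenated the same way has no such accident protecting it, which is why the parameterised form is the one to standardise on, and why a code review should treat every concatenated query as a finding even when the current call sites happen to be safe.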