"The values passed to _sort were concatenated directly into SQL ORDER BY clauses with no validation" - sounds to me like this project had some low-hanging fruit!
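The ORDER BY pattern quoted above, as an added example (not code from the thread or from the project it discusses): the concatenating version beside an allowlist-based fix. The `users` table, its rows and the `column:direction` token format for the sort parameter are constructed assumptions.

```python
import sqlite3

# Constructed sample schema and rows, not taken from any real project.
_ROWS = [("alice", 30), ("bob", 25), ("carol", 35)]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, age INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", _ROWS)
    return conn


def list_users_vulnerable(conn, sort):
    """The pattern described in the thread: a caller-controlled sort value is
    concatenated straight into ORDER BY. Placeholders cannot be used for
    identifiers, so parameterisation alone does not fix this; whatever
    expression the caller supplies is handed to the database engine."""
    sql = "SELECT name, age FROM users ORDER BY " + sort
    return conn.execute(sql).fetchall()


# Hardened form: the caller's token is mapped onto a fixed allowlist of
# column names and directions; anything else is rejected before any SQL
# is built, so no caller-supplied text ever reaches the query string.
SORT_COLUMNS = {"name": "name", "age": "age"}


def build_order_by(sort):
    column, _, direction = sort.partition(":")
    if column not in SORT_COLUMNS or direction not in ("", "asc", "desc"):
        raise ValueError(f"unsupported sort parameter: {sort!r}")
    return f"{SORT_COLUMNS[column]} {direction.upper() or 'ASC'}"


def list_users_safe(conn, sort):
    sql = "SELECT name, age FROM users ORDER BY " + build_order_by(sort)
    return conn.execute(sql).fetchall()
```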
Looks like every single one of the 38 vulnerabilities was either SQL injection, XSS, path traversal or "Insecure Direct Object Reference", aka failing to check the caller was allowed to access the record.
This is actually a pretty good example of the value of AI security scanners - even really strong development teams still occasionally let bugs like this slip through, having an AI scanner that can spot them feels worthwhile to me.
I don't think strong development teams are still letting SQL injection vulnerabilities through by manually concatenating strings to build queries with user-provided data. Not in the year 2026.
There are static code analyzers which already would have detected that.
And these were also automatic. Looks very likely that the team didn’t give a damn about top basic security and good practices.
Like a house made of paper wouldn’t be an example of the insecurity of the construction industry.
I think SQL Injection detectors were pretty mature even before the "AI" version?
Honestly, those all sound like things common linters could find, like string concatenation.
> even really strong development teams
One would think a single really strong developer, let alone a team, would look for interpolation in strings fed to RDBMS?
> This is actually a pretty good example of the value of AI security scanners
Are you fuckin' serious? This would be caught with any self-respecting scanner even 5 years ago and with most educated juniors even earlier.
I use AI every day, but I'm not deep enough in the dilulu to believe that everything above two brain cells should be a transformer.
> Looks like every single one of the 38 vulnerabilities were either SQL injection, XSS, path traversal or "Insecure Direct Object Reference" aka failing to check the caller was allowed to access the record.
Seems like code review against a checklist of the most common vulnerabilities would have prevented these problems. So I guess there are two takeaways here:
First, AI scanners are useful for catching security problems your team has overlooked.
Second, maintaining a checklist of the most-common vulnerabilities and using it during code review is likely to not only prevent most of the problems that AI is likely to catch, but also show your development team many of their security blind spots at review time and teach them how to light those areas. That is, the team learns how to avoid creating those security mistakes in the first place.