Sometimes the good stuff isn’t on the surface. We turned to decompiling .NET code to find a hidden SQL injection flaw.