SQLBits 2014

“SQL Attack…ed” - SQL Server under attack: SQL Injection

One of the most frequently and successfully attacked targets is the data that resides in a database server. SQL Server is considered "secure by default" and has in fact officially been the most secure database for 5 years in a row, but most of the exploited weaknesses are due to misconfiguration or weak coding practices.

In this purely demo-based session, I will show several real-life attacks, from mere reading up to disrupting service availability via various types of manual and automated SQL Injection, including a little-known elevation-of-privilege attack for a non-sa account.

If you have a database which can be reached by a web-server or other processes beyond your direct control and you are unsure regarding the possible security implications to watch out for as a developer or administrator, this session is meant for you.

– Note: The focus is not to give instructions on how to attack a system, but rather to highlight common weaknesses and why they can be fatal.