“SQL Attack…ed” – SQL Server under attack: SQL Injection
One of the most frequently and successfully attacked targets is the data that resides in a database server. SQL Server is considered "secure by default" and has in fact officially been the most secure database for 5 years in a row, but most of the exploited weaknesses are due to misconfiguration or weak coding practices.
In this purely demo-based session, I will show several real-life attacks, from mere reading up to disrupting service availability, via various types of manual and automated SQL Injection, including a little-known elevation-of-privilege attack for a non-sa account.
If you have a database that can be reached by a web server or other processes beyond your direct control, and you are unsure which security implications to watch out for as a developer or administrator, this session is meant for you.
– Note: The focus is not to give instructions on how to attack a system, but rather to highlight common weaknesses and why they can be fatal.
Andreas Wolter is both a Microsoft Certified Master (MCM) on SQL Server 2008 and a Microsoft Certified Solutions Master Data Platform (MCSM) on SQL Server 2012, and has also been awarded the MVP for SQL Server.
He is the founder of Sarpedon Quality Lab, a Germany-based company that specializes in the development and optimization of SQL Server database and data warehouse architectures, with a focus on performance and scalability as well as a special passion for security.
With over a decade of experience with SQL Server, he can be met at various international conferences and delivers training for the SQL Server Master-Class seminar series held in Europe.
You can follow him on Twitter at @AndreasWolter.