Session

SQL Server under attack: SQL Injection

The data that resides in a database server is one of the most frequently and successfully attacked targets. SQL Server is considered “secure by default”, but this holds only until the first databases and configurations have been changed. That is why most exploited weaknesses are due to misconfiguration or weak coding practices rather than security bugs in SQL Server itself. In this purely demo-based session, Andreas Wolter, former Program Manager for Access Control in SQL at Microsoft, will show several real-life attacks, from merely reading data up to disrupting service availability, via various types of manually performed SQL injection, including an elevation-of-privileges attack to sysadmin level. If you have a database server that is accessible by processes beyond your direct control, or that can even be reached by some kind of frontend application, and you are unsure about the possible security implications to watch out for, this session is meant for you.

Andreas Wolter

Data Architect, Security, Sarpedon Quality Lab

Phoenix, Arizona, United States
