SQL Injection Is Boring—Advanced Threats You’re Not Watching

Kranthi Kiran Burada, Narendra Tawar

Everyone knows how to prevent basic SQL injection—but modern attackers have moved far beyond textbook exploits. In high-traffic PostgreSQL deployments, subtle misconfigurations and overlooked features can open doors to far more sophisticated attacks. This talk uncovers the next generation of database threats that rarely make it into security checklists. We’ll examine:

• Privilege Escalation via Extensions and Foreign Data Wrappers – how seemingly harmless extensions or FDWs can leak credentials or access external systems.
• Timing and Side-Channel Attacks – extracting secrets by measuring query latency and caching behavior.
• Abusing Logical Replication and LISTEN/NOTIFY – stealthy data exfiltration channels hidden in plain sight.
• Role Inheritance & Row-Level Security Pitfalls – ways attackers exploit complex permission hierarchies. Attendees will learn how to recognize these attack surfaces, configure PostgreSQL securely, and implement defense-in-depth strategies such as strict role design, immutable infrastructure, and continuous auditing. Whether you’re a DBA, developer, or security engineer, this session will challenge the assumption that SQL injection is the only real database risk—and provide actionable steps to harden your PostgreSQL environment against today’s most overlooked threats.

 Overview  Program