NoSQL Database Attacks
Majid Salehi
Sina Sajadmanesh
Majid Salehi, Sina Sajadmanesh
1
Outline
• What is Big Data?
• What is NoSQL?
• NoSQL Vulnerabilities
• Some Attacks
Big Data
• Datasets that are so large or complex that they are difficult to process with traditional database processing applications.
• 2.5 quintillion (1 followed by 18 zeros) bytes of data are generated every day.
• 72 hours of video are uploaded to YouTube every minute.
• Data of this scale and complexity needs a different approach, different tools and different storage mechanisms, which create similar but distinctly different problems for developers.
NoSQL
• Not Only SQL
• Umbrella term for data management systems that do not use the relational model.
• Identifying NoSQL systems:
  Generally don’t use tables
  Generally don’t use SQL for data manipulation
  Optimised for retrievals and appends
  Do very little other than record storage
  Highly scalable
  Focused on huge quantities of data where a relational model isn’t required
NoSQL Vulnerabilities
Schema Injection
Query Injection
JavaScript Injection
Connection Pollution
Password Bruteforcing
…
NoSQL Vulnerabilities
Schema Injection
Allows an attacker to insert arbitrary key/value pairs into a document.
NoSQL Vulnerabilities
Query Injection
An attacker can insert query operators into the query by GETting or POSTing specially named keys.
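The two previous slides describe the same root cause: the application hands request data to the database without checking its shape. The following is an added example, not part of the slides, written in plain Node.js with no database driver. It approximates the nested-key parsing done by body and query parsers in "extended" mode (a constructed stand-in, not the real parser), shows how a key such as `username[$ne]` becomes an operator in the login filter (query injection) and how an unexpected field such as `isAdmin` would land in an inserted document (schema injection), and then shows the type and allow-list checks that refuse both. All request bodies and field names are constructed for the demonstration.

```javascript
// Added example, not part of the slides: how a request parser turns
// specially named keys into MongoDB operators (query injection) or extra
// fields (schema injection), and the checks that keep them out. Plain
// Node.js, no database driver required.

// Constructed approximation of the nested-key parsing that body and query
// parsers in "extended" mode perform: "user[$ne]=1" -> { user: { $ne: "1" } }.
function parseQueryString(qs) {
  const out = {};
  for (const pair of qs.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const val = eq < 0 ? '' : decodeURIComponent(pair.slice(eq + 1));
    const m = /^([^\[]+)\[([^\]]*)\]$/.exec(key);
    if (m) {
      if (typeof out[m[1]] !== 'object' || out[m[1]] === null) out[m[1]] = {};
      out[m[1]][m[2]] = val;
    } else {
      out[key] = val;
    }
  }
  return out;
}

// Recursively reports any key MongoDB would read as an operator ("$...")
// or as a field path ("a.b"), wherever it sits in the document.
function hasOperatorKeys(value) {
  if (Array.isArray(value)) return value.some(hasOperatorKeys);
  if (value === null || typeof value !== 'object') return false;
  return Object.keys(value).some(
    (k) => k.startsWith('$') || k.includes('.') || hasOperatorKeys(value[k]),
  );
}

// Query injection: the naive filter forwards whatever shape the parser
// produced, so an object like { $ne: "1" } reaches the database as an operator.
function naiveLoginFilter(body) {
  return { username: body.username, password: body.password };
}

// Hardened filter: each field must already be a plain string. Anything else
// (object, array, undefined) is refused before a query is built.
function safeLoginFilter(body) {
  const filter = {};
  for (const field of ['username', 'password']) {
    if (typeof body[field] !== 'string') {
      throw new TypeError(`${field} must be a string, got ${typeof body[field]}`);
    }
    filter[field] = body[field];
  }
  return filter;
}

// Schema injection: copy only the fields the application owns into the
// document that will be inserted; report anything the client tried to add.
function buildUserDocument(body, allowedFields) {
  const doc = {};
  for (const field of allowedFields) {
    if (body[field] === undefined) continue;
    if (typeof body[field] !== 'string') {
      throw new TypeError(`${field} must be a plain string`);
    }
    doc[field] = body[field];
  }
  const rejected = Object.keys(body).filter((k) => !allowedFields.includes(k));
  return { doc, rejected };
}

// Demonstration on constructed request bodies.
const login = parseQueryString('username=alice&password=s3cret');
const tampered = parseQueryString('username[$ne]=1&password[$ne]=1');
console.log('naive filter, tampered body:', JSON.stringify(naiveLoginFilter(tampered)),
  '-> operators present:', hasOperatorKeys(naiveLoginFilter(tampered)));
console.log('safe filter, normal body   :', JSON.stringify(safeLoginFilter(login)));
try {
  safeLoginFilter(tampered);
} catch (e) {
  console.log('safe filter, tampered body : rejected,', e.message);
}
console.log('signup document            :', JSON.stringify(
  buildUserDocument({ username: 'bob', email: 'bob@example.com', isAdmin: 'true' },
    ['username', 'email'])));
```

The two defences are deliberately dull: insist on scalars where scalars are expected, and build inserted documents from an allow-list rather than from the request object. `hasOperatorKeys` is the fallback check for a data-access layer that receives documents it did not build itself.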
NoSQL Vulnerabilities
Server-Side JavaScript Injection
$query = 'function() {var search_year = \'' . $_GET['year'] . '\';' .
         'return this.publicationYear == search_year || ' .
         ' this.filmingYear == search_year || ' .
         ' this.recordingYear == search_year;}';
$cursor = $collection->find(array('$where' => $query));
http://server/app.php?year=1995';while(1);var%20foo='bar
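The PHP above splices `$_GET['year']` straight into a JavaScript function body that MongoDB evaluates for every document, which is why the URL on the slide can close the string literal and append statements. The following is an added example, not part of the slides or of the cited papers, rebuilt in Node.js: the same vulnerable construction next to a replacement that validates the parameter and expresses the condition with ordinary query operators, plus a gate that refuses any filter still carrying a server-side JavaScript operator. No database is involved; both functions return the filter document a driver would be given, and the film records are constructed sample data.

```javascript
// Added example, not part of the slides: the slide's $where pattern rebuilt
// in Node.js next to a replacement that never turns user input into
// JavaScript. Nothing here evaluates the generated code or talks to a
// database, and the film records below are constructed sample data.

// Vulnerable: mirrors the PHP on the slide. The query parameter is spliced
// into a JavaScript function body that MongoDB would run for every document.
function vulnerableYearFilter(yearParam) {
  const js =
    "function() {var search_year = '" + yearParam + "';" +
    'return this.publicationYear == search_year || ' +
    ' this.filmingYear == search_year || ' +
    ' this.recordingYear == search_year;}';
  return { $where: js };
}

// Hardened: validate the parameter as a four-digit year, then express the
// same condition with ordinary query operators, which carry no code.
function safeYearFilter(yearParam) {
  if (typeof yearParam !== 'string' || !/^\d{4}$/.test(yearParam)) {
    throw new RangeError('year must be exactly four digits');
  }
  const year = Number(yearParam);
  return {
    $or: [{ publicationYear: year }, { filmingYear: year }, { recordingYear: year }],
  };
}

// Gatekeeper for a data-access layer: refuse any filter that still carries a
// server-side JavaScript operator, wherever it is nested. $function and
// $accumulator are MongoDB's later aggregation operators that also run JS.
const SERVER_SIDE_JS_OPERATORS = new Set(['$where', '$function', '$accumulator']);
function containsServerSideJs(filter) {
  if (Array.isArray(filter)) return filter.some(containsServerSideJs);
  if (filter === null || typeof filter !== 'object') return false;
  return Object.keys(filter).some(
    (k) => SERVER_SIDE_JS_OPERATORS.has(k) || containsServerSideJs(filter[k]),
  );
}

// Minimal in-memory matcher for the $or-of-equalities shape safeYearFilter
// produces, so the effect can be seen without a database.
function matchesOrFilter(doc, filter) {
  return filter.$or.some((clause) =>
    Object.entries(clause).every(([field, expected]) => doc[field] === expected),
  );
}

function findByYear(docs, yearParam) {
  const filter = safeYearFilter(yearParam);
  if (containsServerSideJs(filter)) throw new Error('refusing server-side JavaScript');
  return docs.filter((d) => matchesOrFilter(d, filter)).map((d) => d.title);
}

// Constructed sample collection.
const FILMS = [
  { title: 'Alpha', publicationYear: 1995, filmingYear: 1994, recordingYear: 1994 },
  { title: 'Beta', publicationYear: 1996, filmingYear: 1995, recordingYear: 1995 },
  { title: 'Gamma', publicationYear: 2001, filmingYear: 2000, recordingYear: 2000 },
];

const payload = "1995';while(1);var foo='bar"; // the slide's URL parameter, decoded
console.log('vulnerable $where for the slide payload:\n ', vulnerableYearFilter(payload).$where);
console.log('vulnerable filter flagged:', containsServerSideJs(vulnerableYearFilter('1995')));
console.log('safe filter for 1995:', JSON.stringify(safeYearFilter('1995')));
console.log('titles for 1995:', findByYear(FILMS, '1995'));
try {
  safeYearFilter(payload);
} catch (e) {
  console.log('safe path rejects payload:', e.message);
}
```

The important change is structural, not a better escape routine: once the year is a validated number inside an `$or` document, there is no string for the database to interpret as code, and `containsServerSideJs` catches any remaining `$where` before it leaves the application.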
NoSQL Vulnerabilities
Connection Pollution
Using CouchDB as an example
RESTful
Cross-Database / Pool Access
CouchDB’s global and DB handler
Ex:
NoSQL.connect(http://couchDB/_restart)
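The point of the slide is that CouchDB's administrative functions (`/_restart` above, and the other underscore-prefixed server and per-database endpoints) are plain REST paths reached with the same HTTP verbs as documents, so a connection string or path built from user input can be steered at them. The following is an added example, not part of the slides, in plain Node.js: a URL builder that accepts only valid CouchDB database names before composing the connection URL, and a path classifier that a reverse proxy or a log review can use to separate document traffic from server- and database-level endpoints. The base URL and access-log lines are constructed sample data, and the classifier's labels are this example's own.

```javascript
// Added example, not part of the slides: keep user input out of CouchDB
// admin endpoints by validating database names before URL construction, and
// classify request paths so admin traffic stands out in proxy rules or logs.

// CouchDB's documented rule for database names: start with a lowercase
// letter; then lowercase letters, digits, and _ $ ( ) + - /. Because the first
// character must be a letter, reserved names such as _restart never pass.
// System databases that do start with "_" (for example _users) should be
// referenced by server-side constants, never by client-supplied names.
const COUCH_DB_NAME = /^[a-z][a-z0-9_$()+\/-]*$/;

function buildDatabaseUrl(baseUrl, dbName) {
  if (typeof dbName !== 'string' || !COUCH_DB_NAME.test(dbName)) {
    throw new RangeError(`invalid CouchDB database name: ${JSON.stringify(dbName)}`);
  }
  const url = new URL(baseUrl);
  // A slash is legal inside a name, so it must be percent-encoded to remain
  // one path segment rather than become a second one.
  url.pathname = '/' + encodeURIComponent(dbName);
  return url.toString();
}

// Labels (this example's own) for the endpoint a request path reaches:
//   server-endpoint  /_restart, /_config/..., /_all_dbs, /_users, ...
//   db-endpoint      /<db>/_security, /<db>/_compact, /<db>/_all_docs, ...
//   document         /<db>/<docid>
//   server-root      /
function classifyRequestPath(path) {
  const segments = path.split('?')[0].split('/').filter(Boolean).map((s) => {
    try { return decodeURIComponent(s); } catch (e) { return s; } // keep malformed escapes as-is
  });
  if (segments.length === 0) return 'server-root';
  if (segments[0].startsWith('_')) return 'server-endpoint';
  if (segments.length >= 2 && segments[1].startsWith('_')) return 'db-endpoint';
  return 'document';
}

// Counts requests per label over access-log-style lines ("METHOD PATH STATUS").
function summarizeAccessLog(lines) {
  const counts = {};
  for (const line of lines) {
    const [, path] = line.trim().split(/\s+/);
    const label = classifyRequestPath(path);
    counts[label] = (counts[label] || 0) + 1;
  }
  return counts;
}

// Constructed sample log: an application that should only touch documents
// in "movies", yet three requests reach server-level endpoints.
const SAMPLE_LOG = [
  'GET /movies/tt0113277 200',
  'PUT /movies/tt0113277 201',
  'GET /movies/_all_docs 200',
  'POST /_restart 200',
  'GET /_config 200',
  'GET /_all_dbs 200',
];

console.log('database url:', buildDatabaseUrl('http://couchdb.local:5984', 'movies'));
for (const name of ['_restart', 'Movies', '../_config']) {
  try {
    buildDatabaseUrl('http://couchdb.local:5984', name);
  } catch (e) {
    console.log('rejected:', e.message);
  }
}
console.log('access log summary:', JSON.stringify(summarizeAccessLog(SAMPLE_LOG)));
```

In practice the name check belongs wherever the application first accepts a database or tenant identifier, and the classifier belongs in front of the database: an application-facing proxy that only ever expects `document` and a known set of `db-endpoint` paths can deny everything else and alert on `server-endpoint` hits.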
NoSQL Vulnerabilities
Password Bruteforcing
Redis’ AUTH command is not rate limited or restricted in any way.
References
1. Bryan Sullivan (Adobe), "Server-Side JavaScript Injection", https://media.blackhat.com/bh-us-11/Sullivan/BH_US_11_Sullivan_Server_Side_WP.pdf
2. Bryan Sullivan (Adobe), "NoSQL, But Even Less Security", http://blogs.adobe.com/asset/files/2011/04/NoSQL-But-Even-Less-Security.pdf
3. Erlend (Bekk Consulting), "[Security] NOSQL-injection", http://erlend.oftedal.no/blog/?blogid=110
4. Felipe Aragon (Syhunt), "NoSQL/SSJS Injection", http://www.syhunt.com/?n=Articles.NoSQLInjection
5. MongoDB Documentation, "How does MongoDB address SQL or Query injection?", http://docs.mongodb.org/manual/faq/developers/#how-does-mongodb-address-sql-or-query-injection
6. PHP Documentation, "MongoCollection::find", http://php.net/manual/en/mongocollection.find.php
7. "Hacking NodeJS and MongoDB", http://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html
Questions?!
Thanks