NoSQL - No Security? - The BSides Edition
Notes for slides:
  • What is Big Data and why it is distinct from average-sized data; what NoSQL actually is; why the issue of NoSQL security should be important to developers; NoSQL attack vectors; how to secure NoSQL deployments
  • Buzzword
  • Traditional relational solutions not appropriate for this magnitude of data
  • Attacker compromised a user of the application using a CSRF; they execute the command on the DB on the attacker's behalf
  • Post crap data into the database; post script data into the database – give yourself access to more; full control, bypassing the firewall as you are using a trusted client
  • NoSQL - No Security? - The BSides Edition

    1. NoSQL – No Security? A way to lose even more stuff. Gavin Holt (@GavinHolt)
    2. What we will cover today: What is Big Data? What is NoSQL? Why NoSQL security is an issue. NoSQL vulnerabilities. Securing NoSQL installations.
    3. What is Big Data? Datasets that are so large or complex that they are difficult to process using traditional database processing applications.
    4. 2.5 quintillion bytes (1 followed by 18 zeros): data being generated every day (IBM).
    5. 2.5 Petabytes (1,048,576 Gigabytes): the total size of Walmart's transaction database (The Economist).
    6. 40 Terabytes per second: data generated by experiments on the LHC at CERN (The Economist).
    7. 72 hours per minute: video uploaded to YouTube (Google Inc.).
    8. That is a lot of data! Try running any of them in MS Access.
    9. What is NoSQL? “Not Only SQL”.
    10. Umbrella term: a type of system, not a product.
    11. Not the traditional relational model.
    12. Generally don’t use tables.
    13. Optimised for appends and retrieves; they do very little other than record storage.
    14. Highly scalable and very quick: this is all about speed and size.
    15. Why use NoSQL? Why the Big Data/NoSQL hype?
    16. Eventual consistency: delays in writing across nodes slow down your application.
    17. User updates social network; the social network uses a load balancer.
    18. Writes don’t propagate immediately; data is now inconsistent.
    19. Reading stale data: users are now being served old data from nodes that haven’t been updated.
    20. A more serious example: data needs to be propagated quickly, and NoSQL allows for that. (Diagram from Adobe Security Labs.)
    21. NoSQL vulnerabilities: how do these compare to traditional databases?
    22. The developer: by laziness or ignorance.
    23. Little to no authentication: “trusted environments”.
    24. NoSQL injection.
    25. Helpful isn’t always useful: flattening associative arrays.
    26. MongoDB example: http://example.com/login.php?username=admin&passwd=mysuperpassword
    27–28. MongoDB example: http://example.com/login.php?username=admin&passwd[$ne]=1
    29–30. MongoDB example: MySQL vs NoSQL (side-by-side comparison).
    31–36. Server Side JavaScript Injection (six slides).
    37. Example of an attack.
    38. CSRF can be used to bypass firewalls. (Diagram from Adobe Security Labs.)
    39. POST is all an attacker needs: inserting data; inserting script data; execute any REST command from inside the firewall.
    40. Securing NoSQL: One does not simply secure NoSQL. </meme>
    41. Sanitize inputs: don’t trust users (or other systems!).
    42. Be in control of your query building: don’t simply concatenate user input.
    43. Check how your solution works: read the manual.
    44. All other SQL best practice: these aren’t different attack vectors – just new.
    45. Questions? Twitter: @GavinHolt; LinkedIn: http://uk.linkedin.com/in/gavinholt/; Email: gavin@gavin-holt.com. Around all day – grab me for a chat.
    46. NoSQL – No Security? A way to lose even more stuff. Gavin Holt (@GavinHolt)
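The passwd[$ne]=1 trick from slides 25–28 and the "be in control of your query building" advice from slides 41–42, worked through as an added example that is not from the deck: a Node.js model of how a PHP-style parser flattens bracketed query keys into an associative array, the vulnerable MongoDB filter builder beside a hardened one, and a check that flags operator keys in user input. The function names are mine, and no database connection is needed because only the filter objects are inspected.

```javascript
// Added example, not from the deck: models PHP-style flattening of bracketed
// query keys and shows why handing the result straight to MongoDB is dangerous.
// Runs on plain Node.js; no database needed, we only inspect the filter objects.

// Expand "passwd[$ne]=1" into { passwd: { $ne: "1" } }, as PHP's $_GET would.
// Null-prototype objects so a key like __proto__ stays an ordinary property.
function parseFlattened(queryString) {
  const params = Object.create(null);
  for (const [rawKey, value] of new URLSearchParams(queryString)) {
    const m = rawKey.match(/^([^\[]+)\[([^\]]*)\]$/); // one nesting level is enough here
    if (!m) { params[rawKey] = value; continue; }
    const nested = typeof params[m[1]] === 'object' && params[m[1]] !== null
      ? params[m[1]] : Object.create(null);
    nested[m[2]] = value;
    params[m[1]] = nested;
  }
  return params;
}

// Vulnerable builder (the login.php pattern on the slides): the user-supplied
// shape is copied verbatim, so passwd becomes { $ne: "1" } and the filter matches
// any admin document whose password is not the string "1".
function buildLoginFilterUnsafe(params) {
  return { username: params.username, passwd: params.passwd };
}

// Hardened builder: accept only scalar strings and pin the comparison to $eq, so
// nothing the client sends can ever be read as an operator.
function buildLoginFilterSafe(params) {
  const { username, passwd } = params;
  if (typeof username !== 'string' || typeof passwd !== 'string') {
    throw new TypeError('username and passwd must be plain strings');
  }
  return { username: { $eq: username }, passwd: { $eq: passwd } };
}

// Detection helper: true if any key at any depth of the parsed input starts
// with "$". Useful for rejecting or logging a request before a query is built.
function hasOperatorKeys(value) {
  if (value === null || typeof value !== 'object') return false;
  return Object.entries(value).some(([k, v]) => k.startsWith('$') || hasOperatorKeys(v));
}

// Stand-alone demo of the two requests from slides 26 and 27.
for (const qs of ['username=admin&passwd=mysuperpassword', 'username=admin&passwd[$ne]=1']) {
  const parsed = parseFlattened(qs);
  console.log(qs, '->', JSON.stringify(buildLoginFilterUnsafe(parsed)),
              'operator keys:', hasOperatorKeys(parsed));
}
```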