NoSQL, But Even Less Security
Transcript of "No sql but even less security"

  1. NoSQL, But Even Less Security. Bryan Sullivan, Senior Security Researcher, Adobe Secure Software Engineering Team. © 2011 Adobe Systems Incorporated. All Rights Reserved.
  2. Agenda: Eventual Consistency; REST APIs and CSRF; NoSQL Injection; SSJS Injection
  3. NoSQL databases
  4. Eric Brewer’s CAP Theorem. Choose any two: Availability, Consistency, Partition Tolerance
  5. Eventual consistency in social networking
  6. Writes don’t propagate immediately
  7. Reading stale data
  8. Reading stale data – a more serious case
  9. Agenda: Eventual Consistency; REST APIs and CSRF; NoSQL Injection; SSJS Injection
  10. Authentication is unsupported or discouraged
      - From the MongoDB documentation: “One valid way to run the Mongo database is in a trusted environment, with no security and authentication.” This “is the default option and is recommended.”
      - From the Cassandra Wiki: “The default AllowAllAuthenticator approach is essentially pass-through.”
      - From CouchDB: The Definitive Guide: the “Admin Party”, where everyone can do everything by default.
      - Riak: no authentication or authorization support.
  11. Port scanning. If an attacker finds an open port, he’s already won…
      Database    Default port(s)
      MongoDB     27017, 28017, 27080
      CouchDB     5984
      HBase       9000
      Cassandra   9160
      Neo4j       7474
      Riak        8098
  12. Port Scanning Demo
  14. REST document API examples (CouchDB)
      Retrieve a document:
          GET /mydb/doc_id HTTP/1.0
      Update a document:
          PUT /mydb/doc_id HTTP/1.0
          { "album" : "Brothers", "artist" : "The Black Keys" }
      Create a document:
          POST /mydb/ HTTP/1.0
          { "album" : "Brothers", "artist" : "Black Keys" }
      Delete a document:
          DELETE /mydb/doc_id?rev=12345 HTTP/1.0
  15. Cross-Site Request Forgery (CSRF) firewall bypass
  17. Traditional GET-based CSRF
          <img src="http://nosql:5984/_all_dbs"/>
      - Easy to make a potential victim request this URL
      - But it doesn’t do the attacker any good: he needs to get the data back out to himself
  18. RIA GET-based CSRF
          <script>
            var xhr = new XMLHttpRequest();
            xhr.open("GET", "http://nosql:5984/_all_dbs");
            xhr.send();
          </script>
      - Just as easy to make a potential victim request this URL
      - Same-origin policy won’t allow this (usually)
      - Same issue for PUT and DELETE
  19. POST-based CSRF
          <form method="post" action="http://nosql:5984/db">
            <input type="hidden" name='{"data"}' value="" />
          </form>
          <script>
            // auto-submit the form
          </script>
      - OK by the same-origin policy!
  20. REST-CSRF Demo
  21. POST is all an attacker needs
      - Insert arbitrary data
      - Insert arbitrary script data
      - Execute any REST command from inside the firewall
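The slides stop at the observation that a plain HTML form can reach the database's REST port from inside the firewall. The following is an added example, not code from the talk or from CouchDB, of a request gate that a reverse proxy or application tier in front of such an API could apply. It rests on two browser facts: a form submitted without JavaScript can only send GET or POST, and only with a body of type application/x-www-form-urlencoded, multipart/form-data or text/plain; and a cross-site request carries an Origin header (or, on older browsers, a Referer) naming the page that sent it. The function names, the allowed-origin list and the sample requests are constructed for this example.

```python
"""
Added example: a CSRF gate for a JSON REST database API.
check_request() refuses any state-changing request that an HTML form could
have produced, and any state-changing request whose Origin/Referer is not
one of our own sites.  (Names and allowed origins are assumptions.)
"""
from urllib.parse import urlparse

# Content types an HTML form can produce on its own, without script.
FORM_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                      "multipart/form-data", "text/plain"}
STATE_CHANGING = {"POST", "PUT", "DELETE"}


def origin_of(url):
    """Normalise an Origin or Referer value to scheme://host[:port].
    Returns None for 'null' or anything that is not an absolute URL."""
    parts = urlparse(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def check_request(method, headers, allowed_origins):
    """Decide whether a request may reach the database API.
    Returns (allowed, reason).  Header names match case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    method = method.upper()
    if method not in STATE_CHANGING:
        return True, "read-only method"

    # Check 1: POST is the only state-changing method a form can send, so a
    # POST whose body a form could have produced is refused outright.  The
    # form on slide 19 arrives as application/x-www-form-urlencoded and is
    # stopped here before any origin logic runs.
    if method == "POST":
        ctype = h.get("content-type", "").split(";")[0].strip().lower()
        if ctype == "" or ctype in FORM_CONTENT_TYPES:
            return False, f"POST with form-encodable content type {ctype!r}"

    # Check 2: every state-changing request must come from a known site.
    # Fail closed when neither header is present.
    source = h.get("origin") or h.get("referer")
    if not source:
        return False, "state-changing request without Origin or Referer"
    allowed = {origin_of(o) for o in allowed_origins}
    if origin_of(source) not in allowed:
        return False, f"request origin {source!r} is not an allowed site"
    return True, "ok"


if __name__ == "__main__":
    allowed = {"http://app.example"}
    # Constructed sample requests: the auto-submitted form from slide 19,
    # then a legitimate JSON write from the application's own origin.
    forged = {"Content-Type": "application/x-www-form-urlencoded",
              "Origin": "http://attacker.example"}
    genuine = {"Content-Type": "application/json; charset=utf-8",
               "Origin": "http://app.example"}
    print(check_request("POST", forged, allowed))
    print(check_request("POST", genuine, allowed))
```

Failing closed on a missing Origin/Referer also blocks clients that strip Referer for privacy, so this gate is a stopgap for a database that offers no authentication of its own; a per-session token checked by application code is the more complete fix, which is the "write your own auth code" the conclusions slide refers to.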
  22. Agenda: Eventual Consistency; REST APIs and CSRF; NoSQL Injection; SSJS Injection
  23. NoSQL injection. Most developers believe they don’t have to worry about things like this: “…with MongoDB we are not building queries from strings, so traditional SQL injection attacks are not a problem.” (MongoDB Developer FAQ). They’re mostly correct.
  24. MongoDB and PHP
      - MongoDB expects input in JSON array format:
          find( { artist : "The Black Keys" } )
      - In PHP, you do this with associative arrays:
          $collection->find(array("artist" => "The Black Keys"));
      - This makes injection attacks difficult, like parameterized queries for SQL
  25. MongoDB and PHP
      - You also use associative arrays for query criteria:
          find( { album_year : { $gte : 2011 } } )
          find( { artist : { $ne : "Lady Gaga" } } )
      - But PHP will automatically create associative arrays from querystring inputs with square brackets:
          page.php?param[foo]=bar
          $param == array("foo" => "bar");
  26. NoSQL Injection Demo
  27. $where queries. The $where clause lets you specify script to filter results:
          find( { $where : function() { return artist == "Weezer"; } } )
          find( { $where : function() {
                    var len = artist.length;
                    for (var i = 2; i < len; i++) {
                      if (len % i == 0) return false;
                    }
                    return true;
                  } } )
  28. NoSQL Injection Demo #2
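Slides 24 through 27 make two points that one example can show together: a framework that turns `param[foo]=bar` into a nested array lets an operator such as `$ne` ride in on an ordinary parameter, and a `$where` clause built from user input is script injection. The block below is an added example, not the author's, MongoDB's or PHP's code. It simulates PHP's bracket parsing in Python (a constructed approximation; Node's `qs` behaves the same way, so the point is not PHP-specific), shows the naive builder that passes the parsed value straight through, and beside it a hardened builder that allows only whitelisted fields with scalar values. `operator_keys()` is a recursive check that lists every `$`-key in a filter, which is the validation the conclusions slide asks for.

```python
"""
Added example: NoSQL injection via framework-parsed query parameters.
parse_php_style_query() is a constructed stand-in for PHP's handling of
name[key]=value; the builders and the operator scan are this example's own.
"""
import re
from urllib.parse import parse_qsl


def parse_php_style_query(qs):
    """Approximation of PHP's querystring parsing: a name like artist[$ne]
    becomes a nested dict, exactly the behaviour slide 25 describes."""
    params = {}
    for name, value in parse_qsl(qs, keep_blank_values=True):
        m = re.match(r"^([^\[]+)\[([^\]]*)\]$", name)
        if not m:
            params[name] = value
            continue
        base, key = m.group(1), m.group(2)
        if not isinstance(params.get(base), dict):
            params[base] = {}
        params[base][key] = value
    return params


def naive_filter(params):
    """The pattern from slide 24: whatever the framework parsed goes straight
    into the query document.  Shown as the 'before' only."""
    return {"artist": params.get("artist")}


def operator_keys(obj, path=""):
    """Recursively collect every key starting with '$' in a filter document,
    as dotted paths.  An empty result means the filter holds only plain
    field/value matches."""
    found = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            here = f"{path}.{k}" if path else str(k)
            if isinstance(k, str) and k.startswith("$"):
                found.append(here)
            found.extend(operator_keys(v, here))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            found.extend(operator_keys(v, f"{path}[{i}]"))
    return found


class UnsafeCriteria(ValueError):
    pass


SCALARS = (str, int, float, bool)


def safe_equality_filter(params, allowed_fields):
    """Hardened builder: only whitelisted fields, only scalar values, so the
    query can contain nothing but equality matches.  A nested dict such as
    {"$ne": ...} arriving from the querystring is rejected, not queried."""
    criteria = {}
    for field in allowed_fields:
        if field not in params:
            continue
        value = params[field]
        if not isinstance(value, SCALARS):
            raise UnsafeCriteria(
                f"{field}: expected a scalar, got {type(value).__name__}")
        criteria[field] = value
    if operator_keys(criteria):  # cannot happen given the checks above
        raise UnsafeCriteria("operator in filter")
    return criteria


def year_range_filter(min_year):
    """Operators are fine when the application supplies them and the user
    supplies only a validated scalar: the safe form of slide 25's
    {album_year: {$gte: 2011}}.  Range bounds are assumptions."""
    if not isinstance(min_year, int) or isinstance(min_year, bool) \
            or not 1900 <= min_year <= 2100:
        raise UnsafeCriteria("min_year must be an int in a plausible range")
    return {"album_year": {"$gte": min_year}}


def where_filter_from_string(artist):
    """Slide 27 / slide 33 red flag: a $where clause built from user input
    is server-side JavaScript injection waiting to happen.  'Before' only;
    the equality filter above expresses the same query with no script."""
    return {"$where": 'this.artist == "%s"' % artist}


if __name__ == "__main__":
    # Constructed inputs: an ordinary search, then one carrying an operator.
    for qs in ("artist=Weezer", "artist[$ne]=x"):
        params = parse_php_style_query(qs)
        print(qs, "->", naive_filter(params),
              "operators:", operator_keys(naive_filter(params)))
        try:
            print("  hardened:", safe_equality_filter(params, ["artist"]))
        except UnsafeCriteria as e:
            print("  hardened: rejected,", e)
```

The whitelist-and-scalar rule is what makes structured queries behave like parameterized SQL: the structure is fixed by the application and the user contributes values only. Once user input can shape the structure, whether through bracket parsing or through a `$where` string, the "not building queries from strings" argument on slide 23 no longer holds.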
  29. Agenda: Eventual Consistency; REST APIs and CSRF; NoSQL Injection; SSJS Injection
  30. Browser war fallout
      - Browser wars have given us incredibly fast and powerful JS engines: V8, WebKit, SpiderMonkey, Nitro, Rhino
      - Used for a lot more than just browsers, like NoSQL database engines…
  31. Server-side JavaScript injection vs. XSS
      - Client-side JavaScript injection (aka XSS) is #2 on the OWASP Top Ten
      - Use it to steal authentication cookies, impersonate the victim, create inline phishing sites, or build self-replicating web worms (e.g. Samy)
      - It’s really bad. But server-side is much worse.
  32. Server-Side JavaScript Injection (SSJI)
  33. SSJI red flags
      - $where clauses built with user input, injected from querystring manipulation
      - eval() clauses
      - Map/Reduce
      - Stored views/design docs: more CSRF possibilities here
  34. Wrapping Up
  35. Conclusions
      1. Always use authentication/authorization. Firewalls alone are not sufficient. Sometimes you may have to write your own auth code; this is unfortunate but better than the alternative.
      2. Be extremely careful with server-side script. Validate, validate, validate. Escape input too.
  36. Read my blog: http://blogs.adobe.com/asset. Email me: brsulliv