NoSQL, no SQL injections?

This talk was given at DEF CON 2010 by Kuon Ding and Wayne Huang

https://www.defcon.org/html/defcon-18/dc-18-speakers.html#Huang

NOSQL == NO SQL INJECTIONS?

This is a short talk on NoSQL technologies and their impact on traditional injection threats such as SQL injection. The talk surveys existing NoSQL technologies, then demos proof-of-concept threats found with CouchDB. We then discuss the impact of NoSQL technologies on existing security technologies such as blackbox scanning, static analysis, and web application firewalls.

    Presentation Transcript

    • DEF CON 2010 Kuon Ding, Wayne Huang
    • Agenda: What is NoSQL; Types of NoSQL; Who uses NoSQL?; NoSQL Architecture; Security Issues; Prevention and Detection!?
    • What is NoSQL: No SQL technologies do not support SQL; No SQL technologies are not vulnerable to threats such as SQL injection
    • What is NoSQL: One of the most commonly accepted definitions: Not Only SQL
    • What is NoSQL: The storage itself is a “non-relational DBMS”; Semi-structured; Schema-less
    • Types of NoSQL: 1. Key-value based 2. Column-based 3. Document-based 4. Graph-based 5. Object-based 6. …
    • Types of NoSQL: What’s challenging for security researchers: NoSQL is characterized by its diversity; Within the same family of NoSQL, implementations (of the client library) differ widely
    • Why NoSQL: 1. Performance 2. Scalability
    • Who’d use NoSQL? (What’s the impact?) 1. Cloud computing / SaaS vendors 2. SNS providers 3. Portal websites (which use a mixture of databases)
    • NoSQL Architecture (diagram of the layers): Web Application, Web Services, Client Library, Data Storage
    • The Client Library: No standards such as ODBC, JDBC, ADO, PDO; How is it implemented?; What interfaces does it support? A query interface?
    • Why a SQL-like interface?: Easier for developers; SQL statements can be reused during migration from RDBMS to NoSQL
    • NoSQL Architecture (the same diagram, with the Client Library layer highlighted): Web Application, Web Services, Client Library, Data Storage
    • NoSQL Architecture (figure, built up over three slides; the original table is flattened here): the old vectors are SQL passing through the standard interfaces ODBC, JDBC, ADO and PDO. The new vectors are laid out per NoSQL family (key-value, column, document, graph, object): each family has QL-like and non-QL client libraries, and every client library implementation (“impl”) is a distinct vector.
    • A Blessing? In the past: the notion of RDBMS matured; the notion of SQL matured; SQL implementation standards matured (ODBC, JDBC, etc.)
    • NoSQL Vulnerabilities: 1. Connection Pollution 2. JSON Injection 3. View Injection 4. Key Bruteforcing
    • Connection Pollution, using CouchDB as example: RESTful; Cross-Database / Pool Access; CouchDB’s global and DB handlers; Easier: handlers are all RESTful. Ex: NoSQL.connect(“http://couchDB/_restart”)
    • Connection Pollution, using CouchDB as example: RESTful; Cross-Database / Pool Access; CouchDB’s global and DB handlers; Harder: even when an injection vector exists, crossing DBs is difficult; Traditional SQL: Connect → SQL injection → Jump DB or table. Ex: NoSQL.connect(“http://”.$Pool.”/DC18/”); NoSQL.connect(“http://POOL/”.$Database)
    • Document-Based Issues: JSON Injection (CouchDB), data manipulation!! DRY (Don’t Repeat Yourself): leverage existing JSON implementations; If we really need to implement our own JSON parser, the troublemaker is the String type: try to use collection types such as hash and map; When handling tainted strings, you must escapeJSON() / unescapeJSON()
    • Document-based Issue: View Injection (CouchDB), application manipulation!! CouchDB is scriptable: it uses SpiderMonkey as the scripting engine; These JavaScript functions are called “Views”; Predefined views and temporary views; Views do map/reduce; Retrieve arbitrary data, modify return values to manipulate control flow, etc.
    • Key-Value Based Problem: Key bruteforcing. It’s schema-free, so no schema guessing is required; How to speed up attacks? Depends on the implementation of the client library & architecture; CHALLENGE: can we make a context-sensitive attack? http://IP/app/action?key=1aD33rSq Ex: $value = NoSQL.Get($key)
    • Key-Value Based Security: Key bruteforcing prevention (application-level): How data is modeled; Key size; Key space; Unpredictable key generation algorithm; Challenge-based (e.g. CAPTCHAs)
    • NoSQL vs. WAS: 1. For traditional scanning, how to handle unknown error messages? 2. For blind injections: if an xQL exists, how to perform logic-based blind injections? Time-based differential attacks? Based on statistical analysis?
    • NoSQL vs. WAS: 3. Different types of attack payload: languages (data and programming): JSON injections (data), view injections (programming); Schema-less: the attack surface is redefined, data is modeled not by SQL but by the application, so it is much more sensitive to the entry point 4. Different attack concepts (e.g. bruteforcing keys?)
    • NoSQL vs. WAS / pentesting: Selecting the payload requires understanding of the underlying DB. How to blindly identify URLs involving NoSQL? The SQL support will be a subset of SQL-92/95; Features (e.g. unions) that would impact parallelization will be removed
    • NoSQL vs. SCA: 1. Checks by data flow, fewer problems 2. Diversity is a big problem: unsupported client libraries 3. In general, a lot easier than WAS
    • NoSQL vs. WAF: 1. Key bruteforcing is not an injection attack: block by access threshold 2. URL integrity check (e.g. add a token), transparent to the backend. Ex: http://IP/app/action?key=1aD33rSq[HMAC($key)] 3. Definition of attack payloads: What is a data (e.g. JSON) injection? What is a view (e.g. JavaScript) injection?
    • Conclusion: Threat analysis must be conducted under a NoSQL mindset; Modeling of data is done by the application logic and not by the SQL statements or DB schema; Threats are very sensitive to the entry point; Threat types are different (e.g. key bruteforcing); This impacts existing security technologies
    • Comments please!! We are considering implementing static and blackbox scanners for NoSQL technologies. Please give us some comments!
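An added example (not code from the talk or from CouchDB) of the application-side check the Connection Pollution slides call for: the pool and database parts of the connection URL are treated as tainted, the pool is resolved through an allowlist and the database name is validated and percent-encoded, so neither can steer the connection to a server handler such as /_restart or to another pool. The pool names, hosts and the 64-character limit are constructed for the example.

```python
import re
from urllib.parse import quote, urlunsplit

# Constructed allowlist of storage pools for the example; a real deployment
# would load it from configuration. The key is what a request may name, the
# value is the only host the application will connect to for that name.
POOLS = {
    "pool-a": "couch-a.internal:5984",
    "pool-b": "couch-b.internal:5984",
}

# CouchDB database names start with a lowercase letter and may contain only
# a-z, 0-9 and _ $ ( ) + - /.  This check is stricter on purpose: no '/'
# (a path separator) and no leading '_' (server handlers such as /_restart
# and /_all_dbs live under that prefix).
DB_NAME = re.compile(r"^[a-z][a-z0-9_$()+-]{0,63}$")


class UnsafeTarget(ValueError):
    """Raised when a request would connect somewhere the app did not intend."""


def build_couch_url(pool: str, database: str) -> str:
    """Return the base URL for `database` on `pool`, or raise UnsafeTarget.

    Contrast with the slide's NoSQL.connect("http://".$Pool."/DC18/") and
    NoSQL.connect("http://POOL/".$Database): here neither tainted value is
    concatenated into the URL unchecked.
    """
    host = POOLS.get(pool)
    if host is None:
        raise UnsafeTarget(f"unknown pool {pool!r}")
    if not DB_NAME.match(database):
        raise UnsafeTarget(f"invalid database name {database!r}")
    # Percent-encode anyway so the name can only ever be one path segment.
    path = "/" + quote(database, safe="") + "/"
    return urlunsplit(("http", host, path, "", ""))


def is_safe_target(pool: str, database: str) -> bool:
    """Convenience wrapper for logging or tests: True if the pair is accepted."""
    try:
        build_couch_url(pool, database)
        return True
    except UnsafeTarget:
        return False
```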
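For the two document-based issues (JSON injection and view injection), an added example written for this page, not code from the talk: each vulnerable builder is shown beside its hardened form, plus the cheap structural check a log or WAF rule could apply. The two tainted inputs, the database name dc18 and the design document are constructed for the example.

```python
import json
from urllib.parse import quote

# Constructed tainted inputs for the example (not payloads from the talk).
TAINTED_NAME = 'alice", "roles": ["admin"], "x": "'   # JSON syntax inside a string value
TAINTED_TYPE = "user') || true || ('"                 # JavaScript syntax inside a string value


# --- JSON injection (data manipulation) ---
def user_doc_naive(name: str) -> dict:
    """Vulnerable: the tainted string is concatenated into JSON text, so it can
    close the value and append members (here a second "roles" key wins)."""
    text = '{"type": "user", "roles": ["reader"], "name": "' + name + '"}'
    return json.loads(text)


def user_doc_safe(name: str) -> dict:
    """Hardened (the DRY point): build a collection type and let the JSON
    library serialize it; json.dumps() on a string is the escapeJSON() of the
    slide. The name stays a single string value, whatever it contains."""
    doc = {"type": "user", "roles": ["reader"], "name": name}
    return json.loads(json.dumps(doc))


# --- View injection (application manipulation) ---
def temp_view_naive(doc_type: str) -> dict:
    """Vulnerable: a temporary view's map function is assembled from a tainted
    string, so data becomes JavaScript that the server-side engine executes."""
    js = "function(doc){ if (doc.type == '" + doc_type + "') emit(doc._id, doc); }"
    return {"method": "POST", "path": "/dc18/_temp_view", "body": {"map": js}}


# Predefined view shipped by the application in a design document; the user
# value is never part of the function text.
DESIGN_DOC = {"_id": "_design/app",
              "views": {"by_type": {"map": "function(doc){ emit(doc.type, doc); }"}}}


def view_query_safe(doc_type: str) -> dict:
    """Hardened: query the predefined view and pass the value as a JSON-encoded
    `key` parameter, so it is compared as data, never evaluated as code."""
    key = quote(json.dumps(doc_type), safe="")
    return {"method": "GET", "path": "/dc18/_design/app/_view/by_type?key=" + key}


def looks_like_code(s: str) -> bool:
    """Cheap log/WAF check: characters that can change JSON or JS structure."""
    return any(c in s for c in "\"'(){};")
```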
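For the key bruteforcing slides (Key-Value Based Security and NoSQL vs. WAF), an added example that is not from the talk: unpredictable key generation, the key[HMAC(key)] URL token verified before any lookup, and a per-client failure threshold. SECRET, the client names and the failure limit are constructed values.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed server-side secret for the example (assumption: in practice it
# comes from configuration or a KMS and is rotated, never hard-coded).
SECRET = b"example-only-secret"


def new_key(nbytes: int = 16) -> str:
    """Unpredictable key generation (application-level prevention): 128 bits
    from the CSPRNG, so the key space cannot be enumerated even though the
    store is schema-free and an attacker needs no schema guessing."""
    return secrets.token_urlsafe(nbytes)


def sign_key(key: str) -> str:
    """URL integrity token in the form the WAF slide sketches, key[HMAC(key)],
    written here as key.tag so the key can be split off again."""
    mac = hmac.new(SECRET, key.encode(), hashlib.sha256).digest()
    tag = base64.urlsafe_b64encode(mac[:16]).rstrip(b"=").decode()
    return f"{key}.{tag}"


def verify_token(token: str):
    """Return the bare key if the tag matches, else None. Guessed keys fail
    here, before any storage lookup, so the check is transparent to the
    backend."""
    key, sep, tag = token.rpartition(".")
    if not sep or not key:
        return None
    expected = sign_key(key).rpartition(".")[2]
    return key if hmac.compare_digest(expected, tag) else None


class FailureThreshold:
    """Block by access threshold: count invalid tokens per client and cut a
    client off once it reaches the limit. Bruteforcing is not an injection,
    so no payload signature catches it; the rate of failures does."""

    def __init__(self, limit: int):
        self.limit, self.failures = limit, {}

    def allow(self, client: str, token: str):
        """Return the verified key, or None if the token is invalid or the
        client is already blocked."""
        if self.failures.get(client, 0) >= self.limit:
            return None
        key = verify_token(token)
        if key is None:
            self.failures[client] = self.failures.get(client, 0) + 1
        return key
```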