NoSQL, no SQL injections?

This talk was given at DEF CON 2010 by Kuon Ding and Wayne Huang

https://www.defcon.org/html/defcon-18/dc-18-speakers.html#Huang

NOSQL == NO SQL INJECTIONS?

This is a short talk on NoSQL technologies and their impacts on traditional injection threats such as SQL injection. This talk surveys existing NoSQL technologies, and then demos proof-of-concept threats found with CouchDB. We then discuss impacts of NoSQL technologies to existing security technologies such as blackbox scanning, static analysis, and web application firewalls.

Transcript

  • 1. DEF CON 2010 Kuon Ding, Wayne Huang
  • 2. Agenda
    - What is NoSQL
    - Types of NoSQL
    - Who uses NoSQL?
    - NoSQL Architecture
    - Security Issues
    - Prevention and Detection!?
  • 3. What is NoSQL
    - No SQL technologies do not support SQL
    - No SQL technologies are not vulnerable to threats such as SQL injection
  • 4. What is NoSQL
    - One of the most commonly accepted definitions: Not Only SQL
  • 5. What is NoSQL
    - The storage itself is a “non-relational DBMS”
    - Semi-structured
    - Schema-less
  • 6. Types of NoSQL
    1. Key-value based
    2. Column-based
    3. Document-based
    4. Graph-based
    5. Object-based
    6. …
  • 7. Types of NoSQL. What’s challenging for security researchers:
    - NoSQL is characterized by its diversity
    - Within the same family of NoSQL, implementations (of the client library) differ widely
  • 8. Why NoSQL
    1. Performance
    2. Scalability
  • 9. Who’d use NoSQL? (What’s the impact?)
    1. Cloud computing: SaaS vendors
    2. SNS providers
    3. Portal websites: use a mixture of databases
  • 10. NoSQL Architecture (diagram): Web Application → Web Services → Client Library → Data Storage
  • 11. NoSQL Architecture (diagram): Web Application → Web Services → a Client Library → Data Storage
  • 12. The Client Library
    - No standards such as ODBC, JDBC, ADO, PDO
    - How is it implemented?
    - What interfaces does it support? Query interface?
  • 13. Why a SQL-like interface?
    - Easier for developers
    - SQL statements can be reused during migration from RDBMS to NoSQL
  • 14. NoSQL Architecture (diagram): Web Application → Web Services → a Client Library → Data Storage
  • 15. NoSQL Architecture (diagram): the Client Library layer on its own
  • 16. NoSQL Architecture (diagram): old vectors are SQL through the standard client libraries (ODBC, JDBC, ADO, PDO); new vectors are the key-value, column and document families, each with a QL-like and a non-QL client library, and each of those with many differing implementations
  • 17. NoSQL Architecture (diagram): the same matrix, extended with the graph family
  • 18. NoSQL Architecture (diagram): the same matrix, extended with the object family
  • 19. A Blessing? In the past:
    - Notion of RDBMS matured
    - Notion of SQL matured
    - SQL implementation standards matured (ODBC, JDBC, etc.)
  • 20. NoSQL Architecture (diagram): the full matrix of slide 18, repeated
  • 21. NoSQL Vulnerabilities
    1. Connection Pollution
    2. JSON Injection
    3. View Injection
    4. Key Bruteforcing
  • 22. Connection Pollution, using CouchDB as an example
    - RESTful
    - Cross-database / pool access
    - CouchDB’s global and DB handlers
    - Easier: handlers are all RESTful. Ex: NoSQL.connect("http://couchDB/_restart")
  • 23. Connection Pollution, using CouchDB as an example
    - RESTful
    - Cross-database / pool access
    - CouchDB’s global and DB handlers
    - Harder: even when an injection vector exists, crossing DBs is difficult
    - Traditional SQL: connect → SQL injection → jump DB or table
    - Ex: NoSQL.connect("http://".$Pool."/DC18/"); NoSQL.connect("http://POOL/".$Database)
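Slides 22 and 23 as working code, added here and not part of the talk: the connection URL is built once the way the slide shows and once behind host and database allowlists. The host names, database names and the tryConnectUrl helper are assumptions made for the demo.

```javascript
// Constructed allowlists: the application knows its pool members and databases.
const POOL_HOSTS = new Set(["couch1.internal:5984", "couch2.internal:5984"]);
const KNOWN_DBS = new Set(["dc18", "sessions"]);

// The slide's pattern: NoSQL.connect("http://" . $Pool . "/DC18/") and
// NoSQL.connect("http://POOL/" . $Database). Whatever the caller supplies lands
// in the request path, so a value such as "_restart" addresses a server
// handler instead of a database.
function unsafeConnectUrl(pool, database) {
  return "http://" + pool + "/" + database + "/";
}

// Hardened builder: the host must be a declared pool member, the database must be
// one the application declared, names beginning with "_" (CouchDB's reserved
// handlers) are refused, and the name is percent-encoded so it cannot add path
// segments or a query string.
function safeConnectUrl(pool, database) {
  if (typeof pool !== "string" || !POOL_HOSTS.has(pool)) {
    throw new Error("pool host not in allowlist");
  }
  if (typeof database !== "string" || database.startsWith("_")) {
    throw new Error("reserved CouchDB handler refused");
  }
  if (!KNOWN_DBS.has(database)) {
    throw new Error("database not declared by the application");
  }
  return "http://" + pool + "/" + encodeURIComponent(database) + "/";
}

// Non-throwing wrapper for callers (and tests) that want a result object.
function tryConnectUrl(pool, database) {
  try {
    return { ok: true, url: safeConnectUrl(pool, database) };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}
```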
  • 24. Document-Based Issues: JSON Injection (CouchDB). Data manipulation!!
    - DRY (Don’t Repeat Yourself): leverage existing JSON implementations
    - If we really need to implement our own JSON parser, the troublemaker is the String type
      - Try to use collection types such as hash and map
      - When handling tainted strings, must escapeJSON() / unescapeJSON()
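The slide's String-type problem and its two remedies (escapeJSON for a hand-rolled serializer, a collection type for the normal case), as an added example that is not from the talk; the document shape {role, name} and the tainted input are constructed for the demo.

```javascript
// Constructed tainted input: closes the name string and appends a second member.
const TAINTED_NAME = 'mallory","role":"admin';

// Vulnerable: the untrusted string is pasted straight into JSON text. The tainted
// value ends the string and adds a second "role" member; JavaScript's JSON.parse
// keeps the last duplicate, so the stored document is promoted.
function unsafeUserDoc(name) {
  return '{"role":"user","name":"' + name + '"}';
}

// If a hand-rolled serializer is unavoidable (slide 24), every embedded string
// must be escaped: backslash, double quote and control characters U+0000..U+001F.
function escapeJson(s) {
  const named = { '"': '\\"', "\\": "\\\\", "\n": "\\n", "\r": "\\r",
                  "\t": "\\t", "\b": "\\b", "\f": "\\f" };
  return s.replace(/[\\"\u0000-\u001f]/g,
    (c) => named[c] || "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

function escapedUserDoc(name) {
  return '{"role":"user","name":"' + escapeJson(String(name)) + '"}';
}

// Preferred (slide 24, "use the collection type"): build a map/object and let the
// existing JSON implementation do the serialization.
function safeUserDoc(name) {
  return JSON.stringify({ role: "user", name: String(name) });
}
```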
  • 25. Document-Based Issue: View Injection (CouchDB). Application manipulation!!
    - CouchDB is scriptable: it uses SpiderMonkey as the scripting engine
    - These JavaScripts are called “Views”
    - Predefined views and temporary views
    - Views are for map/reduce
    - Retrieve arbitrary data, modify return values to manipulate control flow, etc.
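An added example, not from the talk, of keeping user input out of view source: the same lookup once as a temporary view assembled from a string and once as a predefined view queried through ?key=. The sample documents, the design document name app and the view name by_owner are assumptions, and the view engine is simulated locally in Node rather than by CouchDB's SpiderMonkey.

```javascript
// Constructed sample documents standing in for a CouchDB database.
const DOCS = [
  { _id: "t1", owner: "alice", secret: "alice-data" },
  { _id: "t2", owner: "bob", secret: "bob-data" },
];

// The pattern the slide warns about: a temporary view whose JavaScript is
// assembled from a tainted string. The string reaches the view engine's parser
// as code, so it can change control flow instead of acting as a value.
function unsafeTempViewSource(owner) {
  return "function(doc){ if (doc.owner == '" + owner + "') emit(doc._id, doc.secret); }";
}

// Hardened pattern: the map function is fixed in a design document and the
// user's value travels as the JSON-encoded ?key= parameter, i.e. as data.
const BY_OWNER_MAP = "function(doc){ if (doc.owner) emit(doc.owner, doc.secret); }";

function safeViewUrl(db, owner) {
  return "/" + encodeURIComponent(db) + "/_design/app/_view/by_owner?key=" +
    encodeURIComponent(JSON.stringify(String(owner)));
}

// Local stand-in for the view engine: compile the map source (SpiderMonkey in
// CouchDB, V8 here), run it over every document, collect emit() rows, then keep
// the rows whose key equals the requested one, as ?key= does server-side.
function runView(mapSource, keyFilter) {
  const rows = [];
  const emit = (key, value) => rows.push({ key, value });
  const map = new Function("emit", "return " + mapSource)(emit);
  for (const doc of DOCS) map(doc);
  return keyFilter === undefined ? rows : rows.filter((r) => r.key === keyFilter);
}
```

A quote in the input is enough to show the difference: the temporary view fails to compile because the input was parsed as code, while the predefined view treats the same input as a key that matches nothing.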
  • 26. Key-Value Based Problem: Key bruteforcing
    - It’s schema-free: no schema guessing required
    - How to speed up attacks? Depends on the implementation of the client library & architecture
    - CHALLENGE: can we make a context-sensitive attack? http://IP/app/action?key=1aD33rSq
    - Ex: $value = NoSQL.Get($key)
  • 27. Key-Value Based Security: Key bruteforcing prevention (application-level)
    - How data is modeled
    - Key size
    - Key space
    - Unpredictable key generation algorithm
    - Challenge-based (e.g. CAPTCHAs)
  • 28. NoSQL vs. WAS
    1. For traditional scanning, how to handle unknown error messages?
    2. For blind injections: if an xQL exists, how to perform logic-based blind injections? Time-based differential attacks? Based on statistical analysis?
  • 29. NoSQL vs. WAS
    3. Different types of attack payload
       - Languages (data and programming): JSON injections (data), view injections (programming)
       - Schema-less: the attack surface is redefined; data is modeled not by SQL but by the application; much more sensitive to the entry point
    4. Different attack concepts (ex: bruteforcing keys?)
  • 30. NoSQL vs. WAS / pentesting
    - Selecting the payload requires understanding of the underlying DB
    - How to blindly identify URLs involving NoSQL? The SQL support will be a subset of SQL-92/95; features (ex: unions) that would impact parallelization will be removed
  • 31. NoSQL vs. SCA
    1. Checks by data flow, fewer problems
    2. Diversity is a big problem: unsupported client libraries
    3. In general, a lot easier than WAS
  • 32. NoSQL vs. WAF
    1. Key bruteforcing is not an injection attack: block by access threshold
    2. URL integrity check (ex: add a token), transparent to the backend. Ex: http://IP/app/action?key=1aD33rSq[HMAC($key)]
    3. Definition of attack payloads: what is a data (ex: JSON) injection? What is a view (ex: JavaScript) injection?
  • 33. Conclusion
    - Threat analysis must be conducted under a NoSQL mindset
    - Modeling of data is done by the application logic and not the SQL statements or DB schema
    - Threats are very sensitive to the entry point
    - Threat types are different: key bruteforcing
    - Impacts existing security technologies
  • 34. Comments please!! We are considering implementing static and blackbox scanners for NoSQL technologies. Please give us some comments!