NoSQL – No Security?
A way to lose even more stuff
Gavin Holt (@GavinHolt)
/me
Third Year Ethical Hacking & Countermeasures Student
Business Systems Developer for a utilities company (Responsible for Internal
Workflow Application and building towards whole ERP)
Background in Web Applications
What we will cover today
What is Big Data?
What is NoSQL?
Why NoSQL Security is an issue
Traditional Database Attack Vectors
NoSQL Attack Vectors
Securing NoSQL Installations
What is Big Data?
Datasets that are so large or complex that they are difficult
to process using traditional database processing
applications
2.5 quintillion bytes (2.5 x 10^18, a 1 followed by 18 zeros): data being generated every day (IBM)
2.5 petabytes (1 petabyte = 1,048,576 gigabytes): the size of Walmart's transaction data (The Economist)
40 terabytes per second: data generated by experiments on the LHC at CERN (The Economist)
72 hours per minute: video uploaded to YouTube (Google Inc.)
That is a lot of data
Try running that lot in M$ Access!
Data of this scale and complexity needs a different approach, different tools and
different storage mechanisms that create similar, but distinctly different problems for
developers.
What is NoSQL?
“Not Only SQL”
What is NoSQL?
Umbrella term for Database Management Systems that do not use the Relational
Model
Identifying NoSQL Systems:
  Generally don’t use tables
  Generally don’t use SQL for data manipulation
  Optimised for retrieves and appends
  Do very little other than record storage
  Highly scalable
  Focuses on huge quantities of data where a relational model isn’t required
Graph Data
Why use NoSQL?
Eventual Consistency
There is always going to be a delay when writing: a write is acknowledged before every node has seen it
NoSQL's performance gains over MySQL come from relaxing consistency, so it is favoured where speed and
availability matter more than every reader seeing the latest write straight away
User Updates Social Network
Social Network uses a load balancer
Writes don’t propagate immediately
Data is now inconsistent
Reading Stale Data
Users now being served old data from nodes that haven’t been updated
A more serious example
Data needs to be propagated quickly – NoSQL allows for that
Diagram from Adobe Security Labs
Why look at NoSQL
Security?
NoSQL is Popular!
Scalability
Redundancy
Flexibility
Rapid Development / Deployment
Cost
NoSQL holds a lot of stuff
If a data breach on a *relatively* small database is bad, what is a breach on a Big Data
database?!


Incorrectly configured and implemented – NoSQL is just a way to lose more data even
quicker than before!
NoSQL Solutions are easy to identify
Product     Default Ports
MongoDB     27017, 28017, 27080
CouchDB     5984
HBase       9000
Neo4j       7474
Riak        8098
Redis       6379
NoSQL doesn't like the outside world
• Redis
"Redis is designed to be accessed by trusted clients inside trusted environments. This means that
usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to
an environment where untrusted clients can directly access the Redis TCP port or UNIX socket.
In general, Redis is not optimized for maximum security but for maximum performance and
simplicity." (Redis Documentation)
• MongoDB
"The most effective way to reduce risk for MongoDB deployments is to run your entire MongoDB
deployment in a trusted environment." (MongoDB Documentation)
NoSQL isn’t fussy about who it talks to.
“When you start out fresh, CouchDB allows any request to be made by anyone.
Create a database? No problem, here you go. Delete some documents? Same deal.
CouchDB calls this the Admin Party. Everybody has privileges to do anything. Neat.
While it is incredibly easy to get started with CouchDB that way, it should be obvious
that putting a default installation into the wild is adventurous. Any rogue client could
come along and delete a database.” (CouchDB Documentation)
NB: Newer versions have begun to only allow access from localhost upon installation
Relational Database
Attack Vectors
Relational Database Attack Vectors
Software vulnerabilities
Credential brute forcing
Authorization weaknesses
Injection attacks
Privilege escalation
Insecure configurations
SQL Injection: Basics
Basics of SQL Injection
SQL SELECT command has three basic parts
  SELECT – The Data you want
  FROM – Where you want it from
  WHERE – What selection criteria to use
SELECT * FROM `users` WHERE `email`='gavin@pwned.org' AND `password`='letmein'
Attacker Submits
  Email: gavin@pwned.org
  Password: X' OR 1=1 -- (in MySQL the -- comment marker needs a trailing space)
SELECT * FROM `users` WHERE `email`='gavin@pwned.org' AND `password`='X' OR 1=1 -- '
1 ALWAYS equals 1, and the comment swallows the closing quote
Logs user in
NoSQL Vulnerabilities
How do these compare to traditional databases?
Authentication
Authentication
NoSQL
 Weak authentication methods
 Weak password storage
 Password bruteforcing opportunities
Relational Database
  Extensive authentication support
  Credentials stored hashed
Authentication – Source of the problem
Both CouchDB and MongoDB have limited security by default.
Does not scale well beyond the local security system
Weak authentication methods
HTTP/RESTful authentication
 HTTP BASIC or Cookie Based
 Vulnerable to replay and MITM Attacks
 Inherently insecure if SSL is not implemented or is compromised
Passwords
Weak Password Storage
Passwords should NEVER be stored in plain text
  But they are:
   Redis (requirepass in redis.conf), some configurations of CouchDB
Passwords should be hashed with a per-user salt (and the store may be encrypted as well!)
  Password = Hash("My Password" + salt)
  Use a slow password hash (bcrypt, scrypt, PBKDF2) rather than a fast digest such as MD5, which is cheap to brute-force
Access to password storage should be limited
Password Brute Forcing
Online password bruteforcing
 Redis' AUTH command is not rate limited or restricted in any way
 An attacker can issue this command until the correct password is found
Injection
Injection
Database diversity is awesome for flexible linking to various applications
  It also gives us a tonne of attack surfaces
  Command-based queries
  CQL
  JSON
  BSON
  Javascript
Injection Attack Surfaces are increasing
  As well as traditional query injection, we now have schema and JavaScript injection
Schema Injection
Used to override existing fields
  JSON Object
  QUERY
Last key wins: a repeated key takes precedence over an earlier one
  Allows an attacker to overwrite protected attributes when the POST body is assembled as text
  {"user":"gavin","admin":"False","password":"hacklab","admin":"True"}
  When processed
  {"user":"gavin","admin":"True","password":"hacklab"}
Similar to HTTP Parameter Pollution
Schema Injection - Mitigations
MySQL mitigates this using strongly typed tables and fields
Key Enforcement
  Whitelist POST data that can be modified from any given page
  Blacklist application managed data
   “admin” can never be set via POST
Manage your JSON
 When adding to objects, set keys on the object rather than concatenating text
Query Injection
JSON (JavaScript Object Notation)
  The Good News:
   Most languages have implemented JSON safely as native objects
  The Bad News:
   Strings can still be used to inject into queries in poorly written applications
Language Specific issues
  PHP Superglobals
  String to JSON Conversion
PHP Superglobals
PHP Automagically converts superglobal values to multidimensional arrays
Handy when dealing with web forms
 <input type=“text” name=“person[name]” />
 Can be referenced as $_POST[‘person’][‘name’]

PHP also uses arrays for MongoDB documents
PHP Superglobals
This means that an Attacker can insert MongoDB operations into the query by
GETting or POSTing keys
  Forgot.php?email=gavin@pwned.org&security_questions[$ne]=1

  array(
    "email" => "gavin@pwned.org",
    "security_questions" => array("$ne" => 1)
  );

  $ne = Not Equal: the query now matches any record whose answer is not 1, so the check passes without knowing the answer
Javascript Injection (SSJI)
Browser Wars have given us incredibly fast and powerful JS engines
  But they are used for a lot more than just browsers
  Like…..NoSQL database engines
Javascript Injection (SSJI)
Client Side JavaScript injection (More commonly XSS) is Number 2 on the OWASP Top
Ten
  Used to steal auth cookies
  Impersonate Users
  Create inline phishing sites
  Self Replicating worms

Nasty Stuff
But Server-side is MUCH worse
Javascript Injection (SSJI)
$where clauses
 Built with user input
 Injected from manipulating querystrings
Eval clauses
Map/Reduce (compensates for the lack of native SQL functions)
Mitigating Injection Attacks
Use safe strings / JSON Operators
  Escape Inputs
  Avoid concatenation when building queries
  Use native JSON objects where available
Be careful using GET & POST Variables
  Check for $operators
  Validate all Non-JSON Strings
Validate Schemas before committing to DB
Identify and Sanitize JavaScript inputs
  Check for server-side JavaScript injection on IPS/WAF (It won’t hurt!)
Authorisation
Authorisation
MySQL – Fine Grained:
 SELECT
 UPDATE
 INSERT
 DELETE
NoSQL – Coarse Grained:
 READ
 WRITE
Encryption
Encryption
Protecting data at rest and in transit - MySQL
  In Transit
   SSL/TLS
  At Rest
   Integrated cryptographic functionality
   Ability to encrypt data in the database
   Easy access to hashing functions
NoSQL
 In Transit
   Some SSL Support
  At Rest
   Not a lot
Example of an Attack
CSRF can be used to bypass firewalls: the victim's browser, already inside the network, makes the request for the attacker
Diagram from Adobe Security Labs
CSRF
Not particularly useful for stealing data
  <script>
  var xhr = new XMLHttpRequest();
  xhr.open('get', 'http://nosql:5984/_all_dbs');
  xhr.send();
  </script>
Same Origin Policy won't allow this (the request is sent, but the page cannot read the response)
Just as easy to make a user run the following
CSRF
  <form method="post" action="http://nosql:5984/db" enctype="text/plain">
  <input type="hidden" name='{"data"}' value='' />
  </form>
  <script>
  document.forms[0].submit(); // auto-submit the form
  </script>
But it will allow this! A form POST needs no preflight, so the browser sends it, cookies included
Data stolen
POST is all an Attacker needs
  Inserting Data (screenshot)
  Inserting Script Data (screenshot)
  Execute any REST command from inside the firewall
Securing NoSQL
One does not simply secure NoSQL </meme>
Understand your solution
No two NoSQL solutions are the same
 RTFM
Understand the environment
 Most NoSQL solutions say they should only be operated in a “Trusted Environment”
 Define your trusted environment
 Understand what devices potentially have access to your NoSQL Server
Validate your inputs
The NoSQL attack surface is diverse
  Schema, Query and JavaScript injection attacks affect different solutions differently
Understand how these attacks affect your application and NoSQL environment
Continue to validate for traditional SQLi and XSS attacks, as well as NoSQLi and SSJI
attacks

Scaling API-first – The story of a global engineering organization
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 

NoSQL - No Security?

  • 1. NoSQL – No Security? A way to lose even more stuff Gavin Holt (@GavinHolt)
  • 2. /me Third Year Ethical Hacking & Countermeasures Student Business Systems Developer for a utilities company (Responsible for Internal Workflow Application and building towards whole ERP) Background in Web Applications
  • 3. What we will cover today What is Big Data? What is NoSQL? Why NoSQL Security is an issue Traditional Database Attack Vectors NoSQL Attack Vectors Securing NoSQL Installations
  • 4. What is Big Data? Datasets that are so large or complex that they are difficult to process using traditional database processing applications
  • 5. 2.5 quintillion bytes (1 followed by 18 zeros) Data being generated every day (IBM)
  • 6. 2.5 Petabytes (1048576 Gigabytes) The size of Walmart's transaction data (The Economist)
  • 7. 40 Terabytes per second Data generated by experiments on the LHC at CERN (The Economist)
  • 8. 72 Hours per Minute Video uploaded to YouTube (Google Inc.)
  • 9. That is a lot of data. Try running that lot in M$ Access! Data of this scale and complexity needs a different approach, different tools and different storage mechanisms that create similar, but distinctly different, problems for developers.
  • 10. What is NoSQL? “Not Only SQL”
  • 11. What is NoSQL? Umbrella term for Database Management Systems that do not use the Relational Model Identifying NoSQL Systems: Generally don’t use tables Generally don’t use SQL for data manipulation Optimised for retrieves and appends Do very little other than record storage Highly scalable Focuses on huge quantities of data where a relational model isn’t required
  • 15. Eventual Consistency There is always going to be a delay when writing Performance gains of NoSQL vs MySQL mean that it is favoured when consistency is important
  • 16. User Updates Social Network Social Network uses a load balancer
  • 17. Writes don’t propagate immediately Data is now inconsistent
  • 18. Reading Stale Data Users now being served old data from nodes that haven’t been updated
  • 19. A more serious example Data needs to be propagated quickly – NoSQL allows for that Diagram from Adobe Security Labs
  • 20. Why look at NoSQL Security?
  • 22. NoSQL holds a lot of stuff. If a data breach on a *relatively* small database is bad, what is a breach on a Big Data database?! Incorrectly configured and implemented, NoSQL is just a way to lose more data even quicker than before!
  • 23. NoSQL Solutions are easy to identify. Product and default ports: MongoDB 27017, 28017, 27080; CouchDB 5984; HBase 9000; Neo4j 7474; Riak 8098
  • 24. NoSQL doesn't like the outside world. Redis: "Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket. In general, Redis is not optimized for maximum security but for maximum performance and simplicity." (Redis Documentation)
  • 25. NoSQL doesn't like the outside world. Redis; MongoDB: "The most effective way to reduce risk for MongoDB deployments is to run your entire MongoDB deployment in a trusted environment." (mongoDB Documentation)
  • 26. NoSQL isn't fussy about who it talks to. "When you start out fresh, CouchDB allows any request to be made by anyone. Create a database? No problem, here you go. Delete some documents? Same deal. CouchDB calls this the Admin Party. Everybody has privileges to do anything. Neat. While it is incredibly easy to get started with CouchDB that way, it should be obvious that putting a default installation into the wild is adventurous. Any rogue client could come along and delete a database." (CouchDB Documentation) NB: Newer versions have begun to only allow access from localhost upon installation
  • 28. Relational Database Attack Vectors Software vulnerabilities Credential brute forcing Authorization weaknesses Injection attacks Privilege escalation Insecure configurations
  • 30. Basics of SQL Injection. The SQL SELECT command has three basic parts: SELECT (the data you want), FROM (where you want it from), WHERE (what selection criteria to use). SELECT * FROM `users` WHERE `email`='gavin@pwned.org' AND `password`='letmein' Attacker submits Email: gavin@pwned.org Password: X' OR 1=1-- giving SELECT * FROM `users` WHERE `email`='gavin@pwned.org' AND `password`='X' OR 1=1-- 1 ALWAYS equals 1, so it logs the user in
  • 31. NoSQL Vulnerabilities How do these compare to traditional databases?
  • 33. Authentication. NoSQL: weak authentication methods, weak password storage, password brute-forcing opportunities. Relational database: extensive authentication support, creds hashed and stored offline
  • 34. Authentication – Source of the problem. Both CouchDB and mongoDB have limited security by default. Does not scale well beyond the local security system
  • 35. Weak authentication methods HTTP/RESTful authentication HTTP BASIC or Cookie Based Vulnerable to replay and MITM Attacks Inherently insecure if SSL is not implemented or is compromised
  • 37. Weak Password Storage. Passwords should NEVER be stored in plain text, but they are: Redis, some configurations of CouchDB. Passwords should be hashed or encrypted (or both!): Password = MD5("My Password"+salt). Access to password storage should be limited
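An added example, not from the slides, contrasting the slide's MD5("My Password"+salt) formula with what an application in front of a NoSQL store should actually keep: a per-user random salt, a slow key derivation (PBKDF2-HMAC-SHA256 here; the iteration count is an assumption to be tuned per deployment) and a constant-time comparison on login. Function and field names are hypothetical.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2 work factor; raise it until verification takes tens of ms.
ITERATIONS = 200_000


def md5_salted(password: str, salt: bytes) -> str:
    """The slide's formula, kept only for contrast: MD5 is fast, so an
    attacker who copies the stored hashes can test guesses at high speed."""
    return hashlib.md5(password.encode("utf-8") + salt).hexdigest()


def make_record(password: str) -> dict:
    """Build the credential record to store in the user document.
    Each user gets a fresh random salt, so equal passwords yield different hashes."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {
        "alg": "pbkdf2_sha256",   # name the scheme so it can be migrated later
        "iter": ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify(record: dict, candidate: str) -> bool:
    """Check a login attempt against a stored record. Any record that is not
    in the expected scheme (e.g. legacy plaintext) is refused rather than guessed at."""
    if record.get("alg") != "pbkdf2_sha256":
        return False
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, record["iter"])
    # compare_digest does not short-circuit on the first differing byte
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    rec = make_record("letmein")            # constructed sample credential
    print(rec)
    print("correct:", verify(rec, "letmein"), "wrong:", verify(rec, "letmeout"))
```

Store only the record returned by make_record; the plaintext password never needs to reach the database, which also makes the slide's "limit access to password storage" point easier to honour.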
  • 38. Password Brute Forcing. Online password brute-forcing: Redis' AUTH command is not rate limited or restricted in any way. An attacker can issue this command until the correct password is found
  • 40. Injection. Database diversity is awesome for flexible linking to various applications. It also gives us a tonne of attack surfaces: command-based queries, CQL, JSON, BSON, JavaScript. Injection attack surfaces are increasing: as well as traditional query injection, we now have schema and JavaScript injection
  • 41. Schema Injection. Used to override existing fields in a JSON object query: last keys take precedence over previous fields, which allows an attacker to overwrite protected attributes as the POST body is iterated over. {"user":"gavin","admin":"False","password":"hacklab","admin":"True"} when processed becomes {"user":"gavin","admin":"True","password":"hacklab"}. Similar to HTTP Parameter Pollution
  • 42. Schema Injection - Mitigations. MySQL mitigates this using strongly typed tables and fields. Key enforcement: whitelist the POST data that can be modified from any given page; blacklist application-managed data ("admin" can never be set via POST). Manage your JSON: when adding to objects, add keys to the object as opposed to concatenating strings of text
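An added example for slides 41 and 42, not from the talk: the slide's duplicate-key payload (reconstructed here as a constructed sample) parsed two ways, first with the default "last key wins" behaviour that the attack relies on, then with a strict parser that refuses duplicate keys, followed by the whitelist step that keeps "admin" application-managed whatever the body says. The whitelist set and function names are assumptions.

```python
import json

# Constructed from slide 41: two "admin" keys in one object.
SLIDE_PAYLOAD = '{"user":"gavin","admin":"False","password":"hacklab","admin":"True"}'

# Assumption: the only fields a profile page may change.
ALLOWED_PROFILE_FIELDS = frozenset({"user", "password"})


def lenient_load(text: str) -> dict:
    """Default behaviour of most JSON libraries: the last duplicate key wins."""
    return json.loads(text)


def _reject_duplicates(pairs):
    """object_pairs_hook: sees every (key, value) pair of an object in order,
    so a repeated key can be caught before it silently overwrites the first."""
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise ValueError(f"duplicate key in request body: {key!r}")
        seen[key] = value
    return seen


def strict_load(text: str) -> dict:
    """Parse JSON, failing on duplicate keys at any nesting level."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def safe_parse(text: str):
    """strict_load that returns None instead of raising, for callers that
    just want to drop a malformed body."""
    try:
        return strict_load(text)
    except ValueError:
        return None


def apply_profile_update(document: dict, body: dict) -> dict:
    """Copy only whitelisted keys from the request body onto the stored
    document; everything else ("admin" included) is ignored, not merged."""
    updated = dict(document)
    for key, value in body.items():
        if key in ALLOWED_PROFILE_FIELDS:
            updated[key] = value
    return updated


if __name__ == "__main__":
    print("lenient:", lenient_load(SLIDE_PAYLOAD))   # admin becomes "True"
    print("strict :", safe_parse(SLIDE_PAYLOAD))     # None: body rejected
    stored = {"user": "gavin", "admin": "False"}     # constructed stored document
    print("update :", apply_profile_update(stored, lenient_load(SLIDE_PAYLOAD)))
```

The two defences are independent: the strict parser stops the duplicate-key trick at the edge, and the whitelist means that even a body the parser accepts cannot reach fields the page was never meant to change.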
  • 43. Query Injection. JSON (JavaScript Object Notation). The good news: most languages have implemented JSON safely as native objects. The bad news: strings can still be used to inject into queries in poorly written applications. Language-specific issues: PHP superglobals; string-to-JSON conversion
  • 44. PHP Superglobals. PHP automagically converts superglobal values to multidimensional arrays. Handy when dealing with web forms: <input type="text" name="person[name]" /> can be referenced as $_POST['person']['name']. PHP also uses arrays for MongoDB documents
  • 45. PHP Superglobals. This means that an attacker can insert MongoDB operations into the query by GETting or POSTing keys: Forgot.php?email=gavin@pwned.org&security_questions[$ne]=1 becomes Array( "email" => "gavin@pwned.org", "security_question" => array("$ne" => 1) ); $ne = Not Equal
  • 46. Javascript Injection (SSJI) Browser Wars have given us incredibly fast and powerful JS engines But they are used for a lot more than just browsers Like…..NoSQL database engines
  • 47. Javascript Injection (SSJI). Client-side JavaScript injection (more commonly XSS) is number 2 on the OWASP Top Ten. Used to steal auth cookies, impersonate users, create inline phishing sites, self-replicating worms. Nasty stuff. But server-side is MUCH worse
  • 48. Javascript Injection (SSJI). $where clauses built with user input, injected from manipulating query strings. Eval clauses. Map/Reduce (compensates for a lack of native SQL functions)
  • 49. Mitigating Injection Attacks. Use safe strings / JSON operators. Escape inputs. Avoid concatenation when building queries. Use native JSON objects where available. Be careful using GET & POST variables: check for $operators. Validate all non-JSON strings. Validate schemas before committing to the DB. Identify and sanitise JavaScript inputs. Check for server-side JavaScript injection on IPS/WAF (it won't hurt!)
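An added example covering slides 45, 48 and 49, not from the talk: a small imitation of PHP's bracket-to-array parsing so the slide's Forgot.php query string (reconstructed here with one consistent field name) can be seen turning into a nested structure, and the "check for $operators" step from slide 49 applied before the structure is handed to a driver. Rejecting any key beginning with "$" covers $ne as well as $where. The parser, field names and function names are assumptions, not PHP's or MongoDB's own code.

```python
import re
from urllib.parse import parse_qsl

BRACKET = re.compile(r"\[([^\]]*)\]")

# Constructed from slide 45 (one field name used consistently here).
SLIDE_QUERY = "email=gavin@pwned.org&security_question[$ne]=1"
HONEST_QUERY = "email=gavin@pwned.org&security_question=blue"


def parse_php_style(query: str) -> dict:
    """Mimic PHP superglobal parsing: a[b][c]=1 becomes {'a': {'b': {'c': '1'}}}."""
    result: dict = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        base, _, rest = key.partition("[")
        parts = ([base] + BRACKET.findall("[" + rest)) if rest else [base]
        node = result
        for part in parts[:-1]:
            if not isinstance(node.get(part), dict):
                node[part] = {}
            node = node[part]
        node[parts[-1]] = value
    return result


def contains_operator(value) -> bool:
    """True if any key at any depth starts with '$' ($ne, $gt, $where, ...)."""
    if isinstance(value, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False


def build_lookup_filter(params: dict, fields) -> dict:
    """Build an equality-only filter from request parameters. Each named field
    must be a plain string; operators or nested structures are refused before
    anything resembling a query is built."""
    if contains_operator(params):
        raise ValueError("operator in user input")
    query = {}
    for field in fields:
        value = params.get(field)
        if not isinstance(value, str):
            raise ValueError(f"{field} must be a plain string")
        query[field] = value
    return query


def safe_filter(params: dict, fields):
    """build_lookup_filter that returns None on rejection."""
    try:
        return build_lookup_filter(params, fields)
    except ValueError:
        return None


if __name__ == "__main__":
    fields = ["email", "security_question"]
    bad = parse_php_style(SLIDE_QUERY)
    print(bad)                          # {'email': ..., 'security_question': {'$ne': '1'}}
    print(safe_filter(bad, fields))     # None: rejected
    print(safe_filter(parse_php_style(HONEST_QUERY), fields))
```

Because the filter is built only from the values of known fields, and only as strings, the equality semantics the developer intended survive no matter what shape the request arrived in.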
  • 51. Authorisation. MySQL – fine grained: SELECT, UPDATE, INSERT, DELETE. NoSQL – coarse grained: READ, WRITE
  • 53. Encryption. Protecting data at rest and in transit. MySQL: in transit, SSL/TLS; at rest, integrated cryptographic functionality, ability to encrypt data in the database, easy access to hashing functions. NoSQL: in transit, some SSL support; at rest, not a lot
  • 54. Example of an Attack
  • 55. CSRF can be used to bypass firewalls. Diagram from Adobe Security Labs
  • 56. CSRF. Not particularly useful for stealing data. Same Origin Policy won't allow this: <script> var xhr = new XMLHttpRequest(); xhr.open('get', 'http://nosql:5984/_all_dbs'); xhr.send(); </script> But it is just as easy to make a user run the following
  • 57. CSRF. But it will allow this! <form method=post action='http://nosql:5984/db'> <input type='hidden' name='{"data"}' value='' /> </form> <script> // auto-submit the form </script> Data stolen
  • 58. POST is all an attacker needs: inserting data, inserting script data, executing any REST command from inside the firewall
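An added example for slides 55 to 58, not from the talk and not a CouchDB feature: the request-level check a reverse proxy or middleware placed in front of a NoSQL REST port can apply to separate the browser-form post the slides describe from a legitimate client. It relies on two facts: an HTML form can only submit urlencoded, multipart or text/plain bodies, never application/json, and browsers attach an Origin (or Referer) header to cross-site POSTs. The trusted-origin list, header names handled and function name are assumptions.

```python
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}

# Assumption: origins from which a browser client may legitimately write.
TRUSTED_ORIGINS = ("http://nosql:5984",)


def is_cross_site_write(method: str, headers: dict, trusted_origins=TRUSTED_ORIGINS) -> bool:
    """Return True when a state-changing request looks like a cross-site
    browser submission and should be refused by the gate in front of the DB."""
    if method.upper() not in STATE_CHANGING:
        return False          # reads are left to the database's own auth
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    # A form cannot produce application/json, so demanding it for writes
    # shuts out the auto-submitted form from slide 57.
    if ctype != "application/json":
        return True
    origin = h.get("origin") or h.get("referer", "")
    # A JSON write with no recognisable origin is refused rather than guessed at.
    return not any(origin.startswith(o) for o in trusted_origins)


if __name__ == "__main__":
    # Constructed headers for the slide-57 form post and for a normal client.
    form_post = {"Content-Type": "application/x-www-form-urlencoded",
                 "Origin": "http://evil.example"}
    api_post = {"Content-Type": "application/json; charset=utf-8",
                "Origin": "http://nosql:5984"}
    print("form post refused:", is_cross_site_write("POST", form_post))
    print("api post refused :", is_cross_site_write("POST", api_post))
```

This does not replace authentication on the database itself; it removes the one property the attack depends on, that a victim's browser inside the firewall will happily submit a form to the REST port.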
  • 59. Securing NoSQL One does not simply secure NoSQL </meme>
  • 60. Understand your solution. No two NoSQL solutions are the same: RTFM. Understand the environment: most NoSQL solutions say they should only be operated in a "Trusted Environment". Define your trusted environment and understand what devices potentially have access to your NoSQL server
  • 61. Validate your inputs. The NoSQL attack surface is diverse: schema, query and JavaScript injection attacks affect different solutions differently. Understand how these attacks affect your application and NoSQL environment. Continue to validate for traditional SQLi and XSS attacks, as well as NoSQLi and SSJI attacks
  • 62. NoSQL – No Security? A way to lose even more stuff Gavin Holt (@GavinHolt)