ZA
Uploaded byzakieh alizadeh
PDF, PPTX463 views

Session11-NoSQL InjectionPHP Injection

This document discusses NoSQL injection and strategies for preventing it. It begins with an introduction comparing NoSQL and SQL databases. Next, it defines NoSQL injection and how it can occur. The document then discusses various techniques for preventing NoSQL injection attacks, including reviewing code for vulnerabilities and using input validation. It also provides an example of how NoSQL injection could happen in a PHP/MongoDB application and how to validate input as a string to prevent it.

Embed presentation

Download as PDF, PPTX
Web Application Security (PHP) Zakieh Alizadeh zakiehalizadeh@gmail.com APA Laboratory – Ferdowsi University of Mashhad
Session 2 NoSQL Injection
NoSQL Injection  Scenarios :  Preventing SQL Injection Attacks  Table of Content  NoSQL VS SQL  NoSQL Injection  strategies SQL injection resulted from weak coding techniques  Preventing SQL Injection Attacks  Reviewing Code for SQL Injection  Countermeasures of SQL Injection Preventing NoSQL Injection Attacks  Reviewing Code for NoSQL Injection Countermeasures of NoSQL Injection
NoSQL Injection  NoSQL VS SQL  NoSQL Injection  Preventing Injection Attacks
NoSQL Injection SQL VS NoSQL
NoSQL Injection SQL VS NoSQL
NoSQL Injection SQL VS NoSQL
NoSQL Injection SQL VS NoSQL
NoSQL Injection SQL VS NoSQL
NoSQL Injection Special case: PHP/MongoDB • MongoDB expects input in JSON array format find({'username‘:'Alizadeh'}) $collection->find(array('username'=>'Alizadeh’))
NoSQL Injection Special case: PHP/MongoDB find({'username':{’$ne‘ :'Alizadeh‘} })  But PHP will automatically create associative arrays from query string input with square brackets page.php? params[foo]= 'Alizadeh’ $params== array(‘foo’ => 'Alizadeh’ ) • MongoDB also use associative arrays for query criteria
NoSQL Injection • if you expect String : just validate “Is it String?” $db=$dbname; $m = new MongoClient(); // connect $db = $m->seminar; $collection=$db->user; $username= (string) $_GET['username']; $query=array('username'=>$username); $result=$collection->find($query); foreach ($result as $doc) { echo "UserName=".$doc['username']; }
NoSQL Injection

More Related Content

PDF
Sql Injection and XSS
byMike Crabb
 
PPTX
Selenium Conference 2014 -- Bangalore
byPrasanna Kanagasabai
 
PDF
Web Application Security II - SQL Injection
byMd Syed Ahamad
 
PPTX
Sql injection attack
byRaghav Bisht
 
PDF
Development Security Framework based on Owasp Esapi for JSF2.0
byRakesh Kachhadiya
 
PDF
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
byEdureka!
 
PDF
XSS And SQL Injection Vulnerabilities
byMindfire Solutions
 
PPTX
Sql Injection at Hashemite University
byYusuf Amro
 
Sql Injection and XSS
byMike Crabb
 
Selenium Conference 2014 -- Bangalore
byPrasanna Kanagasabai
 
Web Application Security II - SQL Injection
byMd Syed Ahamad
 
Sql injection attack
byRaghav Bisht
 
Development Security Framework based on Owasp Esapi for JSF2.0
byRakesh Kachhadiya
 
What is SQL Injection Attack | How to prevent SQL Injection Attacks? | Cybers...
byEdureka!
 
XSS And SQL Injection Vulnerabilities
byMindfire Solutions
 
Sql Injection at Hashemite University
byYusuf Amro
 

Similar to Session11-NoSQL InjectionPHP Injection

PDF
NoSQL, no security?
bywurbanski
 
PDF
Evolution Of Web Security
byChris Shiflett
 
PDF
null Bangalore meet - Php Security
byn|u - The Open Security Community
 
PDF
Http and security
byNikola Milosevic
 
PDF
NoSql Injection
byNSConclave
 
PDF
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
byIvan Ortega
 
ODP
a
bySandeep Kumar
 
PDF
SQLAS: Tool To Detect And Prevent Attacks In Php Web Applications
byClaraZara1
 
PDF
Sqlas tool to detect and prevent attacks in php web applications
byijsptm
 
PPT
Protecting Your Web Site From SQL Injection & XSS
byskyhawk133
 
PPTX
Secure Programming In Php
byAkash Mahajan
 
PDF
NoSQL - No Security?
byGavin Holt
 
ODP
Security In PHP Applications
byAditya Mooley
 
PPTX
OWASP Top 10 - Day 1 - A1 injection attacks
byMohamed Talaat
 
PDF
Security in PHP Applications: An absolute must!
byMark Niebergall
 
PDF
Devoid Web Application From SQL Injection Attack
byIJRESJOURNAL
 
PDF
Web Security Threats and Solutions
byIvo Andreev
 
PDF
Noinject
byJustin Swanhart
 
PPTX
Interpolique
byDan Kaminsky
 
PDF
Sql
byIJASCSE
 
NoSQL, no security?
bywurbanski
 
Evolution Of Web Security
byChris Shiflett
 
null Bangalore meet - Php Security
byn|u - The Open Security Community
 
Http and security
byNikola Milosevic
 
NoSql Injection
byNSConclave
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
byIvan Ortega
 
a
bySandeep Kumar
 
SQLAS: Tool To Detect And Prevent Attacks In Php Web Applications
byClaraZara1
 
Sqlas tool to detect and prevent attacks in php web applications
byijsptm
 
Protecting Your Web Site From SQL Injection & XSS
byskyhawk133
 
Secure Programming In Php
byAkash Mahajan
 
NoSQL - No Security?
byGavin Holt
 
Security In PHP Applications
byAditya Mooley
 
OWASP Top 10 - Day 1 - A1 injection attacks
byMohamed Talaat
 
Security in PHP Applications: An absolute must!
byMark Niebergall
 
Devoid Web Application From SQL Injection Attack
byIJRESJOURNAL
 
Web Security Threats and Solutions
byIvo Andreev
 
Noinject
byJustin Swanhart
 
Interpolique
byDan Kaminsky
 
Sql
byIJASCSE
 

More from zakieh alizadeh

PDF
Session10-PHP Misconfiguration
byzakieh alizadeh
 
PDF
Session9-File Upload Security
byzakieh alizadeh
 
PDF
S8-Session Managment
byzakieh alizadeh
 
PDF
Session7-XSS & CSRF
byzakieh alizadeh
 
PDF
Session6-Protecct Sensetive Data
byzakieh alizadeh
 
PDF
S5-Authorization
byzakieh alizadeh
 
PDF
Session4-Authentication
byzakieh alizadeh
 
PDF
Session3 data-validation-sql injection
byzakieh alizadeh
 
PDF
Session2-Application Threat Modeling
byzakieh alizadeh
 
PDF
Session1-Introduce Http-HTTP Security headers
byzakieh alizadeh
 
PDF
yii framework
byzakieh alizadeh
 
PDF
Web security Contents
byzakieh alizadeh
 
PDF
Validating and Sanitizing User Data
byzakieh alizadeh
 
PPSX
Session3 data-validation
byzakieh alizadeh
 
PDF
Introduce Yii
byzakieh alizadeh
 
Session10-PHP Misconfiguration
byzakieh alizadeh
 
Session9-File Upload Security
byzakieh alizadeh
 
S8-Session Managment
byzakieh alizadeh
 
Session7-XSS & CSRF
byzakieh alizadeh
 
Session6-Protecct Sensetive Data
byzakieh alizadeh
 
S5-Authorization
byzakieh alizadeh
 
Session4-Authentication
byzakieh alizadeh
 
Session3 data-validation-sql injection
byzakieh alizadeh
 
Session2-Application Threat Modeling
byzakieh alizadeh
 
Session1-Introduce Http-HTTP Security headers
byzakieh alizadeh
 
yii framework
byzakieh alizadeh
 
Web security Contents
byzakieh alizadeh
 
Validating and Sanitizing User Data
byzakieh alizadeh
 
Session3 data-validation
byzakieh alizadeh
 
Introduce Yii
byzakieh alizadeh
 

Recently uploaded

PDF
Track Phone Location Free by Number (2026)_ What’s Real, What’s a Scam, and t...
byRachel Green
 
PDF
software architecture for busy developers
byMuhammadAwaisQaisran
 
PDF
Build a Scalable On-Demand Courier Service App
byV3CUBE TECHNOLABS
 
PDF
apidays Australia 2025 | Build Your First MCP Server with Postman Flows
byapidays
 
PDF
Track Phone Location on iPhone (2026)_ What Actually Works, What’s a Scam, an...
byOlive Dimitrescu
 
PDF
Azure DevOps Services: Complete Guide to DevOps Tools, Automation & End-to-En...
byjohncarterjn
 
PDF
Image and video processing: From Mars to Hollywood with a stop at the hospita...
byHarinath Palavalli
 
PPTX
Salesforce Spring '26 Release presentation - Melbourne Salesforce User Group
byAnne N
 
PDF
Taxi App UIUX Design for Seamless Ride Booking
byV3CUBE TECHNOLABS
 
PPTX
Device Repair and Maintenance Management
byAxisTechnolabs
 
PDF
Metrics, Logs, Traces, and Mayhem_ Introducing an observability adventure gam...
byImma Valls Bernaus
 
PDF
Project Tracking in Software Project Management
bySahanaBarveen1
 
PPTX
GraphQL Day Paris 2025 | Bringing DevOps to GraphQL with the Apollo GraphOS O...
byapidays
 
PPTX
2025 S/4HANA Cloud Release Upgrade Overview.pptx
byssuser835a7b
 
PDF
20260201 [FOSDEM] gomodjail - library sandboxing for Go modules.pdf
byAkihiro Suda
 
PDF
Massage Booking App Development Company
byV3CUBE TECHNOLABS
 
PPTX
HR Software for Construction: Smarter Workforce & Payroll Management
byhelixtahr
 
PDF
Monitoring your MySQL Server's Health Trends
byIgor Donchovski
 
PPTX
SAP S4 HANA Conversion and Migration .pptx
bysabeenakouser
 
PDF
apidays Amsterdam 2025 | Making AI work for you as an API Product Manager
byapidays
 
Track Phone Location Free by Number (2026)_ What’s Real, What’s a Scam, and t...
byRachel Green
 
software architecture for busy developers
byMuhammadAwaisQaisran
 
Build a Scalable On-Demand Courier Service App
byV3CUBE TECHNOLABS
 
apidays Australia 2025 | Build Your First MCP Server with Postman Flows
byapidays
 
Track Phone Location on iPhone (2026)_ What Actually Works, What’s a Scam, an...
byOlive Dimitrescu
 
Azure DevOps Services: Complete Guide to DevOps Tools, Automation & End-to-En...
byjohncarterjn
 
Image and video processing: From Mars to Hollywood with a stop at the hospita...
byHarinath Palavalli
 
Salesforce Spring '26 Release presentation - Melbourne Salesforce User Group
byAnne N
 
Taxi App UIUX Design for Seamless Ride Booking
byV3CUBE TECHNOLABS
 
Device Repair and Maintenance Management
byAxisTechnolabs
 
Metrics, Logs, Traces, and Mayhem_ Introducing an observability adventure gam...
byImma Valls Bernaus
 
Project Tracking in Software Project Management
bySahanaBarveen1
 
GraphQL Day Paris 2025 | Bringing DevOps to GraphQL with the Apollo GraphOS O...
byapidays
 
2025 S/4HANA Cloud Release Upgrade Overview.pptx
byssuser835a7b
 
20260201 [FOSDEM] gomodjail - library sandboxing for Go modules.pdf
byAkihiro Suda
 
Massage Booking App Development Company
byV3CUBE TECHNOLABS
 
HR Software for Construction: Smarter Workforce & Payroll Management
byhelixtahr
 
Monitoring your MySQL Server's Health Trends
byIgor Donchovski
 
SAP S4 HANA Conversion and Migration .pptx
bysabeenakouser
 
apidays Amsterdam 2025 | Making AI work for you as an API Product Manager
byapidays
 

Session11-NoSQL InjectionPHP Injection

  • 1.
    Web Application Security(PHP) Zakieh Alizadeh zakiehalizadeh@gmail.com APA Laboratory – Ferdowsi University of Mashhad
  • 2.
  • 3.
    NoSQL Injection  Scenarios:  Preventing SQL Injection Attacks  Table of Content  NoSQL VS SQL  NoSQL Injection  strategies SQL injection resulted from weak coding techniques  Preventing SQL Injection Attacks  Reviewing Code for SQL Injection  Countermeasures of SQL Injection Preventing NoSQL Injection Attacks  Reviewing Code for NoSQL Injection Countermeasures of NoSQL Injection
  • 4.
    NoSQL Injection  NoSQLVS SQL  NoSQL Injection  Preventing Injection Attacks
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
    NoSQL Injection Special case:PHP/MongoDB • MongoDB expects input in JSON array format find({'username‘:'Alizadeh'}) $collection->find(array('username'=>'Alizadeh’))
  • 11.
    NoSQL Injection Special case:PHP/MongoDB find({'username':{’$ne‘ :'Alizadeh‘} })  But PHP will automatically create associative arrays from query string input with square brackets page.php? params[foo]= 'Alizadeh’ $params== array(‘foo’ => 'Alizadeh’ ) • MongoDB also use associative arrays for query criteria
  • 12.
    NoSQL Injection • ifyou expect String : just validate “Is it String?” $db=$dbname; $m = new MongoClient(); // connect $db = $m->seminar; $collection=$db->user; $username= (string) $_GET['username']; $query=array('username'=>$username); $result=$collection->find($query); foreach ($result as $doc) { echo "UserName=".$doc['username']; }
  • 13.