© 2011 Adobe Systems Incorporated. All Rights Reserved.
NoSQL, But Even Less Security
Bryan Sullivan, Senior Security Researcher, Adobe Secure Software Engineering Team
Agenda
Eventual Consistency
REST APIs and CSRF
NoSQL Injection
SSJS Injection
NoSQL databases
Eric Brewer’s CAP Theorem
Choose any two:
Availability
Consistency
Partition Tolerance
Eventual consistency in social networking
Writes don’t propagate immediately
Reading stale data
Reading stale data – a more serious case
Authentication is unsupported or discouraged
From the MongoDB documentation
“One valid way to run the Mongo database is in a trusted environment, with no security and authentication”
This “is the default option and is recommended”
From the Cassandra Wiki
“The default AllowAllAuthenticator approach is essentially pass-through”
From CouchDB: The Definitive Guide
The “Admin Party”: Everyone can do everything by default
Riak
No authentication or authorization support
Port scanning
If an attacker finds an open port, he’s already won…

| Database  | Default Port        |
|-----------|---------------------|
| MongoDB   | 27017, 28017, 27080 |
| CouchDB   | 5984                |
| HBase     | 9000                |
| Cassandra | 9160                |
| Neo4j     | 7474                |
| Riak      | 8098                |
Port Scanning Demo
REST document API examples (CouchDB)

Retrieve a document
```http
GET /mydb/doc_id HTTP/1.0
```

Create a document
```http
POST /mydb/ HTTP/1.0

{"album" : "Brothers", "artist" : "Black Keys"}
```

Update a document
```http
PUT /mydb/doc_id HTTP/1.0

{"album" : "Brothers", "artist" : "The Black Keys"}
```

Delete a document
```http
DELETE /mydb/doc_id?rev=12345 HTTP/1.0
```
Cross-Site Request Forgery (CSRF) firewall bypass
Traditional GET-based CSRF
```html
<img src="http://nosql:5984/_all_dbs"/>
```
Easy to make a potential victim request this URL
But it doesn’t do the attacker any good
He needs to get the data back out to himself
![Page 18: No sql but even less security](https://reader031.vdocuments.mx/reader031/viewer/2022013118/555a3ceed8b42ae1398b4bee/html5/thumbnails/18.jpg)
© 2011 Adobe Systems Incorporated. All Rights Reserved.
RIA GET-based CSRF
```html
<script>
var xhr = new XMLHttpRequest();
xhr.open('get', 'http://nosql:5984/_all_dbs');
xhr.send();
</script>
```
Just as easy to make a potential victim request this URL
Same-origin policy won’t allow this (usually)
Same issue for PUT and DELETE
![Page 19: No sql but even less security](https://reader031.vdocuments.mx/reader031/viewer/2022013118/555a3ceed8b42ae1398b4bee/html5/thumbnails/19.jpg)
© 2011 Adobe Systems Incorporated. All Rights Reserved.
POST-based CSRF
```html
<form method=post action='http://nosql:5984/db'>
<input type='hidden' name='{"data"}' value='' />
</form>
<script>
// auto-submit the form
</script>
```
Ok by the same-origin policy!
![Page 20: No sql but even less security](https://reader031.vdocuments.mx/reader031/viewer/2022013118/555a3ceed8b42ae1398b4bee/html5/thumbnails/20.jpg)
© 2011 Adobe Systems Incorporated. All Rights Reserved.
REST-CSRF Demo
![Page 21: No sql but even less security](https://reader031.vdocuments.mx/reader031/viewer/2022013118/555a3ceed8b42ae1398b4bee/html5/thumbnails/21.jpg)
© 2011 Adobe Systems Incorporated. All Rights Reserved.
POST is all an attacker needs
Insert arbitrary data
Insert arbitrary script data
Execute any REST command from inside the firewall
NoSQL injection
Most developers believe they don’t have to worry about things like this
“…with MongoDB we are not building queries from strings, so traditional SQL injection attacks are not a problem.”
-MongoDB Developer FAQ
They’re mostly correct
MongoDB and PHP
MongoDB expects query input in JSON format
```javascript
find( { 'artist' : 'The Black Keys' } )
```
In PHP, you do this with associative arrays
```php
$collection->find(array('artist' => 'The Black Keys'));
```
This makes injection attacks difficult
Like parameterized queries for SQL
MongoDB and PHP
You also use associative arrays for query criteria
```javascript
find( { 'album_year' : { '$gte' : 2011 } } )
find( { 'artist' : { '$ne' : 'Lady Gaga' } } )
```
But PHP will automatically create associative arrays from querystring inputs with square brackets
```php
page.php?param[foo]=bar
$param == array('foo' => 'bar');
```
NoSQL Injection Demo
$where queries
The $where clause lets you specify script to filter results
```javascript
find( { '$where' : 'function() { return artist == "Weezer"; }' } )

// keep only documents whose artist name has a prime-number length
find( { '$where' : 'function() { var len = artist.length; for (var i = 2; i < len; i++) { if (len % i == 0) return false; } return true; }' } )
```
NoSQL Injection Demo #2
Browser war fallout
Browser wars have given us incredibly fast and powerful JS engines
Used for a lot more than just browsers
Like NoSQL database engines…
V8
WebKit Nitro
SpiderMonkey
Rhino
Server-side JavaScript injection vs. XSS
Client-side JavaScript injection (aka XSS) is #2 on the OWASP Top Ten
Use it to steal authentication cookies
Impersonate the victim
Create inline phishing sites
Self-replicating web worms, e.g. Samy
It’s really bad.
But server-side is much worse.
Server-Side JavaScript Injection (SSJI)
SSJI red flags
$where clauses
Built with user input
Injected from querystring manipulation
eval() clauses
Map/Reduce
Stored views/design docs
More CSRF possibilities here
Wrapping Up
Conclusions
1. Always use authentication/authorization. Firewalls alone are not sufficient
   Sometimes you may have to write your own auth code
   This is unfortunate but better than the alternative
2. Be extremely careful with server-side script. Validate, validate, validate
   Escape input too
Read my blog: http://blogs.adobe.com/asset
Email me: brsulliv