NOSQL INJECTION IN APPS

Vietnam

WWW.DESIGNVELOPER.COM

1.INTRODUCTION

WWW.DESIGNVELOPER.COM

Hello!I am Son Leo At Designveloper for > 2

yearso Work with Meteor for > a

year

You can find me at:@sonlexqt

Required: familiarity with

WWW.DESIGNVELOPER.COM

Don’t get me wrong !

is NOT INSECURE

WWW.DESIGNVELOPER.COM

SQL InjectionQueries use STRINGs as the control mechanism.

WWW.DESIGNVELOPER.COM

Exploits of a Mom

// queryINSERT INTO Students VALUES ( '$Name' )// inputRobert'); DROP TABLE Students; --// resultINSERT INTO Students VALUES ( 'Robert' ); DROP TABLE Students; --' )

source: https://xkcd.com/327

WWW.DESIGNVELOPER.COM

SQL Injection - One more example// querySELECT * FROM users WHERE username='peter’AND (password= ('$PWD'))// input' OR '1'='1’// resultSELECT * FROM users WHERE username='peter' AND (password='' OR '1'='1')

WWW.DESIGNVELOPER.COM

NoSQL InjectionQueries use OBJECTs as the control mechanism.

WWW.DESIGNVELOPER.COM

2.DEMO TIME

Meteor-shop web application

WWW.DESIGNVELOPER.COM

Let’s play a role of a hacker !With NoSQL Injection skill.

WWW.DESIGNVELOPER.COM

3.SOLUTIONS

WWW.DESIGNVELOPER.COM

“MAKE

ASSERTIONS ON USER

INPUT DATA

WWW.DESIGNVELOPER.COM

CHECK to the rescuehttps://atmospherejs.com/meteor/check

Check whether a value matches a

pattern$ meteor add check

check(slug, String);

ERROR: Expected String, got Object

WWW.DESIGNVELOPER.COM

CHECK-CHECKERhttps://atmospherejs.com/east5th/check-checker Scan the code to detect methods / publish

functions which haven’t checked for its input data.

$ meteor add east5th:check-checker

WWW.DESIGNVELOPER.COM

Thanks!Any questions?

o meteor-shop demo application https://github.com/sonlexqt/meteor-shop

WWW.DESIGNVELOPER.COM