SlideShare a Scribd company logo
1 of 49
NoSQL, no security?
Will Urbanski
Vulnerability Management, Dell SecureWorks
What we will cover today

§ Why look at NoSQL security?


§ Relational Database attack vectors


§ NoSQL attack vectors


§ Securing NoSQL deployments


2        10/27/12
Why look at
    NoSQL security?




3        10/27/12
NoSQL is popular

•  Scalability

•  Redundancy

•  Flexibility

•  Rapid development / deployment

•  Cost




4                10/27/12
“Redis is designed to be accessed by trusted clients inside trusted
environments. This means that usually it is not a good idea to expose
the Redis instance directly to the internet or, in general, to an
environment where untrusted clients can directly access the Redis TCP
port or UNIX socket.” [redis.io]




5           10/27/12
“The most effective way to reduce risk for MongoDB deployments is to
run your entire MongoDB deployment, including all MongoDB
components in a trusted environment” [mongodb.org]




6           10/27/12
“When you start out fresh, CouchDB allows any request to be made by
anyone. [..] it should be obvious that putting a default installation into
the wild is adventurous. Any rogue client could come along and delete
a database.” [guide.couchdb.org]




7            10/27/12
8   Confidential   10/27/12
9   Confidential   10/27/12
Relational Databases (RDBMS)

•  Relative Feature Parity


•  Integrated Security Features

     –  Authorization

     –  Authentication

     –  Confidentiality




10               10/27/12
RDBMS Attack Surfaces

•  Software vulnerabilities        •  Injection Attacks


•  Credential brute forcing        •  Privilege escalation
     –  Offline storage
     –  Authentication protocols

•  Authorization weaknesses        •  Insecure configurations
     –  MITM
     –  Replay attacks




11              10/27/12
Does NoSQL mean “No Security”?




12     10/27/12
Injection




13          10/27/12
Injection Attacks

•  Database diversity is increasing
        ›    Command-based queries
        ›    CQL
        ›    JSON
        ›    BSON
        ›    Javascript
        ›    Custom query languages

•  Injection attack surface is increasing
     –  Query injection
     –  Schema injection
     –  Javascript injection

•  Attack complexity is increasing




14                10/27/12
Collections

     Tables         Collections




15       10/27/12
Schema Injection

•  Allows an attacker to insert arbitrary key/value pairs into a document
     –  Attacker can also change the data type of a key

•  Feasible when an application iterates POST values to create
   documents




16              10/27/12
Schema Injection

•  Schema injection can also be utilized to override existing fields.
     –  JSON object (replacement occurs in code)
     –  Query (replacement occurs on DB)

•  Last key takes precedence over previous fields.




17             10/27/12
Schema Injection

•  If non user-specified attributes are included before POST is iterated,
   the client can inject or modify protected attributes.




•  Think ‘HTTP Parameter Pollution’




18           10/27/12
Schema Injection Mitigation

•  RDBs mitigate this through the use of strongly typed tables.

•  Key enforcement
     –  Whitelist POST data values that can be added to the document
        ›  ‘email’, ‘firstName’, ‘lastName’ should always be set via POST.

     –  Blacklist application-managed keys
        ›  ‘is_admin’ can never be set via POST.

•  Replace or concatenate
     –  When using native JSON objects, add application-managed keys after
        adding user inputs.
     –  When using strings, always concatenate application-managed keys.




19              10/27/12
Query Injection

•  There are safe and unsafe ways to build JSON queries.

•  The good news is…
     –  Most languages that have implemented JSON-like dictionaries as native
        objects implement them safely.
     –  dict = {‘email’: email ,’password’: password}

•  The bad news is…
     –  Strings still exist and can be abused to inject into queries on poorly written
        applications.
     –  dict= “{‘email’:’%s’,’password’:’%s’}” % (email,
        password)

•  Language-specific constructs can also be abused
     –  PHP’s superglobals
     –  String to JSON conversion


20              10/27/12
PHP’s Superglobals

•  PHP automatically converts superglobal values to multidimensional
   arrays
     –  $_POST – for working with HTTP POST data
     –  $_GET – for working with HTTP GET data

•  This is very handy when working with web forms
     –  <input type=“text” name=“person[name]” value=“”>
     –  Can be referenced via $_POST[‘person’][‘name’]

•  PHP also uses arrays to represent MongoDB documents
     –  $user = array(
           ‘email' => ‘will@localhost',
           ‘password' => ‘mmmfrenchtoast',
           ‘date_created' => ‘2012-06-15’
        );




21             10/27/12
PHP’s Superglobals

•  Adversaries can weaponize superglobals by inserting MongoDB
   comparison operations in HTTP GET or POST keys
      –  forgot_password.php?
         email=will@localhost&security_question[$ne]=1

      –  Array (
            “email” => “will@localhost”,
            “security_question” => array(“$ne” => 1)
         );

•  Kudos to Bryan Sullivan @ Adobe for identifying and reporting this
     http://blogs.adobe.com/asset/files/2011/04/NoSQL-But-Even-Less-Security.pdf




22                      10/27/12
Javascript Injection (SSJI)

•  Native Javascript support
     –  Supports Map/Reduce functionality
     –  Compensates for a lack of native SQL functions
        ›  Batch processing of collections
        ›  Aggregation

•  Persistent or passed via client

•  MongoDB and CouchDB application architectures
     –  db.eval()
     –  $where
     –  Temporary views




23              10/27/12
Mitigating Injection Attacks

•  Use safe string / JSON operations
     –  Escape input
     –  Avoid string concatenation when building queries
     –  Use native JSON-like objects when available

•  Be careful when utilizing GET and POST variables
     –  Check for use of $operators
     –  Validate strings do not contain JSON

•  Validate document schemas before writing to the database

•  Identify and sanitize Javascript in application inputs
     –  Check for server-side Javascript injection on IPS/WAF, if applicable

•  Ensure your defense in depth strategy is looking for these attacks



24              10/27/12
Authentication




25         10/27/12
Authentication

•  Authentication issues:

     –  Weak authentication methods

     –  Weak password storage methods

     –  Password bruteforcing opportunities

•  RDBMS

     –  Rich authentication support

     –  Account credentials are hashed when stored offline




26              10/27/12
Local-only security model

•  “When you start out fresh, CouchDB allows any request to be made
   by anyone. [..] Everybody has privileges to do anything.
   Neat.” [guide.couchdb.org]

•  “If there are no admin users, one may access the database from the
   localhost interface without authenticating.” [mongodb.org]

•  Limited security by default
     •  Localhost only
     •  Rapid development
     •  Ease of use

•  Growing pains
     •  Authentication methods don’t always effectively scale beyond localhost




27               10/27/12
Weak authentication methods

1.  HTTP/RESTful authentication

2.  Non-HTTP/RESTful authentication




28      10/27/12
HTTP/RESTful authentication

•  HTTP BASIC, DIGEST or Cookie-based auth

•  May require a reverse proxy server

     –  Vulnerable to replay and MITM attacks

     –  Insecure if SSL/TLS/encryption is not implemented or compromised




29             10/27/12
Non-HTTP/RESTful solutions

•  Ideally would use a challenge-response authentication protocol

•  Should be resistant to replay attacks

•  Clear-text passwords should be avoided




30           10/27/12
Weak password storage methods

•  Passwords should never be stored in the clear
     –  Redis, CouchDB (some cases)

•  Passwords should be hashed or encrypted
     –  Preferably with a secure hashing algorithm

     –  MongoDB
        ›  MD5(username + “:mongo:” + password)

     –  CouchDB
        ›  Salt is a randomly generated 128-bit UUID
        ›  PW = “-hashed-” + SHA1(password + salt) + “,” + salt

•  Access to password storage should be limited




31              10/27/12
Password bruteforcing

•  Online password bruteforcing
     –  Redis’ AUTH commands are not rate limited or restricted in any way
     –  An attacker could repeatedly issue the AUTH command until the correct
        password was identified




32             10/27/12
Authentication

•  Authentication schemes vary widely depending on the NoSQL
   database being used

•  Native authentication schemes are relatively weak
     –  Replay attacks
     –  Password bruteforcing
     –  Information leakage


•  Pluggable authentication is generally not supported




33             10/27/12
Authorization




34         10/27/12
Authorization

•  Specifies access rights to
   resources and operations within
   the database

•  SQL’s Data Control Language
   (DCL)
     –  GRANT, REVOKE




35           10/27/12
NoSQL Authorization

•  Architecture dependent

•  Per-database, not per-collection

•  Generally course-grained




36           10/27/12
Each architecture is different

•  No corollary for SQL’s DCL

•  Common authorization features:

     –  ADMIN role

     –  Differentiation between Read and
        Write

     –  Authorization not required until
        enabled




37              10/27/12
Inventive Solutions

•  Validation Functions

•  Role-based Access Control
     –  User roles
     –  Security groups

•  Command Renaming
     –  Authorization through obscurity




38              10/27/12
Confidentiality




39          10/27/12
Confidentiality

•  Protect data at rest and in transit

•  Confidentiality in transit
     –  SSL/TLS
     –  Mutually verifiable (key exchange)

•  Confidentiality at rest
     –  Integrated cryptographic functionality
     –  Ability to encrypt data in the database
     –  Easy access to hashing functions




40              10/27/12
NoSQL Confidentiality

•  In transit
     –  Some SSL support

     –  HTTP/REST-based solutions generally recommend use of HTTPS reverse
        proxies

     –  Non-REST based solutions recommend the use of stunnel, VPNs, or a
        transport-layer encryption technology

•  At rest

•  Third party applications exist to provide advanced authorization and
   confidentiality functionality to existing databases




41              10/27/12
Securing NoSQL




42        10/27/12
Securing NoSQL

•  Trusted operating environment
     –  Scoping
     –  Identifying ingress and egress

•  Compliance Issues
     –  PCI

•  Compensating Controls
     –  Architecture limitations




43               10/27/12
#1 Understand your solution

•  No two NoSQL solutions are the
   same
     –  Read the manual!

•  Understand the environment
     –  Define “trusted environment”
     –  Understand ingress/egress

•  Architecture
     –  Software
     –  Capabilities
     –  Controls

•  Defense in Depth




44               10/27/12
#2 Beware architecture creep

•  Additional architecture may be
   required

•  Increased TCO, deployment
   times

•  Identify these needs during
   development




45           10/27/12
#3 Always Validate

•  The NoSQL injection attack surface is diverse
     –  Schema, query, and javascript injection attacks affect architectures
        differently.

•  Understand how these attacks can affect your application and NoSQL
   environment

•  Continue to validate for traditional (SQLi, XSS) and non-traditional
   injection (NoSQLi, SSJI) attacks.




46              10/27/12
#4 Work with Vendors

•  Dynamic projects; quick release cycles

•  If your NoSQL solution doesn't support the features you need, ask for
   them.

•  Several of the shortcomings we have discussed today are “on the
   roadmap”




47           10/27/12
Thank you!

     I value your
     feedback




                      Twitter: @willurbanski


48         10/27/12
Picture Credits

•    14 – Red Bull
•    15 – Flickr.com / ActiveGuy98
•    22 – Flickr.com / John Kannenberg
•    22 – Flickr.com / Angelberries
•    34 – mysecuritysign.com
•    54 – Flickr.com / James Pullen




49             10/27/12

More Related Content

What's hot

aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundDirkjanMollema
 
Securing Your MongoDB Implementation
Securing Your MongoDB ImplementationSecuring Your MongoDB Implementation
Securing Your MongoDB ImplementationMongoDB
 
Rackspace: Email's Solution for Indexing 50K Documents per Second: Presented ...
Rackspace: Email's Solution for Indexing 50K Documents per Second: Presented ...Rackspace: Email's Solution for Indexing 50K Documents per Second: Presented ...
Rackspace: Email's Solution for Indexing 50K Documents per Second: Presented ...Lucidworks
 
Beyond the Basics 4: How to secure your MongoDB database
Beyond the Basics 4: How to secure your MongoDB databaseBeyond the Basics 4: How to secure your MongoDB database
Beyond the Basics 4: How to secure your MongoDB databaseMongoDB
 
Software Development in the Age of Breaches
Software Development in the Age of BreachesSoftware Development in the Age of Breaches
Software Development in the Age of BreachesKarthik Bhat
 
Understanding the Solr Security Framekwork: Presented by Anshum Gupta, IBM
Understanding the Solr Security Framekwork: Presented by Anshum Gupta, IBMUnderstanding the Solr Security Framekwork: Presented by Anshum Gupta, IBM
Understanding the Solr Security Framekwork: Presented by Anshum Gupta, IBMLucidworks
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 
[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?OWASP
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedMicah Hoffman
 
[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automationOWASP
 
[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detailOWASP
 
WebLogic Scripting Tool Overview
WebLogic Scripting Tool OverviewWebLogic Scripting Tool Overview
WebLogic Scripting Tool OverviewJames Bayer
 
Secure Search - Using Apache Sentry to Add Authentication and Authorization S...
Secure Search - Using Apache Sentry to Add Authentication and Authorization S...Secure Search - Using Apache Sentry to Add Authentication and Authorization S...
Secure Search - Using Apache Sentry to Add Authentication and Authorization S...Lucidworks
 
Drupal commerce performance profiling and tunning using loadstorm experiments...
Drupal commerce performance profiling and tunning using loadstorm experiments...Drupal commerce performance profiling and tunning using loadstorm experiments...
Drupal commerce performance profiling and tunning using loadstorm experiments...Andy Kucharski
 
RedisConf18 - Writing modular & encapsulated Redis code
RedisConf18 - Writing modular & encapsulated Redis codeRedisConf18 - Writing modular & encapsulated Redis code
RedisConf18 - Writing modular & encapsulated Redis codeRedis Labs
 
Caching in Windows Azure
Caching in Windows AzureCaching in Windows Azure
Caching in Windows AzureIdo Flatow
 
High Performance Java EE with JCache and CDI
High Performance Java EE with JCache and CDIHigh Performance Java EE with JCache and CDI
High Performance Java EE with JCache and CDIPayara
 
DevOpsDays - DevOps: Security 干我何事?
DevOpsDays - DevOps: Security 干我何事?DevOpsDays - DevOps: Security 干我何事?
DevOpsDays - DevOps: Security 干我何事?smalltown
 
Hardening cassandra for compliance or paranoia
Hardening cassandra for compliance or paranoiaHardening cassandra for compliance or paranoia
Hardening cassandra for compliance or paranoiazznate
 

What's hot (20)

aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
 
Securing Your MongoDB Implementation
Securing Your MongoDB ImplementationSecuring Your MongoDB Implementation
Securing Your MongoDB Implementation
 
Rackspace: Email's Solution for Indexing 50K Documents per Second: Presented ...
Rackspace: Email's Solution for Indexing 50K Documents per Second: Presented ...Rackspace: Email's Solution for Indexing 50K Documents per Second: Presented ...
Rackspace: Email's Solution for Indexing 50K Documents per Second: Presented ...
 
Unsafe SSL webinar
Unsafe SSL webinarUnsafe SSL webinar
Unsafe SSL webinar
 
Beyond the Basics 4: How to secure your MongoDB database
Beyond the Basics 4: How to secure your MongoDB databaseBeyond the Basics 4: How to secure your MongoDB database
Beyond the Basics 4: How to secure your MongoDB database
 
Software Development in the Age of Breaches
Software Development in the Age of BreachesSoftware Development in the Age of Breaches
Software Development in the Age of Breaches
 
Understanding the Solr Security Framekwork: Presented by Anshum Gupta, IBM
Understanding the Solr Security Framekwork: Presented by Anshum Gupta, IBMUnderstanding the Solr Security Framekwork: Presented by Anshum Gupta, IBM
Understanding the Solr Security Framekwork: Presented by Anshum Gupta, IBM
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
 
[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?[Wroclaw #7] Why So Serial?
[Wroclaw #7] Why So Serial?
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection Exploited
 
[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation
 
[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail
 
WebLogic Scripting Tool Overview
WebLogic Scripting Tool OverviewWebLogic Scripting Tool Overview
WebLogic Scripting Tool Overview
 
Secure Search - Using Apache Sentry to Add Authentication and Authorization S...
Secure Search - Using Apache Sentry to Add Authentication and Authorization S...Secure Search - Using Apache Sentry to Add Authentication and Authorization S...
Secure Search - Using Apache Sentry to Add Authentication and Authorization S...
 
Drupal commerce performance profiling and tunning using loadstorm experiments...
Drupal commerce performance profiling and tunning using loadstorm experiments...Drupal commerce performance profiling and tunning using loadstorm experiments...
Drupal commerce performance profiling and tunning using loadstorm experiments...
 
RedisConf18 - Writing modular & encapsulated Redis code
RedisConf18 - Writing modular & encapsulated Redis codeRedisConf18 - Writing modular & encapsulated Redis code
RedisConf18 - Writing modular & encapsulated Redis code
 
Caching in Windows Azure
Caching in Windows AzureCaching in Windows Azure
Caching in Windows Azure
 
High Performance Java EE with JCache and CDI
High Performance Java EE with JCache and CDIHigh Performance Java EE with JCache and CDI
High Performance Java EE with JCache and CDI
 
DevOpsDays - DevOps: Security 干我何事?
DevOpsDays - DevOps: Security 干我何事?DevOpsDays - DevOps: Security 干我何事?
DevOpsDays - DevOps: Security 干我何事?
 
Hardening cassandra for compliance or paranoia
Hardening cassandra for compliance or paranoiaHardening cassandra for compliance or paranoia
Hardening cassandra for compliance or paranoia
 

Viewers also liked

My presentation to iCERT in Orlando Florida 10/26/14
My presentation to iCERT in Orlando Florida 10/26/14My presentation to iCERT in Orlando Florida 10/26/14
My presentation to iCERT in Orlando Florida 10/26/14Mark Fletcher, ENP
 
Analytics That Drive The Value Of Content
Analytics That Drive The Value Of Content  Analytics That Drive The Value Of Content
Analytics That Drive The Value Of Content Pajama Program
 
Dell SecureWorks Sale Meeting Presentation
Dell SecureWorks Sale Meeting PresentationDell SecureWorks Sale Meeting Presentation
Dell SecureWorks Sale Meeting PresentationErwin Carrow
 
Pactera - Cloud, Application, Cyber Security Trend 2016
Pactera - Cloud, Application, Cyber Security Trend 2016Pactera - Cloud, Application, Cyber Security Trend 2016
Pactera - Cloud, Application, Cyber Security Trend 2016Kyle Lai
 
Hadoop REST API Security with Apache Knox Gateway
Hadoop REST API Security with Apache Knox GatewayHadoop REST API Security with Apache Knox Gateway
Hadoop REST API Security with Apache Knox GatewayDataWorks Summit
 
Network Security Trends for 2016: Taking Security to the Next Level
Network Security Trends for 2016: Taking Security to the Next LevelNetwork Security Trends for 2016: Taking Security to the Next Level
Network Security Trends for 2016: Taking Security to the Next LevelSkybox Security
 
Securing Hadoop's REST APIs with Apache Knox Gateway Hadoop Summit June 6th, ...
Securing Hadoop's REST APIs with Apache Knox Gateway Hadoop Summit June 6th, ...Securing Hadoop's REST APIs with Apache Knox Gateway Hadoop Summit June 6th, ...
Securing Hadoop's REST APIs with Apache Knox Gateway Hadoop Summit June 6th, ...Kevin Minder
 
Discover Enterprise Security Features in Hortonworks Data Platform 2.1: Apach...
Discover Enterprise Security Features in Hortonworks Data Platform 2.1: Apach...Discover Enterprise Security Features in Hortonworks Data Platform 2.1: Apach...
Discover Enterprise Security Features in Hortonworks Data Platform 2.1: Apach...Hortonworks
 
MT 70 The New Era of Incident Response Planning
MT 70 The New Era of Incident Response PlanningMT 70 The New Era of Incident Response Planning
MT 70 The New Era of Incident Response PlanningDell EMC World
 
MT 68 Hunting for the Threat: When You Don’t Know If You’ve Been Breached
MT 68 Hunting for the Threat: When You Don’t Know If You’ve Been Breached MT 68 Hunting for the Threat: When You Don’t Know If You’ve Been Breached
MT 68 Hunting for the Threat: When You Don’t Know If You’ve Been Breached Dell EMC World
 
Hadoop Security: Overview
Hadoop Security: OverviewHadoop Security: Overview
Hadoop Security: OverviewCloudera, Inc.
 
Hadoop Security Today & Tomorrow with Apache Knox
Hadoop Security Today & Tomorrow with Apache KnoxHadoop Security Today & Tomorrow with Apache Knox
Hadoop Security Today & Tomorrow with Apache KnoxVinay Shukla
 
An Introduction to Accumulo
An Introduction to AccumuloAn Introduction to Accumulo
An Introduction to AccumuloDonald Miner
 
CSE 2016 Future of Cyber Security by Matthew Rosenquist
CSE 2016 Future of Cyber Security by Matthew RosenquistCSE 2016 Future of Cyber Security by Matthew Rosenquist
CSE 2016 Future of Cyber Security by Matthew RosenquistMatthew Rosenquist
 
Hdp security overview
Hdp security overview Hdp security overview
Hdp security overview Hortonworks
 
Outlook Briefing 2016: Cyber Security
Outlook Briefing 2016: Cyber SecurityOutlook Briefing 2016: Cyber Security
Outlook Briefing 2016: Cyber SecurityMastel Indonesia
 
Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Imperva
 

Viewers also liked (19)

My presentation to iCERT in Orlando Florida 10/26/14
My presentation to iCERT in Orlando Florida 10/26/14My presentation to iCERT in Orlando Florida 10/26/14
My presentation to iCERT in Orlando Florida 10/26/14
 
Analytics That Drive The Value Of Content
Analytics That Drive The Value Of Content  Analytics That Drive The Value Of Content
Analytics That Drive The Value Of Content
 
Dell SecureWorks Sale Meeting Presentation
Dell SecureWorks Sale Meeting PresentationDell SecureWorks Sale Meeting Presentation
Dell SecureWorks Sale Meeting Presentation
 
Presentacion BD NoSQL
Presentacion  BD NoSQLPresentacion  BD NoSQL
Presentacion BD NoSQL
 
Pactera - Cloud, Application, Cyber Security Trend 2016
Pactera - Cloud, Application, Cyber Security Trend 2016Pactera - Cloud, Application, Cyber Security Trend 2016
Pactera - Cloud, Application, Cyber Security Trend 2016
 
Hadoop REST API Security with Apache Knox Gateway
Hadoop REST API Security with Apache Knox GatewayHadoop REST API Security with Apache Knox Gateway
Hadoop REST API Security with Apache Knox Gateway
 
Network Security Trends for 2016: Taking Security to the Next Level
Network Security Trends for 2016: Taking Security to the Next LevelNetwork Security Trends for 2016: Taking Security to the Next Level
Network Security Trends for 2016: Taking Security to the Next Level
 
Securing Hadoop's REST APIs with Apache Knox Gateway Hadoop Summit June 6th, ...
Securing Hadoop's REST APIs with Apache Knox Gateway Hadoop Summit June 6th, ...Securing Hadoop's REST APIs with Apache Knox Gateway Hadoop Summit June 6th, ...
Securing Hadoop's REST APIs with Apache Knox Gateway Hadoop Summit June 6th, ...
 
Discover Enterprise Security Features in Hortonworks Data Platform 2.1: Apach...
Discover Enterprise Security Features in Hortonworks Data Platform 2.1: Apach...Discover Enterprise Security Features in Hortonworks Data Platform 2.1: Apach...
Discover Enterprise Security Features in Hortonworks Data Platform 2.1: Apach...
 
MT 70 The New Era of Incident Response Planning
MT 70 The New Era of Incident Response PlanningMT 70 The New Era of Incident Response Planning
MT 70 The New Era of Incident Response Planning
 
MT 68 Hunting for the Threat: When You Don’t Know If You’ve Been Breached
MT 68 Hunting for the Threat: When You Don’t Know If You’ve Been Breached MT 68 Hunting for the Threat: When You Don’t Know If You’ve Been Breached
MT 68 Hunting for the Threat: When You Don’t Know If You’ve Been Breached
 
2016 Trends in Security
2016 Trends in Security 2016 Trends in Security
2016 Trends in Security
 
Hadoop Security: Overview
Hadoop Security: OverviewHadoop Security: Overview
Hadoop Security: Overview
 
Hadoop Security Today & Tomorrow with Apache Knox
Hadoop Security Today & Tomorrow with Apache KnoxHadoop Security Today & Tomorrow with Apache Knox
Hadoop Security Today & Tomorrow with Apache Knox
 
An Introduction to Accumulo
An Introduction to AccumuloAn Introduction to Accumulo
An Introduction to Accumulo
 
CSE 2016 Future of Cyber Security by Matthew Rosenquist
CSE 2016 Future of Cyber Security by Matthew RosenquistCSE 2016 Future of Cyber Security by Matthew Rosenquist
CSE 2016 Future of Cyber Security by Matthew Rosenquist
 
Hdp security overview
Hdp security overview Hdp security overview
Hdp security overview
 
Outlook Briefing 2016: Cyber Security
Outlook Briefing 2016: Cyber SecurityOutlook Briefing 2016: Cyber Security
Outlook Briefing 2016: Cyber Security
 
Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016Top Cyber Security Trends for 2016
Top Cyber Security Trends for 2016
 

Similar to NoSQL, no security?

MySQL Security in a Cloudy World
MySQL Security in a Cloudy WorldMySQL Security in a Cloudy World
MySQL Security in a Cloudy WorldDave Stokes
 
Web Security Threats and Solutions
Web Security Threats and Solutions Web Security Threats and Solutions
Web Security Threats and Solutions Ivo Andreev
 
Amazon RDS for Microsoft SQL: Performance, Security, Best Practices (DAT303) ...
Amazon RDS for Microsoft SQL: Performance, Security, Best Practices (DAT303) ...Amazon RDS for Microsoft SQL: Performance, Security, Best Practices (DAT303) ...
Amazon RDS for Microsoft SQL: Performance, Security, Best Practices (DAT303) ...Amazon Web Services
 
Database Security Threats - MariaDB Security Best Practices
Database Security Threats - MariaDB Security Best PracticesDatabase Security Threats - MariaDB Security Best Practices
Database Security Threats - MariaDB Security Best PracticesMariaDB plc
 
C* Summit 2013: Cassandra at eBay Scale by Feng Qu and Anurag Jambhekar
C* Summit 2013: Cassandra at eBay Scale by Feng Qu and Anurag JambhekarC* Summit 2013: Cassandra at eBay Scale by Feng Qu and Anurag Jambhekar
C* Summit 2013: Cassandra at eBay Scale by Feng Qu and Anurag JambhekarDataStax Academy
 
TechEvent 2019: Oracle to PostgreSQL - a Travel Guide from Practice; Roland S...
TechEvent 2019: Oracle to PostgreSQL - a Travel Guide from Practice; Roland S...TechEvent 2019: Oracle to PostgreSQL - a Travel Guide from Practice; Roland S...
TechEvent 2019: Oracle to PostgreSQL - a Travel Guide from Practice; Roland S...Trivadis
 
Non-Relational Databases at ACCU2011
Non-Relational Databases at ACCU2011Non-Relational Databases at ACCU2011
Non-Relational Databases at ACCU2011Gavin Heavyside
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and preventionhelloanand
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?Nathan Van Gheem
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB DeploymentMongoDB
 
Azure reference architectures
Azure reference architecturesAzure reference architectures
Azure reference architecturesMasashi Narumoto
 
NonStop SQL/MX DBS Explained
NonStop SQL/MX DBS ExplainedNonStop SQL/MX DBS Explained
NonStop SQL/MX DBS ExplainedFrans Jongma
 
Dropping ACID: Wrapping Your Mind Around NoSQL Databases
Dropping ACID: Wrapping Your Mind Around NoSQL DatabasesDropping ACID: Wrapping Your Mind Around NoSQL Databases
Dropping ACID: Wrapping Your Mind Around NoSQL DatabasesKyle Banerjee
 
The Spy Who Loathed Me - An Intro to SQL Server Security
The Spy Who Loathed Me - An Intro to SQL Server SecurityThe Spy Who Loathed Me - An Intro to SQL Server Security
The Spy Who Loathed Me - An Intro to SQL Server SecurityChris Bell
 

Similar to NoSQL, no security? (20)

MySQL Security in a Cloudy World
MySQL Security in a Cloudy WorldMySQL Security in a Cloudy World
MySQL Security in a Cloudy World
 
mongodb_DS.pptx
mongodb_DS.pptxmongodb_DS.pptx
mongodb_DS.pptx
 
Web Security Threats and Solutions
Web Security Threats and Solutions Web Security Threats and Solutions
Web Security Threats and Solutions
 
Amazon RDS for Microsoft SQL: Performance, Security, Best Practices (DAT303) ...
Amazon RDS for Microsoft SQL: Performance, Security, Best Practices (DAT303) ...Amazon RDS for Microsoft SQL: Performance, Security, Best Practices (DAT303) ...
Amazon RDS for Microsoft SQL: Performance, Security, Best Practices (DAT303) ...
 
a
aa
a
 
Database Security Threats - MariaDB Security Best Practices
Database Security Threats - MariaDB Security Best PracticesDatabase Security Threats - MariaDB Security Best Practices
Database Security Threats - MariaDB Security Best Practices
 
C* Summit 2013: Cassandra at eBay Scale by Feng Qu and Anurag Jambhekar
C* Summit 2013: Cassandra at eBay Scale by Feng Qu and Anurag JambhekarC* Summit 2013: Cassandra at eBay Scale by Feng Qu and Anurag Jambhekar
C* Summit 2013: Cassandra at eBay Scale by Feng Qu and Anurag Jambhekar
 
TechEvent 2019: Oracle to PostgreSQL - a Travel Guide from Practice; Roland S...
TechEvent 2019: Oracle to PostgreSQL - a Travel Guide from Practice; Roland S...TechEvent 2019: Oracle to PostgreSQL - a Travel Guide from Practice; Roland S...
TechEvent 2019: Oracle to PostgreSQL - a Travel Guide from Practice; Roland S...
 
Non-Relational Databases at ACCU2011
Non-Relational Databases at ACCU2011Non-Relational Databases at ACCU2011
Non-Relational Databases at ACCU2011
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB Deployment
 
Azure reference architectures
Azure reference architecturesAzure reference architectures
Azure reference architectures
 
Revision
RevisionRevision
Revision
 
NonStop SQL/MX DBS Explained
NonStop SQL/MX DBS ExplainedNonStop SQL/MX DBS Explained
NonStop SQL/MX DBS Explained
 
Ruby on-rails-security
Ruby on-rails-securityRuby on-rails-security
Ruby on-rails-security
 
Dropping ACID: Wrapping Your Mind Around NoSQL Databases
Dropping ACID: Wrapping Your Mind Around NoSQL DatabasesDropping ACID: Wrapping Your Mind Around NoSQL Databases
Dropping ACID: Wrapping Your Mind Around NoSQL Databases
 
Redis meetup
Redis meetupRedis meetup
Redis meetup
 
CDC to the Max!
CDC to the Max!CDC to the Max!
CDC to the Max!
 
The Spy Who Loathed Me - An Intro to SQL Server Security
The Spy Who Loathed Me - An Intro to SQL Server SecurityThe Spy Who Loathed Me - An Intro to SQL Server Security
The Spy Who Loathed Me - An Intro to SQL Server Security
 

Recently uploaded

Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 

Recently uploaded (20)

Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 

NoSQL, no security?

  • 1. NoSQL, no security? Will Urbanski Vulnerability Management, Dell SecureWorks
  • 2. What we will cover today § Why look at NoSQL security? § Relational Database attack vectors § NoSQL attack vectors § Securing NoSQL deployments 2 10/27/12
  • 3. Why look at NoSQL security? 3 10/27/12
  • 4. NoSQL is popular •  Scalability •  Redundancy •  Flexibility •  Rapid development / deployment •  Cost 4 10/27/12
  • 5. “Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket.” [redis.io] 5 10/27/12
  • 6. “The most effective way to reduce risk for MongoDB deployments is to run your entire MongoDB deployment, including all MongoDB components in a trusted environment” [mongodb.org] 6 10/27/12
  • 7. “When you start out fresh, CouchDB allows any request to be made by anyone. [..] it should be obvious that putting a default installation into the wild is adventurous. Any rogue client could come along and delete a database.” [guide.couchdb.org] 7 10/27/12
  • 8. 8 Confidential 10/27/12
  • 9. 9 Confidential 10/27/12
  • 10. Relational Databases (RDBMS) •  Relative Feature Parity •  Integrated Security Features –  Authorization –  Authentication –  Confidentiality 10 10/27/12
  • 11. RDBMS Attack Surfaces •  Software vulnerabilities •  Injection Attacks •  Credential brute forcing •  Privilege escalation –  Offline storage –  Authentication protocols •  Authorization weaknesses •  Insecure configurations –  MITM –  Replay attacks 11 10/27/12
  • 12. Does NoSQL mean “No Security”? 12 10/27/12
  • 13. Injection 13 10/27/12
  • 14. Injection Attacks •  Database diversity is increasing ›  Command-based queries ›  CQL ›  JSON ›  BSON ›  Javascript ›  Custom query languages •  Injection attack surface is increasing –  Query injection –  Schema injection –  Javascript injection •  Attack complexity is increasing 14 10/27/12
  • 15. Collections Tables Collections 15 10/27/12
  • 16. Schema Injection •  Allows an attacker to insert arbitrary key/value pairs into a document –  Attacker can also change the data type of a key •  Feasible when an application iterates POST values to create documents 16 10/27/12
  • 17. Schema Injection •  Schema injection can also be utilized to override existing fields. –  JSON object (replacement occurs in code) –  Query (replacement occurs on DB) •  Last key takes precedence over previous fields. 17 10/27/12
  • 18. Schema Injection •  If non user-specified attributes are included before POST is iterated, the client can inject or modify protected attributes. •  Think ‘HTTP Parameter Pollution’ 18 10/27/12
  • 19. Schema Injection Mitigation •  RDBs mitigate this through the use of strongly typed tables. •  Key enforcement –  Whitelist POST data values that can be added to the document ›  ‘email’, ‘firstName’, ‘lastName’ should always be set via POST. –  Blacklist application-managed keys ›  ‘is_admin’ can never be set via POST. •  Replace or concatenate –  When using native JSON objects, add application-managed keys after adding user inputs. –  When using strings, always concatenate application-managed keys. 19 10/27/12
  • 20. Query Injection •  There are safe and unsafe ways to build JSON queries. •  The good news is… –  Most languages that have implemented JSON-like dictionaries as native objects implement them safely. –  dict = {‘email’: email ,’password’: password} •  The bad news is… –  Strings still exist and can be abused to inject into queries on poorly written applications. –  dict= “{‘email’:’%s’,’password’:’%s’}” % (email, password) •  Language-specific constructs can also be abused –  PHP’s superglobals –  String to JSON conversion 20 10/27/12
  • 21. PHP’s Superglobals •  PHP automatically converts superglobal values to multidimensional arrays –  $_POST – for working with HTTP POST data –  $_GET – for working with HTTP GET data •  This is very handy when working with web forms –  <input type=“text” name=“person[name]” value=“”> –  Can be referenced via $_POST[‘person’][‘name’] •  PHP also uses arrays to represent MongoDB documents –  $user = array( ‘email' => ‘will@localhost', ‘password' => ‘mmmfrenchtoast', ‘date_created' => ‘2012-06-15’ ); 21 10/27/12
  • 22. PHP’s Superglobals •  Adversaries can weaponize superglobals by inserting MongoDB comparison operations in HTTP GET or POST keys –  forgot_password.php? email=will@localhost&security_question[$ne]=1 –  Array ( “email” => “will@localhost”, “security_question” => array(“$ne” => 1) ); •  Kudos to Bryan Sullivan @ Adobe for identifying and reporting this http://blogs.adobe.com/asset/files/2011/04/NoSQL-But-Even-Less-Security.pdf 22 10/27/12
  • 23. Javascript Injection (SSJI) •  Native Javascript support –  Supports Map/Reduce functionality –  Compensates for a lack of native SQL functions ›  Batch processing of collections ›  Aggregation •  Persistent or passed via client •  MongoDB and CouchDB application architectures –  db.eval() –  $where –  Temporary views 23 10/27/12
  • 24. Mitigating Injection Attacks •  Use safe string / JSON operations –  Escape input –  Avoid string concatenation when building queries –  Use native JSON-like objects when available •  Be careful when utilizing GET and POST variables –  Check for use of $operators –  Validate strings do not contain JSON •  Validate document schemas before writing to the database •  Identify and sanitize Javascript in application inputs –  Check for server-side Javascript injection on IPS/WAF, if applicable •  Ensure your defense in depth strategy is looking for these attacks 24 10/27/12
  • 25. Authentication 25 10/27/12
  • 26. Authentication •  Authentication issues: –  Weak authentication methods –  Weak password storage methods –  Password bruteforcing opportunities •  RDBMS –  Rich authentication support –  Account credentials are hashed when stored offline 26 10/27/12
  • 27. Local-only security model •  “When you start out fresh, CouchDB allows any request to be made by anyone. [..] Everybody has privileges to do anything. Neat.” [guide.couchdb.org] •  “If there are no admin users, one may access the database from the localhost interface without authenticating.” [mongodb.org] •  Limited security by default •  Localhost only •  Rapid development •  Ease of use •  Growing pains •  Authentication methods don’t always effectively scale beyond localhost 27 10/27/12
  • 28. Weak authentication methods 1.  HTTP/RESTful authentication 2.  Non-HTTP/RESTful authentication 28 10/27/12
  • 29. HTTP/RESTful authentication •  HTTP BASIC, DIGEST or Cookie-based auth •  May require a reverse proxy server –  Vulnerable to replay and MITM attacks –  Insecure if SSL/TLS/encryption is not implemented or compromised 29 10/27/12
  • 30. Non-HTTP/RESTful solutions •  Ideally would use a challenge-response authentication protocol •  Should be resistant to replay attacks •  Clear-text passwords should be avoided 30 10/27/12
  • 31. Weak password storage methods •  Passwords should never be stored in the clear –  Redis, CouchDB (some cases) •  Passwords should be hashed or encrypted –  Preferably with a secure hashing algorithm –  MongoDB ›  MD5(username + “:mongo:” + password) –  CouchDB ›  Salt is a randomly generated 128-bit UUID ›  PW = “-hashed-” + SHA1(password + salt) + “,” + salt •  Access to password storage should be limited 31 10/27/12
  • 32. Password bruteforcing •  Online password bruteforcing –  Redis’ AUTH commands are not rate limited or restricted in any way –  An attacker could repeatedly issue the AUTH command until the correct password was identified 32 10/27/12
  • 33. Authentication •  Authentication schemes vary widely depending on the NoSQL database being used •  Native authentication schemes are relatively weak –  Replay attacks –  Password bruteforcing –  Information leakage •  Pluggable authentication is generally not supported 33 10/27/12
  • 34. Authorization 34 10/27/12
  • 35. Authorization •  Specifies access rights to resources and operations within the database •  SQL’s Data Control Language (DCL) –  GRANT, REVOKE 35 10/27/12
  • 36. NoSQL Authorization •  Architecture dependent •  Per-database, not per-collection •  Generally course-grained 36 10/27/12
  • 37. Each architecture is different •  No corollary for SQL’s DCL •  Common authorization features: –  ADMIN role –  Differentiation between Read and Write –  Authorization not required until enabled 37 10/27/12
  • 38. Inventive Solutions •  Validation Functions •  Role-based Access Control –  User roles –  Security groups •  Command Renaming –  Authorization through obscurity 38 10/27/12
  • 39. Confidentiality 39 10/27/12
  • 40. Confidentiality •  Protect data at rest and in transit •  Confidentiality in transit –  SSL/TLS –  Mutually verifiable (key exchange) •  Confidentiality at rest –  Integrated cryptographic functionality –  Ability to encrypt data in the database –  Easy access to hashing functions 40 10/27/12
  • 41. NoSQL Confidentiality •  In transit –  Some SSL support –  HTTP/REST-based solutions generally recommend use of HTTPS reverse proxies –  Non-REST based solutions recommend the use of stunnel, VPNs, or a transport-layer encryption technology •  At rest •  Third party applications exist to provide advanced authorization and confidentiality functionality to existing databases 41 10/27/12
  • 42. Securing NoSQL 42 10/27/12
  • 43. Securing NoSQL •  Trusted operating environment –  Scoping –  Identifying ingress and egress •  Compliance Issues –  PCI •  Compensating Controls –  Architecture limitations 43 10/27/12
  • 44. #1 Understand your solution •  No two NoSQL solutions are the same –  Read the manual! •  Understand the environment –  Define “trusted environment” –  Understand ingress/egress •  Architecture –  Software –  Capabilities –  Controls •  Defense in Depth 44 10/27/12
  • 45. #2 Beware architecture creep •  Additional architecture may be required •  Increased TCO, deployment times •  Identify these needs during development 45 10/27/12
  • 46. #3 Always Validate •  The NoSQL injection attack surface is diverse –  Schema, query, and javascript injection attacks affect architectures differently. •  Understand how these attacks can affect your application and NoSQL environment •  Continue to validate for traditional (SQLi, XSS) and non-traditional injection (NoSQLi, SSJI) attacks. 46 10/27/12
  • 47. #4 Work with Vendors •  Dynamic projects; quick release cycles •  If your NoSQL solution doesn't support the features you need, ask for them. •  Several of the shortcomings we have discussed today are “on the roadmap” 47 10/27/12
  • 48. Thank you! I value your feedback Twitter: @willurbanski 48 10/27/12
  • 49. Picture Credits •  14 – Red Bull •  15 – Flickr.com / ActiveGuy98 •  22 – Flickr.com / John Kannenberg •  22 – Flickr.com / Angelberries •  34 – mysecuritysign.com •  54 – Flickr.com / James Pullen 49 10/27/12

Editor's Notes

  1. So what are the implications of Schema injection? Well for starters, there can be performance implications for the database. We can also do fun things like apply different data types to different keys in different rows. So our password in document #1 can be a string, while our password in document #2 could be an integer. Again, normally these constraints would be enforced by an application, but since they aren’t an attacker may be able to use this to their advantage, perhaps to bypass a login mechanism.To mitigate these attacks in a NoSQL environment we need to ensure that only valid keys are explicitly allowed into the database. Additional, unnecessary keys should be blocked or dropped. This is not an issue in the SQL world because the strongly typed table environment prevents any additional schemas from being added, and what benefit could you gain from creating extra, unused tables?And here’s the scary part, a lot of frameworks are already advocating or implementing code that simpy iterates over the post data. This is a Bad Idea™. From a penetration testers perspective, this is a gold mine.
  2. 10k passwords on a VM, in about 30 seconds.~ 1,000,000 passwords in a little under an hour