• No results found

NoSQL, But Even Less Security Bryan Sullivan, Senior Security Researcher, Adobe Secure Software Engineering Team

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "NoSQL, But Even Less Security Bryan Sullivan, Senior Security Researcher, Adobe Secure Software Engineering Team"

Copied!
37
0
0

Loading.... (view fulltext now)

Download now ( 37 Page )

Full text

(1)

NoSQL, But Even Less Security

(2)

Agenda

Eventual Consistency

REST APIs and CSRF

NoSQL Injection

(3)
(4)

Eric Brewer’s CAP Theorem

Choose any two:

Availability

Consistency

Partition

Tolerance

(5)
(6)
(7)
(8)
(9)

Agenda

Eventual Consistency

REST APIs and CSRF

NoSQL Injection

SSJS Injection

(10)

Authentication is unsupported or discouraged

From the MongoDB documentation

“One valid way to run the Mongo database is in a trusted environment,

with no security and authentication”

This “is the default option and is recommended”

From the Cassandra Wiki

“The default AllowAllAuthenticator approach is essentially pass-through”

From CouchDB: The Definitive Guide

The “Admin Party”: Everyone can do everything by default

Riak

(11)

Port scanning

If an attacker finds an open port, he’s already won…

Database

Default Port

MongoDB

27017

28017

27080

CouchDB

5984

Hbase

9000

Cassandra

9160

Neo4j

7474

Riak

8098

(12)
(13)

Port scanning

If an attacker finds an open port, he’s already won…

Database

Default Port

MongoDB

27017

28017

27080

CouchDB

5984

Hbase

9000

Cassandra

9160

Neo4j

7474

Riak

8098

(14)

REST document API examples (CouchDB)

Retrieve a document

GET /mydb/doc_id HTTP/1.0

Create a document

POST /mydb/ HTTP/1.0

{

"album" : "Brothers",

"artist" : "Black Keys"

}

Update a document

PUT /mydb/doc_id HTTP/1.0

{

"album" : "Brothers",

"artist" : "The Black Keys"

}

Delete a document

DELETE /mydb/doc_id?

rev=12345 HTTP/1.0

(15)
(16)

REST document API examples (CouchDB)

Retrieve a document

GET /mydb/doc_id HTTP/1.0

Create a document

POST /mydb/ HTTP/1.0

{

"album" : "Brothers",

"artist" : "Black Keys"

}

Update a document

PUT /mydb/doc_id HTTP/1.0

{

"album" : "Brothers",

"artist" : "The Black Keys"

}

Delete a document

DELETE /mydb/doc_id?

rev=12345 HTTP/1.0

(17)

Traditional GET-based CSRF

<img src="http://nosql:5984/_all_dbs"/>

Easy to make a potential victim request this URL

But it doesn’t do the attacker any good

(18)

RIA GET-based CSRF

<script>

var xhr = new XMLHttpRequest();

xhr.open('get', 'http://nosql:5984/_all_dbs');

xhr.send();

</script>

Just as easy to make a potential victim request this URL

Same-origin policy won’t allow this (usually)

(19)

POST-based CSRF

<form method=post action='http://nosql:5984/db'>

<input type='hidden' name='{"data"}' value='' />

</form>

<script>

// auto-submit the form

</script>

(20)
(21)

POST is all an attacker needs

Insert arbitrary data

Insert arbitrary script data

Execute any REST command from

inside the firewall

(22)

Agenda

Eventual Consistency

REST APIs and CSRF

NoSQL Injection

(23)

Most developers believe they don’t have to worry

about things like this

“…with MongoDB we are not building queries from

strings, so traditional SQL injection attacks are not a

problem.”

-MongoDB Developer FAQ

They’re

mostly

correct

(24)

MongoDB and PHP

MongoDB expects input in JSON array format

find( { 'artist' : 'The Black Keys' } )

In PHP, you do this with associative arrays

$collection->find(array('artist' => 'The Black Keys'));

This makes injection attacks difficult

Like parameterized queries for SQL

(25)

MongoDB and PHP

You also use associative arrays for query criteria

find( { 'album_year' : { '$gte' : 2011} } )

find( { 'artist' : { '$ne' : 'Lady Gaga' } } )

But PHP will automatically create associative arrays

from querystring inputs with square brackets

page.php?param[foo]=bar

(26)
(27)

The $where clause lets you specify script to filter results

find( { '$where' : 'function() { return artist == "Weezer"; }}' )

find ( '$where' : 'function() {

var len = artist.length;

for (int i=2; i<len; i++) {

if (len % I == 0) return false;

}

return true; }')

(28)
(29)

Agenda

Eventual Consistency

REST APIs and CSRF

NoSQL Injection

(30)

Browser wars have given us incredibly fast and powerful JS engines

Used for a lot more than just browsers

Like NoSQL database engines…

Browser war fallout

V8

WebKit

Nitro

SpiderMonkey

Rhino

(31)

Server-side JavaScript injection vs. XSS

Client-side JavaScript injection

(aka XSS) is #2 on OWASP Top Ten

Use it to steal authentication cookies

Impersonate victim

Create inline phishing sites

Self-replicating webworms ie Samy

(32)
(33)

SSJI red flags

$where clauses

Built with user input

Injected from querystring manipulation

eval() clauses

Map/Reduce

(34)
(35)

Conclusions

1.

Always use authentication/authorization.

Firewalls alone are not sufficient

Sometimes you may have to write your own auth code

This is unfortunate but better than the alternative

2.

Be extremely careful with server-side script.

Validate, validate, validate

Escape input too

(36)

Read my blog: http://blogs.adobe.com/asset

Email me: brsulliv

(37)

References

Download now ( PDF - 37 Page - 0.95 MB )

Related documents

TEXAS COURT OF CRIMINAL APPEALS CASE NO. WR-83, IN RE STATE OF TEXAS EX REL. ABELINO REYNA Relator. Trial Cause No.

Clendennen’s arrest, into perspective, a review of the docket sheets in the other infamous Waco case- the Branch Davidian case- reveals that a “gag order” was not entered

STRUCTURAL FAILURES OF EARTH DAMS IN NIGERIA: A CASE STUDY OF CHAM DAM IN GOMBE STATE

The study investigates the reasons for failure of earth dams in Nigeria with emphasis on dams owned by the River Basin Development Authorities of the Federal Ministry of

Gridlock, innovation and resilience in global health governance.

Type of governance innovation HIV/AIDS Ebola AMR General/Other Creation of new institutions and governance arrangements New institutions and partnerships : UNAIDS, GFATM, Unitaid PDPs

Present a New Middleware to Control and Management Database Distributed Environment

Also, we studied the performance of CMDBMS in horizontal, vertical and complete scalabilities in the distributed environment and, we compared this performance with

Shift work and cardiovascular events: a reanalysis of a systematic review

a) We are going to measure the duration of exposure in years if associated with cardiovascular events. An article which states the years of work service and

Corporate governance and the theory of the firm: a re-assessment of shareholder primacy in the light of limited liability and the position of creditors

Corporate governance and the theory of the firm: a re-assessment of shareholder primacy in the light of limited liability and the position of creditors..

LocalAnesthetics:Uses andtoxicities

Further peak concentrations from the neck infusion were reached much earlier (5.8 hours) than those from the lower-extremity infusion (12.8 hours). Studies have shown that

IN THE COURT OF APPEALS OF OHIO SECOND APPELLATE DISTRICT MONTGOMERY COUNTY : : : : : : : : : :... O P I N I O N

Henley, acting pro se, appeals a decision of the Montgomery County Court of Common Pleas, Criminal Division, overruling his “notice of plain error,” in which he argued that the