Transcript of slides: NoSQL, But Even Less Security (Adobe Security blog, April 2011)
© 2011 Adobe Systems Incorporated. All Rights Reserved.
NoSQL, But Even Less Security
Bryan Sullivan, Senior Security Researcher, Adobe Secure Software Engineering Team
Agenda
Eventual Consistency
REST APIs and CSRF
NoSQL Injection
SSJS Injection
NoSQL databases
Eric Brewer's CAP Theorem
Choose any two:
Consistency
Availability
Partition tolerance
Eventual consistency in social networking
Writes don’t propagate immediately
Reading stale data
Reading stale data – a more serious case
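The stale-read problem as an added example (this code is not from the slides): a toy primary/replica store with deferred replication, read by an authorisation check. The concrete scenario, an access-control entry revoked on the primary that a lagging replica still honours, is my assumption about what the "more serious case" looks like; the slides do not spell it out, and the store, key names and users are constructed for the example.

```javascript
// Added example: toy replicated key/value store with asynchronous replication.
// Scenario (assumed, not from the slides): an access-control entry is revoked on
// the primary, but a replica keeps answering with the old value until the write
// reaches it. Any node allowed to serve reads can hand out that stale answer.

class ReplicatedStore {
  constructor(replicaCount) {
    this.primary = new Map();
    this.replicas = Array.from({ length: replicaCount }, () => new Map());
    this.pending = []; // writes acknowledged by the primary but not yet replicated
  }

  // The client gets its ack as soon as the primary has the write.
  write(key, value) {
    this.primary.set(key, value);
    this.pending.push({ key, value });
  }

  // Replication "eventually" catches up; until this runs, replicas are behind.
  replicate() {
    for (const { key, value } of this.pending) {
      for (const replica of this.replicas) replica.set(key, value);
    }
    this.pending = [];
  }

  // Eventually-consistent read: node 0 is the primary, 1..n are replicas.
  readFrom(node, key) {
    const source = node === 0 ? this.primary : this.replicas[node - 1];
    return source.get(key);
  }
}

// Authorisation decision driven by whatever the chosen node returns.
function canReadProfile(store, node, viewer, owner) {
  const acl = store.readFrom(node, `acl:${owner}`) || [];
  return acl.includes(viewer);
}

// Walks through the failure mode and returns each decision so it can be checked.
function staleReadDemo() {
  const store = new ReplicatedStore(2);
  store.write('acl:alice', ['bob', 'carol']);
  store.replicate(); // initial state is fully propagated

  // Alice blocks Bob. The primary acks at once; the replicas are still behind.
  store.write('acl:alice', ['carol']);

  const fromPrimary = canReadProfile(store, 0, 'bob', 'alice');  // false
  const fromReplica = canReadProfile(store, 1, 'bob', 'alice');  // true: stale ACL

  store.replicate();
  const afterCatchUp = canReadProfile(store, 1, 'bob', 'alice'); // false

  return { fromPrimary, fromReplica, afterCatchUp };
}
```

The defence is to route security-sensitive reads (ACLs, session and token revocation, balances) to the primary or to a quorum read, and to accept eventual consistency only for data where a stale answer is harmless.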
Authentication is unsupported or discouraged
From the MongoDB documentation
“One valid way to run the Mongo database is in a trusted environment, with no security and authentication”
This “is the default option and is recommended”
From the Cassandra Wiki
“The default AllowAllAuthenticator approach is essentially pass-through”
From CouchDB: The Definitive Guide
The “Admin Party”: Everyone can do everything by default
Riak
No authentication or authorization support
Port scanning
If an attacker finds an open port, he's already won...

Database    Default port(s)
MongoDB     27017, 28017, 27080
CouchDB     5984
HBase       9000
Cassandra   9160
Neo4j       7474
Riak        8098
Port Scanning Demo
REST document API examples (CouchDB)

Retrieve a document
GET /mydb/doc_id HTTP/1.0

Create a document
POST /mydb/ HTTP/1.0
{"album" : "Brothers", "artist" : "Black Keys"}

Update a document
PUT /mydb/doc_id HTTP/1.0
{"album" : "Brothers", "artist" : "The Black Keys"}

Delete a document
DELETE /mydb/doc_id?rev=12345 HTTP/1.0
Cross-Site Request Forgery (CSRF) firewall bypass
Traditional GET-based CSRF
<img src="http://nosql:5984/_all_dbs"/>
Easy to make a potential victim request this URL
But it doesn’t do the attacker any good
He needs to get the data back out to himself
RIA GET-based CSRF
<script>
var xhr = new XMLHttpRequest();
xhr.open('get', 'http://nosql:5984/_all_dbs');
xhr.send();
</script>
Just as easy to make a potential victim request this URL
But the same-origin policy (usually) stops the attacker here: the browser sends the GET, but the attacker's script cannot read the response unless the database opts in with CORS headers
Same issue for PUT and DELETE: a cross-origin XMLHttpRequest with those methods requires a CORS preflight, so the request is not even sent unless the server allows it
POST-based CSRF
<form method='post' enctype='text/plain' action='http://nosql:5984/db'>
<!-- text/plain encoding sends "name=value" verbatim, so the "=" the browser inserts lands inside a dummy JSON string and the body is still valid JSON -->
<input type='hidden' name='{"album":"Brothers","artist":"Black Keys","pad":"' value='"}' />
</form>
<script>
document.forms[0].submit(); // auto-submit the form
</script>
Ok by the same-origin policy!
REST-CSRF Demo
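The mechanics behind the demo, as an added example (this is not the slides' demo code): it reproduces how a browser encodes a form submission, shows why a text/plain form yields a body a JSON REST endpoint will accept while the default encoding does not, and gives the server-side check that refuses such a request. The allowed-origin list, the header names and the sample document are assumptions for the example.

```javascript
// Added example, not from the slides. Two halves: how an HTML form can deliver a
// JSON document to a REST endpoint cross-site, and the server-side checks that
// refuse such a request.

// Browser encoding of a form with enctype="text/plain": one "name=value" line per
// field, no escaping. The "=" the browser inserts is the attacker's only constraint.
function textPlainFormBody(fields) {
  return fields.map(([name, value]) => `${name}=${value}`).join('\r\n') + '\r\n';
}

// Default enctype (application/x-www-form-urlencoded), approximated: every byte
// outside the unreserved set is percent-encoded, which destroys the JSON syntax.
function urlEncodedFormBody(fields) {
  return fields
    .map(([name, value]) => `${encodeURIComponent(name)}=${encodeURIComponent(value)}`)
    .join('&');
}

// Attacker's form (constructed): the whole document is the field name, and the
// "=" plus the field value close a throwaway "pad" string so the result parses.
const csrfFields = [
  ['{"artist":"Black Keys","album":"Brothers","pad":"', '"}'],
];

function parseJsonBody(body) {
  try {
    return JSON.parse(body);
  } catch (e) {
    return null;
  }
}

// Server side. Returns null to accept, or the name of the check that failed.
// Policy (assumed for this example): a write must carry Content-Type
// application/json, which no HTML form can produce and which forces a CORS
// preflight for scripted cross-origin requests; and an Origin header, when the
// browser sends one, must be on the allow-list.
function rejectWriteReason(headers, allowedOrigins) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;

  const mediaType = (lower['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (mediaType !== 'application/json') return 'content-type';

  if (lower.origin !== undefined && !allowedOrigins.includes(lower.origin)) return 'origin';

  return null;
}
```

These checks are defence in depth: the deck's first conclusion, real authentication on the database, is still the primary control, because a content-type or Origin check does nothing against an attacker who can reach the port directly.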
POST is all an attacker needs
Insert arbitrary data
Insert arbitrary script data
Execute any REST command from inside the firewall
NoSQL injection
Most developers believe they don't have to worry about things like this
"...with MongoDB we are not building queries from strings, so traditional SQL injection attacks are not a problem."
- MongoDB Developer FAQ
They're mostly correct
MongoDB and PHP
MongoDB expects queries as JSON-style documents (objects), not as strings
find( { 'artist' : 'The Black Keys' } )
In PHP, you do this with associative arrays
$collection->find(array('artist' => 'The Black Keys'));
This makes injection attacks difficult
Like parameterized queries for SQL
MongoDB and PHP
You also use associative arrays for query criteria
find( { 'album_year' : { '$gte' : 2011 } } )
find( { 'artist' : { '$ne' : 'Lady Gaga' } } )
But PHP will automatically create associative arrays from querystring inputs with square brackets
page.php?param[foo]=bar
$_GET['param'] == array('foo' => 'bar');
NoSQL Injection Demo
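The demo as an added example, written in JavaScript rather than the slides' PHP (this is not the slides' code): the query-string parser below reproduces PHP's bracket-to-array behaviour, and a small in-memory matcher stands in for MongoDB's query engine so the effect of an operator object such as {"$ne": ""} can be seen offline. The user collection, the field names and the login functions are assumptions constructed for the example.

```javascript
// Added example, not from the slides. Reproduces in JavaScript what the slides
// describe for PHP: "param[foo]=bar" becomes a nested object, and the driver
// passes that object through unchanged, where the database reads it as operators.

// Query-string parser with PHP-style bracket nesting: a[b][c]=d -> {a: {b: {c: 'd'}}}.
function parseQueryString(qs) {
  const params = Object.create(null); // no prototype, so "__proto__" keys are inert
  const decode = (s) => decodeURIComponent(s.replace(/\+/g, ' '));
  for (const pair of qs.replace(/^\?/, '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
    const path = decode(rawKey).match(/[^\[\]]+/g) || [];
    let node = params;
    path.forEach((segment, i) => {
      if (i === path.length - 1) {
        node[segment] = decode(rawVal);
      } else {
        if (typeof node[segment] !== 'object' || node[segment] === null) {
          node[segment] = Object.create(null);
        }
        node = node[segment];
      }
    });
  }
  return params;
}

// Tiny stand-in for MongoDB's matcher: a plain value means equality, an object
// means operators. That distinction is exactly what the attacker exploits.
const OPERATORS = {
  $ne: (field, arg) => field !== arg,
  $gt: (field, arg) => field > arg,
  $gte: (field, arg) => field >= arg,
  $lt: (field, arg) => field < arg,
  $lte: (field, arg) => field <= arg,
  $regex: (field, arg) => new RegExp(arg).test(String(field)),
};

function matches(doc, query) {
  return Object.keys(query).every((field) => {
    const condition = query[field];
    const value = doc[field];
    if (condition !== null && typeof condition === 'object') {
      return Object.keys(condition).every(
        (op) => Object.prototype.hasOwnProperty.call(OPERATORS, op)
          && OPERATORS[op](value, condition[op]),
      );
    }
    return value === condition;
  });
}

function find(collection, query) {
  return collection.filter((doc) => matches(doc, query));
}

// Constructed sample data for the example.
const users = [
  { username: 'admin', password: 's3cret-admin' },
  { username: 'bob', password: 'hunter2' },
];

// Vulnerable: the PHP equivalent is
//   $collection->find(array('username' => $_GET['username'], 'password' => $_GET['password']))
function loginVulnerable(queryString) {
  const p = parseQueryString(queryString);
  const hit = find(users, { username: p.username, password: p.password })[0];
  return hit ? hit.username : null;
}

// Hardened: refuse anything that is not a plain string before it reaches the
// query (in PHP: an is_array() check, or a (string) cast on each input).
function loginHardened(queryString) {
  const p = parseQueryString(queryString);
  if (typeof p.username !== 'string' || typeof p.password !== 'string') return null;
  const hit = find(users, { username: p.username, password: p.password })[0];
  return hit ? hit.username : null;
}
```

With the vulnerable function, ?username=admin&password[$ne]= logs in as admin without the password, and ?username[$regex]=^adm&password[$gt]= does the same without even knowing the username; the hardened function returns null for both because an array arrived where a string was expected.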
$where queries
The $where clause lets you specify script to filter results
find( { '$where' : 'function() { return this.artist == "Weezer"; }' } )
// matches documents whose artist name length has no divisor between 2 and len-1
find( { '$where' : 'function() { var len = this.artist.length; for (var i = 2; i < len; i++) { if (len % i == 0) return false; } return true; }' } )
NoSQL Injection Demo #2
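The second demo as an added example (this is not the slides' demo code): a stand-in for MongoDB's $where evaluation, which compiles the supplied JavaScript and calls it once per document with this bound to the document, beside a query that builds that script from user input. The album collection and the payloads are constructed for the example.

```javascript
// Added example, not from the slides. Models what the database does with a
// $where clause: compile the string as JavaScript and run it against every
// document. When the string is assembled from user input, the user is writing
// code that runs on the database server.

// Constructed sample collection.
const albums = [
  { artist: 'Weezer', album: 'Pinkerton', year: 1996 },
  { artist: 'The Black Keys', album: 'Brothers', year: 2010 },
  { artist: 'Lady Gaga', album: 'The Fame', year: 2008 },
];

// Stand-in for the server's $where evaluator: `this` is the current document.
function whereFind(collection, whereSource) {
  const predicate = new Function('return (' + whereSource + ');')();
  return collection.filter((doc) => Boolean(predicate.call(doc)));
}

// Vulnerable: user input spliced into the script, the SSJI red flag from the slides.
function findByArtistVulnerable(userInput) {
  const where = 'function() { return this.artist == "' + userInput + '"; }';
  return whereFind(albums, where);
}

// Payload that turns the predicate into a tautology and dumps the collection.
const DUMP_ALL = '" || true || "';

// Payload showing the injected text is real code, not just a changed comparison:
// it evaluates an arbitrary expression per document and leaks the answer through
// which documents match (here: a field the query never mentioned).
const YEAR_PROBE = '" || this.year > 2005 || "';

// Hardened: no server-side script at all; the same search as a structured
// equality query, after checking the input is a plain string.
function findByArtistHardened(userInput) {
  if (typeof userInput !== 'string') return [];
  return albums.filter((doc) => doc.artist === userInput);
}
```

Because the injected text is compiled as JavaScript, an attacker is not limited to changing the comparison: a CPU-burning loop in the same position is a denial of service against the database server. Where server-side script is not needed at all, mongod can be started with --noscripting so that $where and map/reduce are refused outright.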
Browser war fallout
Browser wars have given us incredibly fast and powerful JS engines
Used for a lot more than just browsers
Like NoSQL database engines...
V8, WebKit Nitro, SpiderMonkey, Rhino
Server-side JavaScript injection vs. XSS
Client-side JavaScript injection (aka XSS) is #2 on the OWASP Top Ten (2010 list)
Use it to steal authentication cookies
Impersonate the victim
Create inline phishing sites
Self-replicating web worms, e.g. Samy
It's really bad.
But server-side is much worse.
Server-Side Javascript Injection (SSJI)
SSJI red flags
$where clauses
    Built with user input
    Injected from querystring manipulation
eval() clauses
Map/Reduce
Stored views/design docs
    More CSRF possibilities here
Wrapping Up
Conclusions
1. Always use authentication/authorization. Firewalls alone are not sufficient
    Sometimes you may have to write your own auth code
    This is unfortunate but better than the alternative
2. Be extremely careful with server-side script. Validate, validate, validate
    Escape input too
Read my blog: http://blogs.adobe.com/asset
Email me: brsulliv