NoSQL - No Security? - The BSides Edition
Transcript of NoSQL - No Security? - The BSides Edition
![Page 1: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/1.jpg)
NoSQL – No Security?
A way to lose even more stuff
Gavin Holt (@GavinHolt)
![Page 2: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/2.jpg)
What we will cover today
- What is Big Data?
- What is NoSQL?
- Why NoSQL Security is an issue
- NoSQL Vulnerabilities
- Securing NoSQL Installations
![Page 3: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/3.jpg)
What is Big Data?
Datasets that are so large or complex that they are difficult to process using traditional database processing applications
![Page 4: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/4.jpg)
2.5 quintillion bytes (1 followed by 18 zeros)
Data being generated every day (IBM)
![Page 5: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/5.jpg)
2.5 Petabytes (1048576 Gigabytes)
The total size of Walmart's transaction database (The Economist)
![Page 6: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/6.jpg)
40 Terabytes per second
Data generated by experiments on the LHC at CERN (The Economist)
![Page 7: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/7.jpg)
72 Hours per Minute
Video uploaded to YouTube (Google Inc.)
![Page 8: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/8.jpg)
That is a lot of data!
Try running any of them in MS Access
![Page 9: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/9.jpg)
What is NoSQL?
“Not Only SQL”
![Page 10: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/10.jpg)
Umbrella Term
Type of System – Not a Product
![Page 11: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/11.jpg)
Not the Traditional Relational Model
![Page 12: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/12.jpg)
Generally don’t use tables
![Page 13: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/13.jpg)
Optimised for appends and retrieves
Do very little other than record storage
![Page 14: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/14.jpg)
Highly Scalable & Very Quick
This is all about speed and size
![Page 15: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/15.jpg)
Why use NoSQL?
Why the Big Data/NoSQL Hype?
![Page 16: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/16.jpg)
Eventual Consistency
Delays in writing across nodes slow down your application
![Page 17: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/17.jpg)
User Updates Social Network
Social Network uses a load balancer
![Page 18: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/18.jpg)
Writes don’t propagate immediately
Data is now inconsistent
![Page 19: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/19.jpg)
Reading Stale Data
Users now being served old data from nodes that haven’t been updated
![Page 20: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/20.jpg)
A more serious example
Data needs to be propagated quickly – NoSQL allows for that
Diagram from Adobe Security Labs
![Page 21: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/21.jpg)
NoSQL Vulnerabilities
How do these compare to traditional databases?
![Page 22: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/22.jpg)
The Developer
By Laziness or Ignorance
![Page 23: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/23.jpg)
Little to no Authentication
“Trusted Environments”
![Page 24: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/24.jpg)
NoSQL Injection
![Page 25: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/25.jpg)
Helpful isn’t always useful
Flattening associative arrays
![Page 26: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/26.jpg)
MongoDB Example
http://example.com/login.php?username=admin&passwd=mysuperpassword
![Page 27: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/27.jpg)
MongoDB Example
http://example.com/login.php?username=admin&passwd[$ne]=1
![Page 28: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/28.jpg)
MongoDB Example
http://example.com/login.php?username=admin&passwd[$ne]=1
![Page 29: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/29.jpg)
MongoDB Example
MYSQL | NOSQL
![Page 30: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/30.jpg)
MongoDB Example
MYSQL | NOSQL
![Page 31: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/31.jpg)
Server Side Javascript Injection
![Page 32: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/32.jpg)
Server Side Javascript Injection
![Page 33: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/33.jpg)
Server Side Javascript Injection
![Page 34: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/34.jpg)
Server Side Javascript Injection
![Page 35: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/35.jpg)
Server Side Javascript Injection
![Page 36: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/36.jpg)
Server Side Javascript Injection
![Page 37: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/37.jpg)
Example of an Attack
![Page 38: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/38.jpg)
CSRF can be used to bypass firewalls
Diagram from Adobe Security Labs
![Page 39: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/39.jpg)
POST is all an Attacker needs
- Inserting Data
- Inserting Script Data
- Execute any REST command from inside the firewall
![Page 40: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/40.jpg)
Securing NoSQL
One does not simply secure NoSQL </meme>
![Page 41: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/41.jpg)
Sanitize Inputs
Don’t trust users (or other systems!)
![Page 42: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/42.jpg)
Be in control of your query building
Don’t simply concatenate user input
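The MongoDB login example earlier (the `passwd[$ne]=1` URL) and this slide's advice to control query building are illustrated below with an added Python example that is not part of the original deck. It mimics PHP's flattening of `passwd[$ne]=1` into a nested array, evaluates the resulting filter against a constructed in-memory user list standing in for a MongoDB collection, and contrasts the vulnerable login with one that rejects operator objects. The `USERS` list, `php_style_parse` and the minimal `$ne` matcher are all constructed for this example.

```python
from urllib.parse import parse_qsl

# Constructed sample "collection"; plaintext passwords only mirror the slide's example.
USERS = [{"username": "admin", "passwd": "mysuperpassword"}]


def php_style_parse(query: str) -> dict:
    """Mimic PHP's $_GET handling: 'passwd[$ne]=1' becomes {'passwd': {'$ne': '1'}}."""
    params: dict = {}
    for key, value in parse_qsl(query):
        if key.endswith("]") and "[" in key:
            base, sub = key[:-1].split("[", 1)
            params.setdefault(base, {})[sub] = value
        else:
            params[key] = value
    return params


def matches(doc: dict, query: dict) -> bool:
    """Minimal Mongo-style filter evaluation: plain equality plus the $ne operator."""
    for field, cond in query.items():
        actual = doc.get(field)
        if isinstance(cond, dict):
            # An operator object from the query string is treated as a query operator,
            # exactly as the driver would when the dict is passed through unchecked.
            if "$ne" in cond and actual == cond["$ne"]:
                return False
        elif actual != cond:
            return False
    return True


def find_one(query: dict):
    return next((d for d in USERS if matches(d, query)), None)


def login_vulnerable(query_string: str) -> bool:
    """Passes whatever the query string produced straight into the filter."""
    p = php_style_parse(query_string)
    return find_one({"username": p.get("username"), "passwd": p.get("passwd")}) is not None


def login_hardened(query_string: str) -> bool:
    """Refuses anything that is not a plain string, so no operator object reaches the query."""
    p = php_style_parse(query_string)
    username, passwd = p.get("username"), p.get("passwd")
    if not isinstance(username, str) or not isinstance(passwd, str):
        return False
    return find_one({"username": username, "passwd": passwd}) is not None
```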
![Page 43: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/43.jpg)
Check how your solution works
Read the manual
![Page 44: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/44.jpg)
All other SQL Best Practice
These aren’t different attack vectors – just new
![Page 45: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/45.jpg)
Questions?
Twitter: @GavinHolt
LinkedIn: http://uk.linkedin.com/in/gavinholt/
Email: [email protected] all day – Grab me for a chat.
![Page 46: NoSQL - No Security? - The BSides Edition](https://reader033.fdocuments.net/reader033/viewer/2022061200/5471e580b4af9fae0a8b4d46/html5/thumbnails/46.jpg)
NoSQL – No Security?
A way to lose even more stuff
Gavin Holt (@GavinHolt)