This talk was given at DEF CON 2010 by Kuon Ding and Wayne Huang
https://www.defcon.org/html/defcon-18/dc-18-speakers.html#Huang
NOSQL == NO SQL INJECTIONS?
This is a short talk on NoSQL technologies and their impact on traditional injection threats such as SQL injection. The talk surveys existing NoSQL technologies, then demos proof-of-concept threats found with CouchDB. We then discuss the impact of NoSQL technologies on existing security technologies such as blackbox scanning, static analysis, and web application firewalls.
7. Types of NoSQL
What’s challenging for security researchers:
NoSQL is characterised by its diversity
Within the same family of NoSQL, implementations (of the client library) differ widely
29. Connection Pollution
Using CouchDB as example
RESTful
Cross-Database / Pool Access
CouchDB’s Global and DB Handler
Easier: Handlers are all RESTful
Ex:
NoSQL.connect("http://couchDB/_restart")
33. Connection Pollution
Using CouchDB as example
RESTful
Cross-Database / Pool Access
CouchDB’s Global and DB Handler
Harder: Even when an injection vector exists, crossing DBs is difficult
Traditional SQL: Connect -> SQL injection -> Jump DB or table
Ex:
NoSQL.connect("http://".$Pool."/DC18/")
NoSQL.connect("http://POOL/".$Database)
34. Document-Based Issues: JSON Injection (CouchDB)
DATA Manipulation!!
DRY (Don’t Repeat Yourself) -- leverage existing JSON implementations
If we really need to implement our own JSON parser:
The troublemaker is the String type
• Try to use a Collection type such as hash and map
When handling tainted strings, you must escapeJSON() / unescapeJSON()
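To make the slide's point concrete, here is an added example (not from the talk) in Python: the same document built three ways, by raw string concatenation, by a hand-written escapeJSON(), and by serialising a dict with the standard json module. The tainted username is a constructed value; with concatenation it adds an "admin" field to the stored document, while the other two builders keep it as a plain string.

```python
import json

# Constructed tainted input: a username that tries to smuggle an extra
# field into the stored document. (Example value, not from the talk.)
TAINTED_USERNAME = 'bob", "admin": true, "x": "'


def escape_json_string(s: str) -> str:
    """Minimal escapeJSON() for the rare case where JSON must be emitted
    by hand: escape backslash, double quote and control characters."""
    out = []
    for ch in s:
        if ch == '"':
            out.append('\\"')
        elif ch == '\\':
            out.append('\\\\')
        elif ord(ch) < 0x20:
            out.append('\\u%04x' % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_doc_unsafe(username: str, role: str = "user") -> str:
    # String concatenation: the tainted String type goes straight in.
    return '{"username": "' + username + '", "role": "' + role + '"}'


def build_doc_escaped(username: str, role: str = "user") -> str:
    # Same layout, but every tainted string passes through escapeJSON().
    return ('{"username": "' + escape_json_string(username)
            + '", "role": "' + escape_json_string(role) + '"}')


def build_doc_safe(username: str, role: str = "user") -> str:
    # DRY: model the document as a collection (dict) and let the existing
    # JSON implementation serialise it; no string surgery at all.
    return json.dumps({"username": username, "role": role})


def parse_doc(doc: str) -> dict:
    """What the database would store after parsing the submitted body."""
    return json.loads(doc)


def roundtrip(s: str) -> str:
    """Escape by hand, then parse back with the standard parser."""
    return json.loads('"' + escape_json_string(s) + '"')


if __name__ == "__main__":
    for build in (build_doc_unsafe, build_doc_escaped, build_doc_safe):
        print(build.__name__, parse_doc(build(TAINTED_USERNAME)))
```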
35. Document-based Issue: View Injection (CouchDB)
Application Manipulation!!
CouchDB is scriptable -- it uses SpiderMonkey as the scripting engine
These JavaScript functions are called “Views”
Predefined Views and Temporary Views
Views implement map/reduce
Retrieve arbitrary data, modify return values to manipulate control flow, etc.
38. Key-Value Based Problem
Key bruteforcing
It’s schema-free: no schema guessing required
How to speed up attacks?
Depends on the implementation of the client library & architecture
CHALLENGE: Can we make a context-sensitive attack?
http://IP/app/action?key=1aD33rSq
Ex:
$value = NoSQL.Get($key)
39. Key-Value Based Security
Key bruteforcing Prevention (application-level)
How data is modeled
Key Size
Key Space
Unpredictable key generation algorithm
Challenge-based (e.g. CAPTCHAs)
41. NoSQL vs. WAS
1. For traditional scanning, how to handle unknown error messages?
2. For blind injections, if an xQL exists, how to perform logic-based blind injections?
Time-based differential attacks? Based on statistical analysis?
42. NoSQL vs. WAS
3. Different types of attack payload
Languages (data and programming)
JSON injections (data)
View injections (programming)
Schema-less
Attack surface is redefined
Data is modeled not by SQL but by the application
Much more sensitive to the entry point
4. Different attack concepts (e.g. key bruteforcing?)
43. NoSQL vs. WAS / pentesting
Selecting the payload requires understanding of the underlying DB
How to blindly identify URLs involving NoSQL?
The SQL support will be a subset of SQL-92/95
Features (ex: Unions) that will impact parallelization will be removed
44. NoSQL vs. SCA
1. Checks by data flow, fewer problems
2. Diversity is a big problem
Unsupported Client Library
3. In general, a lot easier than WAS
45. NoSQL vs. WAF
1. Key bruteforcing is not an injection attack
Block by access threshold
2. URL integrity check (ex: add token)
Transparent to the backend
Ex:
http://IP/app/action?key=1aD33rSq[HMAC($key)]
3. Definition of attack payloads
What is a data (ex JSON) injection?
What is a view (ex javascript) injection?
46. Conclusion
Threat analysis must be conducted under a NoSQL mindset
Modeling of data is done by the application logic and not the SQL statements or DB schema
Threat very sensitive to entry point
Threat types are different
Key bruteforcing
Impacts existing security technologies
47. Comments please!!
We are considering implementing static and blackbox scanners for NoSQL technologies
Please give us some comments!