nosql - no security? - the bsides edition
NoSQL – No Security?
A way to lose even more stuff
Gavin Holt (@GavinHolt)
What we will cover today
What is Big Data?
What is NoSQL?
Why NoSQL Security is an issue
NoSQL Vulnerabilities
Securing NoSQL Installations
What is Big Data?
Datasets that are so large or complex that they are difficult to process using traditional database processing applications
2.5 quintillion bytes (1 followed by 18 zeros)
Data being generated every day (IBM)
2.5 Petabytes (1048576 Gigabytes)
The total size of Walmart's transaction database (The Economist)
40 Terabytes per second
Data generated by experiments on the LHC at CERN (The Economist)
72 Hours per Minute
Video uploaded to YouTube (Google Inc.)
That is a lot of data!
Try running any of them in MS Access
What is NoSQL?
“Not Only SQL”
Umbrella Term: a type of system, not a product
Not the Traditional Relational Model
Generally don’t use tables
Optimised for appends and retrieves
Do very little other than record storage
Highly Scalable & Very Quick
This is all about speed and size
Why use NoSQL?
Why the Big Data/NoSQL Hype?
Eventual Consistency
Delays in writing across nodes slow down your application
User Updates Social Network
Social Network uses a load balancer
Writes don’t propagate immediately
Data is now inconsistent
Reading Stale Data
Users now being served old data from nodes that haven’t been updated
A more serious example
Data needs to be propagated quickly – NoSQL allows for that
Diagram from Adobe Security Labs
NoSQL Vulnerabilities
How do these compare to traditional databases?
The Developer
By Laziness or Ignorance
Little to no Authentication
“Trusted Environments”
NoSQL Injection
Helpful isn’t always useful
Flattening associative arrays
MongoDB Example http://example.com/login.php?username=admin&passwd=mysuperpassword
MongoDB Example http://example.com/login.php?username=admin&passwd[$ne]=1
MongoDB Example: MySQL vs NoSQL
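The associative-array flattening behind the `passwd[$ne]=1` example above, as an added example that is not from the talk: a PHP-style query parser turns the bracketed parameter into an operator object, the unsafe filter builder forwards it to the database untouched, and the hardened builder refuses anything that is not a plain string. The function names, the in-memory matcher and the sample user are all assumptions constructed for this example, so it runs without a MongoDB instance.

```javascript
// Added example, not from the talk. parseQuery mimics PHP's $_GET bracket
// flattening; matchesFilter and USERS are constructed stand-ins for MongoDB.
function parseQuery(qs) {
  const out = {};
  for (const pair of qs.split("&")) {
    const [rawKey, rawVal = ""] = pair.split("=");
    const key = decodeURIComponent(rawKey);
    const val = decodeURIComponent(rawVal);
    const m = key.match(/^([^[]+)\[([^\]]*)\]$/); // "passwd[$ne]" -> passwd, $ne
    if (m) {
      out[m[1]] = out[m[1]] || {};
      out[m[1]][m[2]] = val;
    } else {
      out[key] = val;
    }
  }
  return out;
}

// Vulnerable: whatever the parser produced goes straight into the query document,
// so passwd[$ne]=1 becomes { passwd: { $ne: "1" } } and matches any real password.
function buildLoginFilterUnsafe(params) {
  return { username: params.username, passwd: params.passwd };
}

// Hardened: credentials must be plain strings, so an operator object never reaches the driver.
function buildLoginFilterSafe(params) {
  for (const field of ["username", "passwd"]) {
    if (typeof params[field] !== "string") throw new TypeError(`${field} must be a string`);
  }
  return { username: params.username, passwd: params.passwd };
}

// Minimal matcher modelling only equality and $ne, enough to show the bypass offline.
function matchesFilter(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === "object") {
      return "$ne" in cond ? doc[field] !== cond.$ne : false;
    }
    return doc[field] === cond;
  });
}

const USERS = [{ username: "admin", passwd: "mysuperpassword" }]; // constructed sample

// Returns true when the unsafe login handler would accept the query string.
function loginUnsafe(qs) {
  return USERS.some(u => matchesFilter(u, buildLoginFilterUnsafe(parseQuery(qs))));
}
```

The same type check belongs in front of every field that is copied into a query document, not just the two shown here.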
Server Side Javascript Injection
Example of an Attack
CSRF can be used to bypass firewalls
Diagram from Adobe Security Labs
POST is all an Attacker needs
Inserting Data
Inserting Script Data
Execute any REST command from inside the firewall
Securing NoSQL
One does not simply secure NoSQL </meme>
Sanitize Inputs
Don’t trust users (or other systems!)
Be in control of your query building
Don’t simply concatenate user input
Check how your solution works
Read the manual
All other SQL Best Practice
These aren’t different attack vectors – just new
Questions?
Twitter: @GavinHolt
LinkedIn: http://uk.linkedin.com/in/gavinholt/
Email: [email protected] all day – Grab me for a chat.