NoSQL, no SQL injections?

DEF CON 2010

Kuon Ding, Wayne Huang

Agenda
 What is NoSQL
 Types of NoSQL
 Who uses NoSQL?
 NoSQL Architecture
 Security Issues
 Prevention and Detection !?

What is NoSQL
 No SQL technologies do
not support SQL
 No SQL technologies are
not vulnerable to threats
such as SQL injection

What is NoSQL
 One of the most
commonly accepted
definitions--Not only
a SQL

What is NoSQL
 The storage itself is a
“none-relational
DBMS”
 Semi-structured
 Schema-less

Types of NoSQL
1. Key-value based
2. Column-based
3. Document-based
4. Graph-based
5. Object-based
6. …

Types of NoSQL
What’s challenging for security
researchers:
  NoSQL is resembled by its
diversity
  Within the same family of
NoSQL, implementations (of the
client library) differ widely

Why NoSQL
1.  Performance

2.  Scalability

Who’d use NoSQL?
(What’s the impact?)
1.  Cloud computing
 Saas vendors
2.  SNS providers
3.  Portal websites
 Use a mixture of databases

NoSQL Architecture
Web Application Web Services

Client Library

Data Storage

NoSQL Architecture
Web Application Web Services
a

Client Library

Data Storage

The Client Library
  No Standards such as ODBC,
JDBC, ADO, PDO
  H w is it implemented?
  What interfaces does it
support?
 Query interface?

Why a SQL-like interface?
  Easier for developers
  SQL statements can be
reused during migration
from RDBMS to NoSQL

NoSQL Architecture

Client Library

NoSQL Architecture

Old vectors
SQL ODBC JDBC ADO PDO
Client Library
QL-like impl impl impl implimpl
key-value

New vectors
None-QL impl impl impl impl impl
QL-like impl impl impl impl impl
column None-QL impl impl impl impl impl
impl
document None-QL impl impl impl impl impl

NoSQL Architecture
SQL

Old vectors
ODBC JDBC ADO PDO
Client Library
graph None-QL impl impl impl impl impl impl
QL-like impl impl impl impl
impl
key-value

New vectors
impl

NoSQL Architecture
SQL

Old vectors
ODBC JDBC ADO PDO
object Client Library
graph None-QL impl impl impl impl impl
impl
key-value None-QL impl impl impl impl

New vectors
impl
impl

A Blessing?
In the past:
 Notion of RDBMS matured
 Notion of SQL matured
 SQL implementation standards
matured ODBC, JDBC, etc

NoSQL Vulnerabilities
1.  Connection Pollution
2.  JSON Injection
3.  View Injection
4.  Key Bruteforcing

Connection Pollution
Using CouchDB as example
  RESTful
  Cross- Database/ Pool Access
  CouchDB’s Global and DB Handler

  Easier: Handlers are all RESTful
Ex:
  NoSQL.connect(http://couchDB/_restart”)

Connection Pollution
Using CouchDB as example
  RESTful
  Cross- Database/ Pool Access
  CouchDB’s Global and DB Handler

  Harder: Even when an injection vector exist, crossing DB
is difficult
  Traditional SQL: ConnectSQL injectionJump DB or table
Ex:
  NoSQL.connect(“http://”.$Pool.”/DC18/”)
  NoSQL.connect(“http://POOL/”.$Database)

Document-Based Issues:
JSON Injection (CouchDB)
DATA Manipulation!!
 DRY Don’t Repeat Yourself -- leverage
existing JSON implementations
 If we really need to implement our own
JSON parser
 Troublemaker is the String type
•  Try to use the Collection type such as
hash and map
 When handing tainted strings, must
escapeJSON() / unescapeJSON()

Document-based Issue:
View Injection (CouchDB)
Application Manipulation!!
 CouchDB is scriptable--use SpiderMonkey
as the scripting engine
 These javascripts are called “Views”

 Predefined Views and Temporary Views
 Views are to do map reduce
 Retrieve arbitrary data, modify return
values to manipulate control flow, etc

Key-Value Based Problem
Key bruteforcing
  It’s schema-free  No schema guessing required
  How to speedup attacks?
  Depends on the implementation of client library &
architecture
  CHALLENGE Can we make context-sensitive
attack?

http://IP/app/action?key=1aD33rSq
Ex:
  $value = NoSQL.Get($key)

Key-Value Based Security
Key bruteforcing Prevention
(application-level)
 How data is modeled
 Key Size
 Key Space
 Unpredictable key generation
algorithm
 Challenge-based (eg. Captchas)

NoSQL vs. WAS
1.  For traditional scanning, how to
handle unknown error messages?
2.  For blind injections,
 If xQL exist, how to perform logic
-based blind injections?
 Time-based differential attacks? Based
on statistical analysis?

NoSQL vs. WAS
3.  Different types of attack payload
 Languages (data and programming)
  JSON injections (data)
  View injections (programming)
 Schema-less
 Attack surface is redefined
 Data is modeled not by SQL but by the
application
 Much more sensitive to the entry point
4.  Different attack concepts(ex bruteforcing key?)

NoSQL vs. WAS / pentesting
Selecting the payload requires understanding of
the underlying DB
How to blindly identify URLs involving NoSQL?

  The SQL support will be a subset of
SQL-92/95
  Features (ex: Unions) that will impact
parallelization will be removed

NoSQL vs. SCA
1.  Checks by data flow, less problems
2.  Diversity is a big problem
 Unsupported Client Library
3.  In general, a lot easier than WAS

NoSQL vs. WAF
1.  Key bruteforcing is not injection attack
  Block by access threshold

2.  URL integrity check (ex: add token)
  Transparency to the backend
Ex:
http://IP/app/action?key=1aD33rSq[HMAC($key)]
3.  Definition of attack payloads
  What is a data (ex JSON) injection?
  What is a view (ex javascript) injection?

Conclusion
  Threat analysis must be conducted under a
NoSQL mindset
  Modeling of data is done by the application
logic and not the SQL statements or DB
schema
  Threat very sensitive to entry point
  Threat types are different
  Key bruteforcing
  Impacts existing security technologies

Comments please!!
We are considering implementing
static and blackbox scanners for
NoSQL technologies

Please give us some comments!

NoSQL, no SQL injections?

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (20)

Similar a NoSQL, no SQL injections?

Similar a NoSQL, no SQL injections? (20)

Último

Último (20)

NoSQL, no SQL injections?