nosql, no sql injections?

Kuon Ding, Wayne Huang DEF CON 2010

Agenda  What is NoSQL？  Types of NoSQL  Who uses NoSQL?  NoSQL Architecture  Security Issues  Prevention and Detection !?

What is NoSQL？ ╳ No SQL technologies do not support SQL

╳ No SQL technologies are not vulnerable to threats such as SQL injection

What is NoSQL？

 One of the most commonly accepted definitions--Not only a SQL

What is NoSQL？  The storage itself is a “none-relational DBMS”  Semi-structured  Schema-less

Types of NoSQL 1. Key-value based 2. Column-based 3. Document-based 4. Graph-based 5. Object-based 6. …

Types of NoSQL What’s challenging for security

researchers:   NoSQL is resembled by its

diversity   Within the same family of

NoSQL, implementations (of the client library) differ widely

Why NoSQL 1.  Performance

2.  Scalability

Who’d use NoSQL? (What’s the impact?) 1.  Cloud computing

 Saas vendors

2.  SNS providers 3.  Portal websites  Use a mixture of databases

NoSQL Architecture Web Application Web Services

Client Library

Data Storage


Client Library

Data Storage

a

The Client Library   No Standards such as ODBC,

JDBC, ADO, PDO   How is it implemented?   What interfaces does it

support?  Query interface?

Why a SQL-like interface?

  Easier for developers   SQL statements can be

reused during migration from RDBMS to NoSQL


Client Library

Data Storage

a

NoSQL Architecture

Client Library

NoSQL Architecture

Client Library

Old

vec

tors

N

ew v

ecto

rs

SQL ODBC JDBC ADO PDO

key-value QL-like None-QL

impl impl impl impl impl impl impl impl impl impl

column QL-like None-QL

impl impl impl impl impl impl impl impl impl impl impl

document QL-like None-QL


NoSQL Architecture

Client Library

Old

vec

tors

N

ew v

ecto

rs








graph QL-like None-QL


NoSQL Architecture

Client Library

Old

vec

tors

N

ew v

ecto

rs










object QL-like None-QL


A Blessing? In the past:  Notion of RDBMS matured  Notion of SQL matured  SQL implementation standards

matured̶ODBC, JDBC, etc

NoSQL Architecture

Client Library

Old

vec

tors

N

ew v

ecto

rs










object QL-like None-QL


NoSQL Vulnerabilities

1.  Connection Pollution 2.  JSON Injection 3.  View Injection 4.  Key Bruteforcing

Connection Pollution Using CouchDB as example

  RESTful   Cross- Database/ Pool Access

  CouchDB’s Global and DB Handler

  Easier: Handlers are all RESTful

Ex:

  NoSQL.connect(http://couchDB/_restart”)

Connection Pollution Using CouchDB as example

  RESTful   Cross- Database/ Pool Access

  CouchDB’s Global and DB Handler

  Harder: Even when an injection vector exist, crossing DB is difficult   Traditional SQL: ConnectSQL injectionJump DB or table

Ex:

  NoSQL.connect(“http://”.$Pool.”/DC18/”)   NoSQL.connect(“http://POOL/”.$Database)

Document-Based Issues: JSON Injection (CouchDB)

DATA Manipulation!!  DRY（Don’t Repeat Yourself）-- leverage

existing JSON implementations  If we really need to implement our own

JSON parser…  Troublemaker is the String type

•  Try to use the Collection type such as hash and map

 When handing tainted strings, must escapeJSON() / unescapeJSON()

Application Manipulation!!  CouchDB is scriptable--use SpiderMonkey

as the scripting engine  These javascripts are called “Views”

 Predefined Views and Temporary Views  Views are to do map reduce  Retrieve arbitrary data, modify return

values to manipulate control flow, etc

Document-based Issue: View Injection (CouchDB)

Key-Value Based Problem Key bruteforcing

  It’s schema-free No schema guessing required   How to speedup attacks?

  Depends on the implementation of client library & architecture

 CHALLENGE：Can we make context-sensitive attack?

http://IP/app/action?key=1aD33rSq

Ex:

  $value = NoSQL.Get($key)

Key-Value Based Security

Key bruteforcing Prevention (application-level)  How data is modeled  Key Size  Key Space  Unpredictable key generation

algorithm  Challenge-based (eg. Captchas)

NoSQL vs. WAS 1. For traditional scanning, how to

handle unknown error messages? 2. For blind injections,   If xQL exist, how to perform logic

-based blind injections?  Time-based differential attacks? Based

on statistical analysis?

NoSQL vs. WAS 3.  Different types of attack payload

 Languages (data and programming)   JSON injections (data)   View injections (programming)

 Schema-less  Attack surface is redefined  Data is modeled not by SQL but by the

application  Much more sensitive to the entry point

4.  Different attack concepts(ex bruteforcing key?)

NoSQL vs. WAS / pentesting

Selecting the payload requires understanding of the underlying DB

How to blindly identify URLs involving NoSQL?

  The SQL support will be a subset of SQL-92/95

  Features (ex: Unions) that will impact parallelization will be removed

NoSQL vs. SCA 1. Checks by data flow, less problems 2. Diversity is a big problem  Unsupported Client Library

3.  In general, a lot easier than WAS

NoSQL vs. WAF 1.  Key bruteforcing is not injection attack

  Block by access threshold

2.  URL integrity check (ex: add token)   Transparency to the backend

Ex:

http://IP/app/action?key=1aD33rSq[HMAC($key)] 3.  Definition of attack payloads

  What is a data (ex JSON) injection?

  What is a view (ex javascript) injection?

Conclusion   Threat analysis must be conducted under a

NoSQL mindset   Modeling of data is done by the application

logic and not the SQL statements or DB schema   Threat very sensitive to entry point

 Threat types are different   Key bruteforcing

  Impacts existing security technologies

Comments please!! We are considering implementing

static and blackbox scanners for NoSQL technologies

Please give us some comments!

nosql, no sql injections?

Technology