nosql, no sql injections?
DESCRIPTION
This talk was given at DEF CON 2010 by Kuon Ding and Wayne Huang https://www.defcon.org/html/defcon-18/dc-18-speakers.html#Huang NOSQL == NO SQL INJECTIONS? This is a short talk on NoSQL technologies and their impacts on traditional injection threats such as SQL injection. This talk surveys existing NoSQL technologies, and then demos proof-of-concept threats found with CouchDB. We then discuss impacts of NoSQL technologies to existing security technologies such as blackbox scanning, static analysis, and web application firewalls.
TRANSCRIPT
Kuon Ding, Wayne Huang DEF CON 2010
Agenda: What is NoSQL? Types of NoSQL. Who uses NoSQL? NoSQL Architecture. Security Issues. Prevention and Detection !?
What is NoSQL? Two misconceptions, crossed out on the slide:
╳ No SQL technologies do not support SQL
╳ No SQL technologies are not vulnerable to threats such as SQL injection
What is NoSQL?
One of the most commonly accepted definitions: Not only SQL
What is NoSQL? The storage itself is a "non-relational DBMS": semi-structured, schema-less
Types of NoSQL: 1. Key-value based 2. Column-based 3. Document-based 4. Graph-based 5. Object-based 6. …
Types of NoSQL: What's challenging for security researchers: NoSQL is characterized by its diversity. Within the same family of NoSQL, implementations (of the client library) differ widely.
Why NoSQL: 1. Performance 2. Scalability
Who'd use NoSQL? (What's the impact?) 1. Cloud computing, SaaS vendors 2. SNS providers 3. Portal websites. These use a mixture of databases.
NoSQL Architecture: Web Application / Web Services → Client Library → Data Storage
The Client Library: No standards such as ODBC, JDBC, ADO, PDO. How is it implemented? What interfaces does it support? Query interface?
Why a SQL-like interface? Easier for developers; SQL statements can be reused during migration from RDBMS to NoSQL.
NoSQL Architecture: Client Library (matrix slide, built up over several slides)
Old vectors: SQL, reached through the standard interfaces ODBC, JDBC, ADO, PDO.
New vectors: each NoSQL family (key-value, column, document, graph, object) exposes a QL-like interface and a non-QL interface, and behind each interface sit many differing client-library implementations (the "impl" cells of the matrix).
A Blessing? In the past: the notion of RDBMS matured; the notion of SQL matured; SQL implementation standards matured (ODBC, JDBC, etc.)
NoSQL Vulnerabilities: 1. Connection Pollution 2. JSON Injection 3. View Injection 4. Key Bruteforcing
Connection Pollution (using CouchDB as example): RESTful cross-database/pool access. CouchDB's global and DB handlers.
Easier: handlers are all RESTful.
Ex:
NoSQL.connect("http://couchDB/_restart")
Harder: even when an injection vector exists, crossing DBs is difficult. Traditional SQL: connect → SQL injection → jump DB or table.
Ex:
NoSQL.connect("http://".$Pool."/DC18/")
NoSQL.connect("http://POOL/".$Database)
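The two connect() calls above concatenate a pool name or a database name straight into the RESTful URL, which is what lets a tainted value reach another pool or a server-level handler such as _restart. The following is an added example, not code from the talk: a Python URL builder that allowlists the pool against a fixed set of deployed hosts (hypothetical hostnames) and checks the database name against CouchDB's naming rule (must start with a lowercase letter; names beginning with "_" are reserved for server handlers). The pattern here is deliberately stricter than CouchDB's own, since it also rejects "/".

```python
import re
from urllib.parse import quote

# Constructed allowlist of the storage pools this deployment talks to
# (hypothetical hostnames standing in for the talk's $Pool variable).
ALLOWED_POOLS = {"pool-a.internal:5984", "pool-b.internal:5984"}

# CouchDB database names start with a lowercase letter and may then contain
# lowercase letters, digits and _ $ ( ) + - ; names beginning with "_" are
# reserved for server-level handlers (_restart, _all_dbs, ...).  This policy
# is stricter than CouchDB's (it forbids "/"), which is an assumption here.
_DB_NAME = re.compile(r"^[a-z][a-z0-9_$()+-]{0,127}$")


def is_safe_db_name(database: str) -> bool:
    """True when the name cannot escape to another path or a global handler."""
    return _DB_NAME.match(database) is not None


def build_db_url(pool: str, database: str) -> str:
    """Return the URL for one database, or raise ValueError.

    Neither value is concatenated raw: the pool must be one of the deployed
    pools and the database name must satisfy the allowlist pattern, so a
    tainted value cannot steer the request to another pool, another database
    or a server handler (the "connection pollution" of the talk).
    """
    if pool not in ALLOWED_POOLS:
        raise ValueError(f"unknown pool: {pool!r}")
    if not is_safe_db_name(database):
        raise ValueError(f"invalid database name: {database!r}")
    # quote() is defence in depth: after the regex nothing is left to encode,
    # but it keeps the builder safe if the pattern is ever relaxed.
    return f"http://{pool}/{quote(database, safe='')}/"
```

Calling build_db_url("pool-a.internal:5984", "dc18") yields the expected URL, while "_restart", "dc18/../_restart" or an unlisted pool raise ValueError before any request is made.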
Document-Based Issues: JSON Injection (CouchDB)
Data manipulation!! DRY (Don't Repeat Yourself): leverage existing JSON implementations. If we really need to implement our own JSON parser… the troublemaker is the String type.
• Try to use collection types such as hash and map
• When handling tainted strings, must escapeJSON() / unescapeJSON()
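To make the "troublemaker is the String type" point concrete, here is an added example (not from the talk) in Python: one document builder concatenates a tainted string into a JSON body, the other keeps the document in a dict and lets the standard json module escape it, which is the "use collection types and an existing JSON implementation" advice above. A third helper is a defender's check that refuses a body containing duplicate keys, the signature of an injected field. The user name value is constructed for the demonstration.

```python
import json


def build_doc_by_concatenation(username: str, role: str = "user") -> str:
    """Vulnerable pattern: the JSON body is assembled as a string.

    A tainted username containing a quote terminates the "name" value and
    appends fields of the caller's choosing.
    """
    return '{"type":"account","role":"' + role + '","name":"' + username + '"}'


def build_doc_with_serializer(username: str, role: str = "user") -> str:
    """Hardened: model the document as a dict; json.dumps escapes the string."""
    return json.dumps({"type": "account", "role": role, "name": username})


def parse_doc(body: str) -> dict:
    """Plain parse; like most parsers, the last duplicate key wins."""
    return json.loads(body)


def loads_rejecting_duplicates(body: str) -> dict:
    """Defensive parse that raises ValueError when an object repeats a key.

    An injected '"role":"admin"' riding in on a string value shows up as a
    second "role" key, so rejecting duplicates blocks the override instead of
    silently letting the later value replace the application's own.
    """
    def hook(pairs):
        keys = [k for k, _ in pairs]
        if len(keys) != len(set(keys)):
            dup = sorted(k for k in set(keys) if keys.count(k) > 1)
            raise ValueError(f"duplicate key(s) in JSON object: {dup}")
        return dict(pairs)
    return json.loads(body, object_pairs_hook=hook)


# Constructed tainted input: closes the "name" value and injects a field.
TAINTED = 'mallory","role":"admin","x":"'
```

With the concatenating builder, parse_doc() returns role "admin" for the tainted name; with the serializer the name is stored verbatim and the role stays "user". loads_rejecting_duplicates() raises on the first body and accepts the second.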
Document-based Issue: View Injection (CouchDB)
Application manipulation!! CouchDB is scriptable: it uses SpiderMonkey as the scripting engine. These JavaScripts are called "Views". Predefined views and temporary views. Views are for doing map/reduce. Retrieve arbitrary data, modify return values to manipulate control flow, etc.
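A view is JavaScript executed by the database, so the question for the application is whether any request parameter ever becomes part of that JavaScript. The following added example (Python, not code from the talk) contrasts a temporary view whose map function is built by string concatenation (the CouchDB 1.x _temp_view request body) with the safe shape: a predefined view stored in a design document, selected by name from a fixed table, with the user's value passed as a JSON-encoded key query parameter where it is data rather than script. The design-document and view names are hypothetical.

```python
import json
import re
from urllib.parse import quote, urlencode

# Constructed table mapping application query names to predefined views
# (hypothetical design document and view names).  Request input selects an
# entry from this table and never contributes to the view's JavaScript.
PREDEFINED_VIEWS = {
    "by_user": ("accounts", "by_user"),    # (design doc, view name)
    "by_email": ("accounts", "by_email"),
}


def unsafe_temp_view(field: str, value: str) -> dict:
    """Vulnerable pattern: a temporary view whose map function is assembled
    from request parameters.  Whatever arrives in `field` or `value` is
    executed by CouchDB's SpiderMonkey engine as part of the function."""
    src = ("function(doc){ if (doc." + field + " == '" + value +
           "') emit(doc._id, doc); }")
    return {"map": src}


def view_query_url(db: str, query_name: str, key: str) -> str:
    """Hardened: look up a predefined view and pass the key as a JSON-encoded
    query parameter.  The map function is fixed in the design document; quotes
    or braces in `key` are serialized by json.dumps and URL-encoded, so they
    cannot change what the view executes."""
    if query_name not in PREDEFINED_VIEWS:
        raise ValueError(f"unknown query: {query_name!r}")
    ddoc, view = PREDEFINED_VIEWS[query_name]
    params = urlencode({"key": json.dumps(key)})
    return f"/{quote(db, safe='')}/_design/{ddoc}/_view/{view}?{params}"


def contains_script_metachars(field: str) -> bool:
    """Detection helper: True when a supposed property name is not a plain
    identifier, i.e. it could never name a document field and, if it reached
    view source, would be read as script."""
    return re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", field) is None
```

Even a benign value such as o'brien breaks the concatenated map function, which is why the safe path never builds script from input; contains_script_metachars() is the check to log on if an application must accept a field name at all.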
Key-Value Based Problem: Key bruteforcing
It's schema-free: no schema guessing required. How to speed up attacks? Depends on the implementation of the client library & architecture.
CHALLENGE: Can we make a context-sensitive attack?
Ex:
http://IP/app/action?key=1aD33rSq
$value = NoSQL.Get($key)
Key-Value Based Security: Key bruteforcing prevention (application-level): how data is modeled; key size; key space; unpredictable key generation algorithm; challenge-based (e.g. CAPTCHAs)
NoSQL vs. WAS: 1. For traditional scanning, how to handle unknown error messages? 2. For blind injections, if an xQL exists, how to perform logic-based blind injections? Time-based differential attacks? Based on statistical analysis?
NoSQL vs. WAS: 3. Different types of attack payload. Languages (data and programming): JSON injections (data), view injections (programming). Schema-less: the attack surface is redefined; data is modeled not by SQL but by the application; much more sensitive to the entry point. 4. Different attack concepts (ex: bruteforcing keys?)
NoSQL vs. WAS / pentesting: Selecting the payload requires understanding of the underlying DB. How to blindly identify URLs involving NoSQL? The SQL support will be a subset of SQL-92/95; features (ex: UNIONs) that would impact parallelization will be removed.
NoSQL vs. SCA: 1. Checks by data flow, fewer problems 2. Diversity is a big problem: unsupported client libraries 3. In general, a lot easier than WAS
NoSQL vs. WAF: 1. Key bruteforcing is not an injection attack: block by access threshold. 2. URL integrity check (ex: add a token), transparent to the backend.
Ex:
http://IP/app/action?key=1aD33rSq[HMAC($key)]
3. Definition of attack payloads: What is a data (ex: JSON) injection? What is a view (ex: JavaScript) injection?
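The application-level key bruteforcing countermeasures (key size and key space, an unpredictable generation algorithm) and the WAF-level ones (URL integrity token key=…[HMAC($key)], blocking by access threshold) fit together in one flow. The following added example, in Python and not code from the talk, shows that flow: it reports the key-space size in bits for a given alphabet and length, mints keys from the OS CSPRNG, appends a truncated HMAC-SHA256 tag in the talk's key[tag] layout, verifies the tag in constant time before any storage lookup, and keeps a per-client failure counter that refuses further lookups past a threshold. The server secret, tag length and threshold are constructed values.

```python
import hashlib
import hmac
import math
import secrets
from collections import Counter
from typing import Optional

# Constructed server-side secret; a deployment loads it from a secret store.
SERVER_SECRET = b"hypothetical-secret-rotate-me"
KEY_BYTES = 16          # 128 bits of randomness per key
TAG_BYTES = 8           # truncated HMAC tag appended to the key (assumed size)
FAILURE_THRESHOLD = 20  # failed lookups before a client is refused (assumed)


def key_space_bits(alphabet_size: int, length: int) -> float:
    """Work to enumerate a key space: log2(alphabet ** length).
    The slide's sample key 1aD33rSq is 8 base-62 characters, about 47.6 bits;
    a 128-bit random key is what new_key() issues."""
    return length * math.log2(alphabet_size)


def new_key() -> str:
    """Unpredictable key from the OS CSPRNG, hex so it is URL-safe."""
    return secrets.token_hex(KEY_BYTES)


def tag(key: str) -> str:
    """Truncated HMAC-SHA256 over the key, hex encoded."""
    mac = hmac.new(SERVER_SECRET, key.encode(), hashlib.sha256).hexdigest()
    return mac[: 2 * TAG_BYTES]


def sign_key(key: str) -> str:
    """Key as it appears in the URL: key=<key>[<HMAC(key)>]."""
    return f"{key}[{tag(key)}]"


def verify_key(param: str) -> Optional[str]:
    """Return the bare key when the tag matches, else None.

    A guessed key arrives without a valid tag and is rejected here, in front
    of the backend, so the storage never sees the lookup."""
    if "[" not in param or not param.endswith("]"):
        return None
    key, _, rest = param.rpartition("[")      # key, "[", "<tag>]"
    given = rest[:-1]
    if len(given) != 2 * TAG_BYTES:
        return None
    return key if hmac.compare_digest(given, tag(key)) else None


class ThresholdBlocker:
    """Per-client count of failed key lookups (bad tag or missing object);
    once the threshold is reached the client is refused further lookups."""

    def __init__(self, threshold: int = FAILURE_THRESHOLD) -> None:
        self.threshold = threshold
        self.failures = Counter()

    def record(self, client: str, ok: bool) -> bool:
        """Record one lookup outcome; return True if the client may continue."""
        if not ok:
            self.failures[client] += 1
        return self.failures[client] < self.threshold
```

In a request handler the order is: verify_key() on the query parameter, then record() on the blocker with whether the lookup succeeded, and only then NoSQL.Get() on the bare key. Because the token is computed and checked from the key alone, the check can sit in a WAF or reverse proxy with no change to the backend, which is the transparency property the slide asks for.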
Conclusion: Threat analysis must be conducted under a NoSQL mindset. Modeling of data is done by the application logic and not the SQL statements or DB schema. Threats are very sensitive to the entry point. Threat types are different (key bruteforcing). Impacts existing security technologies.
Comments please!! We are considering implementing static and blackbox scanners for NoSQL technologies. Please give us some comments!