SlideShare a Scribd company logo

Rooted 2011 nosql security

Jose Palanco
Jose Palanco

NoSQL Security presented on Rooted 2011

Technology
1 of 40
Download to read offline
NoSQL Security José Ramón Palanco miércoles 16 de marzo de 2011
Agenda ✦ NoSQL Introduction ✦ NoSQL vs RDBMS ✦ NoSQL Arquitecture ✦ NoSQL Implementations ✦ Attack vectors ✦ Injections ✦ Key Bruteforce ✦ HTTP Protocol Based Attacks in listeners ✦ Cassandra security y Thrift security ✦ Denial of Service (connection pollution, evil queries) miércoles 16 de marzo de 2011
NOSQL Introduction miércoles 16 de marzo de 2011
¿What is NoSQL? ✦ In general, don’t need table scheme and don’t uses “join” ✦ NoSQL solutions don’t imeplement one or more ACID properties miércoles 16 de marzo de 2011
CAP Theorem ✦ Properties: consistency, availability and partitions ✦ At least need 2 of them ✦ To scale partition is needed ✦ In general is preferer availability over consistency miércoles 16 de marzo de 2011
NoSQL Arquitecture RDBMS NoSQL Client Client HTTP Server HTTP Server SQL REST, JSON, XML, ... Connector BBDD Connector BBDD ODBC, ADO, JDBC Binary, HTTP, ... miércoles 16 de marzo de 2011
NoSQL vs RDBMS ✦ RDBMS show poor performance and scalability in application which make a heavy use of data ✦ Cloud Computing (SaaS) ✦ Social Networks (SN) ✦ To make complex queries is not possible perform them with something diferent than RDBMS miércoles 16 de marzo de 2011
Enviroments ✦ In lot of enviroments is need to distribute writes in clusters, MapReduce, .. ✦ Facebook needs store 135 billions of messages each month ✦ Twitter stores 7 TB diary miércoles 16 de marzo de 2011
Disadvantages NoSQL ✦ OLTP ✦ SQL ✦ Ad-Hoc queries ✦ Complex relations miércoles 16 de marzo de 2011
NoSQL Arquitectures ✦ Document store ✦ Graph ✦ Key-value store ✦ Multivalue ✦ Objets ✦ Tabular miércoles 16 de marzo de 2011
Key-value store ✦ CouchDB: ✦ MongoDB ✦ Terrastore ✦ ThruDB ✦ OrientDB ✦ RavenDB miércoles 16 de marzo de 2011
Graph ✦ Neo4J ✦ Sones ✦ InfoGrid ✦ HypergraphDB ✦ AllegroGraph ✦ BigData miércoles 16 de marzo de 2011
Key-value ✦ Redis ✦ Riak ✦ Tokio Cabinet ✦ MemcacheDB ✦ Membase ✦ Azure miércoles 16 de marzo de 2011
Multivalue ✦ U2 ✦ OpenInsight ✦ OpenQM miércoles 16 de marzo de 2011
Objets ✦ db4o ✦ Objetivity ✦ Versant ✦ NEO miércoles 16 de marzo de 2011
MongoDB ✦ Protocol: Binary (BSON) ✦ API: several languages ✦ Query: JavaScript/JSON ✦ Language: C++ miércoles 16 de marzo de 2011
• Schema-Free (JSON) Features CouchDB • Document Oriented, Not Relational • Highly Concurrent ✦ Protocol: REST • RESTful HTTP API ✦ API: JSON • JavaScript-Powered ✦ Map/Reduce Query: MapReduce (JS) ✦ • Language: Erlang N-Master Replication • Robust Storage miércoles 16 de marzo de 2011
{"couchdb":"Welcome","version":"0.11.0"} $ telnet 172.16.163.129 5984 Trying 172.16.163.129... Connected to 172.16.163.129. Escape character is '^]'. GET /rooted/ HTTP/1.1 Host: localhost HTTP/1.1 200 OK Server: CouchDB/0.11.0 (Erlang OTP/R14B) Date: Sat, 19 Feb 2011 05:20:28 GMT Content-Type: text/plain;charset=utf-8 Content-Length: 188 Cache-Control: must-revalidate {"db_name":"rooted","doc_count":1,"doc_del_count":0,"update_seq":1,"purge_seq": 0,"compact_running":false,"disk_size": 4182,"instance_start_time":"1298092462502662","disk_format_version":5} miércoles 16 de marzo de 2011
{"couchdb":"Welcome","version":"0.11.0"} $ telnet 172.16.163.129 5984 Trying 172.16.163.129... Connected to 172.16.163.129. Escape character is '^]'. GET /rooted/f34aae022f67a23ac56dba5b4e000cf2 HTTP/1.1 Host: localhost HTTP/1.1 200 OK Server: CouchDB/0.11.0 (Erlang OTP/R14B) Etag: "1-2512702fff02fe841adecde4a22c62b5" Date: Sat, 19 Feb 2011 05:20:47 GMT Content-Type: text/plain;charset=utf-8 Content-Length: 155 Cache-Control: must-revalidate {"_id":"f34aae022f67a23ac56dba5b4e000cf2","_rev":"1-2512702fff02fe841adecde4a2 2c62b5","Nombre":"Jose","DNI":"9393948K","telefono":999999999} Connection closed by foreign host. miércoles 16 de marzo de 2011
Redis ✦ Protocol: Plain Telnet ✦ API: Several Languages ✦ Query: Commands ✦ Language: C/C++ miércoles 16 de marzo de 2011
Cassandra ✦ Protocol: Binary (Thrift) ✦ API: Thrift ✦ Query: Column/ranges ✦ Languages: Java miércoles 16 de marzo de 2011
Cassandra ✦ Column (tuple/triplet) ✦ Supercolumn (composed by columns) ✦ Column Family (contains supercolumns) ✦ Keyspace (stores column families) miércoles 16 de marzo de 2011
Cassandra <Keyspace Name="BloggyAppy"> <!-- CF definitions --> <ColumnFamily CompareWith="BytesType" Name="Authors"/> <ColumnFamily CompareWith="BytesType" Name="BlogEntries"/> <ColumnFamily CompareWith="TimeUUIDType" Name="TaggedPosts"/> <ColumnFamily CompareWith="TimeUUIDType" Name="Comments" CompareSubcolumnsWith="BytesType" ColumnType="Super"/> </Keyspace> storage-conf.xml miércoles 16 de marzo de 2011
Attack vectors miércoles 16 de marzo de 2011
Introduction ✦ Several database concepts ✦ Several implementations ✦ So attack vectors are very specifics and depends on each implementation miércoles 16 de marzo de 2011
HTTP Based Attacks ✦ ¿Who uses HTTP? ✦ CouchDB ✦ HBASE ✦ Riak ✦ ¿How to locate vulnerabilities? ✦ fuzzing: hzzp miércoles 16 de marzo de 2011
Listeners explotation ✦ As they work on $ telnet server.com 80 HTTP, it’s Trying X.X.X.X... possible use cache Connected to server.com. proxies Escape character is '^]' misconfigured to GET /_all_dbs get access Host: 192.168.2.18 miércoles 16 de marzo de 2011
JSON Injection In the same way that the SQL is escaped, when working with CouchDB or MongoDB, we should do the same db.foo.find( { $or : [ { a : 1 } , { b : 2 } ] } ) db.foo.find( { $or : [ { a : 1 } , { b : 2 }, { c : /.*/ } ] } ) miércoles 16 de marzo de 2011
Array Injection <? $collection->find(array( MongoDB + PHP "username" => $_GET ['username'], "passwd" => $_GET ✦ In PHP it is possible that a variable is an array ['passwd'] by adding brackets )); ?> ✦ If admin passwd ‘Not Equal’ anything, you can access /login.php?username=admin&passwd[$ne]=1 ✦ Besides that of $ne, we can inject: <? ✦ $or, $exists, $nin, $in, $lt, ... (logics) $collection->find(array( "username" => "admin", "passwd" => array("$ne" => 1) ✦ &var[‘$regex’]=/privileged/i (regex) )); ?> miércoles 16 de marzo de 2011
View Injection ✦ CouchDB uses SpiderMonkey as scripting engine ✦ The views are loaded as js $ ldd /usr/lib/couchdb/bin/couchjs libcurl.so.4 => /usr/lib/libcurl.so.4 (0x00007f7124325000) libmozjs.so.2d => /usr/lib/libmozjs.so.2d (0x00007f7124063000) ... miércoles 16 de marzo de 2011
View Injection ✦ There are predefined views and temporary ✦ To make MapReduce ✦ Get arbitrary data, change values to alter the execution flow miércoles 16 de marzo de 2011
REST INJECTION <? $dbname = $_GET["db"]; $doc_id = $_GET["d_id"]; $resp = $couch->send("GET", "/" . $dbname ."/" . $doc_id); ?> ✦ Cross Database: ✦ /?db=_all_dbs ✦ /?db=myusers miércoles 16 de marzo de 2011
CouchDB info ✦ http://172.16.163.129:5984/_config ✦ http://172.16.163.129:5984/_all_dbs ✦ http://172.16.163.129:5984/_stats ✦ http://172.16.163.129:5984/_utils miércoles 16 de marzo de 2011
CouchDB cmd exec. miércoles 16 de marzo de 2011
GQL Injection ✦ You can reach GQL injection, but in a very controlled environment ✦ There is no negation operator "!" ✦ The set of GQL commands is very limited miércoles 16 de marzo de 2011
Key Bruteforce ✦ As there are no schemes, we do not have to find out them ✦ The IDs are large, but not generated at random: e479f720ff9a05fb2f441fef97000c87 e479f720ff9a05fb2f441fef97000b61 miércoles 16 de marzo de 2011
Cassandra Security <? ... $columnParent = new cassandra_ColumnParent(); $columnParent->super_column = NULL; if(isset($_GET[‘CF’])) $columnParent->column_family = $_GET[‘CF’].“_myfam”; $sliceRange = new cassandra_SliceRange(); ✦ If we change the $sliceRange->start = ""; $sliceRange->finish = ""; name of a family, we $predicate = new cassandra_SlicePredicate(); list() = $predicate->column_names; can get items from $predicate->slice_range = $sliceRange; $consistency_level = cassandra_ConsistencyLevel::ONE; other family $keyUserId = 1; $result = $client->get_slice($keyspace, $keyUserId, $columnParent, $predicate, $consistency_level); print_r($result); ... ?> miércoles 16 de marzo de 2011
Denial of Service ✦ Connection polution ✦ Couchdb-> implementación interface = restfull ✦ With GQL, it is possible to perform a DoS creating queries which make an intensive use of CPU and will be disconnected or be billed for that extra CPU miércoles 16 de marzo de 2011
Questions miércoles 16 de marzo de 2011
Questions miércoles 16 de marzo de 2011

Recommended

Balisage - EXPath Packaging
Balisage - EXPath PackagingBalisage - EXPath Packaging
Balisage - EXPath PackagingFlorent Georges
 
Balisage - EXPath - A practical introduction
Balisage - EXPath - A practical introductionBalisage - EXPath - A practical introduction
Balisage - EXPath - A practical introductionFlorent Georges
 
NoSQL Now! Webinar Series: Migrating Security Policies from SQL to NoSQL
NoSQL Now! Webinar Series: Migrating Security Policies from SQL to NoSQLNoSQL Now! Webinar Series: Migrating Security Policies from SQL to NoSQL
NoSQL Now! Webinar Series: Migrating Security Policies from SQL to NoSQLDATAVERSITY
 
Stardog talk-dc-march-17
Stardog talk-dc-march-17Stardog talk-dc-march-17
Stardog talk-dc-march-17Clark & Parsia LLC
 
Nosql
NosqlNosql
Nosqlmentallog
 
Froscon2011: How i learned to use sql and then learned not to use it
Froscon2011: How i learned to use sql and then learned not to use itFroscon2011: How i learned to use sql and then learned not to use it
Froscon2011: How i learned to use sql and then learned not to use itHenrik Ingo
 
Spotify: Horizontal Scalability for Great Success
Spotify: Horizontal Scalability for Great SuccessSpotify: Horizontal Scalability for Great Success
Spotify: Horizontal Scalability for Great SuccessNick Barkas
 
Thu 1100 duncan_john_color
Thu 1100 duncan_john_colorThu 1100 duncan_john_color
Thu 1100 duncan_john_colorDATAVERSITY
 

Recommended

Balisage - EXPath Packaging
Balisage - EXPath PackagingBalisage - EXPath Packaging
Balisage - EXPath PackagingFlorent Georges
 
Balisage - EXPath - A practical introduction
Balisage - EXPath - A practical introductionBalisage - EXPath - A practical introduction
Balisage - EXPath - A practical introductionFlorent Georges
 
NoSQL Now! Webinar Series: Migrating Security Policies from SQL to NoSQL
NoSQL Now! Webinar Series: Migrating Security Policies from SQL to NoSQLNoSQL Now! Webinar Series: Migrating Security Policies from SQL to NoSQL
NoSQL Now! Webinar Series: Migrating Security Policies from SQL to NoSQLDATAVERSITY
 
Stardog talk-dc-march-17
Stardog talk-dc-march-17Stardog talk-dc-march-17
Stardog talk-dc-march-17Clark & Parsia LLC
 
Nosql
NosqlNosql
Nosqlmentallog
 
Froscon2011: How i learned to use sql and then learned not to use it
Froscon2011: How i learned to use sql and then learned not to use itFroscon2011: How i learned to use sql and then learned not to use it
Froscon2011: How i learned to use sql and then learned not to use itHenrik Ingo
 
Spotify: Horizontal Scalability for Great Success
Spotify: Horizontal Scalability for Great SuccessSpotify: Horizontal Scalability for Great Success
Spotify: Horizontal Scalability for Great SuccessNick Barkas
 
Thu 1100 duncan_john_color
Thu 1100 duncan_john_colorThu 1100 duncan_john_color
Thu 1100 duncan_john_colorDATAVERSITY
 
An Open Source NoSQL solution for Internet Access Logs Analysis
An Open Source NoSQL solution for Internet Access Logs AnalysisAn Open Source NoSQL solution for Internet Access Logs Analysis
An Open Source NoSQL solution for Internet Access Logs AnalysisJosé Manuel Ciges Regueiro
 
Post-relational databases: What's wrong with web development?
Post-relational databases: What's wrong with web development?Post-relational databases: What's wrong with web development?
Post-relational databases: What's wrong with web development?Dobrica Pavlinušić
 
NoSql Databases
NoSql DatabasesNoSql Databases
NoSql DatabasesNimat Khattak
 
A rubyist's naive comparison of some database systems and toolkits
A rubyist's naive comparison of some database systems and toolkitsA rubyist's naive comparison of some database systems and toolkits
A rubyist's naive comparison of some database systems and toolkitsBelighted
 
An Introduction to Big Data, NoSQL and MongoDB
An Introduction to Big Data, NoSQL and MongoDBAn Introduction to Big Data, NoSQL and MongoDB
An Introduction to Big Data, NoSQL and MongoDBWilliam LaForest
 
Introduction to MongoDB (from Austin Code Camp)
Introduction to MongoDB (from Austin Code Camp)Introduction to MongoDB (from Austin Code Camp)
Introduction to MongoDB (from Austin Code Camp)Chris Edwards
 
Mongodb open data day 2014
Mongodb open data day 2014Mongodb open data day 2014
Mongodb open data day 2014David Green
 
Linked Data voor developers - PiLOD congres 25 juni
Linked Data voor developers - PiLOD congres 25 juniLinked Data voor developers - PiLOD congres 25 juni
Linked Data voor developers - PiLOD congres 25 juniDimitri van Hees
 
GraphQL is actually rest
GraphQL is actually restGraphQL is actually rest
GraphQL is actually restJakub Riedl
 
GR8Conf 2011: Neo4j Plugin
GR8Conf 2011: Neo4j PluginGR8Conf 2011: Neo4j Plugin
GR8Conf 2011: Neo4j PluginGR8Conf
 
Grails and Neo4j
Grails and Neo4jGrails and Neo4j
Grails and Neo4jdarthvader42
 
Scaling with mongo db (with notes)
Scaling with mongo db (with notes)Scaling with mongo db (with notes)
Scaling with mongo db (with notes)emiltamas
 
VTi Knowledge Database: a LinkedData project
VTi Knowledge Database: a LinkedData projectVTi Knowledge Database: a LinkedData project
VTi Knowledge Database: a LinkedData projectTom Klaasen
 
Kubernetes: The Very Hard Way
Kubernetes: The Very Hard WayKubernetes: The Very Hard Way
Kubernetes: The Very Hard WayRob Boll
 
NOSQL Databases for the .NET Developer
NOSQL Databases for the .NET DeveloperNOSQL Databases for the .NET Developer
NOSQL Databases for the .NET DeveloperJesus Rodriguez
 
Building a high-performance, scalable ML & NLP platform with Python, Sheer El...
Building a high-performance, scalable ML & NLP platform with Python, Sheer El...Building a high-performance, scalable ML & NLP platform with Python, Sheer El...
Building a high-performance, scalable ML & NLP platform with Python, Sheer El...Pôle Systematic Paris-Region
 
Big Data Israel Meetup : Couchbase and Big Data
Big Data Israel Meetup : Couchbase and Big DataBig Data Israel Meetup : Couchbase and Big Data
Big Data Israel Meetup : Couchbase and Big DataTugdual Grall
 
eZ Publish nextgen
eZ Publish nextgeneZ Publish nextgen
eZ Publish nextgenJérôme Vieilledent
 
Post-relational databases: What's wrong with web development? v3
Post-relational databases: What's wrong with web development? v3Post-relational databases: What's wrong with web development? v3
Post-relational databases: What's wrong with web development? v3Dobrica Pavlinušić
 
When NOT to use MongoDB
When NOT to use MongoDBWhen NOT to use MongoDB
When NOT to use MongoDBMike Michaud
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 

More Related Content

Similar to Rooted 2011 nosql security

An Open Source NoSQL solution for Internet Access Logs Analysis
An Open Source NoSQL solution for Internet Access Logs AnalysisAn Open Source NoSQL solution for Internet Access Logs Analysis
An Open Source NoSQL solution for Internet Access Logs AnalysisJosé Manuel Ciges Regueiro
 
Post-relational databases: What's wrong with web development?
Post-relational databases: What's wrong with web development?Post-relational databases: What's wrong with web development?
Post-relational databases: What's wrong with web development?Dobrica Pavlinušić
 
A rubyist's naive comparison of some database systems and toolkits
A rubyist's naive comparison of some database systems and toolkitsA rubyist's naive comparison of some database systems and toolkits
A rubyist's naive comparison of some database systems and toolkitsBelighted
 
An Introduction to Big Data, NoSQL and MongoDB
An Introduction to Big Data, NoSQL and MongoDBAn Introduction to Big Data, NoSQL and MongoDB
An Introduction to Big Data, NoSQL and MongoDBWilliam LaForest
 
Introduction to MongoDB (from Austin Code Camp)
Introduction to MongoDB (from Austin Code Camp)Introduction to MongoDB (from Austin Code Camp)
Introduction to MongoDB (from Austin Code Camp)Chris Edwards
 
Mongodb open data day 2014
Mongodb open data day 2014Mongodb open data day 2014
Mongodb open data day 2014David Green
 
Linked Data voor developers - PiLOD congres 25 juni
Linked Data voor developers - PiLOD congres 25 juniLinked Data voor developers - PiLOD congres 25 juni
Linked Data voor developers - PiLOD congres 25 juniDimitri van Hees
 
GraphQL is actually rest
GraphQL is actually restGraphQL is actually rest
GraphQL is actually restJakub Riedl
 
GR8Conf 2011: Neo4j Plugin
GR8Conf 2011: Neo4j PluginGR8Conf 2011: Neo4j Plugin
GR8Conf 2011: Neo4j PluginGR8Conf
 
Scaling with mongo db (with notes)
Scaling with mongo db (with notes)Scaling with mongo db (with notes)
Scaling with mongo db (with notes)emiltamas
 
VTi Knowledge Database: a LinkedData project
VTi Knowledge Database: a LinkedData projectVTi Knowledge Database: a LinkedData project
VTi Knowledge Database: a LinkedData projectTom Klaasen
 
Kubernetes: The Very Hard Way
Kubernetes: The Very Hard WayKubernetes: The Very Hard Way
Kubernetes: The Very Hard WayRob Boll
 
NOSQL Databases for the .NET Developer
NOSQL Databases for the .NET DeveloperNOSQL Databases for the .NET Developer
NOSQL Databases for the .NET DeveloperJesus Rodriguez
 
Building a high-performance, scalable ML & NLP platform with Python, Sheer El...
Building a high-performance, scalable ML & NLP platform with Python, Sheer El...Building a high-performance, scalable ML & NLP platform with Python, Sheer El...
Building a high-performance, scalable ML & NLP platform with Python, Sheer El...Pôle Systematic Paris-Region
 
Big Data Israel Meetup : Couchbase and Big Data
Big Data Israel Meetup : Couchbase and Big DataBig Data Israel Meetup : Couchbase and Big Data
Big Data Israel Meetup : Couchbase and Big DataTugdual Grall
 
Post-relational databases: What's wrong with web development? v3
Post-relational databases: What's wrong with web development? v3Post-relational databases: What's wrong with web development? v3
Post-relational databases: What's wrong with web development? v3Dobrica Pavlinušić
 
When NOT to use MongoDB
When NOT to use MongoDBWhen NOT to use MongoDB
When NOT to use MongoDBMike Michaud
 

Similar to Rooted 2011 nosql security (20)

An Open Source NoSQL solution for Internet Access Logs Analysis
An Open Source NoSQL solution for Internet Access Logs AnalysisAn Open Source NoSQL solution for Internet Access Logs Analysis
An Open Source NoSQL solution for Internet Access Logs Analysis
 
Post-relational databases: What's wrong with web development?
Post-relational databases: What's wrong with web development?Post-relational databases: What's wrong with web development?
Post-relational databases: What's wrong with web development?
 
NoSql Databases
NoSql DatabasesNoSql Databases
NoSql Databases
 
A rubyist's naive comparison of some database systems and toolkits
A rubyist's naive comparison of some database systems and toolkitsA rubyist's naive comparison of some database systems and toolkits
A rubyist's naive comparison of some database systems and toolkits
 
An Introduction to Big Data, NoSQL and MongoDB
An Introduction to Big Data, NoSQL and MongoDBAn Introduction to Big Data, NoSQL and MongoDB
An Introduction to Big Data, NoSQL and MongoDB
 
Introduction to MongoDB (from Austin Code Camp)
Introduction to MongoDB (from Austin Code Camp)Introduction to MongoDB (from Austin Code Camp)
Introduction to MongoDB (from Austin Code Camp)
 
Mongodb open data day 2014
Mongodb open data day 2014Mongodb open data day 2014
Mongodb open data day 2014
 
Linked Data voor developers - PiLOD congres 25 juni
Linked Data voor developers - PiLOD congres 25 juniLinked Data voor developers - PiLOD congres 25 juni
Linked Data voor developers - PiLOD congres 25 juni
 
GraphQL is actually rest
GraphQL is actually restGraphQL is actually rest
GraphQL is actually rest
 
GR8Conf 2011: Neo4j Plugin
GR8Conf 2011: Neo4j PluginGR8Conf 2011: Neo4j Plugin
GR8Conf 2011: Neo4j Plugin
 
Grails and Neo4j
Grails and Neo4jGrails and Neo4j
Grails and Neo4j
 
Scaling with mongo db (with notes)
Scaling with mongo db (with notes)Scaling with mongo db (with notes)
Scaling with mongo db (with notes)
 
VTi Knowledge Database: a LinkedData project
VTi Knowledge Database: a LinkedData projectVTi Knowledge Database: a LinkedData project
VTi Knowledge Database: a LinkedData project
 
Kubernetes: The Very Hard Way
Kubernetes: The Very Hard WayKubernetes: The Very Hard Way
Kubernetes: The Very Hard Way
 
NOSQL Databases for the .NET Developer
NOSQL Databases for the .NET DeveloperNOSQL Databases for the .NET Developer
NOSQL Databases for the .NET Developer
 
Building a high-performance, scalable ML & NLP platform with Python, Sheer El...
Building a high-performance, scalable ML & NLP platform with Python, Sheer El...Building a high-performance, scalable ML & NLP platform with Python, Sheer El...
Building a high-performance, scalable ML & NLP platform with Python, Sheer El...
 
Big Data Israel Meetup : Couchbase and Big Data
Big Data Israel Meetup : Couchbase and Big DataBig Data Israel Meetup : Couchbase and Big Data
Big Data Israel Meetup : Couchbase and Big Data
 
eZ Publish nextgen
eZ Publish nextgeneZ Publish nextgen
eZ Publish nextgen
 
Post-relational databases: What's wrong with web development? v3
Post-relational databases: What's wrong with web development? v3Post-relational databases: What's wrong with web development? v3
Post-relational databases: What's wrong with web development? v3
 
When NOT to use MongoDB
When NOT to use MongoDBWhen NOT to use MongoDB
When NOT to use MongoDB
 

Recently uploaded

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 

Recently uploaded (20)

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 

Rooted 2011 nosql security

  • 1. NoSQL Security José Ramón Palanco miércoles 16 de marzo de 2011
  • 2. Agenda ✦ NoSQL Introduction ✦ NoSQL vs RDBMS ✦ NoSQL Arquitecture ✦ NoSQL Implementations ✦ Attack vectors ✦ Injections ✦ Key Bruteforce ✦ HTTP Protocol Based Attacks in listeners ✦ Cassandra security y Thrift security ✦ Denial of Service (connection pollution, evil queries) miércoles 16 de marzo de 2011
  • 3. NOSQL Introduction miércoles 16 de marzo de 2011
  • 4. ¿What is NoSQL? ✦ In general, don’t need table scheme and don’t uses “join” ✦ NoSQL solutions don’t imeplement one or more ACID properties miércoles 16 de marzo de 2011
  • 5. CAP Theorem ✦ Properties: consistency, availability and partitions ✦ At least need 2 of them ✦ To scale partition is needed ✦ In general is preferer availability over consistency miércoles 16 de marzo de 2011
  • 6. NoSQL Arquitecture RDBMS NoSQL Client Client HTTP Server HTTP Server SQL REST, JSON, XML, ... Connector BBDD Connector BBDD ODBC, ADO, JDBC Binary, HTTP, ... miércoles 16 de marzo de 2011
  • 7. NoSQL vs RDBMS ✦ RDBMS show poor performance and scalability in application which make a heavy use of data ✦ Cloud Computing (SaaS) ✦ Social Networks (SN) ✦ To make complex queries is not possible perform them with something diferent than RDBMS miércoles 16 de marzo de 2011
  • 8. Enviroments ✦ In lot of enviroments is need to distribute writes in clusters, MapReduce, .. ✦ Facebook needs store 135 billions of messages each month ✦ Twitter stores 7 TB diary miércoles 16 de marzo de 2011
  • 9. Disadvantages NoSQL ✦ OLTP ✦ SQL ✦ Ad-Hoc queries ✦ Complex relations miércoles 16 de marzo de 2011
  • 10. NoSQL Arquitectures ✦ Document store ✦ Graph ✦ Key-value store ✦ Multivalue ✦ Objets ✦ Tabular miércoles 16 de marzo de 2011
  • 11. Key-value store ✦ CouchDB: ✦ MongoDB ✦ Terrastore ✦ ThruDB ✦ OrientDB ✦ RavenDB miércoles 16 de marzo de 2011
  • 12. Graph ✦ Neo4J ✦ Sones ✦ InfoGrid ✦ HypergraphDB ✦ AllegroGraph ✦ BigData miércoles 16 de marzo de 2011
  • 13. Key-value ✦ Redis ✦ Riak ✦ Tokio Cabinet ✦ MemcacheDB ✦ Membase ✦ Azure miércoles 16 de marzo de 2011
  • 14. Multivalue ✦ U2 ✦ OpenInsight ✦ OpenQM miércoles 16 de marzo de 2011
  • 15. Objets ✦ db4o ✦ Objetivity ✦ Versant ✦ NEO miércoles 16 de marzo de 2011
  • 16. MongoDB ✦ Protocol: Binary (BSON) ✦ API: several languages ✦ Query: JavaScript/JSON ✦ Language: C++ miércoles 16 de marzo de 2011
  • 17. Schema-Free (JSON) Features CouchDB • Document Oriented, Not Relational • Highly Concurrent ✦ Protocol: REST • RESTful HTTP API ✦ API: JSON • JavaScript-Powered ✦ Map/Reduce Query: MapReduce (JS) ✦ • Language: Erlang N-Master Replication • Robust Storage miércoles 16 de marzo de 2011
  • 18. {"couchdb":"Welcome","version":"0.11.0"} $ telnet 172.16.163.129 5984 Trying 172.16.163.129... Connected to 172.16.163.129. Escape character is '^]'. GET /rooted/ HTTP/1.1 Host: localhost HTTP/1.1 200 OK Server: CouchDB/0.11.0 (Erlang OTP/R14B) Date: Sat, 19 Feb 2011 05:20:28 GMT Content-Type: text/plain;charset=utf-8 Content-Length: 188 Cache-Control: must-revalidate {"db_name":"rooted","doc_count":1,"doc_del_count":0,"update_seq":1,"purge_seq": 0,"compact_running":false,"disk_size": 4182,"instance_start_time":"1298092462502662","disk_format_version":5} miércoles 16 de marzo de 2011
  • 19. {"couchdb":"Welcome","version":"0.11.0"} $ telnet 172.16.163.129 5984 Trying 172.16.163.129... Connected to 172.16.163.129. Escape character is '^]'. GET /rooted/f34aae022f67a23ac56dba5b4e000cf2 HTTP/1.1 Host: localhost HTTP/1.1 200 OK Server: CouchDB/0.11.0 (Erlang OTP/R14B) Etag: "1-2512702fff02fe841adecde4a22c62b5" Date: Sat, 19 Feb 2011 05:20:47 GMT Content-Type: text/plain;charset=utf-8 Content-Length: 155 Cache-Control: must-revalidate {"_id":"f34aae022f67a23ac56dba5b4e000cf2","_rev":"1-2512702fff02fe841adecde4a2 2c62b5","Nombre":"Jose","DNI":"9393948K","telefono":999999999} Connection closed by foreign host. miércoles 16 de marzo de 2011
  • 20. Redis ✦ Protocol: Plain Telnet ✦ API: Several Languages ✦ Query: Commands ✦ Language: C/C++ miércoles 16 de marzo de 2011
  • 21. Cassandra ✦ Protocol: Binary (Thrift) ✦ API: Thrift ✦ Query: Column/ranges ✦ Languages: Java miércoles 16 de marzo de 2011
  • 22. Cassandra ✦ Column (tuple/triplet) ✦ Supercolumn (composed by columns) ✦ Column Family (contains supercolumns) ✦ Keyspace (stores column families) miércoles 16 de marzo de 2011
  • 23. Cassandra <Keyspace Name="BloggyAppy"> <!-- CF definitions --> <ColumnFamily CompareWith="BytesType" Name="Authors"/> <ColumnFamily CompareWith="BytesType" Name="BlogEntries"/> <ColumnFamily CompareWith="TimeUUIDType" Name="TaggedPosts"/> <ColumnFamily CompareWith="TimeUUIDType" Name="Comments" CompareSubcolumnsWith="BytesType" ColumnType="Super"/> </Keyspace> storage-conf.xml miércoles 16 de marzo de 2011
  • 24. Attack vectors miércoles 16 de marzo de 2011
  • 25. Introduction ✦ Several database concepts ✦ Several implementations ✦ So attack vectors are very specifics and depends on each implementation miércoles 16 de marzo de 2011
  • 26. HTTP Based Attacks ✦ ¿Who uses HTTP? ✦ CouchDB ✦ HBASE ✦ Riak ✦ ¿How to locate vulnerabilities? ✦ fuzzing: hzzp miércoles 16 de marzo de 2011
  • 27. Listeners explotation ✦ As they work on $ telnet server.com 80 HTTP, it’s Trying X.X.X.X... possible use cache Connected to server.com. proxies Escape character is '^]' misconfigured to GET /_all_dbs get access Host: 192.168.2.18 miércoles 16 de marzo de 2011
  • 28. JSON Injection In the same way that the SQL is escaped, when working with CouchDB or MongoDB, we should do the same db.foo.find( { $or : [ { a : 1 } , { b : 2 } ] } ) db.foo.find( { $or : [ { a : 1 } , { b : 2 }, { c : /.*/ } ] } ) miércoles 16 de marzo de 2011
  • 29. Array Injection <? $collection->find(array( MongoDB + PHP "username" => $_GET ['username'], "passwd" => $_GET ✦ In PHP it is possible that a variable is an array ['passwd'] by adding brackets )); ?> ✦ If admin passwd ‘Not Equal’ anything, you can access /login.php?username=admin&passwd[$ne]=1 ✦ Besides that of $ne, we can inject: <? ✦ $or, $exists, $nin, $in, $lt, ... (logics) $collection->find(array( "username" => "admin", "passwd" => array("$ne" => 1) ✦ &var[‘$regex’]=/privileged/i (regex) )); ?> miércoles 16 de marzo de 2011
  • 30. View Injection ✦ CouchDB uses SpiderMonkey as scripting engine ✦ The views are loaded as js $ ldd /usr/lib/couchdb/bin/couchjs libcurl.so.4 => /usr/lib/libcurl.so.4 (0x00007f7124325000) libmozjs.so.2d => /usr/lib/libmozjs.so.2d (0x00007f7124063000) ... miércoles 16 de marzo de 2011
  • 31. View Injection ✦ There are predefined views and temporary ✦ To make MapReduce ✦ Get arbitrary data, change values to alter the execution flow miércoles 16 de marzo de 2011
  • 32. REST INJECTION <? $dbname = $_GET["db"]; $doc_id = $_GET["d_id"]; $resp = $couch->send("GET", "/" . $dbname ."/" . $doc_id); ?> ✦ Cross Database: ✦ /?db=_all_dbs ✦ /?db=myusers miércoles 16 de marzo de 2011
  • 33. CouchDB info ✦ http://172.16.163.129:5984/_config ✦ http://172.16.163.129:5984/_all_dbs ✦ http://172.16.163.129:5984/_stats ✦ http://172.16.163.129:5984/_utils miércoles 16 de marzo de 2011
  • 34. CouchDB cmd exec. miércoles 16 de marzo de 2011
  • 35. GQL Injection ✦ You can reach GQL injection, but in a very controlled environment ✦ There is no negation operator "!" ✦ The set of GQL commands is very limited miércoles 16 de marzo de 2011
  • 36. Key Bruteforce ✦ As there are no schemes, we do not have to find out them ✦ The IDs are large, but not generated at random: e479f720ff9a05fb2f441fef97000c87 e479f720ff9a05fb2f441fef97000b61 miércoles 16 de marzo de 2011
  • 37. Cassandra Security <? ... $columnParent = new cassandra_ColumnParent(); $columnParent->super_column = NULL; if(isset($_GET[‘CF’])) $columnParent->column_family = $_GET[‘CF’].“_myfam”; $sliceRange = new cassandra_SliceRange(); ✦ If we change the $sliceRange->start = ""; $sliceRange->finish = ""; name of a family, we $predicate = new cassandra_SlicePredicate(); list() = $predicate->column_names; can get items from $predicate->slice_range = $sliceRange; $consistency_level = cassandra_ConsistencyLevel::ONE; other family $keyUserId = 1; $result = $client->get_slice($keyspace, $keyUserId, $columnParent, $predicate, $consistency_level); print_r($result); ... ?> miércoles 16 de marzo de 2011
  • 38. Denial of Service ✦ Connection polution ✦ Couchdb-> implementación interface = restfull ✦ With GQL, it is possible to perform a DoS creating queries which make an intensive use of CPU and will be disconnected or be billed for that extra CPU miércoles 16 de marzo de 2011
  • 39. Questions miércoles 16 de marzo de 2011
  • 40. Questions miércoles 16 de marzo de 2011