Making Mongo Cry: NoSQL for Penetration Testers

Presentation transcript:

Making Mongo Cry: NoSQL for Penetration Testers Russell Butturini tcstool@gmail.com @tcstoolhax0r

DISCLAIMER This presentation contains jokes from the movie Blazing Saddles. The presenter takes no responsibility if you haven’t seen one of the greatest films ever made and find none of his jokes funny.

Let’s talk about Mongo…But not this Mongo…

THIS Mongo

However they’re kind of the same…
Big
Powerful
Blindly trust input
Do anything they’re told
Don’t understand encryption

Frequent releases with lots of big changes
49% of LinkedIn member profiles mentioning NoSQL technologies reference MongoDB [1].
“Generally, changes in the release series (e.g. 2.2 to 2.4) mark the introduction of new features that may break backwards compatibility” [2].
10Gen is oblivious to security issues: “…We were on with…the MongoDB guys talking about the security of the platform, and…it was really clear that they just didn’t care, because their customers weren’t asking for it.” (Rich Mogull, Security Weekly episode 345 [3])
[1] http://www.mongodb.com/press/mongodb-certification-now-available-developers-and-dbas
[2] http://docs.mongodb.org/manual/release-notes/
[3] http://pauldotcom.com/wiki/index.php/Episode345

NoSQL Primer-Structure
Traditional SQL   ->  Mongo NoSQL
Databases         ->  Databases
Tables            ->  Collections
Columns/Types     ->  Documents (NoSQL: logical organizational units, no restrictions)
Rows/Records      ->  Key-value pairs

NoSQL Primer-Data
Traditional SQL:
firstName (char) | lastName (varchar) | widgets (int)
John             | Doe                | 5
Mongo NoSQL:
{"firstname" : "John", "lastname" : "Doe", "widgets" : 5}
or {"firstname" : "John", "lastname" : "Doe", "widgets" : "five"}
or {"firstname" : "John", "lastname" : "Doe", "widgets" : 5, "foo" : "bar"}
Mongo is dynamic! If the schema doesn’t exist, it will make it for you. If the data is not in the right format, the insert happens anyway. Mongo stores documents as JSON and represents them in BSON to add additional data types and to make encoding/decoding more efficient across platforms.

NoSQL Primer-Queries
Traditional SQL: SELECT email FROM users WHERE username = 'joe';
Mongo NoSQL: db.users.find({"username" : "joe"}, {"email" : 1})

The Good
Built for performance
Highly scalable
Dynamic and flexible

The Bad
No standards between NoSQL platforms (you have to choose the right DB for the right job)
Security is weak and inconsistently applied

The Disturbing
No authentication required by default
Weak or plaintext password storage
Cleartext network communication from client to server
No data encryption
“Use this only in trusted environments” (yeah right)
Reliance on the clients/drivers for security/functionality

NoSQL = No Auth (at least by default)
Shodan: 33,575 Mongo default management ports exposed to the Internet (Feb 2014; Project Un1c0rn has more!)
How many have the default of no authentication on?

And…
Total: 33,575 servers
Unauthenticated: 18,979 (56.5%)
(Most of the others were offline, not authenticated)
RTFM: “The most effective way to reduce risk for MongoDB deployments is to run your entire MongoDB deployment, including all MongoDB components (i.e. mongod, mongos and application instances) in a trusted environment.”

Conclusion
At least 18,979 people believe the Internet is a trusted environment.

Pen Testing Fun
/etc/mongod.conf: DB config. The best part: disable ALL authentication (except for the web interface, for some reason) by commenting out auth=true and kicking the service.
run() acts as a shell (on whichever host you launch the Mongo client from).
Entering a command with no parameters shows the JavaScript being executed in the shell.
system.users: usernames and weak password hashes.
system.indexes: key fields for speedy searching (probably important stuff).
TCP 28017: web management interface, on by default (before 2.6).
An optional REST API, when enabled, allows querying databases through the web management interface.

NoSQL = No Encryption
Server/client communications (including authentication) occur in PLAIN TEXT.
Passwords are hashed with MD5, and a nonce is only used over the wire (not at rest).
Data encryption? You’re on your own. (More on this to come…)

NoSQL = No SQL Injection (not)
Changing syntax != no vulnerabilities
Traditional SQL injection: ' OR 1=1 --
MongoDB $where query injection (<=2.2): a'; return db.ddlkad.find(); var dummy='a
MongoDB $where query injection (<=2.4): a'; return this.adfjda != djakflkdkl; var dummy='a
or a'; return 1=1; var dummy='a
or a'; return true; var dummy = 'a
(Speaker note: mention the SpiderMonkey to V8 JavaScript interpreter change.)

Client Issues
PHP. What you supply: http://somesite.com/id[$ne]=something
What PHP sees: {"$ne" => "something"}
What MongoDB sees: “Give me everything back that is not equal to ‘something’”
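Added example, not code from the talk or from NoSQLMap: pure Node.js with no database, it models how the `id[$ne]=something` operator injection and the `$where` string injection on the slides above turn into the filter documents a driver would send, next to a hardened builder that rejects operator keys and never builds `$where` from user input. `parseBracketQuery` only mimics PHP's bracket parsing one level deep, and all function names here are assumptions of this example.

```javascript
// Added example, not code from the talk or from NoSQLMap. No database needed:
// each function returns the filter document a driver would send to mongod.
// Mimics PHP-style bracket parsing of a query string (one level deep):
// "id[$ne]=something" -> { id: { "$ne": "something" } }
function parseBracketQuery(qs) {
  const out = {};
  for (const pair of qs.split('&')) {
    const eq = pair.indexOf('=');
    const key = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const val = decodeURIComponent(eq < 0 ? '' : pair.slice(eq + 1));
    const m = key.match(/^([^\[]+)\[([^\]]*)\]$/);
    if (m) {
      out[m[1]] = out[m[1]] || {};
      out[m[1]][m[2]] = val;
    } else {
      out[key] = val;
    }
  }
  return out;
}

// Vulnerable: the parsed value goes straight into the filter, so an object
// carrying "$ne" becomes an operator instead of a literal id (the PHP slide).
function vulnerableIdFilter(params) {
  return { id: params.id };
}

// Vulnerable: user input concatenated into $where JavaScript (the <=2.4 slides).
function vulnerableWhereFilter(params) {
  return { $where: "this.username == '" + params.username + "'" };
}

// Hardened, part 1: recursively detect operator keys in user-supplied values.
function containsOperator(value) {
  if (value === null || typeof value !== 'object') return false;
  return Object.keys(value).some(k => k.startsWith('$') || containsOperator(value[k]));
}

// Hardened, part 2: reject operators and coerce to the scalar type the field expects.
function safeIdFilter(params) {
  if (containsOperator(params.id)) throw new Error('rejected: operator in user input');
  return { id: String(params.id) };
}

// Hardened, part 3: equality match on a whitelisted string instead of $where, so the
// value travels as BSON data and is never evaluated as JavaScript on the server.
function safeUsernameFilter(params) {
  const u = params.username;
  if (typeof u !== 'string' || !/^[A-Za-z0-9_.-]{1,32}$/.test(u)) throw new Error('rejected: bad username');
  return { username: u };
}
```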

Credit where Credit is Due
On 4/8/2014, MongoDB 2.6 was released:
New authentication methods, including certificates and external authentication sources.
Web interface is disabled by default.
Granular role based access control.
Auditing of schema, replica sets, authentication/authorization, general operations.
Encryption in transit over SSL.
Encryption at rest provided by Gazzang at the database and field levels.

But…
Still no authentication by default.
The default distribution of MongoDB 2.6 does NOT contain support for SSL (recompile the whole thing locally or buy the enterprise version for 7,500 bucks).
Gazzang encryption at rest isn’t free either.
Password hashing still uses the same weak algorithm as previous versions.

NoSQLMap
Project home page: www.nosqlmap.net
Automates all this stuff we just talked about and more.
Always looking for more help!!!

Final Thoughts
NoSQL databases can be a great tool, but you have to understand what you get.
Devs can (and will) make the same mistakes they’ve been making for years.
The default settings will get left on.
Good application layer security is key, since the database platform doesn’t provide any.

Questions?
NoSQLMap home page: www.nosqlmap.net
Project mailbox: nosqlmap@gmail.com
Me: @tcstoolhax0r, tcstool@gmail.com