
Exploiting NoSQL Like Never Before


Presentation Transcript


  1. Exploiting NoSQL Like Never Before c0c0n2014

  2. About Me • Independent Security Researcher • Member @OpenSecurity • Currently Pursuing My Bachelors Degree • Spoken @ a couple of Conferences

  3. Agenda • More Emphasis Given on the Server-Client and Server Management Consoles • Pentesting Scenarios are given more importance. • We will not deal with Memory Related Bugs or issues. • Demos

  4. INTRO TO NOSQL

  5. Key Takeovers

  6. Mainly 4 types

  7. NoSQL Security

  8. Why Developers Need to Worry ?

  9. You Will Love this Part 

  10. ABUSING API CALLS

  11. MongoDB

  12. Mongo Trivia

  13. Mongo Architecture

  14. [Architecture diagram: three Mongo Clients connecting to one Mongo Server]

  15. Attacker's Perspective [Diagram: Mongo Clients to Mongo Server; threats on the path: Sniffing, Enumeration, JS Injection, DoS]

  16. JS Attack Surface

  17. Issues

  18. Some Useful Mongo Commands

  19. Useful Commands for us

  20. Saving JavaScript

  21. Post Exploitation Phase • Allows the attacker to write JavaScript functions and save them on the server • Can be used for further attacks when needed. • db.system.js.save({ _id: "c0c0n2014ams", value: function (x, y) { return x + y; } }); • db.loadServerScripts()

  22. Injecting JavaScript

  23. Reference to DB in Mongo • Mongo functions can reference the db object and its main functions • An attacker who finds an injection point could abuse this. • Found in versions 2.2 or lower • Patched in later Mongo versions. Does JS Injection end here?

  24. Timing Based Checks • The application can be tested for time-based attacks • The Mongo shell supports most JavaScript functions • function(){ return sleep(500); } would delay the application response by 5sec. • Module added to the NoSQL framework while testing for JS injection attacks

  25. THIS Pointer Reference • Although Mongo has blocked references to the db object • An attacker could still use the this pointer to return objects and dump data as before

  26. What if THIS is Blocked? Version to the Rescue • The version command by default binds to functions defined by the Mongo instance • So if an admin blocks the "this" pointer • function(){return this} (blocked) • function(){return version} or function(){return version()} • Scenario useful when the developer uses $where to evaluate JS code.
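The $where injection the slides above describe, as an added example that is not from the talk: a filter built by splicing user input into JavaScript beside a hardened equality filter that never reaches the JS engine. The sample collection and the runQuery stand-in (which emulates mongod evaluating $where with this bound to each document) are constructed here so the block runs without a server; on a real deployment the server-side fix is to start mongod with --noscripting, which disables $where altogether.

```javascript
// Constructed sample collection standing in for a users collection.
const users = [
  { username: 'alice', role: 'user' },
  { username: 'bob', role: 'admin' },
];

// Vulnerable: the caller's input is spliced into JavaScript source that the
// server would execute, so quote characters break out of the string literal.
function buildWhereQueryVulnerable(username) {
  return { $where: `this.username == '${username}'` };
}

// Hardened: validate the input as data and build a plain equality filter.
// The type check also blocks an object such as {$ne: ''} being passed as an
// operator; nothing here is evaluated as code.
function buildQuerySafe(username) {
  if (typeof username !== 'string' || !/^[a-z0-9_]{1,32}$/i.test(username)) {
    throw new Error('invalid username');
  }
  return { username };
}

// Hypothetical server stand-in: $where is run as JavaScript with `this`
// bound to the document (as mongod does when scripting is enabled);
// any other key is matched by strict equality.
function runQuery(query) {
  if (query.$where !== undefined) {
    const fn = new Function('return (' + query.$where + ');');
    return users.filter((doc) => Boolean(fn.call(doc)));
  }
  return users.filter((doc) =>
    Object.keys(query).every((k) => doc[k] === query[k]),
  );
}

// Same legitimate lookup through both builders: both return only alice.
function lookupBothWays(username) {
  return {
    vulnerable: runQuery(buildWhereQueryVulnerable(username)).length,
    safe: runQuery(buildQuerySafe(username)).length,
  };
}
```

With a benign username both builders agree; the difference shows only when the input contains JavaScript, which the hardened builder rejects before any query is built.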

  27. Mongo With PHP

  28. Vulnerable APP DEMO

  29. Resource Exhaustion

  30. CouchDB

  31. CouchDB Architecture

  32. Couch Architecture [Diagram: Administrator uses the Couch Futon interface to reach the CouchDB backend]

  33. CouchDB Attacker's Perspective [Diagram: Administrator, Couch Futon interface, CouchDB backend; threats: XSS, CSRF, Sniffing]

  34. Key Features

  35. Attack Surface

  36. Vulnerabilities

  37. Addressing Auth Cookie

  38. PHP on Couch Driver

  39. Vulnerable APP DEMO

  40. Redis

  41. Redis Architecture

  42. Key Features • Key-value storage engine. • Contains a Redis server and client • Driven by a config file • Documentation is a laugh in the park • Redis supports five data structures: strings, hashes, lists, sets and ordered sets.
