Suche senden
Hochladen
No sql but even less security
•
5 gefällt mir
•
1,520 views
I
iammutex
Folgen
NoSQL, But Even Less Security
Weniger lesen
Mehr lesen
Technologie
Melden
Teilen
Melden
Teilen
1 von 37
Jetzt herunterladen
Downloaden Sie, um offline zu lesen
Empfohlen
深入了解Redis
深入了解Redis
iammutex
Making the case for write-optimized database algorithms / Mark Callaghan (Fac...
Making the case for write-optimized database algorithms / Mark Callaghan (Fac...
Ontico
Redis深入浅出
Redis深入浅出
iammutex
Scylla Summit 2018: In-Memory Scylla - When Fast Storage is Not Fast Enough
Scylla Summit 2018: In-Memory Scylla - When Fast Storage is Not Fast Enough
ScyllaDB
Exploiting Your File System to Build Robust & Efficient Workflows
Exploiting Your File System to Build Robust & Efficient Workflows
jasonajohnson
Алексей Лесовский "Тюнинг Linux для баз данных. "
Алексей Лесовский "Тюнинг Linux для баз данных. "
Tanya Denisyuk
High Performance Weibo QCon Beijing 2011
High Performance Weibo QCon Beijing 2011
Tim Y
Setting up mongodb sharded cluster in 30 minutes
Setting up mongodb sharded cluster in 30 minutes
Sudheer Kondla
Empfohlen
深入了解Redis
深入了解Redis
iammutex
Making the case for write-optimized database algorithms / Mark Callaghan (Fac...
Making the case for write-optimized database algorithms / Mark Callaghan (Fac...
Ontico
Redis深入浅出
Redis深入浅出
iammutex
Scylla Summit 2018: In-Memory Scylla - When Fast Storage is Not Fast Enough
Scylla Summit 2018: In-Memory Scylla - When Fast Storage is Not Fast Enough
ScyllaDB
Exploiting Your File System to Build Robust & Efficient Workflows
Exploiting Your File System to Build Robust & Efficient Workflows
jasonajohnson
Алексей Лесовский "Тюнинг Linux для баз данных. "
Алексей Лесовский "Тюнинг Linux для баз данных. "
Tanya Denisyuk
High Performance Weibo QCon Beijing 2011
High Performance Weibo QCon Beijing 2011
Tim Y
Setting up mongodb sharded cluster in 30 minutes
Setting up mongodb sharded cluster in 30 minutes
Sudheer Kondla
Tarantool: как сэкономить миллион долларов на базе данных на высоконагруженно...
Tarantool: как сэкономить миллион долларов на базе данных на высоконагруженно...
Ontico
Introduction to Redis
Introduction to Redis
Arnab Mitra
Understanding and tuning WiredTiger, the new high performance database engine...
Understanding and tuning WiredTiger, the new high performance database engine...
Ontico
微博cache设计谈
微博cache设计谈
Tim Y
Development to Production with Sharded MongoDB Clusters
Development to Production with Sharded MongoDB Clusters
Severalnines
MyRocks introduction and production deployment
MyRocks introduction and production deployment
Yoshinori Matsunobu
Performance analysis with_ceph
Performance analysis with_ceph
Alex Lau
Ужимай и властвуй алгоритмы компрессии в базах данных / Петр Зайцев (Percona)
Ужимай и властвуй алгоритмы компрессии в базах данных / Петр Зайцев (Percona)
Ontico
Scaling MongoDB in the cloud with Microsoft Azure
Scaling MongoDB in the cloud with Microsoft Azure
Ivan Fioravanti
SUSE Storage: Sizing and Performance (Ceph)
SUSE Storage: Sizing and Performance (Ceph)
Lars Marowsky-Brée
Build an affordable Cloud Stroage
Build an affordable Cloud Stroage
Alex Lau
Ceph Day Beijing - Our journey to high performance large scale Ceph cluster a...
Ceph Day Beijing - Our journey to high performance large scale Ceph cluster a...
Danielle Womboldt
Hadoop Meetup Jan 2019 - Mounting Remote Stores in HDFS
Hadoop Meetup Jan 2019 - Mounting Remote Stores in HDFS
Erik Krogen
Webinar Back to Basics 3 - Introduzione ai Replica Set
Webinar Back to Basics 3 - Introduzione ai Replica Set
MongoDB
Ceph - High Performance Without High Costs
Ceph - High Performance Without High Costs
Jonathan Long
Scaling Cassandra for Big Data
Scaling Cassandra for Big Data
DataStax Academy
Frontera распределенный робот для обхода веба в больших объемах / Александр С...
Frontera распределенный робот для обхода веба в больших объемах / Александр С...
Ontico
MyRocks Deep Dive
MyRocks Deep Dive
Yoshinori Matsunobu
Glauber Costa on OSv as NoSQL platform
Glauber Costa on OSv as NoSQL platform
Don Marti
DevOps for ETL processing at scale with MongoDB, Solr, AWS and Chef
DevOps for ETL processing at scale with MongoDB, Solr, AWS and Chef
Gaurav "GP" Pal
MongoDB 在盛大大数据量下的应用
MongoDB 在盛大大数据量下的应用
iammutex
NoSQL误用和常见陷阱分析
NoSQL误用和常见陷阱分析
iammutex
Weitere ähnliche Inhalte
Was ist angesagt?
Tarantool: как сэкономить миллион долларов на базе данных на высоконагруженно...
Tarantool: как сэкономить миллион долларов на базе данных на высоконагруженно...
Ontico
Introduction to Redis
Introduction to Redis
Arnab Mitra
Understanding and tuning WiredTiger, the new high performance database engine...
Understanding and tuning WiredTiger, the new high performance database engine...
Ontico
微博cache设计谈
微博cache设计谈
Tim Y
Development to Production with Sharded MongoDB Clusters
Development to Production with Sharded MongoDB Clusters
Severalnines
MyRocks introduction and production deployment
MyRocks introduction and production deployment
Yoshinori Matsunobu
Performance analysis with_ceph
Performance analysis with_ceph
Alex Lau
Ужимай и властвуй алгоритмы компрессии в базах данных / Петр Зайцев (Percona)
Ужимай и властвуй алгоритмы компрессии в базах данных / Петр Зайцев (Percona)
Ontico
Scaling MongoDB in the cloud with Microsoft Azure
Scaling MongoDB in the cloud with Microsoft Azure
Ivan Fioravanti
SUSE Storage: Sizing and Performance (Ceph)
SUSE Storage: Sizing and Performance (Ceph)
Lars Marowsky-Brée
Build an affordable Cloud Stroage
Build an affordable Cloud Stroage
Alex Lau
Ceph Day Beijing - Our journey to high performance large scale Ceph cluster a...
Ceph Day Beijing - Our journey to high performance large scale Ceph cluster a...
Danielle Womboldt
Hadoop Meetup Jan 2019 - Mounting Remote Stores in HDFS
Hadoop Meetup Jan 2019 - Mounting Remote Stores in HDFS
Erik Krogen
Webinar Back to Basics 3 - Introduzione ai Replica Set
Webinar Back to Basics 3 - Introduzione ai Replica Set
MongoDB
Ceph - High Performance Without High Costs
Ceph - High Performance Without High Costs
Jonathan Long
Scaling Cassandra for Big Data
Scaling Cassandra for Big Data
DataStax Academy
Frontera распределенный робот для обхода веба в больших объемах / Александр С...
Frontera распределенный робот для обхода веба в больших объемах / Александр С...
Ontico
MyRocks Deep Dive
MyRocks Deep Dive
Yoshinori Matsunobu
Glauber Costa on OSv as NoSQL platform
Glauber Costa on OSv as NoSQL platform
Don Marti
DevOps for ETL processing at scale with MongoDB, Solr, AWS and Chef
DevOps for ETL processing at scale with MongoDB, Solr, AWS and Chef
Gaurav "GP" Pal
Was ist angesagt?
(20)
Tarantool: как сэкономить миллион долларов на базе данных на высоконагруженно...
Tarantool: как сэкономить миллион долларов на базе данных на высоконагруженно...
Introduction to Redis
Introduction to Redis
Understanding and tuning WiredTiger, the new high performance database engine...
Understanding and tuning WiredTiger, the new high performance database engine...
微博cache设计谈
微博cache设计谈
Development to Production with Sharded MongoDB Clusters
Development to Production with Sharded MongoDB Clusters
MyRocks introduction and production deployment
MyRocks introduction and production deployment
Performance analysis with_ceph
Performance analysis with_ceph
Ужимай и властвуй алгоритмы компрессии в базах данных / Петр Зайцев (Percona)
Ужимай и властвуй алгоритмы компрессии в базах данных / Петр Зайцев (Percona)
Scaling MongoDB in the cloud with Microsoft Azure
Scaling MongoDB in the cloud with Microsoft Azure
SUSE Storage: Sizing and Performance (Ceph)
SUSE Storage: Sizing and Performance (Ceph)
Build an affordable Cloud Stroage
Build an affordable Cloud Stroage
Ceph Day Beijing - Our journey to high performance large scale Ceph cluster a...
Ceph Day Beijing - Our journey to high performance large scale Ceph cluster a...
Hadoop Meetup Jan 2019 - Mounting Remote Stores in HDFS
Hadoop Meetup Jan 2019 - Mounting Remote Stores in HDFS
Webinar Back to Basics 3 - Introduzione ai Replica Set
Webinar Back to Basics 3 - Introduzione ai Replica Set
Ceph - High Performance Without High Costs
Ceph - High Performance Without High Costs
Scaling Cassandra for Big Data
Scaling Cassandra for Big Data
Frontera распределенный робот для обхода веба в больших объемах / Александр С...
Frontera распределенный робот для обхода веба в больших объемах / Александр С...
MyRocks Deep Dive
MyRocks Deep Dive
Glauber Costa on OSv as NoSQL platform
Glauber Costa on OSv as NoSQL platform
DevOps for ETL processing at scale with MongoDB, Solr, AWS and Chef
DevOps for ETL processing at scale with MongoDB, Solr, AWS and Chef
Andere mochten auch
MongoDB 在盛大大数据量下的应用
MongoDB 在盛大大数据量下的应用
iammutex
NoSQL误用和常见陷阱分析
NoSQL误用和常见陷阱分析
iammutex
Webinar - Approaching 1 billion documents with MongoDB
Webinar - Approaching 1 billion documents with MongoDB
Boxed Ice
Living with SQL and NoSQL at craigslist, a Pragmatic Approach
Living with SQL and NoSQL at craigslist, a Pragmatic Approach
Jeremy Zawodny
Midas - on-the-fly schema migration tool for MongoDB.
Midas - on-the-fly schema migration tool for MongoDB.
Dhaval Dalal
Lessons Learned Migrating 2+ Billion Documents at Craigslist
Lessons Learned Migrating 2+ Billion Documents at Craigslist
Jeremy Zawodny
Andere mochten auch
(6)
MongoDB 在盛大大数据量下的应用
MongoDB 在盛大大数据量下的应用
NoSQL误用和常见陷阱分析
NoSQL误用和常见陷阱分析
Webinar - Approaching 1 billion documents with MongoDB
Webinar - Approaching 1 billion documents with MongoDB
Living with SQL and NoSQL at craigslist, a Pragmatic Approach
Living with SQL and NoSQL at craigslist, a Pragmatic Approach
Midas - on-the-fly schema migration tool for MongoDB.
Midas - on-the-fly schema migration tool for MongoDB.
Lessons Learned Migrating 2+ Billion Documents at Craigslist
Lessons Learned Migrating 2+ Billion Documents at Craigslist
Ähnlich wie No sql but even less security
Defending Against Application DoS attacks
Defending Against Application DoS attacks
Roberto Suggi Liverani
NoSQL - No Security?
NoSQL - No Security?
Gavin Holt
Devoxx France 2013 Cloud Best Practices
Devoxx France 2013 Cloud Best Practices
Eric Bottard
Asec r01-resting-on-your-laurels-will-get-you-pwned
Asec r01-resting-on-your-laurels-will-get-you-pwned
Dinis Cruz
Introduction to REST and Jersey
Introduction to REST and Jersey
Chris Winters
node.js: Javascript's in your backend
node.js: Javascript's in your backend
David Padbury
Cloud Best Practices
Cloud Best Practices
Eric Bottard
Automated infrastructure is on the menu
Automated infrastructure is on the menu
jtimberman
Battle of NoSQL stars: Amazon's SDB vs MongoDB vs CouchDB vs RavenDB
Battle of NoSQL stars: Amazon's SDB vs MongoDB vs CouchDB vs RavenDB
Jesse Wolgamott
GeekAustin DevOps
GeekAustin DevOps
Matt Ray
Directories for the REST of Us: REST to LDAP in OpenDJ 2.6
Directories for the REST of Us: REST to LDAP in OpenDJ 2.6
ForgeRock
Microservices and Friends
Microservices and Friends
Yun Zhi Lin
Getting started with entity framework revised 9 09
Getting started with entity framework revised 9 09
manisoft84
Open Innovation means Open Source
Open Innovation means Open Source
Bertrand Delacretaz
Ibm_interconnect_restapi_workshop
Ibm_interconnect_restapi_workshop
Shubhra Kar
RESTful Data Services with the ADO.NET Data Services Framework
RESTful Data Services with the ADO.NET Data Services Framework
goodfriday
Seattle StrongLoop Node.js Workshop
Seattle StrongLoop Node.js Workshop
Jimmy Guerrero
Open Innovation means Open Source
Open Innovation means Open Source
Bertrand Delacretaz
Pres Db2 native rest json and z/OS connect
Pres Db2 native rest json and z/OS connect
Cécile Benhamou
Evolving Archetecture
Evolving Archetecture
leo lapworth
Ähnlich wie No sql but even less security
(20)
Defending Against Application DoS attacks
Defending Against Application DoS attacks
NoSQL - No Security?
NoSQL - No Security?
Devoxx France 2013 Cloud Best Practices
Devoxx France 2013 Cloud Best Practices
Asec r01-resting-on-your-laurels-will-get-you-pwned
Asec r01-resting-on-your-laurels-will-get-you-pwned
Introduction to REST and Jersey
Introduction to REST and Jersey
node.js: Javascript's in your backend
node.js: Javascript's in your backend
Cloud Best Practices
Cloud Best Practices
Automated infrastructure is on the menu
Automated infrastructure is on the menu
Battle of NoSQL stars: Amazon's SDB vs MongoDB vs CouchDB vs RavenDB
Battle of NoSQL stars: Amazon's SDB vs MongoDB vs CouchDB vs RavenDB
GeekAustin DevOps
GeekAustin DevOps
Directories for the REST of Us: REST to LDAP in OpenDJ 2.6
Directories for the REST of Us: REST to LDAP in OpenDJ 2.6
Microservices and Friends
Microservices and Friends
Getting started with entity framework revised 9 09
Getting started with entity framework revised 9 09
Open Innovation means Open Source
Open Innovation means Open Source
Ibm_interconnect_restapi_workshop
Ibm_interconnect_restapi_workshop
RESTful Data Services with the ADO.NET Data Services Framework
RESTful Data Services with the ADO.NET Data Services Framework
Seattle StrongLoop Node.js Workshop
Seattle StrongLoop Node.js Workshop
Open Innovation means Open Source
Open Innovation means Open Source
Pres Db2 native rest json and z/OS connect
Pres Db2 native rest json and z/OS connect
Evolving Archetecture
Evolving Archetecture
Mehr von iammutex
Scaling Instagram
Scaling Instagram
iammutex
8 minute MongoDB tutorial slide
8 minute MongoDB tutorial slide
iammutex
skip list
skip list
iammutex
Thoughts on Transaction and Consistency Models
Thoughts on Transaction and Consistency Models
iammutex
Rethink db&tokudb调研测试报告
Rethink db&tokudb调研测试报告
iammutex
redis 适用场景与实现
redis 适用场景与实现
iammutex
Introduction to couchdb
Introduction to couchdb
iammutex
What every data programmer needs to know about disks
What every data programmer needs to know about disks
iammutex
Ooredis
Ooredis
iammutex
Ooredis
Ooredis
iammutex
redis运维之道
redis运维之道
iammutex
Realtime hadoopsigmod2011
Realtime hadoopsigmod2011
iammutex
[译]No sql生态系统
[译]No sql生态系统
iammutex
Couchdb + Membase = Couchbase
Couchdb + Membase = Couchbase
iammutex
Redis cluster
Redis cluster
iammutex
Redis cluster
Redis cluster
iammutex
Hadoop introduction berlin buzzwords 2011
Hadoop introduction berlin buzzwords 2011
iammutex
Couchdb and me
Couchdb and me
iammutex
10 Key MongoDB Performance Indicators
10 Key MongoDB Performance Indicators
iammutex
MongoDB开发应用实践
MongoDB开发应用实践
iammutex
Mehr von iammutex
(20)
Scaling Instagram
Scaling Instagram
8 minute MongoDB tutorial slide
8 minute MongoDB tutorial slide
skip list
skip list
Thoughts on Transaction and Consistency Models
Thoughts on Transaction and Consistency Models
Rethink db&tokudb调研测试报告
Rethink db&tokudb调研测试报告
redis 适用场景与实现
redis 适用场景与实现
Introduction to couchdb
Introduction to couchdb
What every data programmer needs to know about disks
What every data programmer needs to know about disks
Ooredis
Ooredis
Ooredis
Ooredis
redis运维之道
redis运维之道
Realtime hadoopsigmod2011
Realtime hadoopsigmod2011
[译]No sql生态系统
[译]No sql生态系统
Couchdb + Membase = Couchbase
Couchdb + Membase = Couchbase
Redis cluster
Redis cluster
Redis cluster
Redis cluster
Hadoop introduction berlin buzzwords 2011
Hadoop introduction berlin buzzwords 2011
Couchdb and me
Couchdb and me
10 Key MongoDB Performance Indicators
10 Key MongoDB Performance Indicators
MongoDB开发应用实践
MongoDB开发应用实践
Kürzlich hochgeladen
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
carlostorres15106
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
Rizwan Syed
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
gvaughan
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
Ridwan Fadjar
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
Enterprise Knowledge
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
Alex Barbosa Coqueiro
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
Padma Pradeep
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
UiPathCommunity
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
Dubai Multi Commodity Centre
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
2toLead Limited
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
Fwdays
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Safe Software
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
Kalema Edgar
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
RankYa
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
Fwdays
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
Sergiu Bodiu
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
Mark Billinghurst
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
null - The Open Security Community
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Mark Simos
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
BookNet Canada
Kürzlich hochgeladen
(20)
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
No sql but even less security
1.
NoSQL, But Even
Less Security Bryan Sullivan, Senior Security Researcher, Adobe Secure Software Engineering Team © 2011 Adobe Systems Incorporated. All Rights Reserved.
2.
Agenda
Eventual Consistency REST APIs and CSRF NoSQL Injection SSJS Injection © 2011 Adobe Systems Incorporated. All Rights Reserved.
3.
NoSQL databases © 2011
Adobe Systems Incorporated. All Rights Reserved.
4.
Eric Brewer’s CAP
Theorem Choose any two: Availability Partition Consistency Tolerance © 2011 Adobe Systems Incorporated. All Rights Reserved.
5.
Eventual consistency in
social networking © 2011 Adobe Systems Incorporated. All Rights Reserved.
6.
Writes don’t propagate
immediately © 2011 Adobe Systems Incorporated. All Rights Reserved.
7.
Reading stale data ©
2011 Adobe Systems Incorporated. All Rights Reserved.
8.
Reading stale data
– a more serious case © 2011 Adobe Systems Incorporated. All Rights Reserved.
9.
Agenda
Eventual Consistency REST APIs and CSRF NoSQL Injection SSJS Injection © 2011 Adobe Systems Incorporated. All Rights Reserved.
10.
Authentication is unsupported
or discouraged From the MongoDB documentation “One valid way to run the Mongo database is in a trusted environment, with no security and authentication” This “is the default option and is recommended” From the Cassandra Wiki “The default AllowAllAuthenticator approach is essentially pass-through” From CouchDB: The Definitive Guide The “Admin Party”: Everyone can do everything by default Riak No authentication or authorization support © 2011 Adobe Systems Incorporated. All Rights Reserved.
11.
Port scanning
If an attacker finds an open port, he’s already won… Database Default Port MongoDB 27017 28017 27080 CouchDB 5984 Hbase 9000 Cassandra 9160 Neo4j 7474 Riak 8098 © 2011 Adobe Systems Incorporated. All Rights Reserved.
12.
Port Scanning Demo ©
2011 Adobe Systems Incorporated. All Rights Reserved.
13.
Port scanning
If an attacker finds an open port, he’s already won… Database Default Port MongoDB 27017 28017 27080 CouchDB 5984 Hbase 9000 Cassandra 9160 Neo4j 7474 Riak 8098 © 2011 Adobe Systems Incorporated. All Rights Reserved.
14.
REST document API
examples (CouchDB) Retrieve a document Update a document GET /mydb/doc_id HTTP/1.0 PUT /mydb/doc_id HTTP/1.0 { "album" : "Brothers", "artist" : "The Black Keys" } Create a document Delete a document POST /mydb/ HTTP/1.0 DELETE /mydb/doc_id? { rev=12345 HTTP/1.0 "album" : "Brothers", "artist" : "Black Keys" } © 2011 Adobe Systems Incorporated. All Rights Reserved.
15.
Cross-Site Request Forgery
(CSRF) firewall bypass © 2011 Adobe Systems Incorporated. All Rights Reserved.
16.
REST document API
examples (CouchDB) Retrieve a document Update a document GET /mydb/doc_id HTTP/1.0 PUT /mydb/doc_id HTTP/1.0 { "album" : "Brothers", "artist" : "The Black Keys" } Create a document Delete a document POST /mydb/ HTTP/1.0 DELETE /mydb/doc_id? { rev=12345 HTTP/1.0 "album" : "Brothers", "artist" : "Black Keys" } © 2011 Adobe Systems Incorporated. All Rights Reserved.
17.
Traditional GET-based CSRF
<img src="http://nosql:5984/_all_dbs"/> Easy to make a potential victim request this URL But it doesn’t do the attacker any good He needs to get the data back out to himself © 2011 Adobe Systems Incorporated. All Rights Reserved.
18.
RIA GET-based CSRF
<script> var xhr = new XMLHttpRequest(); xhr.open('get', 'http://nosql:5984/_all_dbs'); xhr.send(); </script> Just as easy to make a potential victim request this URL Same-origin policy won’t allow this (usually) Same issue for PUT and DELETE © 2011 Adobe Systems Incorporated. All Rights Reserved.
19.
POST-based CSRF
<form method=post action='http://nosql:5984/db'> <input type='hidden' name='{"data"}' value='' /> </form> <script> // auto-submit the form </script> Ok by the same-origin policy! © 2011 Adobe Systems Incorporated. All Rights Reserved.
20.
REST-CSRF Demo © 2011
Adobe Systems Incorporated. All Rights Reserved.
21.
POST is all
an attacker needs Insert arbitrary data Insert arbitrary script data Execute any REST command from inside the firewall © 2011 Adobe Systems Incorporated. All Rights Reserved.
22.
Agenda
Eventual Consistency REST APIs and CSRF NoSQL Injection SSJS Injection © 2011 Adobe Systems Incorporated. All Rights Reserved.
23.
NoSQL injection
Most developers believe they don’t have to worry about things like this “…with MongoDB we are not building queries from strings, so traditional SQL injection attacks are not a problem.” -MongoDB Developer FAQ They’re mostly correct © 2011 Adobe Systems Incorporated. All Rights Reserved.
24.
MongoDB and PHP
MongoDB expects input in JSON array format find( { 'artist' : 'The Black Keys' } ) In PHP, you do this with associative arrays $collection->find(array('artist' => 'The Black Keys')); This makes injection attacks difficult Like parameterized queries for SQL © 2011 Adobe Systems Incorporated. All Rights Reserved.
25.
MongoDB and PHP
You also use associative arrays for query criteria find( { 'album_year' : { '$gte' : 2011} } ) find( { 'artist' : { '$ne' : 'Lady Gaga' } } ) But PHP will automatically create associative arrays from querystring inputs with square brackets page.php?param[foo]=bar param == array('foo' => 'bar'); © 2011 Adobe Systems Incorporated. All Rights Reserved.
26.
NoSQL Injection Demo ©
2011 Adobe Systems Incorporated. All Rights Reserved.
27.
$where queries
The $where clause lets you specify script to filter results find( { '$where' : 'function() { return artist == "Weezer"; }}' ) find ( '$where' : 'function() { var len = artist.length; for (int i=2; i<len; i++) { if (len % I == 0) return false; } return true; }') © 2011 Adobe Systems Incorporated. All Rights Reserved.
28.
NoSQL Injection Demo
#2 © 2011 Adobe Systems Incorporated. All Rights Reserved.
29.
Agenda
Eventual Consistency REST APIs and CSRF NoSQL Injection SSJS Injection © 2011 Adobe Systems Incorporated. All Rights Reserved.
30.
Browser war fallout
Browser wars have given us incredibly fast and powerful JS engines V8 WebKit SpiderMonkey Nitro Rhino Used for a lot more than just browsers Like NoSQL database engines… © 2011 Adobe Systems Incorporated. All Rights Reserved.
31.
Server-side JavaScript injection
vs. XSS Client-side JavaScript injection (aka XSS) is #2 on OWASP Top Ten Use it to steal authentication cookies Impersonate victim Create inline phishing sites Self-replicating webworms ie Samy It’s really bad. But server-side is much worse. © 2011 Adobe Systems Incorporated. All Rights Reserved.
32.
Server-Side Javascript Injection
(SSJI) © 2011 Adobe Systems Incorporated. All Rights Reserved.
33.
SSJI red flags
$where clauses Built with user input Injected from querystring manipulation eval() clauses Map/Reduce Stored views/design docs More CSRF possibilities here © 2011 Adobe Systems Incorporated. All Rights Reserved.
34.
Wrapping Up © 2011
Adobe Systems Incorporated. All Rights Reserved.
35.
Conclusions 1.
Always use authentication/authorization. Firewalls alone are not sufficient Sometimes you may have to write your own auth code This is unfortunate but better than the alternative 2. Be extremely careful with server-side script. Validate, validate, validate Escape input too © 2011 Adobe Systems Incorporated. All Rights Reserved.
36.
Read my blog:
http://blogs.adobe.com/asset Email me: brsulliv © 2011 Adobe Systems Incorporated. All Rights Reserved.
37.
© 2011 Adobe
Systems Incorporated. All Rights Reserved.
Jetzt herunterladen