NoSQL Injection - Fun with Objects and Arrays

Conference Day - 22 May
Kraichgau (1st floor)

In the last decade many new challenges, such as big data, have changed the way we build applications. The emerging generation of NoSQL databases provides a solution for these challenges. But does it provide security? Regarding injection, a prevalent opinion exists: “We are not building queries from strings, so we do not have to worry about injection vulnerabilities!”

This presentation gives an overview of NoSQL injection attacks and for that purpose looks at some of the most widespread NoSQL databases - MongoDB, Redis, CouchDB and Memcached. Considered together with typical application layers and drivers, the semantics of their query languages can be examined. Starting from known vulnerabilities, new attack vectors for these databases are introduced. With the full technology stack in mind, payloads for different kinds of requests can be crafted that alter a parameter's object structure. As a result, the semantics of query parameters change, and unintended database behavior can be triggered. The presented attacks are accompanied by multiple practical demonstrations. Finally, an approach to NoSQL injection mitigation is briefly outlined.
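The point about altering a parameter's object structure, as an added example that is not part of the talk or its demos: a bracket-notation query string (or a JSON body) can deliver an object where the application expects a string, which turns a MongoDB equality match into an operator expression; a type check on the parameter restores the intended semantics. The parser, filter builders and request strings below are constructed for illustration.

```javascript
// Added example (not from the talk). No database is needed: we only build and
// inspect the filter object that would be handed to the MongoDB driver.

// Minimal parser for one level of bracket notation, as "extended" query-string
// parsers produce it: "password[$ne]=x" -> { password: { $ne: "x" } }.
function parseQuery(qs) {
  const params = {};
  for (const pair of qs.split("&")) {
    if (!pair) continue;
    const [rawKey, rawVal = ""] = pair.split("=");
    const key = decodeURIComponent(rawKey);
    const val = decodeURIComponent(rawVal);
    const m = key.match(/^([^\[]+)\[([^\]]*)\]$/);
    if (m) {
      params[m[1]] = params[m[1]] || {};
      params[m[1]][m[2]] = val;
    } else {
      params[key] = val;
    }
  }
  return params;
}

// Vulnerable: whatever the parser produced is copied into the filter verbatim,
// so an object value changes the query semantics from "equals" to "$ne".
function buildLoginFilterUnsafe(params) {
  return { username: params.username, password: params.password };
}

// Hardened: every parameter must be a plain string; anything else (object,
// array, undefined) is rejected before a filter is built.
function assertPlainString(value, name) {
  if (typeof value !== "string") {
    throw new TypeError(`${name} must be a string, got ${typeof value}`);
  }
  return value;
}
function buildLoginFilterSafe(params) {
  return {
    username: assertPlainString(params.username, "username"),
    password: assertPlainString(params.password, "password"),
  };
}

// Constructed request: the password parameter arrives as an object.
const constructedQs = "username=admin&password[$ne]=";
const params = parseQuery(constructedQs);
console.log(JSON.stringify(buildLoginFilterUnsafe(params)));
// -> {"username":"admin","password":{"$ne":""}}
```

The same structural change arrives through a JSON body (`{"password": {"$ne": ""}}`), so the type check belongs on the parsed parameter, not on the transport.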

Patrick Spiegel

SAP SE, Germany

Patrick Spiegel completed his Master's degree in computer science at KIT in cooperation with the SAP Innovation Center. Since then he has worked in cloud security, where he is responsible for identity management and application security.