NoSQL Databases
For decades, RDBMS (Relational Database Management Systems) were the only option available for managing databases. To add and manage data, there was a user-friendly query language: SQL (Structured Query Language).
RDBMS use tables to store data, so there is a pre-defined schema. And, as the name itself declares, it is 'Relational'. This is, in a way, helpful, as it makes managing data easy. But, on the other hand, it gives attackers ample opportunity to alter queries and gain access to the database. This effect was felt globally: SQL injection became one of the strongest attacks, and almost every large website used an RDBMS for its database management. Moreover, SQL databases are less scalable. Web services that have to deal with huge amounts of data traffic every day found it difficult to keep up with the existing databases.
This issue gained enough momentum to give birth to a new family of databases, called the 'NoSQL' databases.
NoSQL stands for 'Not only SQL'. These databases do not use a schema, which means there are no common templates, unlike RDBMS, and so no generic attacks.
Eg :
Relational databases have 'information_schema'. This is a schema that stores all the information regarding the databases, tables, columns, data types etc. It is common to all relational databases. So, if an attacker gets access to the information_schema, he has everything!
The idea of SQL injection is turned down entirely, as these databases don't use SQL to retrieve or manage data. That would mean it is secure from one of the biggest attacks around! Sounds good?
Result ?
The leading companies across the globe that deal with huge data every day have shifted to NoSQL databases.
Reasons :
> There is no SQL, so no SQL injection.
> Highly scalable
> Fault-tolerant (easily recovers from faults in the system, on its own)
> Not many vulnerabilities have been known.
> Secure from exploitation.
Types :
* Key - Value Based :
> These databases use a unique key as a pointer to every data set stored in the database. JSON (JavaScript Object Notation) is generally used to manipulate data.
> There are no tables.
> Sorting is done based on alphabetical order.
> MapReduce functions:
Map() - maps the data from the database with the help of the unique key.
Reduce() - aggregates the data into a unit.
Eg : Dynamo, Voldemort, Riak etc.
* Document - Based :
> Similar to key-value based.
> There are indexes to access the stored data.
> Generally use JavaScript to manage data.
Eg : SimpleDB, CouchDB etc.
* Columnar :
> Store data in a similar key-value fashion, except the key is a combination of column, row, and/or timestamp, which points to one or multiple columns (Column Family). The column family used here is like a table commonly found in a relational database.
Eg : HBase, BigTable, Cassandra etc.
* Graph-based :
> Store data in a flexible graph model that scales across multiple machines
> Suitable for data with relations that are best represented as a graph (elements interconnected with an undetermined number of relations between them), such as social relations, public transport links, road maps or network topologies.
Eg : Neo4j
Now, let's move on to the most important part:
These databases do not use SQL. So, are they completely secure? Aren't there any ways to exploit them at all?
Vulnerabilities :
> Cassandra :
Uses TDE (Transparent Data Encryption) before it writes data from memory to permanent storage. But the encryption certificate is stored locally and is not encrypted.
Client-node communication isn't encrypted.
client_encryption_options in the cassandra.yaml file allows SSL to be switched on.
By default the inter-node communication is not encrypted either.
AllowAllAuthenticator and PasswordAuthenticator (which stores credentials in system_auth.credentials) are the default authenticator functions.
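The three Cassandra settings named above (authenticator, inter-node encryption, client encryption) as they look in cassandra.yaml, first with the weak defaults and then hardened. This is an added example, not configuration from the original post or from the Cassandra project; the keystore paths and passwords are placeholders.

```yaml
# Weak: the out-of-the-box cassandra.yaml values the post describes.
authenticator: AllowAllAuthenticator        # anyone can connect, no credentials checked
server_encryption_options:
  internode_encryption: none                # node-to-node traffic in clear text
client_encryption_options:
  enabled: false                            # client-to-node traffic in clear text
---
# Hardened: require a password, encrypt inter-node and client traffic.
authenticator: PasswordAuthenticator        # credentials kept in system_auth.credentials
server_encryption_options:
  internode_encryption: all                 # every node-to-node link over TLS
  keystore: /etc/cassandra/conf/keystore.jks        # placeholder path
  keystore_password: CHANGE_ME                      # placeholder
  truststore: /etc/cassandra/conf/truststore.jks    # placeholder path
  truststore_password: CHANGE_ME                    # placeholder
client_encryption_options:
  enabled: true                             # switch on SSL for clients
  optional: false                           # refuse plaintext connections
  keystore: /etc/cassandra/conf/keystore.jks        # placeholder path
  keystore_password: CHANGE_ME                      # placeholder
```

Because the keystore password sits in clear text in cassandra.yaml, and the keystore itself is stored locally as the post notes, restrict both files to the Cassandra service user (read-only, no group or world access) and treat them as secrets in configuration management. After switching to PasswordAuthenticator, change the default superuser credentials before exposing the node.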
> MongoDB :
* No encryption at all.
* Built-in user roles: read, readWrite, dbAdmin, userAdmin, clusterAdmin, readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase, and dbAdminAnyDatabase.
* $where (just like the WHERE clause in SQL) is available for JS injection.
What's the game?
* JSON injection :
> JSON is used to manipulate data.
> Input sanitization is limited.
> DB Handlers can be used to inject via JSON queries.
* Key-bruteforce :
> A big hash table is used for encryption.
> Hashing is light, so bruteforcing is possible.
* Connection Pollution :
> (CouchDB as an example)
* The database uses a RESTful interface.
* Uses JavaScript.
* Cross-database / pool access
* The database handler is universal. This means that access into the database, moreover, uses the same methods.
Eg : NoSQL.connect ( http://couchDB/_restart )
* Javascript injection
> We just need to know the syntax, data model, and underlying programming language of the target database.
eg :
db.myCollection.find( { $where: "this.credits < this.debits" } );
db.myCollection.find( { $where: function() { return obj.credits - obj.debits < 0; } } );
Exploit :
db.myCollection.find( { $where: function() { return obj.credits - obj.debits < $userInput; } } );
[This may expose a vulnerability where an attacker could overwrite the $userInput variable with arbitrary code, such as]
$userInput = "0; var date=new Date(); do{curDate = new Date();} while(curDate-date<10000)"
If the sanitization check fails to screen the $userInput value, then upon concatenation the third statement takes the following form, which could trigger a DoS attack and cause the MongoDB instance to run at 100% CPU usage for 10 seconds!
db.myCollection.find( { $where: function() { return obj.credits - obj.debits < 0; var date=new Date(); do{curDate = new Date();} while(curDate-date<10000); } } );
The same problem appears when the $where function is assembled as a string from a request parameter. The intended function:
function() {
    var search_year = input_value;
    return this.publicationYear == search_year ||
        this.filmingYear == search_year ||
        this.recordingYear == search_year;
}
And the PHP that builds it by concatenating $_GET['year'] straight into the JavaScript source:
$query = 'function() { var search_year = \'' . $_GET['year'] . '\';'
       . ' return this.publicationYear == search_year ||'
       . ' this.filmingYear == search_year ||'
       . ' this.recordingYear == search_year; }';
$cursor = $collection->find(array('$where' => $query));
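The $where concatenation from the PHP snippet above, ported to Node.js and placed beside a hardened version, as an added example that is not part of the original post and not code from MongoDB or its drivers. It also covers the JSON injection and $where points made earlier: the hardened path validates the year before use and expresses the condition as a structured filter, so the input is only ever data. The documents, the inputs and the tiny in-memory matcher are constructed for this example; a real deployment would hand the filter object to the driver's find() instead.

```javascript
// Sample documents, constructed for this example.
const sampleDocs = [
  { title: 'A', publicationYear: 1999, filmingYear: 1998, recordingYear: 1997 },
  { title: 'B', publicationYear: 2004, filmingYear: 1999, recordingYear: 2003 },
  { title: 'C', publicationYear: 2010, filmingYear: 2009, recordingYear: 2010 },
];

// VULNERABLE (mirrors the PHP snippet): the request parameter is spliced
// into JavaScript source that the server would evaluate for every document.
// A quote in the input ends the string literal and the rest becomes code.
function buildWhereQuery(yearInput) {
  const src =
    "function() { var search_year = '" + yearInput + "';" +
    ' return this.publicationYear == search_year ||' +
    ' this.filmingYear == search_year ||' +
    ' this.recordingYear == search_year; }';
  return { $where: src };
}

// Hardened step 1: accept only a four-digit year supplied as a string and
// convert it to a number. An object arriving from a JSON body, or a string
// carrying code, is rejected before it can reach the query.
function validateYear(input) {
  if (typeof input !== 'string' || !/^\d{4}$/.test(input)) {
    throw new TypeError('year must be a 4-digit string');
  }
  return Number(input);
}

// Hardened step 2: the same condition as a structured filter. The year is a
// value inside the filter object, never source text, so nothing in it is
// interpreted and no server-side JavaScript runs.
function buildYearFilter(input) {
  const year = validateYear(input);
  return {
    $or: [
      { publicationYear: year },
      { filmingYear: year },
      { recordingYear: year },
    ],
  };
}

// Minimal in-memory matcher (equality and $or only) so the structured
// filter can be exercised here without a database; assumption for this
// example, not the database's own matching engine.
function matches(doc, filter) {
  if (Array.isArray(filter.$or)) {
    return filter.$or.some((sub) => matches(doc, sub));
  }
  return Object.entries(filter).every(([field, value]) => doc[field] === value);
}

// Validates, builds the filter and applies it to the constructed documents.
function findByYear(docs, input) {
  const filter = buildYearFilter(input);
  return docs.filter((doc) => matches(doc, filter));
}

// Quick demonstration when run directly.
console.log('vulnerable $where source:', buildWhereQuery("1999'; return true; //").$where);
console.log('hardened lookup for 1999:', findByYear(sampleDocs, '1999').map((d) => d.title));
```

The hardened version removes the $where operator entirely, which is the real fix: once the condition is a filter object, the driver serializes the year as a BSON number and there is no string for an attacker to break out of. Where server-side JavaScript is not needed at all, MongoDB's security.javascriptEnabled setting can be set to false so that $where is refused by the server regardless of what application code does; that setting is a known mongod option and not something the original post discusses.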
As of now there are no exploitation frameworks for NoSQL databases, but research is ongoing.
And, in some time, OWASP is expected to release some frameworks on NoSQL exploitation.
More exploits on the way !