Exploiting NoSQL Like Never Before presented at HackInTheBox 2014

by Francis Alexander

URL: http://haxpo.nl/wp-content/uploads/2014/01/D1T3-Exploiting-NoSQL-Like-Never-Before.pdf

Summary: With the rise of NoSQL databases, more and more corporations as well as end users have started moving to NoSQL. But is it safe? Does NoSQL mean we no longer have to worry about injection attacks? We do. This paper concentrates on exploiting NoSQL databases, in particular MongoDB, CouchDB and Redis, and on automating the attacks with the NoSQL Exploitation Framework. It focuses on:
Why NoSQL hasn't solved the injection problem yet
Why the DB administrator should worry: the default security settings could cost you your job
How an attacker with nothing but an IP address could take down the server with a resource exhaustion attack
Exploitation techniques such as timing-based attacks, analogous to blind SQL injection, that need no feedback from the application
Why the NoSQL encryption techniques have failed and why they are not secure
Vulnerabilities in third-party libraries such as Mongoose
How an attacker could leverage the various APIs within NoSQL for JSON injection
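As an added illustration of the JSON injection and blind-injection points above (example code written for this page, not taken from the talk or from the NoSQL Exploitation Framework): a Node.js login lookup that splices a parsed JSON request body straight into a MongoDB-style filter, shown beside a hardened version. A running MongoDB is not required; a small in-memory matcher (an assumption of this example) models the subset of MongoDB filter semantics used here (literal equality, $eq, $ne, $gt, $regex). The collection, field names and credentials are constructed for the demonstration.

```javascript
// Added example: MongoDB-style operator injection via a JSON body.
// Not from the talk or the NoSQL Exploitation Framework. The matcher below is
// an in-memory stand-in (assumption) for the MongoDB operators used here.

// Constructed sample collection.
const USERS = [
  { username: "admin", password: "s3cret-admin", role: "admin" },
  { username: "alice", password: "hunter2", role: "user" },
];

// Does one stored field value satisfy one filter clause?
function matchValue(actual, clause) {
  if (clause === null || typeof clause !== "object" || Array.isArray(clause)) {
    return actual === clause;            // literal equality, e.g. { username: "alice" }
  }
  // Operator object such as { $gt: "" } or { $ne: "x" }; every operator must hold.
  return Object.entries(clause).every(([op, arg]) => {
    switch (op) {
      case "$eq":    return actual === arg;
      case "$ne":    return actual !== arg;
      case "$gt":    return typeof actual === typeof arg && actual > arg;
      case "$regex": return typeof actual === "string" && new RegExp(arg).test(actual);
      default:       throw new Error(`unsupported operator ${op}`);
    }
  });
}

// Return the documents for which every field clause in the filter matches.
function find(collection, filter) {
  return collection.filter(doc =>
    Object.entries(filter).every(([field, clause]) => matchValue(doc[field], clause)));
}

// VULNERABLE: body is parsed JSON (as a JSON body parser would supply it) and is
// copied into the filter unchanged, so an attacker-supplied object becomes an operator.
function loginVulnerable(body) {
  const filter = { username: body.username, password: body.password };
  return find(USERS, filter)[0] || null;
}

// HARDENED: credential fields must be plain strings; objects, arrays, null and
// undefined are rejected before anything reaches the query.
function asString(v) {
  if (typeof v !== "string") throw new TypeError("expected string");
  return v;
}
function loginHardened(body) {
  let username, password;
  try {
    username = asString(body.username);
    password = asString(body.password);
  } catch (e) {
    return null;
  }
  return find(USERS, { username, password })[0] || null;
}

// Defence in depth: flag any key beginning with '$' anywhere in untrusted JSON,
// independent of where the value would later be used.
function containsOperatorKey(v) {
  if (Array.isArray(v)) return v.some(containsOperatorKey);
  if (v && typeof v === "object") {
    return Object.entries(v).some(([k, x]) => k.startsWith("$") || containsOperatorKey(x));
  }
  return false;
}

// Stand-alone demonstration.
const honest   = { username: "alice", password: "hunter2" };
const injected = { username: "admin", password: { $gt: "" } };          // auth bypass
const oracle   = { username: "admin", password: { $regex: "^s" } };     // boolean oracle
console.log("honest   ->", (loginVulnerable(honest) || {}).username);   // alice
console.log("injected ->", (loginVulnerable(injected) || {}).username); // admin
console.log("oracle   ->", loginVulnerable(oracle) !== null);           // true: password starts with "s"
console.log("hardened ->", loginHardened(injected));                    // null
console.log("flagged  ->", containsOperatorKey(injected));              // true
```

The $regex clause shows why "no feedback" attacks work against NoSQL the way blind SQL injection works against SQL: a login that merely succeeds or fails is enough of an oracle to recover a stored value one character at a time. The string check in loginHardened removes the injection point; the $-key scan is a cheap second line of defence for request bodies that will be used in many places.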
In conjunction with this talk, the NoSQL Exploitation Framework will be released. It focuses on enumerating servers, with support for MongoDB, CouchDB, Redis, Cassandra and, for the first time, HBase. Dictionary attacks on servers, DoS attacks, MITM attacks against the various databases, SHODAN search, a scanning and fuzzing module, plus various exploitation attacks will be demoed.