Attacking MongoDB. Firstov Mihail

Similar documents
NoSQL, But Even Less Security Bryan Sullivan, Senior Security Researcher, Adobe Secure Software Engineering Team

What about MongoDB? can req.body.input 0; var date = new Date(); do {curdate = new Date();} while(curdate-date<10000)

MongoDB. Or how I learned to stop worrying and love the database. Mathias Stearn. N*SQL Berlin October 22th, gen

Cyber Security Challenge Australia 2014

External Network & Web Application Assessment. For The XXX Group LLC October 2012

SQL Injection January 23, 2013

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Exploi'ng NoSQL Like Never Before HITB AMS 2014

.NET User Group Bern

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Login with Amazon. Getting Started Guide for Websites. Version 1.0

Web Application Security

Project 2: Web Security Pitfalls

Still Aren't Doing. Frank Kim

Offensive Security. Advanced Web Attacks and Exploitation. Mati Aharoni Devon Kearns. v. 1.0

The Top Web Application Attacks: Are you vulnerable?

Thick Client Application Security

Webapps Vulnerability Report

NoSQL replacement for SQLite (for Beatstream) Antti-Jussi Kovalainen Seminar OHJ-1860: NoSQL databases

Ruby on Rails Secure Coding Recommendations

NO SQL! NO INJECTION?

Vulnerability Assessment and Penetration Testing

1. Building Testing Environment

(WAPT) Web Application Penetration Testing

Hack Proof Your Webapps

SERVER-SIDE JAVASCRIPT INJECTION ATTACKING AND DEFENDING NOSQL AND NODE.JS BRYAN SULLIVAN SENIOR SECURITY RESEARCHER, ADOBE SYSTEMS

Secure Coding. Code development practice Mitigates basic vulnerabilities. Made by security experts, for non-security experts

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Øredev Web application testing using a proxy. Lucas Nelson, Symantec Inc.

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

Auditing the Security of an SAP HANA Implementation

University of Wisconsin Platteville SE411. Senior Seminar. Web System Attacks. Maxwell Friederichs. April 18, 2013

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

SECURING APACHE : THE BASICS - III

Advanced Web Security, Lab

A Tale of the Weaknesses of Current Client-Side XSS Filtering

USING MYWEBSQL FIGURE 1: FIRST AUTHENTICATION LAYER (ENTER YOUR REGULAR SIMMONS USERNAME AND PASSWORD)

Check list for web developers

Application Design and Development

Chapter 1 Web Application (In)security 1

Web Application Security Considerations

No SQL! no injection? A talk on the state of NoSQL security

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

MongoDB Security Guide Release 3.0.6

A Tale of the Weaknesses of Current Client-side XSS Filtering

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

CS 558 Internet Systems and Technologies

Top 10 Web Application Security Vulnerabilities - with focus on PHP

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft

Avaya Inventory Management System

Cloud Powered Mobile Apps with Azure

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

WebCruiser Web Vulnerability Scanner User Guide

MONGODB - THE NOSQL DATABASE

opalang - Rapid & Secure Web Development

Intrusion detection for web applications

Security Products Development. Leon Juranic

REDCap General Security Overview

Security Testing with Selenium

Web Application Attacks And WAF Evasion

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

NoSQL web apps. w/ MongoDB, Node.js, AngularJS. Dr. Gerd Jungbluth, NoSQL UG Cologne,

NOSQL INTRODUCTION WITH MONGODB AND RUBY GEOFF

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

MongoDB Developer and Administrator Certification Course Agenda

Server-Side JavaScript Injection Bryan Sullivan, Senior Security Researcher, Adobe Secure Software Engineering Team July 2011

MongoDB Security Guide

ACKNOWLEDGMENT. I would like to thank Allah for giving me the patience to work hard and overcome all the

Web Application Guidelines

Hack Yourself First. Troy troyhunt.com

Introduction to Computer Security

2013 Ruby on Rails Exploits. CS 558 Allan Wirth

FortiWeb 5.0, Web Application Firewall Course #251

Application note: Connecting the to a Database

Attack and Penetration Testing 101

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

SQL Injection Attack Lab Using Collabtive

5 Simple Steps to Secure Database Development

Securing ios Applications. Dr. Bruce Sams, OPTIMAbit GmbH

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia

Using Foundstone CookieDigger to Analyze Web Session Management

WordPress Security Scan Configuration

Cross Site Scripting (XSS) and PHP Security. Anthony Ferrara NYPHP and OWASP Security Series June 30, 2011

IP Application Security Manager and. VMware vcloud Air

WHITE PAPER AUGUST Preventing Security Breaches by Eliminating the Need to Transmit and Store Passwords

What is Web Security? Motivation

Brad Dayley. NoSQL with MongoDB

JOOMLA SECURITY. ireland website design. by Oliver Hummel. ADDRESS Unit 12D, Six Cross Roads Business Park, Waterford City

SQL Injection Attack Lab

Manipulating Microsoft SQL Server Using SQL Injection

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

CSCC09F Programming on the Web. Mongo DB

RED HAT SOFTWARE COLLECTIONS BRIDGING DEVELOPMENT AGILITY AND PRODUCTION STABILITY

Penetration Testing with Kali Linux

Secure Coding in Node.js

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

Transcription:

Attacking MongoDB Firstov Mihail

What is it? MongoDB is an open source document-oriented database system. Features : 1. Ad hoc queries. 2. Indexing 3. Replication 4. Load balancing 5. File storage 6. Aggregation 7. Server-side JavaScript execution 8. Capped collections

Inside mongo source code./mongod Server in C++./mongo official client in C++ and JS There are a lot of drivers for different program languages: C C++ Java Javascript.NET (C# F#, PowerShell, etc) Node.js Perl PHP Python Ruby Scala

Who use mongodb List of some big companies that use mongodb: 1. SAP 2. SourceForge (hosting for open source projects) 3. The New York Times 4. GitHub (social coding project) 5. Foursquare 6. Yandex

WTF is RESTful? A RESTful web service (also called a RESTful web API) is a web service implemented using HTTP and the principles of REST. It is a collection of resources, with four defined aspects

How I can discover it? Default port is «28017». If server was started without rest, you can see this:

How I can discover it?

What kind of vulns are there? Execution of arbitrary code server JS Stored XSS in mongodb log Stored XSS in queries journal Cross Site Request Forgery Our SSJS code

Attack Hacker 1) Send <script> with our javascript code Site with mongodb driver support Admin s browser Hacker s Server MongoDB --REST

Attack Hacker 1) Send <script> with our javascript code Site with mongodb driver support Admin s browser 2) Inject our script in REST interface Hacker s Server MongoDB --REST

Attack Hacker 1) Send <script> with our javascript code Site with mongodb driver support Admin s browser 2) Inject our script in REST interface Hacker s Server MongoDB --REST 3) Exec our js-code in admin s browser

Attack Hacker 1) Send <script> with our javascript code Site with mongodb driver support 4) Send SSJS command to our script Admin s browser 2) Inject our script in REST interface Hacker s Server MongoDB --REST 3) Exec our js-code in admin s browser

Attack Hacker 1) Send <script> with our javascript code Site with mongodb driver support 4) Send SSJS command to our script Admin s browser 2) Inject our script in REST interface 5) Wait until admin s browser check our server for the new commands (via JSONP) Hacker s Server MongoDB --REST 3) Exec our js-code in admin s browser

Attack Hacker 1) Send <script> with our javascript code Site with mongodb driver support 4) Send SSJS command to our script Admin s browser 2) Inject our script in REST interface 6) Our command gets executed 5) Wait until admin s browser check our server for the new commands (via JSONP) Hacker s Server MongoDB --REST 3) Exec our js-code in admin s browser

Attack Hacker 1) Send <script> with our javascript code Site with mongodb driver support 4) Send SSJS command to our script 7) Send answer to our sniffer Admin s browser 2) Inject our script in REST interface 6) Our command gets executed 5) Wait until admin s browser check our server for the new commands (via JSONP) Hacker s Server MongoDB --REST 3) Exec our js-code in admin s browser

Attack Hacker 1) Send <script> with our javascript code Site with mongodb driver support 4) Send SSJS command to our script 8) Print result of executed command 7) Send answer to our sniffer Admin s browser 2) Inject our script in REST interface 6) Our command gets executed 5) Wait until admin s browser check our server for the new commands (via JSONP) Hacker s Server MongoDB --REST 3) Exec our js-code in admin s browser

Video

Where we can find it?

Stable CRASH There are a lot of concepts of DoS attacks:

Interesting features Ls, cat and other admin functions work only with mongodb console client. NativeHelper function helps you with system commands: You can get data in text/plain by reading db-files of mongodb with any text editor.

Network interaction Adding user: Decrypted salt: Source Code:

Network interaction Captured packets: All your data are belong to us:

Network interaction Algorithm for sniff and brute force password : Sniff some packets with mongodb data Get key, nonce, login from this packet Read string from dictionary key2 = md5(nonce + user + md5(user + ":mongo:" + passw)), where passw is string from dict Look for auth packet key == key2 print user:passwd found false true Exit Not found

Сетевое взаимодействие

Network interaction. MiTM attack 1. Authorization query mongodb admin Hacker

Network interaction. MiTM attack 1. Authorization query mongodb admin 2. Return special nonce using which rainbow tables were generated Hacker

Network interaction. MiTM attack 1. Authorization query mongodb admin 2. Return special nonce using which rainbow tables were generated Hacker 3. Client sends to us key and login

Network interaction. MiTM attack 1. Authorization query 4. Brute Force password using pregenerated rainbow tables for this nonce mongodb admin 2. Return special nonce using which rainbow tables were generated Hacker 3. Client sends to us key and login

Network interaction. MiTM attack 1. Authorization query 4. Brute Force password using pregenerated rainbow tables for this nonce mongodb admin 2. Return special nonce using which rainbow tables were generated 5. Successfully login Hacker 3. Client sends to us key and login

WTF is BSON? What is it? Data types: BSON is a computer data interchange format used mainly as a data storage and network transfer format in the MongoDB database. The name "BSON" is based on the term JSON and stands for "Binary JSON". Example? string int double DateTime byte[] bool null BsonObject BsonObject[]

Overwriting variables Some table with 2 documents: Our query to database: Injecting BSON document, and overwriting isadmin value: Testing:

Reading memory Exploit: Length In action:

Reading memory In action:

Features of some programming languages Ruby on Rails nodejs PHP

Features of some programming languages Ruby on Rails

Features of some programming languages Mass assignment in Ruby on Rails:

Features of some programming languages Mass assignment in Ruby on Rails:

Features of some programming languages NodeJS

Features of some programming languages JSON injection в NodeJS + MongoDB: SEND VULNERABLE SOURCE CODE: RESULT QUERY: Хакер 02/12 (157)

Features of some programming languages PHP

Features of some programming languages Types of vulnerabilities: Bypass authorization via Array in php driver. Injecting SSJS code. Blind SSJS injecting, Time-based

Features of some programming languages As you know, php processes data from GPC as Array: password[$ne]=parol1 There is find() function in the official driver for php:

Features of some programming languages And we got this query to mongodb collection: With these techniques you can bypass authorization:

Features of some programming languages Injecting in SSJS. For example, we have this vulnerable code: $q = function() { var loginn = $login ; var passs = $pass ; db.members.insert({id : 2, login : loginn, pass : passs}); } ; / $db->execute($q); We can see our login, id and pass in answer Trying to inject in SSJS query: As you can see, we rewrite login value by db.version() value

Features of some programming languages Sometimes we can t see answer from our SSJS code. For this situations we can use Time-Based technique: A special script was written for this task.

NoSQL-injection Cheat Sheet db.getname() Get current DB name db.members.count() Get number of documents in the collection db.members.validate({ full : true}) Get ALL information about this collection db.members.stats() Get information about this collection db.members.remove() remove all documents from current collection db.members.find().skip(0).limit(1) Get documents from DB (Change only number in skip() function) db.getmongo().getdbnames().tostring() Get the list of all DBs db.members.find()[0][ pass ] Get pass value from current collection

Thanks! Firstov Mikhail mfirstov@ptsecurity.ru

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information