MongoDB/NoSQL Injection - Security
Check out these various links concerning MongoDB/NoSQL injection, with tips on security. Read on to learn more.
Everyone knows that SQL databases can be victims of SQL injection and have to worry about query security. NoSQL databases are vulnerable to many kinds of query injection as well: through the drivers used, through SQL interfaces such as Drill, and through their native query languages. Often NoSQL stores have even less security than an RDBMS, and on many occasions they default to requiring no username and no password for authentication.
If you want to test your NoSQL datastore, try NoSQLMap. This tool will attempt to hack your datastore. You want to test your database for NoSQL injection, especially MongoDB: being the most popular NoSQL engine, MongoDB has a lot of attack vectors. Here is an example of a MongoDB attack. There are a few other frameworks to try. Check out the NoSQL Project and the NoSQL Exploitation Framework.
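The native-query injection mentioned above, shown as an added example that is not from the original article: an operator such as $gt arriving inside a JSON body turns a password equality check into a comparison that any stored value passes. No database is needed; the users array, the request body, and matchesFilter() (a deliberately small imitation of how MongoDB evaluates equality and $gt) are all constructed here so the effect can be seen offline.

```javascript
// Added example (not from the original article): MongoDB operator injection in a
// login filter, with the unsafe filter builder beside a hardened one. No database
// is needed; matchesFilter() is a deliberately small imitation of how MongoDB
// evaluates equality and the $gt operator, so the effect can be seen offline.

// Constructed sample collection (stand-in for a real users collection).
const users = [
  { username: 'admin', password: 's3cret-hash' },
  { username: 'alice', password: 'alice-hash' },
];

// Vulnerable pattern: request body fields are dropped straight into the filter.
// A JSON body like {"username":"admin","password":{"$gt":""}} replaces the
// password equality check with a "greater than empty string" test.
function buildLoginFilterUnsafe(body) {
  return { username: body.username, password: body.password };
}

// Hardened pattern: accept only primitive strings, so an attacker-supplied
// object can never be interpreted as a query operator.
function buildLoginFilterSafe(body) {
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    throw new TypeError('username and password must be strings');
  }
  return { username, password };
}

// Minimal imitation of MongoDB filter evaluation (assumption, not the driver):
// plain values compare for equality; an object carrying $gt compares lexically.
function matchesFilter(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const value = doc[field];
    if (cond !== null && typeof cond === 'object' && '$gt' in cond) {
      return typeof value === 'string' && value > cond.$gt;
    }
    return value === cond;
  });
}

function findUser(filter) {
  return users.find((doc) => matchesFilter(doc, filter)) || null;
}

// Request body as it would arrive from a JSON endpoint (constructed payload).
const injectedBody = JSON.parse('{"username":"admin","password":{"$gt":""}}');
```

With the unsafe builder, findUser(buildLoginFilterUnsafe(injectedBody)) returns the admin document without the password being known; the hardened builder rejects the same body with a TypeError while still accepting a normal string login.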
One popular attack uses a rainbow table. But sometimes an attacker can use a much easier approach, since there is no username set or the passwords are still the defaults!
A quick search on Shodan (the IoT search engine) will turn up a ton of insecure Redis and MongoDB installations exposed on the web. With IoT, a lot of default device ports and settings are out there, and a lot of connections to check. Be sure to pentest your server and devices before you put them on the public internet.
Published at DZone with permission of Tim Spann, DZone MVB. See the original article here.