
MongoDB/NoSQL Injection - Security

Check out these various links concerning MongoDB/NoSQL injection, with tips on security. Read on to learn more.


Everyone knows that SQL databases can be victims of SQL injection and have to worry about query security. NoSQL databases are vulnerable to many kinds of query injection too: through the drivers used, through SQL interfaces such as Drill, and through their native query languages. NoSQL stores often have even weaker security than an RDBMS, and on many occasions they default to requiring no username and no password for authentication.

If you want to test your NoSQL datastore, try NoSQLMap. This tool will attempt to hack your datastore. You want to test your database for NoSQL injection, especially MongoDB. MongoDB, being the most popular NoSQL engine, has a lot of attack vectors. Here is an example of a MongoDB attack. There are a few other frameworks to try as well: check out the NoSQL Project and the NoSQL Exploitation Framework.
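The injection through a native query language mentioned above is easiest to see in a Node.js login handler. The following is an added example, not code from the article or from any of the tools it names: a request body parsed from JSON is dropped straight into a MongoDB filter object, so a client that sends an object where a string was expected gets a query operator evaluated instead of a password comparison. The hardened builder (function names are hypothetical) only accepts plain strings and rejects anything carrying a `$`-prefixed key.

```javascript
// Added example (not from the original article). No database connection is
// needed: the point is the shape of the filter object handed to the driver.

// True if any key anywhere inside `value` begins with "$", the prefix
// MongoDB reserves for query operators ($gt, $ne, $where, ...).
function hasOperatorKey(value) {
  if (value === null || typeof value !== "object") return false;
  if (Array.isArray(value)) return value.some(hasOperatorKey);
  return Object.keys(value).some(
    (k) => k.startsWith("$") || hasOperatorKey(value[k])
  );
}

// Vulnerable: whatever the client sent (string or object) becomes the filter,
// so a body like {"user": "alice", "pass": {"$gt": ""}} turns the password
// check into "any password greater than the empty string", which matches all.
function buildLoginFilterUnsafe(body) {
  return { user: body.user, pass: body.pass };
}

// Hardened: credentials must be primitive strings and nothing operator-shaped
// may pass. Returns null so the caller can reject the request with 400.
function buildLoginFilterSafe(body) {
  if (typeof body.user !== "string" || typeof body.pass !== "string") {
    return null;
  }
  if (hasOperatorKey(body)) return null;
  return { user: body.user, pass: body.pass };
}

// Constructed sample request bodies: a normal login and an injection attempt.
const normalBody = { user: "alice", pass: "correct horse" };
const injectedBody = { user: "alice", pass: { $gt: "" } };

console.log(buildLoginFilterUnsafe(injectedBody)); // operator reaches the driver
console.log(buildLoginFilterSafe(injectedBody));   // null: request rejected
```

In a real application the same type check belongs on every field that ends up in a filter, not only on credentials, and it is cheaper to apply it once at the JSON-parsing boundary than in each handler.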

One popular attack utilizes a Rainbow Table. But sometimes a far easier attack works, since there is no username at all or only a default password!

A quick search on Shodan (the IoT search engine) will turn up a ton of insecure Redis and MongoDB installations on the web. With IoT, a lot of devices sit on the internet with default ports and settings, and there are a lot of connections to check. Be sure to pentest your server and devices before you put them on the public internet.


Published at DZone with permission of Tim Spann, DZone MVB. See the original article here.
