
MongoDB/NoSQL Injection - Security


A roundup of links on MongoDB and NoSQL injection, with tips on securing NoSQL datastores.


Everyone knows that SQL databases can be victims of SQL injection and that query security has to be designed in. NoSQL databases are vulnerable to many kinds of query injection as well: through the drivers used, through SQL interfaces such as Drill, and through their native query languages. NoSQL stores often ship with even less security than an RDBMS, and on many occasions default to no username and no password for authentication.

If you want to test your NoSQL datastore, try NoSQLMap. The tool attempts to attack your datastore the way an adversary would. Test your database for NoSQL injection, especially MongoDB: as the most popular NoSQL engine, it has the most attack vectors. Here is an example of a MongoDB attack. There are a few other frameworks to try as well. Check out the NoSQL Project and the NoSQL Exploitation Framework.

One popular attack uses a rainbow table against stored password hashes. Often, though, no such effort is needed: the instance has no username and password configured at all, or is still running with the defaults.

A quick search on Shodan (the search engine for internet-connected devices) turns up a ton of insecure Redis and MongoDB installations exposed on the web. With IoT, a lot of devices ship with default ports and settings, which leaves a lot of connections to check. Be sure to pentest your servers and devices before you put them on the public internet.



Published at DZone with permission of
