nosql
play

NoSQL MEANS no SECURITY? Philipp Kre no @xer ab INFRASTRUCTURE | - PowerPoint PPT Presentation

Jan 15, 2023 •486 likes •1.02k views

NoSQL MEANS no SECURITY? Philipp Kre no @xer ab INFRASTRUCTURE | DEVELOPER ADVOCATE Vie no aDB Papers We Love Vie no a SQL Injections? JavaScript Injection

  1. NoSQL MEANS no SECURITY? Philipp Kre no ���� @xer ab

  2. INFRASTRUCTURE | DEVELOPER ADVOCATE

  3. Vie no aDB Papers We Love Vie no a

  7. SQL Injections?

  8. JavaScript Injection HTTP://WWW.KALZUMEUS.COM/2010/09/22/SECURITY-LESSONS-LEARNED-FROM-THE-DIASPORA-LAUNCH/ def self.search(query) Person.all('$where' => "function() { return this.diaspora_handle.match(/^#{query}/i) || this.profile.first_name.match(/^#{query}/i) || this.profile.last_name.match(/^#{query}/i); }") end

  9. Problem JS Evaluation $where db.eval() db.runCommand( { mapReduce: db.collection.group()

  10. Solution JS Evaluation DEACTIVATE: --noscripting OR security.javascriptEnabled: false ESCAPE: CodeWScope

  11. S ab rbrücker Cybersicherheits-Studenten entdecken bis zu 40.000 ungesicherte Datenbanken im Internet — http://www.uni-saarland.de/nc/aktuelles/artikel/nr/12173.html

  12. Bound to a lm interfaces by default?

  13. Authentication enabled by default?

  14. Authentication & Authorization

  15. Enable auth=true

  16. <3.0 MONGODB CHALLENGE RESPONSE MONGODB-CR

  17. >=3.0 IETF RFC 5802 SCRAM-SHA-1

  18. SCRAM-SHA-1 CONFIGURABLE iterationCount SALT PER USER INSTEAD OF SERVER SHA-1 INSTEAD OF MD5 SERVER AUTHENTICATES AGAINST THE CLIENT AS WELL

  19. Predefined Roles read / readAnyDatabase readWrite / readWriteAnyDatabase dbAdmin / dbAdminAnyDatabase userAdmin / userAdminAnyDatabase dbOwner BACKUP, RESTORE, CLUSTER MANAGEMENT,...

  20. $ mongod --noauth --port 27017 --dbpath test/ --logpath testlog $ mongo localhost/admin > db.createUser({ user: "philipp", pwd: "password", roles: [ { role: "root", db: "admin" } ] }) > db.system.users.find() > exit

  21. $ mongod --auth --port 27017 --dbpath test/ --logpath testlog $ mongo localhost/admin > show dbs > exit $ mongo localhost/admin -u philipp -p --authenticationDatabase admin > show dbs > db.createUser({ user: "alice", pwd: "password", roles: [ { role: "read", db: "testA" }, { role: "readWrite", db: "testB" } ] }) > db.system.users.find() > exit

  22. $ mongo localhost/testA -u alice -p --authenticationDatabase admin --norc > db.test.insert({ foo: "bar" }) > db.test.find() > use testB > db.test.insert({ foo: "bar" }) > db.test.find() > use testC > db.test.find()

  23. SSL Co mn ercial OR SELF-COMPILED

  25. Bound to a lm interfaces by default?

  26. SINCE 3.2.0 (2016/05) Protected Mode ANSWER LOCAL QUERIES RESPOND WITH AN ERROR FOR REMOTE

  27. Authentication & Authorization

  28. a tiny layer of authentication — http://redis.io/topics/security

  29. AUTH <password> COMMAND PLAIN-TEXT PASSWORD IN REDIS.CONF NO (BUILT-IN) SSL OR RATE LIMITS

  30. Hiding Co mn ands

  31. SET IN REDIS.CONF RESET AFTER RESTART

  32. rename-command CONFIG mysecretconfigname

  33. rename-command CONFIG ""

  34. PS: Don't Pa st in Random Lua Scripts

  36. HTTPS://WWW.ELASTIC.CO/COMMUNITY/SECURITY CVE-2014-3120 (6.8): Dynamic scripting CVE-2014-6439 (4.3): CORS misconfiguration CVE-2015-1427 (6.8): Groovy sandbox escape CVE-2015-3337 (4.3): Directory traversal CVE-2015-4165 (3.3): File modifications CVE-2015-5377 (5.1): RCE related to Groovy CVE-2015-5531 (5.0): Directory traversal

  37. HTTPS://WWW.ELASTIC.CO/COMMUNITY/SECURITY CVE-2014-3120 (6.8): Dynamic scripting CVE-2015-1427 (6.8): Groovy sandbox escape CVE-2015-5377 (5.1): RCE related to Groovy

  38. Painle st

  39. HIRED DEVELOPER 1 YEAR DEVELOPMENT

  40. Why build a brand new language when there are already so many to ch op se from? — https://www.elastic.co/blog/painless-a-new-scripting-language

  41. Goal SECURE & PERFORMANT

  42. {"name": "Philipp", "goals": [9,27,15], "assists": [0,0,0]} GET /hockey-stats/_search { "query": { "function_score": { "script_score": { "script": { "lang": "painless", "inline": "int total = 0; for (int i = 0; i < input.doc.goals.size(); ++i) { total += input.doc.goals[i]; } return total;" } } } } }

  43. STATIC & DYNAMIC TYPES LIST, MAP, AND ARRAY INITIALIZERS SHORTCUTS RELATED TO MAPS AND LISTS BUILT-IN REGULAR EXPRESSIONS LAMBDA EXPRESSIONS PERFORMANCE SIMILAR TO JAVA METHOD AND FIELD LEVEL WHITELISTING (NO <class>.forName ) SCORING SCRIPTS

  44. PAINLESS DEFAULT GROOVY, PYTHON, JAVASCRIPT DEPRECATED

  45. PS: Authentication, Authorization & SSL

  46. Conclusion

  47. Injections Are Sti lm a Thing

  48. Enable Security by Default

  49. Be Creative — or not

  50. Custom Scripting Can Make Sense

  51. Security Takes Time

  52. Thanks! QUESTIONS? Philipp Kre no ����� @xer ab PS: STICKERS

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

NoSQL Source: Pramod J. Sadalage and Martin Fowler NoSQL Distilled: A Brief Guide to the

NoSQL Source: Pramod J. Sadalage and Martin Fowler NoSQL Distilled: A Brief Guide to the

NoSQL Source: Pramod J. Sadalage and Martin Fowler NoSQL Distilled: A Brief Guide to the Emerging World of Polyglot Persistence , Pearson Education, 2013 Objectives Introduce some key concepts behind the NoSQL family of databases Why NoSQL?

919 views • 19 slides
NoSQL and MongoDB 1 2 Introduction to NoSQL Based on a presentation by Traversy Media 3 What

NoSQL and MongoDB 1 2 Introduction to NoSQL Based on a presentation by Traversy Media 3 What

NoSQL and MongoDB 1 2 Introduction to NoSQL Based on a presentation by Traversy Media 3 What is NoSQL? Not only SQL SQL means Relational model Strong typing ACID compliance Normalization NoSQL means more freedom or flexibility 4

376 views • 34 slides
NoSQL Terje Gjster, Ph.D. UiA, Grimstad 16. November 2015 Overview Introduction and

NoSQL Terje Gjster, Ph.D. UiA, Grimstad 16. November 2015 Overview Introduction and

IKT437 Knowledge Engineering and Representation NoSQL Terje Gjster, Ph.D. UiA, Grimstad 16. November 2015 Overview Introduction and Motivation History of NoSQL Categories of NoSQL Examples of NoSQL systems Encodings

694 views • 55 slides
NoSQL like There is No Tomorrow Khawaja Head of Engineering, NoSQL Swaminathan Sivasubramanian

NoSQL like There is No Tomorrow Khawaja Head of Engineering, NoSQL Swaminathan Sivasubramanian

NoSQL like There is No Tomorrow Khawaja Head of Engineering, NoSQL Swaminathan Sivasubramanian Swami GM, NoSQL @swami_79 @ksshams how can you build your own DynamoDB Scale service? @swami_79 @ksshams lets start with a story about a

1.27k views • 77 slides
1 2 What is covered in this presentation? A brief history of databases NoSQL WHY, WHAT

1 2 What is covered in this presentation? A brief history of databases NoSQL WHY, WHAT

1 2 What is covered in this presentation? A brief history of databases NoSQL WHY, WHAT &amp; WHEN? Characteristics of NoSQL databases Aggregate data models CAP theorem Ashwani Kumar 16 February 2018 NOSQL Databases 3

647 views • 31 slides
Why NoSQL? Why Riak? Justin Sheehy justin@basho.com 1 What's all of this NoSQL nonsense?

Why NoSQL? Why Riak? Justin Sheehy justin@basho.com 1 What's all of this NoSQL nonsense?

Why NoSQL? Why Riak? Justin Sheehy justin@basho.com 1 What's all of this NoSQL nonsense? Voldemort Riak HBase Neo4j Cassandra MongoDB CouchDB Membase Redis (and the list goes on...) 2 What went wrong with SQL databases? Nothing!

854 views • 57 slides
How to Use NoSQL in Enterprise Java Applications Patrick Baumgartner NoSQL Roadshow | Zrich |

How to Use NoSQL in Enterprise Java Applications Patrick Baumgartner NoSQL Roadshow | Zrich |

How to Use NoSQL in Enterprise Java Applications Patrick Baumgartner NoSQL Roadshow | Zrich | 26.04.2012 Agenda Speaker Profile New Demands on Data Access New Types of Data Stores Integrating NoSQL Data Stores Spring Data

360 views • 18 slides
How to Use NoSQL in Enterprise Java Applications Patrick Baumgartner NoSQL Roadshow | Basel |

How to Use NoSQL in Enterprise Java Applications Patrick Baumgartner NoSQL Roadshow | Basel |

How to Use NoSQL in Enterprise Java Applications Patrick Baumgartner NoSQL Roadshow | Basel | 30.08.2012 Agenda Speaker Profile New Demands on Data Access New Types of Data Stores Integrating NoSQL Data Stores Spring Data

1.28k views • 28 slides
The NoSQL Ecosystem 7-21-10 Wednesday, July 21, 2010 Executive summary NoSQL is about using

The NoSQL Ecosystem 7-21-10 Wednesday, July 21, 2010 Executive summary NoSQL is about using

Jonathan Ellis @spyced jbellis@riptano.com The NoSQL Ecosystem 7-21-10 Wednesday, July 21, 2010 Executive summary NoSQL is about using the right tool for the job Wednesday, July 21, 2010 My bias Started working on Cassandra in 2009

524 views • 49 slides
NoSQL CS226 Big-data Management 1 Based on a presentation by Traversy Media 2 What is

NoSQL CS226 Big-data Management 1 Based on a presentation by Traversy Media 2 What is

NoSQL CS226 Big-data Management 1 Based on a presentation by Traversy Media 2 What is NoSQL? Not only SQL SQL means Relational model Strong typing ACID compliance Normalization NoSQL means more freedom or flexibility 3

470 views • 25 slides
SQL and JS Pitfalls Assignment 2 Preparation SQL Concepts SQL vs. NoSQL

SQL and JS Pitfalls Assignment 2 Preparation SQL Concepts SQL vs. NoSQL

SQL and JS Pitfalls Assignment 2 Preparation SQL Concepts SQL vs. NoSQL https://www.youtube.com/watch?v=Nu1UQblRQdM SQL Support for complex aggregation tools Normalized Data NoSQL Flexible data models

667 views • 17 slides
Security and Performance Analysis of Encrypted NoSQL Databases M.W. Grim BSc., Abe Wiersma BSc.

Security and Performance Analysis of Encrypted NoSQL Databases M.W. Grim BSc., Abe Wiersma BSc.

Security and Performance Analysis of Encrypted NoSQL Databases M.W. Grim BSc., Abe Wiersma BSc. Supervisor: F. Turkmen PhD February 6, 2017 University of Amsterdam Introduction Problem Securely storing BigData on NoSQL database systems.

669 views • 48 slides
Tarantool - a NoSQL Tarantool - a NoSQL database with SQL database with SQL Pavel Lapaev,

Tarantool - a NoSQL Tarantool - a NoSQL database with SQL database with SQL Pavel Lapaev,

Tarantool - a NoSQL Tarantool - a NoSQL database with SQL database with SQL Pavel Lapaev, Kirill Yukhin, Product Manager@Mail.ru Engineering Manager @Mail.ru 1 Agenda Agenda What is Mail.ru Group? What is Tarantool? Performance Storage

1.44k views • 55 slides
The NoSQL Movement FlockDB CSCI 470: Web Science Keith Vertanen 2 3

The NoSQL Movement FlockDB CSCI 470: Web Science Keith Vertanen 2 3

The NoSQL Movement FlockDB CSCI 470: Web Science Keith Vertanen 2 3 http://techcrunch.com/2012/10/27/big-data-right-now-five-trendy-open-source-technologies/ 4 http://blog.beany.co.kr/archives/275 5 What's in a name? #nosql

811 views • 26 slides
MySQL+HandlerSocket=NoSQL Protocol Using HS Commands Peculiarities Configuration hints Use

MySQL+HandlerSocket=NoSQL Protocol Using HS Commands Peculiarities Configuration hints Use

Why you need NoSQL Alternatives Meet HS HS internal working HS-MySQL interoperability Interface MySQL+HandlerSocket=NoSQL Protocol Using HS Commands Peculiarities Configuration hints Use cases @ Badoo Tuning Further reading Aggregate

520 views • 14 slides
NoSQL Concepts, Techniques &amp; Systems Part 2 Valentina Ivanova IDA, Linkping University

NoSQL Concepts, Techniques &amp; Systems Part 2 Valentina Ivanova IDA, Linkping University

NoSQL Concepts, Techniques &amp; Systems Part 2 Valentina Ivanova IDA, Linkping University NoSQL Concepts, Techniques &amp; Systems / Valentina Ivanova 2017-03-22 78 Outline NoSQL Systems - Types and Applications Dynamo HBase

1.13k views • 89 slides
V.Testa, S. Antoniucci, F. Pedichini &amp; the SHARK-VIS Science

V.Testa, S. Antoniucci, F. Pedichini &amp; the SHARK-VIS Science

V.Testa, S. Antoniucci, F. Pedichini &amp; the SHARK-VIS Science Team 11/04/2017 ADONI Meeting - Padova 1 THE SHARK-VIS SCIENCE TEAM S. Antoniucci 2 , F. Bacciotti 3 , C. Baffa 3 , S.

472 views • 24 slides
On Paraconsistent Belief Revision Rafael R. Testa Centre for Logic, Epistemology and History of

On Paraconsistent Belief Revision Rafael R. Testa Centre for Logic, Epistemology and History of

On Paraconsistent Belief Revision Rafael R. Testa Centre for Logic, Epistemology and History of Science State University of Campinas Brazil joint work with Marcelo Coniglio and Mrcio Ribeiro 2nd Madeira Workshop on Belief Revision and

460 views • 28 slides
Design for Testability 1 Basic Concept Design for testability (DFT) Design techniques

Design for Testability 1 Basic Concept Design for testability (DFT) Design techniques

9/19/2012 Design for Testability 1 Basic Concept Design for testability (DFT) Design techniques that make test generation and test application cost-effective. DFT methods for digital circuits: Ad-hoc methods Structured

760 views • 23 slides
Logic synthesis for post-CMOS technologies Eleonora Testa Integrated Systems Laboratory EPFL,

Logic synthesis for post-CMOS technologies Eleonora Testa Integrated Systems Laboratory EPFL,

Logic synthesis for post-CMOS technologies Eleonora Testa Integrated Systems Laboratory EPFL, Lausanne, Switzerland Joint work with Mathias Soeken and Giovanni De Micheli February, 2017 Logic synthesis HDL module function ( Translate a,

578 views • 23 slides
Erasmus+ Online Linguistic Support 1 Erasmus+ OLS Language Assessment 2 You are now guided

Erasmus+ Online Linguistic Support 1 Erasmus+ OLS Language Assessment 2 You are now guided

Erasmus+ Online Linguistic Support 1 Erasmus+ OLS Language Assessment 2 You are now guided through the Erasmus+ OLS Language Assessment 3 Everything starts with an invitation you receive by email 4 University X 5 Use the credentials from

823 views • 51 slides
Meson Spectroscopy and Resonances Sinad Ryan School of Mathematics, Trinity College Dublin,

Meson Spectroscopy and Resonances Sinad Ryan School of Mathematics, Trinity College Dublin,

Meson Spectroscopy and Resonances Sinad Ryan School of Mathematics, Trinity College Dublin, Ireland Hadron 2011, 13 th June 2011 Lattice QCD Lattice - a nonperturbative, gauge-invariant regulator for QCD Nielson-Ninomiya theorem Lattice

620 views • 38 slides
Lecture 5: Procedure &amp; Process Models 2018-05-03 Prof. Dr. Andreas Podelski, Dr. Bernd

Lecture 5: Procedure &amp; Process Models 2018-05-03 Prof. Dr. Andreas Podelski, Dr. Bernd

Softwaretechnik / Software-Engineering Lecture 5: Procedure &amp; Process Models 2018-05-03 Prof. Dr. Andreas Podelski, Dr. Bernd Westphal Albert-Ludwigs-Universitt Freiburg, Germany 5 2018-05-03 main Topic Area Project

763 views • 40 slides
LSB Galaxies Detection Using Markovian Segmentation on Astronomical Images Mireille Louys 1 ,

LSB Galaxies Detection Using Markovian Segmentation on Astronomical Images Mireille Louys 1 ,

LSB Galaxies Detection Using Markovian Segmentation on Astronomical Images Mireille Louys 1 , Benjamin Perret 1 Bernd Vollmer 2 , Franois Bonnarel 2 Sebastien Lefvre 1 , Christophe Collet 1 1 L aboratoire des S ciences de l I nformatique ,

317 views • 13 slides

More recommend