NoSQL MEANS no SECURITY? Philipp Krenn (@xeraa) | PowerPoint PPT Presentation


SLIDE 1

NoSQL

MEANS no SECURITY?

Philipp Krenn @xeraa

SLIDE 2

INFRASTRUCTURE | DEVELOPER ADVOCATE

SLIDE 3

ViennaDB, Papers We Love Vienna

SLIDE 4

SLIDE 5

SLIDE 6

SLIDE 7

SQL Injections?

SLIDE 8

JavaScript Injection

http://www.kalzumeus.com/2010/09/22/security-lessons-learned-from-the-diaspora-launch/

    # Diaspora's search at launch (Ruby, as quoted on the slide). The user-supplied
    # `query` is interpolated into a server-side JavaScript `$where` function, so
    # input that closes the regex literal runs as code inside mongod.
    def self.search(query)
      Person.all('$where' => "function() { return this.diaspora_handle.match(/^#{query}/i) || this.profile.first_name.match(/^#{query}/i) || this.profile.last_name.match(/^#{query}/i); }")
    end

SLIDE 9

Problem: JS Evaluation

$where
db.eval()
db.runCommand( { mapReduce:
db.collection.group()

SLIDE 10

Solution: JS Evaluation

DEACTIVATE: --noscripting or security.javascriptEnabled: false
ESCAPE: CodeWScope

SLIDE 11

Saarbrücken cyber-security students discover up to 40,000 unsecured databases on the Internet

— http://www.uni-saarland.de/nc/aktuelles/artikel/nr/12173.html

SLIDE 12

Bound to all interfaces by default?

SLIDE 13

Authentication enabled by default?

SLIDE 14

Authentication & Authorization

SLIDE 15

Enable

auth=true

SLIDE 16

<3.0

MONGODB CHALLENGE RESPONSE

MONGODB-CR

SLIDE 17

>=3.0

IETF RFC 5802

SCRAM-SHA-1

SLIDE 18

SCRAM-SHA-1

CONFIGURABLE iterationCount
SALT PER USER INSTEAD OF SERVER
SHA-1 INSTEAD OF MD5
SERVER AUTHENTICATES AGAINST THE CLIENT AS WELL

SLIDE 19

Predefined Roles

read / readAnyDatabase
readWrite / readWriteAnyDatabase
dbAdmin / dbAdminAnyDatabase
userAdmin / userAdminAnyDatabase
dbOwner

BACKUP, RESTORE, CLUSTER MANAGEMENT,...

SLIDE 20

    # start without auth once, to create the first (root) user
    $ mongod --noauth --port 27017 --dbpath test/ --logpath testlog
    $ mongo localhost/admin
    > db.createUser({ user: "philipp", pwd: "password", roles: [ { role: "root", db: "admin" } ] })
    > db.system.users.find()
    > exit

SLIDE 21

    # restart with auth; the unauthenticated session is refused, the root user creates alice
    $ mongod --auth --port 27017 --dbpath test/ --logpath testlog
    $ mongo localhost/admin
    > show dbs
    > exit
    $ mongo localhost/admin -u philipp -p --authenticationDatabase admin
    > show dbs
    > db.createUser({ user: "alice", pwd: "password", roles: [ { role: "read", db: "testA" }, { role: "readWrite", db: "testB" } ] })
    > db.system.users.find()
    > exit

SLIDE 22

    # alice: read-only on testA, read/write on testB, nothing on testC
    $ mongo localhost/testA -u alice -p --authenticationDatabase admin --norc
    > db.test.insert({ foo: "bar" })
    > db.test.find()
    > use testB
    > db.test.insert({ foo: "bar" })
    > db.test.find()
    > use testC
    > db.test.find()
SLIDE 23

SSL: Commercial

OR SELF-COMPILED

SLIDE 24

SLIDE 25

Bound to all interfaces by default?

SLIDE 26

SINCE 3.2.0 (2016/05)

Protected Mode

ANSWER LOCAL QUERIES
RESPOND WITH AN ERROR FOR REMOTE

SLIDE 27

Authentication & Authorization

SLIDE 28

a tiny layer of authentication

— http://redis.io/topics/security

SLIDE 29

AUTH <password> COMMAND

PLAIN-TEXT PASSWORD IN REDIS.CONF
NO (BUILT-IN) SSL OR RATE LIMITS

SLIDE 30

Hiding Commands

SLIDE 31

SET IN REDIS.CONF
RESET AFTER RESTART

SLIDE 32

rename-command CONFIG mysecretconfigname

SLIDE 33

rename-command CONFIG ""

SLIDE 34

PS: Don't Paste in Random Lua Scripts

SLIDE 35

SLIDE 36

https://www.elastic.co/community/security

CVE-2014-3120 (6.8): Dynamic scripting
CVE-2014-6439 (4.3): CORS misconfiguration
CVE-2015-1427 (6.8): Groovy sandbox escape
CVE-2015-3337 (4.3): Directory traversal
CVE-2015-4165 (3.3): File modifications
CVE-2015-5377 (5.1): RCE related to Groovy
CVE-2015-5531 (5.0): Directory traversal

SLIDE 37

https://www.elastic.co/community/security

CVE-2014-3120 (6.8): Dynamic scripting
CVE-2015-1427 (6.8): Groovy sandbox escape
CVE-2015-5377 (5.1): RCE related to Groovy

SLIDE 38

Painless

SLIDE 39

HIRED DEVELOPER
1 YEAR DEVELOPMENT

SLIDE 40

Why build a brand new language when there are already so many to choose from?

— https://www.elastic.co/blog/painless-a-new-scripting-language

SLIDE 41

Goal

SECURE & PERFORMANT

SLIDE 42

    {"name": "Philipp", "goals": [9,27,15], "assists": [0,0,0]}

    GET /hockey-stats/_search
    {
      "query": {
        "function_score": {
          "script_score": {
            "script": {
              "lang": "painless",
              "inline": "int total = 0; for (int i = 0; i < input.doc.goals.size(); ++i) { total += input.doc.goals[i]; } return total;"
            }
          }
        }
      }
    }
SLIDE 43

STATIC & DYNAMIC TYPES
LIST, MAP, AND ARRAY INITIALIZERS
SHORTCUTS RELATED TO MAPS AND LISTS
BUILT-IN REGULAR EXPRESSIONS
LAMBDA EXPRESSIONS
PERFORMANCE SIMILAR TO JAVA
METHOD AND FIELD LEVEL WHITELISTING (NO <class>.forName)
SCORING SCRIPTS

SLIDE 44

PAINLESS: DEFAULT
GROOVY, PYTHON, JAVASCRIPT: DEPRECATED

SLIDE 45

PS: Authentication, Authorization & SSL

SLIDE 46

Conclusion

SLIDE 47

Injections Are Still a Thing

SLIDE 48

Enable Security by Default

SLIDE 49

Be Creative — or not

SLIDE 50

Custom Scripting Can Make Sense

SLIDE 51

Security Takes Time

SLIDE 52

Thanks!

QUESTIONS?

Philipp Krenn @xeraa

PS: STICKERS