nosql
play

NoSQL MEANS no SECURITY? Philipp Kre no @xer ab INFRASTRUCTURE | - PowerPoint PPT Presentation

Jan 15, 2023 •486 likes •1.02k views

NoSQL MEANS no SECURITY? Philipp Kre no @xer ab INFRASTRUCTURE | DEVELOPER ADVOCATE Vie no aDB Papers We Love Vie no a SQL Injections? JavaScript Injection

  1. NoSQL MEANS no SECURITY? Philipp Kre no ���� @xer ab

  2. INFRASTRUCTURE | DEVELOPER ADVOCATE

  3. Vie no aDB Papers We Love Vie no a

  7. SQL Injections?

  8. JavaScript Injection HTTP://WWW.KALZUMEUS.COM/2010/09/22/SECURITY-LESSONS-LEARNED-FROM-THE-DIASPORA-LAUNCH/ def self.search(query) Person.all('$where' => "function() { return this.diaspora_handle.match(/^#{query}/i) || this.profile.first_name.match(/^#{query}/i) || this.profile.last_name.match(/^#{query}/i); }") end

  9. Problem JS Evaluation $where db.eval() db.runCommand( { mapReduce: db.collection.group()

  10. Solution JS Evaluation DEACTIVATE: --noscripting OR security.javascriptEnabled: false ESCAPE: CodeWScope

  11. S ab rbrücker Cybersicherheits-Studenten entdecken bis zu 40.000 ungesicherte Datenbanken im Internet — http://www.uni-saarland.de/nc/aktuelles/artikel/nr/12173.html

  12. Bound to a lm interfaces by default?

  13. Authentication enabled by default?

  14. Authentication & Authorization

  15. Enable auth=true

  16. <3.0 MONGODB CHALLENGE RESPONSE MONGODB-CR

  17. >=3.0 IETF RFC 5802 SCRAM-SHA-1

  18. SCRAM-SHA-1 CONFIGURABLE iterationCount SALT PER USER INSTEAD OF SERVER SHA-1 INSTEAD OF MD5 SERVER AUTHENTICATES AGAINST THE CLIENT AS WELL

  19. Predefined Roles read / readAnyDatabase readWrite / readWriteAnyDatabase dbAdmin / dbAdminAnyDatabase userAdmin / userAdminAnyDatabase dbOwner BACKUP, RESTORE, CLUSTER MANAGEMENT,...

  20. $ mongod --noauth --port 27017 --dbpath test/ --logpath testlog $ mongo localhost/admin > db.createUser({ user: "philipp", pwd: "password", roles: [ { role: "root", db: "admin" } ] }) > db.system.users.find() > exit

  21. $ mongod --auth --port 27017 --dbpath test/ --logpath testlog $ mongo localhost/admin > show dbs > exit $ mongo localhost/admin -u philipp -p --authenticationDatabase admin > show dbs > db.createUser({ user: "alice", pwd: "password", roles: [ { role: "read", db: "testA" }, { role: "readWrite", db: "testB" } ] }) > db.system.users.find() > exit

  22. $ mongo localhost/testA -u alice -p --authenticationDatabase admin --norc > db.test.insert({ foo: "bar" }) > db.test.find() > use testB > db.test.insert({ foo: "bar" }) > db.test.find() > use testC > db.test.find()

  23. SSL Co mn ercial OR SELF-COMPILED

  25. Bound to a lm interfaces by default?

  26. SINCE 3.2.0 (2016/05) Protected Mode ANSWER LOCAL QUERIES RESPOND WITH AN ERROR FOR REMOTE

  27. Authentication & Authorization

  28. a tiny layer of authentication — http://redis.io/topics/security

  29. AUTH <password> COMMAND PLAIN-TEXT PASSWORD IN REDIS.CONF NO (BUILT-IN) SSL OR RATE LIMITS

  30. Hiding Co mn ands

  31. SET IN REDIS.CONF RESET AFTER RESTART

  32. rename-command CONFIG mysecretconfigname

  33. rename-command CONFIG ""

  34. PS: Don't Pa st in Random Lua Scripts

  36. HTTPS://WWW.ELASTIC.CO/COMMUNITY/SECURITY CVE-2014-3120 (6.8): Dynamic scripting CVE-2014-6439 (4.3): CORS misconfiguration CVE-2015-1427 (6.8): Groovy sandbox escape CVE-2015-3337 (4.3): Directory traversal CVE-2015-4165 (3.3): File modifications CVE-2015-5377 (5.1): RCE related to Groovy CVE-2015-5531 (5.0): Directory traversal

  37. HTTPS://WWW.ELASTIC.CO/COMMUNITY/SECURITY CVE-2014-3120 (6.8): Dynamic scripting CVE-2015-1427 (6.8): Groovy sandbox escape CVE-2015-5377 (5.1): RCE related to Groovy

  38. Painle st

  39. HIRED DEVELOPER 1 YEAR DEVELOPMENT

  40. Why build a brand new language when there are already so many to ch op se from? — https://www.elastic.co/blog/painless-a-new-scripting-language

  41. Goal SECURE & PERFORMANT

  42. {"name": "Philipp", "goals": [9,27,15], "assists": [0,0,0]} GET /hockey-stats/_search { "query": { "function_score": { "script_score": { "script": { "lang": "painless", "inline": "int total = 0; for (int i = 0; i < input.doc.goals.size(); ++i) { total += input.doc.goals[i]; } return total;" } } } } }

  43. STATIC & DYNAMIC TYPES LIST, MAP, AND ARRAY INITIALIZERS SHORTCUTS RELATED TO MAPS AND LISTS BUILT-IN REGULAR EXPRESSIONS LAMBDA EXPRESSIONS PERFORMANCE SIMILAR TO JAVA METHOD AND FIELD LEVEL WHITELISTING (NO <class>.forName ) SCORING SCRIPTS

  44. PAINLESS DEFAULT GROOVY, PYTHON, JAVASCRIPT DEPRECATED

  45. PS: Authentication, Authorization & SSL

  46. Conclusion

  47. Injections Are Sti lm a Thing

  48. Enable Security by Default

  49. Be Creative — or not

  50. Custom Scripting Can Make Sense

  51. Security Takes Time

  52. Thanks! QUESTIONS? Philipp Kre no ����� @xer ab PS: STICKERS

Recommend

NoSQL Source: Pramod J. Sadalage and Martin Fowler NoSQL Distilled: A Brief Guide to the

NoSQL Source: Pramod J. Sadalage and Martin Fowler NoSQL Distilled: A Brief Guide to the

NoSQL Source: Pramod J. Sadalage and Martin Fowler NoSQL Distilled: A Brief Guide to the Emerging World of Polyglot Persistence , Pearson Education, 2013 Objectives Introduce some key concepts behind the NoSQL family of databases Why NoSQL?

919 views • 19 slides
NoSQL and MongoDB 1 2 Introduction to NoSQL Based on a presentation by Traversy Media 3 What

NoSQL and MongoDB 1 2 Introduction to NoSQL Based on a presentation by Traversy Media 3 What

NoSQL and MongoDB 1 2 Introduction to NoSQL Based on a presentation by Traversy Media 3 What is NoSQL? Not only SQL SQL means Relational model Strong typing ACID compliance Normalization NoSQL means more freedom or flexibility 4

376 views • 34 slides
NoSQL Terje Gjster, Ph.D. UiA, Grimstad 16. November 2015 Overview Introduction and

NoSQL Terje Gjster, Ph.D. UiA, Grimstad 16. November 2015 Overview Introduction and

IKT437 Knowledge Engineering and Representation NoSQL Terje Gjster, Ph.D. UiA, Grimstad 16. November 2015 Overview Introduction and Motivation History of NoSQL Categories of NoSQL Examples of NoSQL systems Encodings

694 views • 55 slides
NoSQL like There is No Tomorrow Khawaja Head of Engineering, NoSQL Swaminathan Sivasubramanian

NoSQL like There is No Tomorrow Khawaja Head of Engineering, NoSQL Swaminathan Sivasubramanian

NoSQL like There is No Tomorrow Khawaja Head of Engineering, NoSQL Swaminathan Sivasubramanian Swami GM, NoSQL @swami_79 @ksshams how can you build your own DynamoDB Scale service? @swami_79 @ksshams lets start with a story about a

1.27k views • 77 slides
1 2 What is covered in this presentation? A brief history of databases NoSQL WHY, WHAT

1 2 What is covered in this presentation? A brief history of databases NoSQL WHY, WHAT

1 2 What is covered in this presentation? A brief history of databases NoSQL WHY, WHAT &amp; WHEN? Characteristics of NoSQL databases Aggregate data models CAP theorem Ashwani Kumar 16 February 2018 NOSQL Databases 3

647 views • 31 slides
Why NoSQL? Why Riak? Justin Sheehy justin@basho.com 1 What's all of this NoSQL nonsense?

Why NoSQL? Why Riak? Justin Sheehy justin@basho.com 1 What's all of this NoSQL nonsense?

Why NoSQL? Why Riak? Justin Sheehy justin@basho.com 1 What's all of this NoSQL nonsense? Voldemort Riak HBase Neo4j Cassandra MongoDB CouchDB Membase Redis (and the list goes on...) 2 What went wrong with SQL databases? Nothing!

854 views • 57 slides
How to Use NoSQL in Enterprise Java Applications Patrick Baumgartner NoSQL Roadshow | Zrich |

How to Use NoSQL in Enterprise Java Applications Patrick Baumgartner NoSQL Roadshow | Zrich |

How to Use NoSQL in Enterprise Java Applications Patrick Baumgartner NoSQL Roadshow | Zrich | 26.04.2012 Agenda Speaker Profile New Demands on Data Access New Types of Data Stores Integrating NoSQL Data Stores Spring Data

360 views • 18 slides
How to Use NoSQL in Enterprise Java Applications Patrick Baumgartner NoSQL Roadshow | Basel |

How to Use NoSQL in Enterprise Java Applications Patrick Baumgartner NoSQL Roadshow | Basel |

How to Use NoSQL in Enterprise Java Applications Patrick Baumgartner NoSQL Roadshow | Basel | 30.08.2012 Agenda Speaker Profile New Demands on Data Access New Types of Data Stores Integrating NoSQL Data Stores Spring Data

1.28k views • 28 slides
The NoSQL Ecosystem 7-21-10 Wednesday, July 21, 2010 Executive summary NoSQL is about using

The NoSQL Ecosystem 7-21-10 Wednesday, July 21, 2010 Executive summary NoSQL is about using

Jonathan Ellis @spyced jbellis@riptano.com The NoSQL Ecosystem 7-21-10 Wednesday, July 21, 2010 Executive summary NoSQL is about using the right tool for the job Wednesday, July 21, 2010 My bias Started working on Cassandra in 2009

524 views • 49 slides
NoSQL CS226 Big-data Management 1 Based on a presentation by Traversy Media 2 What is

NoSQL CS226 Big-data Management 1 Based on a presentation by Traversy Media 2 What is

NoSQL CS226 Big-data Management 1 Based on a presentation by Traversy Media 2 What is NoSQL? Not only SQL SQL means Relational model Strong typing ACID compliance Normalization NoSQL means more freedom or flexibility 3

470 views • 25 slides
SQL and JS Pitfalls Assignment 2 Preparation SQL Concepts SQL vs. NoSQL

SQL and JS Pitfalls Assignment 2 Preparation SQL Concepts SQL vs. NoSQL

SQL and JS Pitfalls Assignment 2 Preparation SQL Concepts SQL vs. NoSQL https://www.youtube.com/watch?v=Nu1UQblRQdM SQL Support for complex aggregation tools Normalized Data NoSQL Flexible data models

667 views • 17 slides
Security and Performance Analysis of Encrypted NoSQL Databases M.W. Grim BSc., Abe Wiersma BSc.

Security and Performance Analysis of Encrypted NoSQL Databases M.W. Grim BSc., Abe Wiersma BSc.

Security and Performance Analysis of Encrypted NoSQL Databases M.W. Grim BSc., Abe Wiersma BSc. Supervisor: F. Turkmen PhD February 6, 2017 University of Amsterdam Introduction Problem Securely storing BigData on NoSQL database systems.

669 views • 48 slides
Tarantool - a NoSQL Tarantool - a NoSQL database with SQL database with SQL Pavel Lapaev,

Tarantool - a NoSQL Tarantool - a NoSQL database with SQL database with SQL Pavel Lapaev,

Tarantool - a NoSQL Tarantool - a NoSQL database with SQL database with SQL Pavel Lapaev, Kirill Yukhin, Product Manager@Mail.ru Engineering Manager @Mail.ru 1 Agenda Agenda What is Mail.ru Group? What is Tarantool? Performance Storage

1.44k views • 55 slides
The NoSQL Movement FlockDB CSCI 470: Web Science Keith Vertanen 2 3

The NoSQL Movement FlockDB CSCI 470: Web Science Keith Vertanen 2 3

The NoSQL Movement FlockDB CSCI 470: Web Science Keith Vertanen 2 3 http://techcrunch.com/2012/10/27/big-data-right-now-five-trendy-open-source-technologies/ 4 http://blog.beany.co.kr/archives/275 5 What's in a name? #nosql

811 views • 26 slides
MySQL+HandlerSocket=NoSQL Protocol Using HS Commands Peculiarities Configuration hints Use

MySQL+HandlerSocket=NoSQL Protocol Using HS Commands Peculiarities Configuration hints Use

Why you need NoSQL Alternatives Meet HS HS internal working HS-MySQL interoperability Interface MySQL+HandlerSocket=NoSQL Protocol Using HS Commands Peculiarities Configuration hints Use cases @ Badoo Tuning Further reading Aggregate

520 views • 14 slides
NoSQL Concepts, Techniques &amp; Systems Part 2 Valentina Ivanova IDA, Linkping University

NoSQL Concepts, Techniques &amp; Systems Part 2 Valentina Ivanova IDA, Linkping University

NoSQL Concepts, Techniques &amp; Systems Part 2 Valentina Ivanova IDA, Linkping University NoSQL Concepts, Techniques &amp; Systems / Valentina Ivanova 2017-03-22 78 Outline NoSQL Systems - Types and Applications Dynamo HBase

1.13k views • 89 slides
NoSQL Introduction CS 377: Database Systems Recap: Data Never Sleeps

NoSQL Introduction CS 377: Database Systems Recap: Data Never Sleeps

NoSQL Introduction CS 377: Database Systems Recap: Data Never Sleeps https://www.domo.com/blog/2015/08/data-never-sleeps-3-0/ CS 377 [Spring 2016] - Ho Web 2.0 Lorenzo Alberton Talk, NoSQL Databases: Why, what and when CS 377 [Spring

827 views • 44 slides
NoSQL Concepts, Techniques &amp; Systems Part 1 Valentina Ivanova IDA, Linkping University

NoSQL Concepts, Techniques &amp; Systems Part 1 Valentina Ivanova IDA, Linkping University

NoSQL Concepts, Techniques &amp; Systems Part 1 Valentina Ivanova IDA, Linkping University NoSQL Concepts, Techniques &amp; Systems / Valentina Ivanova 2017-03-20 2 Outline Today Part 1 RDBMS NoSQL NewSQL DBMS

1.22k views • 64 slides
Erik M eijer M icrosoft SQL Server Gavin Bierman M icrosoft Research Cambridge Towards a

Erik M eijer M icrosoft SQL Server Gavin Bierman M icrosoft Research Cambridge Towards a

Erik M eijer M icrosoft SQL Server Gavin Bierman M icrosoft Research Cambridge Towards a mathematical model for noSQL NoSQL Took Away The Relational M odel And Gave Nothing Back Benjamin Black 10/ 26/ 2010 Palo Alto NoSQL meetup What he

895 views • 41 slides
Data Modeling in the NoSQL World By: Ashutosh Kale, Adham Kamel, Jordan Mercado Kevin Kim,

Data Modeling in the NoSQL World By: Ashutosh Kale, Adham Kamel, Jordan Mercado Kevin Kim,

Data Modeling in the NoSQL World By: Ashutosh Kale, Adham Kamel, Jordan Mercado Kevin Kim, Pratyusha Pogaru, Edgar Velazquez Link to paper: https://hal.archives-ouvertes.fr/hal-01611628/document Parts &amp; names 1. Introduction &amp; NoSQL

526 views • 35 slides
NoSQL Postgres Oleg Bartunov Ivan Panchenko Postgres Professional Moscow University PGDay,

NoSQL Postgres Oleg Bartunov Ivan Panchenko Postgres Professional Moscow University PGDay,

NoSQL Postgres Oleg Bartunov Ivan Panchenko Postgres Professional Moscow University PGDay, Saint Petersburg, July 6, 2017 NoSQL () Relatjonal DBMS - integratjonal All APPs communicatjes through RDBMS SQL

1.02k views • 70 slides
NoSQL : Unleash the Power of MongoDB Abhishek Bagga 24 th September 2019 1 Abhishek Bagga

NoSQL : Unleash the Power of MongoDB Abhishek Bagga 24 th September 2019 1 Abhishek Bagga

NoSQL : Unleash the Power of MongoDB Abhishek Bagga 24 th September 2019 1 Abhishek Bagga Solution Architect abhishek.bagga@outlook.com linkedin.com/in/abhishekbagga/ @abhishekbagga28 2 Session Contents 1. NoSQL: What, Why &amp; Benefits

293 views • 27 slides
Consistency of NoSQL Models Au Tran, Thy Nguyen, Chaz Chang, Vijaypal Singh, Timothy To, Akash

Consistency of NoSQL Models Au Tran, Thy Nguyen, Chaz Chang, Vijaypal Singh, Timothy To, Akash

Consistency of NoSQL Models Au Tran, Thy Nguyen, Chaz Chang, Vijaypal Singh, Timothy To, Akash Budholia Introduction: From RBDMS to NoSQL In the past, ACID (Atomicity, Consistency, Isolation, and Durability) was a must have requirement for

1.23k views • 73 slides
CS 61: Database Systems NoSQL/Mongo CRUD Adapted from mongodb.com unless otherwise noted Agenda

CS 61: Database Systems NoSQL/Mongo CRUD Adapted from mongodb.com unless otherwise noted Agenda

CS 61: Database Systems NoSQL/Mongo CRUD Adapted from mongodb.com unless otherwise noted Agenda 1. Why choose NoSQL 2. Mongo CRUD 2 Relational databases have historically been the safe bet for the enterprise SQL databases are a solid

667 views • 29 slides

More recommend