Presentation Material
Abstract
The talk focuses on:
- Why NoSQL hasn’t solved the problem yet
- Why the DB administrator should worry, as the default security could cost you your job
- How an attacker with just an IP could take down the server and perform a resource exhaustion attack
- Various exploitation techniques, such as timing-based attacks similar to blind SQL injection with no feedback from the web application
- Discussion on why NoSQL encryption techniques have failed and why they aren’t secure
- How an attacker could leverage the various APIs within NoSQL for JSON-Injection
- 0-day bug in the PHP Couch driver which helps an attacker to leverage various resources
AI Generated Summary (may contain errors)
Here is a summarized version of the content:
Main Points
- The speaker discusses NoSQL databases, specifically Cassandra and HBase, which are written in Java.
- Cassandra uses the Thrift protocol, has a default port of 9160, and lacks union and self-referential terms. Its primary key can only be read.
- HBase supports billions of rows and columns, uses the REST protocol, and has a default port of 6379.
Security Issues
- Both Cassandra and HBase have security issues, such as CQL injections in web apps and exposed APIs that allow scanning and animation attacks.
- Memory leaks and buffer overflows are also rising concerns.
NoSQL Exploitation Framework
- The speaker introduces the NoSQL exploitation framework, a Python-based tool for exploiting vulnerabilities in NoSQL databases.
- The framework currently supports Couchbase, Redis, HBase, and Cassandra, with plans to add more databases soon.
- It includes features such as JavaScript attack testing, MongoDB dollar sign attacks, multi-threaded mass scanning, cloning, dictionary attacks, and payload list management.
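The "MongoDB dollar sign attack" and JSON-Injection named above both come down to untrusted JSON being used as a query filter. The following is an added example, not code from the talk or the framework: a hypothetical login-filter builder in its vulnerable form beside a hardened form that rejects operator keys and enforces plain-string credentials (no database driver needed).

```javascript
// Added example: how a parsed JSON body becomes a MongoDB filter, and how to
// refuse operator injection before it reaches the database. The handler
// names and the sample requests are constructed for illustration.

// Vulnerable: the request body is spliced straight into the query filter.
// A body of {"username":"admin","password":{"$gt":""}} yields a filter in
// which the password clause matches any value, so the check is bypassed.
function buildLoginFilterVulnerable(body) {
  return { username: body.username, password: body.password };
}

// Defensive check: walk the value recursively and flag any object key that
// starts with '$' (a query operator) or contains '.' (a field-path), so
// nested or array-wrapped operators are caught as well as top-level ones.
function containsOperatorKey(value) {
  if (Array.isArray(value)) return value.some(containsOperatorKey);
  if (value !== null && typeof value === 'object') {
    return Object.keys(value).some(
      (k) => k.startsWith('$') || k.includes('.') || containsOperatorKey(value[k])
    );
  }
  return false; // strings, numbers, booleans and null carry no keys
}

// Hardened: the whole body is scanned for operator keys, and credentials
// must be plain strings. Returns null when the request must be rejected,
// so the caller never builds a filter from an attacker-shaped object.
function buildLoginFilterHardened(body) {
  if (containsOperatorKey(body)) return null;
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') return null;
  return { username, password };
}

// Constructed sample requests, as a web app would receive them after JSON.parse.
const benignBody = JSON.parse('{"username":"alice","password":"s3cret"}');
const injectedBody = JSON.parse('{"username":"admin","password":{"$gt":""}}');

console.log('vulnerable:', JSON.stringify(buildLoginFilterVulnerable(injectedBody)));
console.log('hardened  :', JSON.stringify(buildLoginFilterHardened(injectedBody)));
console.log('benign    :', JSON.stringify(buildLoginFilterHardened(benignBody)));
```

The same key check applies to any endpoint that builds filters from JSON, not only login; type enforcement alone is not enough once nested documents are accepted as legitimate input.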
Future Updates
- Upcoming updates include support for Cassandra energy-based attacks, resource exhaustion attacks, and report generation.
- The framework is open-source, and contributors are encouraged to participate on the No Secret Project GitHub page.