Presentation Material
Abstract
With the rise of NoSQL databases, more and more companies as well as end users have started moving to NoSQL. But is it safe? Does NoSQL mean we no longer have to worry about injection attacks? We do. This paper concentrates on exploiting NoSQL databases, especially MongoDB, CouchDB and Redis, and on automating that work with the NoSQL Exploitation Framework. It focuses on:

- Why NoSQL hasn't solved the injection problem yet
- Why the database administrator should worry, since the default security settings could cost you your job
- How an attacker with just an IP address could take down the server and perform a resource-exhaustion attack
- Various exploitation techniques, such as timing-based attacks similar to blind SQL injection with no feedback from the application
- Why NoSQL encryption techniques have failed and why they aren't secure
- Various vulnerabilities in third-party apps such as mongoose
- How an attacker could leverage the various APIs within NoSQL for JSON injection

In conjunction with this talk, the NoSQL Exploitation Framework will be released. It focuses on enumerating servers, with support for MongoDB, CouchDB, Redis, Cassandra and, for the first time, HBase. Dictionary attacks on servers, DoS attacks, MITM attacks against the various databases, SHODAN search, a scanning and fuzzing module, plus various exploitation attacks will be demoed.
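The JSON-injection class of bug the abstract refers to comes from passing decoded JSON straight into a query filter, so that a nested object becomes a MongoDB operator. The following is an added example, not code from the talk or the framework; it contrasts the vulnerable pattern with a hardened one and uses constructed request bodies (the field names and values are assumptions for illustration).

```python
import json
from typing import Any

# Constructed sample request bodies (not from the original page): a benign
# login and one that smuggles a MongoDB query operator through JSON.
BENIGN_BODY = '{"user": "alice", "password": "s3cret"}'
OPERATOR_BODY = '{"user": "alice", "password": {"$ne": ""}}'


def build_login_filter_unsafe(body: str) -> dict:
    """Vulnerable pattern: the decoded JSON is copied into the query filter
    unchanged, so {"$ne": ""} is interpreted as an operator, not a password."""
    data = json.loads(body)
    return {"user": data["user"], "password": data["password"]}


def contains_operator(value: Any) -> bool:
    """Recursively report whether any key anywhere in a decoded JSON value
    starts with '$' (the MongoDB operator prefix)."""
    if isinstance(value, dict):
        return any(k.startswith("$") or contains_operator(v)
                   for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False


def build_login_filter_safe(body: str) -> dict:
    """Hardened pattern: reject operator-shaped input and enforce that the
    fields the application expects are plain strings before querying."""
    data = json.loads(body)
    if contains_operator(data):
        raise ValueError("query operator found in user-supplied input")
    user, password = data.get("user"), data.get("password")
    if not isinstance(user, str) or not isinstance(password, str):
        raise ValueError("credential fields must be strings")
    return {"user": user, "password": password}


def is_rejected(body: str) -> bool:
    """Helper for checking behaviour: True if the hardened builder refuses
    the body, False if it produces a filter."""
    try:
        build_login_filter_safe(body)
    except ValueError:
        return True
    return False
```

Type enforcement matters as much as the `$` check: a list or number where a string is expected also changes the query's semantics, which is why the safe builder validates both.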