NoSQL, which stands for Not Only SQL, is a common term for nonrelational databases. Popular NoSQL databases include MongoDB, Cassandra, CouchDB, Redis and others. NoSQL databases have become increasingly popular thanks to their benefits in particular use cases, especially in big data and real-time Web applications where performance, scalability and flexibility are key.
Database security has been and will continue to be one of the more critical aspects of application security. Access to the database grants an attacker a dangerous amount of control over the most critical information. Although the number of SQL injection vulnerabilities has been declining since 2008 due to the use of secure frameworks and improved awareness, it has remained a high-impact risk.
With the emergence of new databases and query techniques, old attack methods become obsolete and new ones emerge. For example, most NoSQL databases do not use SQL and instead use a JavaScript Object Notation (JSON) query language and an HTTP API. This makes old techniques like SQL injection obsolete. However, NoSQL definitely does not imply zero risk. In fact, NoSQL databases are vulnerable to injection attacks, cross-site request forgery (CSRF) and other vulnerabilities.
In a paper titled "No SQL, No Injection? Examining NoSQL Security," presented at the Web 2.0 Security and Privacy conference, it has been demonstrated that a number of injection techniques against MongoDB in different runtimes are possible. Additionally, the paper discusses Web APIs and their risks, such as CSRF, and gives some deployment recommendations.
Knowing the risks is key to protecting against them. Having automated security testing is also significant for achieving consistent results. Web application scanners, for instance, can use rules for finding vulnerabilities in NoSQL databases to help you protect against the new exploitation techniques.
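The two points above, that a JSON query API can be injected into and that a rule can flag such input, are easier to see in code. The following is an added example written for this post, not code from the original article or from the paper it cites. It uses a constructed in-memory "users" collection and a tiny stand-in matcher instead of a real MongoDB driver (with a driver such as pymongo the same filter dict would be passed to `collection.find`); the function names and the sample request bodies are assumptions made for the illustration. It shows a login lookup that forwards request fields straight into the filter, the hardened version that validates each field to a bounded plain string first, and a scanner-style rule that walks any JSON body and reports keys that would be interpreted as query operators.

```python
from typing import Any

# Constructed sample collection, standing in for a MongoDB "users" collection.
USERS = [
    {"username": "alice", "password": "correct-horse-battery", "role": "admin"},
    {"username": "bob", "password": "hunter2", "role": "user"},
]


class InvalidInput(ValueError):
    """Raised when a request field is not a plain, bounded string."""


def require_scalar(field: str, value: Any) -> str:
    """Accept only a plain string for a user-controlled filter value.

    A JSON body deserialises nested objects into dicts, and a dict placed
    into a filter is read by the database as an operator expression rather
    than a literal to compare against. Rejecting anything that is not a
    short string keeps the caller from choosing the comparison semantics.
    """
    if not isinstance(value, str):
        raise InvalidInput(f"{field}: expected a string, got {type(value).__name__}")
    if not value or len(value) > 256:
        raise InvalidInput(f"{field}: empty or oversized value")
    return value


def build_login_filter(body: dict) -> dict:
    """Build an equality-only filter for a login lookup from a parsed body."""
    return {
        "username": require_scalar("username", body.get("username")),
        "password": require_scalar("password", body.get("password")),
    }


def _matches(doc: dict, flt: dict) -> bool:
    """Minimal stand-in for the server-side matcher (hypothetical helper):
    equality for scalar conditions, and the $ne operator for dict
    conditions. It exists only to show how a dict changes the query."""
    for key, cond in flt.items():
        actual = doc.get(key)
        if isinstance(cond, dict):
            for op, arg in cond.items():
                if op == "$ne":
                    if actual == arg:
                        return False
                else:
                    raise ValueError(f"unsupported operator {op}")
        elif actual != cond:
            return False
    return True


def find_users_unsafe(body: dict) -> list:
    """'Before': request fields forwarded as-is, so a nested object in the
    body becomes an operator expression in the filter."""
    flt = {"username": body.get("username"), "password": body.get("password")}
    return [u for u in USERS if _matches(u, flt)]


def find_users_safe(body: dict) -> list:
    """'After': every field is validated to a scalar string first."""
    return [u for u in USERS if _matches(u, build_login_filter(body))]


def login_outcome(body: dict) -> str:
    """Summarise what the hardened path does for one request body."""
    try:
        hits = find_users_safe(body)
    except InvalidInput as exc:
        return f"rejected: {exc}"
    return "ok" if len(hits) == 1 else "no match"


def find_operator_keys(obj: Any, path: str = "$") -> list:
    """Scanner-style rule: walk a parsed JSON body and return the JSON
    paths of every key that begins with '$', i.e. every key the database
    would treat as a query operator if it reached a filter."""
    found = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            here = f"{path}.{key}"
            if isinstance(key, str) and key.startswith("$"):
                found.append(here)
            found.extend(find_operator_keys(val, here))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            found.extend(find_operator_keys(val, f"{path}[{i}]"))
    return found


if __name__ == "__main__":
    good = {"username": "alice", "password": "correct-horse-battery"}
    odd = {"username": {"$ne": ""}, "password": {"$ne": ""}}
    print(len(find_users_unsafe(good)), len(find_users_unsafe(odd)))  # 1 2
    print(login_outcome(good), "|", login_outcome(odd))
    print(find_operator_keys(odd))
```

The contrast in `find_users_unsafe` versus `find_users_safe` is the whole point: the database does nothing wrong, it faithfully evaluates the filter it is given, so the application must decide the type and shape of each field before the filter is built. `find_operator_keys` is the kind of rule a scanner, WAF or request logger can apply to any JSON endpoint without knowing the schema; flagging `$`-prefixed keys in user-supplied bodies catches the failure mode generically, while the per-field validation is what actually closes it.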