MongoDB NoSQL Injection Analysis and Detection
Boyu Hou, K. Qian, Lei Li, Yong Shi, Lixin Tao, Jigang Liu
2016 IEEE 3rd International Conference on Cyber Security and Cloud Computing (CSCloud), published 2016-06-25
DOI: 10.1109/CSCloud.2016.57 (https://doi.org/10.1109/CSCloud.2016.57)
Citation count: 24
Abstract
A NoSQL ("Non-Relational" or "Not only SQL") database system provides an approach to data management and database design for very large sets of distributed data and real-time web applications. NoSQL database systems are also popular data stores for information retrieval because they offer better scalability, availability, and faster data access than traditional relational database management systems (RDBMS). The data needs of an RDBMS are predictable because its data is stored in structured tables with defined relationships between columns. In contrast, data in a NoSQL database does not need to be stored in a structured or fixed schema. When performance and real-time access matter more than consistency, such as when indexing and retrieving large numbers of records, NoSQL databases are better suited than relational databases. With their clear advantages in performance, scalability, and flexibility, NoSQL databases have recently been adopted by many small businesses as they move their growing business data into the cloud. However, research on the security of a specific NoSQL database system, or of NoSQL database systems in general, is very limited. Although NoSQL databases have many storage advantages, the need for quick and easy access to data has been seriously undermined by their security issues. This paper examines the maturity of security measures for MongoDB, a typical NoSQL database system, from both the attack and defense sides at the code level. Experimental testing of NoSQL injections is performed with JavaScript and PHP. After demonstrating how a server-side JavaScript injection attack against a NoSQL database system reveals customers' private data, two methods for preventing this type of security problem are discussed.
We believe this study will help database developers not only realize that NoSQL database systems are not designed with security as a priority, but also learn how to build a security layer into their organizations' NoSQL applications to avoid NoSQL injections.
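The abstract names the attack (server-side JavaScript injection against MongoDB) and promises two defenses without showing code. The block below is an added illustration, not code from the paper or from MongoDB: it shows the two ways application code lets attacker input reach the query layer, a `$where` string built by concatenation (evaluated as JavaScript by mongod) and operator injection through a parsed request body (the same shape PHP's `$_POST` produces for `password[$gt]=`), and two defenses a security layer can apply: strict scalar typing of query values, and rejecting any operator-shaped key before the query is built. The field names `username` and `password`, the sample document and the request bodies are constructed for the example; `evaluateWhere` only simulates how mongod evaluates a `$where` predicate, no database is needed to run it.

```javascript
// Added example (not code from the paper): how a MongoDB NoSQL injection is
// built in application code, and two defenses. The fields (username, password)
// and the request shapes below are assumptions for illustration.

// Vulnerable pattern 1: server-side JavaScript. User input is spliced into a
// $where string that mongod evaluates as JavaScript against every document.
function buildWhereQueryVulnerable(username, password) {
  return {
    $where: `this.username == '${username}' && this.password == '${password}'`
  };
}

// Simulates what mongod does with a $where string: evaluate it as JavaScript
// with `this` bound to the candidate document and report whether it matched.
function evaluateWhere(whereString, doc) {
  return Boolean(new Function(`return (${whereString});`).call(doc));
}

// Vulnerable pattern 2: operator injection. A JSON body parser (or PHP's $_POST
// for password[$gt]=) yields an object, and {"$gt": ""} matches any string, so
// the password check is bypassed without touching $where at all.
function buildLoginQueryVulnerable(body) {
  return { username: body.username, password: body.password };
}

// Defense 1: build only exact-match queries from values coerced to the expected
// scalar type, and never pass user input into $where.
function asString(value) {
  if (typeof value !== 'string') {
    throw new TypeError('expected a string, got ' + typeof value);
  }
  return value;
}

function buildLoginQuerySafe(body) {
  return { username: asString(body.username), password: asString(body.password) };
}

// Defense 2: a security layer in front of the query builder that rejects any
// operator-shaped input (a key starting with '$') anywhere in the request body.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === 'object') {
    return Object.keys(value).some(
      (k) => k.startsWith('$') || containsOperator(value[k])
    );
  }
  return false;
}

// Constructed sample data (not from the paper).
const sampleDoc = { username: 'alice', password: 's3cret' };
const whereInjection = "' || 1==1 || '";   // closes the quote, forces the predicate true
const operatorBody = { username: 'alice', password: { $gt: '' } };
const honestBody = { username: 'alice', password: 'wrong-guess' };

function demo() {
  const injected = buildWhereQueryVulnerable(whereInjection, 'anything').$where;
  const honest = buildWhereQueryVulnerable('alice', 'wrong-guess').$where;
  return {
    whereInjectionMatches: evaluateWhere(injected, sampleDoc), // true: every document leaks
    whereHonestMatches: evaluateWhere(honest, sampleDoc),      // false: wrong password
    operatorBodyFlagged: containsOperator(operatorBody),       // true: {$gt: ""} rejected
    honestBodyFlagged: containsOperator(honestBody)            // false: plain strings pass
  };
}

console.log(demo());
```

The injected `$where` string becomes `this.username == '' || 1==1 || '' && this.password == 'anything'`, which is true for every document, so a login or lookup built this way returns the whole customer collection. The operator payload never needs JavaScript evaluation, which is why disabling server-side scripting on mongod (`security.javascriptEnabled: false`) closes only the first pattern; the type check and operator filter are what close the second.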