NoSQL Exploitation Framework – Tool of the Month
NoSQL Exploitation Framework – A Tool for Script Kiddies to Learn NoSQL Injection
NoSQL, which stands for Not Only SQL, is a common term for non-relational databases. Popular NoSQL databases include MongoDB and CouchDB, along with Redis, Cassandra and others. NoSQL databases have become increasingly popular because of their benefits in particular use cases, especially big data and real-time web applications where performance, scalability and flexibility are key.
NoSQL Exploitation Framework
Author: Francis Alexander
URL: https://github.com/torque59/nosql-exploitation-framework
System: Linux and Windows
Recent additions to the project:
- support for MongoDB, CouchDB, Redis, HBase and Cassandra;
- support for NoSQL web applications;
- a list of payloads for JavaScript injection and web application enumeration;
- scanning of MongoDB, CouchDB and Redis instances;
- dictionary attacks against MongoDB, CouchDB and Redis;
- an enumeration module that retrieves data from the databases;
- detection of the web-based interface for MongoDB;
- Shodan query support;
- a multi-threaded scanner for IP addresses read from a list;
- sniffing of MongoDB, CouchDB and Redis traffic.
How Do I Prevent It?
- Prepared Statements: For SQL calls, use prepared statements instead of building dynamic queries by string concatenation. For NoSQL databases, build queries through the driver's query objects rather than concatenating user input into JavaScript expressions (for example MongoDB $where clauses).
- Input Validation: Validate inputs to detect malicious values. For NoSQL databases, also validate input types against the expected types: a login field that should be a string must not be accepted as an object, because an object such as {"$ne": ""} is interpreted as a query operator.
- Least Privilege: To minimize the potential damage of a successful injection attack, do not assign DBA or admin type access rights to your application accounts. Similarly, minimize the privileges of the operating system account that the database process runs under.
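The type-validation point above is easiest to see with a worked example. The following Python is an added illustration written for this page, not code from the NoSQL Exploitation Framework or from the tool's author. It assumes a hypothetical JSON login handler that copies the "username" and "password" fields of the request body into a MongoDB-style filter; the user documents and the attacker request are constructed for the demo, and a tiny in-memory matcher that understands equality plus the $ne and $gt operators stands in for the database so the example runs offline. The unsafe handler lets an operator object through and the filter matches every user; the hardened handler rejects anything that is not a plain string before it reaches the filter.

```python
import json
from typing import Any

# Constructed sample "collection" (not real data): what the filter is run against.
USERS = [
    {"username": "alice", "password": "hunter2", "role": "admin"},
    {"username": "bob", "password": "letmein", "role": "user"},
]


def matches(doc: dict, query: dict) -> bool:
    """Tiny subset of MongoDB filter semantics: equality plus $ne/$gt on strings.
    Just enough to show what an injected operator object does to a login filter."""
    for field, cond in query.items():
        value = doc.get(field)
        if isinstance(cond, dict):  # operator object, e.g. {"$ne": ""}
            for op, arg in cond.items():
                if op == "$ne":
                    if value == arg:
                        return False
                elif op == "$gt":
                    if not (isinstance(value, str) and value > arg):
                        return False
                else:
                    raise ValueError(f"unsupported operator {op}")
        elif value != cond:  # plain equality
            return False
    return True


def find(query: dict) -> list:
    """Stand-in for collection.find(query)."""
    return [u for u in USERS if matches(u, query)]


def login_query_unsafe(body: str) -> dict:
    """VULNERABLE: JSON values are copied into the filter unchanged, so a client
    can send an object ({"$ne": ""}) where the code expects a string."""
    data = json.loads(body)
    return {"username": data["username"], "password": data["password"]}


def require_str(value: Any, field: str) -> str:
    """Type check: reject anything that is not a plain string (dict, list, number, null)."""
    if not isinstance(value, str):
        raise ValueError(f"{field}: expected string, got {type(value).__name__}")
    return value


def login_query_safe(body: str) -> dict:
    """HARDENED: every field is type-checked before it reaches the filter, so an
    operator object cannot be smuggled into the query."""
    data = json.loads(body)
    return {
        "username": require_str(data.get("username"), "username"),
        "password": require_str(data.get("password"), "password"),
    }


def authenticate(body: str, safe: bool) -> list:
    """Return the user documents matched by the login filter built from `body`."""
    query = login_query_safe(body) if safe else login_query_unsafe(body)
    return find(query)


if __name__ == "__main__":
    # Constructed attacker request: operator objects instead of credentials.
    evil = json.dumps({"username": {"$ne": ""}, "password": {"$ne": ""}})
    print("unsafe:", [u["username"] for u in authenticate(evil, safe=False)])
    try:
        authenticate(evil, safe=True)
    except ValueError as exc:
        print("safe rejected:", exc)
```

Running it shows the unsafe filter returning both alice and bob (the first match is typically what a naive login handler logs in as), while the hardened version raises before any query is issued. In a real handler the same check belongs on every field that is copied from the request, and the application account used for the query should not have admin rights, as the least-privilege item above says.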