Good afternoon, everyone. My name is Ming Chao, and I will be speaking today about NoSQL databases. How many people here are using a NoSQL database such as Mongo, Redis, Cassandra, HBase, many, many to name? How's your experience so far with them? Yeah, it's so far so good. They're fast. They're transactional. They're very easy to use. You don't need SQL to use them. And if you want to insert data, search for stuff, it's all based on the computer science principle of key-value pairs. So if you've never seen a Mongo database or a NoSQL database, typically how you want to find data is, I'm connected to a financial news database on Mongo right now. But if you want to find something, it's going to be something like the database, the name of the collection, then the find routine. And typically it would take in JSON. So the key is going to be screen name. Let's say the screen name is going to be CBS News. So what I'm going to do here, just a very simple example, is to show how you find all financial news that's from CBS News on Twitter. And so what happens is those are all your results. So really nice and easy. But that's only just one way, one of many ways to search for stuff in a NoSQL database such as Mongo. What about security of NoSQL databases? That's another story. That's all over the place. Right now we have a mixture of heterogeneous and homogeneous security issues. And that's what I'm here to talk about. Okay. I'm actually very surprised that the topic of just NoSQL databases has never, ever been covered here at DEF CON. Two years ago I talked about building, you know, the issues of using HTML5, which is used to build things on the application side. There's actually just a lot too, just the database side of things. And a lot has changed in two years. But one thing that hasn't changed is we're all still new to NoSQL databases. You know, we're all new to this. And the only thing largely a lot of us care about is just making it work. Just making it work. 
And of course, that certainly, that has some, you know, you know how usually that goes, especially if you leave security in the hands of developers. So a homogeneous problem. A very simple one right off the bat. If you know the database vendor, you know the IP address, you know the port number, you've almost won the game. Okay. Why? Why is just knowing the IP address, the database vendor and the port number good enough? That's because of this next thing, which is authentication and encryption. It's almost non-existent or extremely weak. If you use many NoSQL, if not all NoSQL databases out there, if you take them out of the box, you take them out of the box, administrator user authentication is turned off. Okay. Turned off. Even if they do support features such as encryption and auditing, not only do you have to turn them on yourselves, but also the, you know, the scheme is really weak. Just for example, Mongo still uses MD5; weak salts in CouchDB. If you ever read the documentation of Mongo, or Couch, or Redis, or Cassandra, there is this one line which I find very surprising. There's one thing in common with each and every one of these systems in that we urge you to use this database system in a trusted environment. That's from the documentation. Read the documentation. It's quite mind-boggling. Security is a complete afterthought. Look, how big is, you know, if, how big are NoSQL databases out there right now? Well, if you do a search on Shodan, right now, if you do a search on Shodan, it's 40,000 instances of Mongo that are out there, and there are also 20,000 instances of Redis running. So it's a big deal. It's already there. So this is a, these are homogeneous issues that we've seen that affect all NoSQL databases. Okay, so there's a lot of chatter on this thing known as, okay, NoSQL. Not only do I not need to know SQL anymore, but this whole problem that I think you guys might have heard of called SQL injection goes away. 
Actually, in my humble opinion, the injection problem has gotten worse. Okay, now, okay, so SQL injection is gone, but now we have three, I say three different classes of injection attacks. Okay, one is called schema. Now, NoSQL databases, how do they work? They're based off a very dynamic data model. Okay? If you insert a record, or if you create a, if you create a database that doesn't exist, it automatically creates it for you, right on the fly. Okay, yeah, it goes back to the original point that these NoSQL databases are really, really easy to use. Okay, very, very flexible. That's a good thing. Of course, the bad thing is, you know, you have flexible dynamic record and data entry. Also, you can easily overwrite existing values for keys, very, very simply: last key wins. Okay? So, I am going to show you a few demos. Schema I'm going to do last. You can do query, very unsafe query, very simply by string concatenation. And now this gem, I love this one. How many of you are good at JavaScript here? Okay, learn it. Okay, learn it. Now, a lot of these NoSQL databases, they take in JavaScript functions as parameters. To search and insert. Okay? And I'm going to give you an example of using the where clause. Now here, I am now going to give a quick demo on, this works, search by handle. In this example. So, what I've done in this example is, I've created a new search system. Okay, there's a whole bunch of Twitter handles that are used by the Bloomberg terminal. And I've actually stored 4,000 tweets in all. But let's say that I know that one of the Twitterers on the Bloomberg handle is VentureBeat. So, if I type in VentureBeat, hit search. Okay. This is a collection of all the news that I've returned by VentureBeat, that have been tweeted out by VentureBeat for, I don't know, a few days. Okay. All right, works well, CBS News. And so we have 208 items. Okay. Now, how can we beat this system? 
One thing is, what we can do is, if you want to see more records than you want. Okay. And PHP is a very interesting beast, working with Mongo databases. Let's put in for this query parameter known as search box. We have square brackets, dollar sign N E. $ne in Mongo means not equal to. Okay. You can use dollar sign, I mean $ne, to search for things that are not equal to something. Now, what does PHP do? Okay. What does PHP do? Any inputs that are within square brackets, they are automatically converted to an associative array format. So, how are you going to read this is, okay, so what this now, this query will do, the original stuff I showed you was, okay, give me everything that is CBS News or VentureBeat. Now what we just did is we just modified the query and we just changed it on the fly and we said, okay, give me everything that is not equal to CBS News. Hit enter. Now, we have all these records, all these news items that are from sources on Twitter that are not CBS News. Okay. That returned back everything. So what's the culprit here? What's the culprit? So if I can show you the source, search by handle dot PHP. And I'm going to show you the line, that one right there. Collection find array, search for screen name equals something. Now, remember what I said, if you use square brackets for your query parameters, that stuff will be, that will be translated to an associative array. So what this will do will be the associative array will be screen name and then arrow, the value will be in an array, associative array format, not equal to as the operator. And of course, what did I use? I think I used CBS News. Okay. So now I'm going to show you an example of JavaScript injection. Okay. Search hack me dot PHP. Very, really plain looking box here. Now, what you can't do it, I didn't give any direction on how to use this. Okay. But what we can do is this. We can actually use JavaScript functions. We're going to type in a few JavaScript functions. 
Function. Okay. Now, let's say I want to return all the news items from, let's say NBC News. So return this dot screen name. Okay. Equals, equals. And of course, the string is going to be NBC News. Okay. Semicolon to close the statement. Close the function. And here we go. Return. Okay. This is what it's going to do. It's going to return all the news items from CBS News. But this is using JavaScript. Let's do one more. Let's do one more, which is pretty nice. Which is going to be function. Okay. Let's see if we can get everything. Can we also do other manglings using JavaScript as well too? Sure. Why not? How about this one? This. Okay. Return. This. Dot. Text. Dot. We can do a regular expression. Question matching. Okay. What we're going to search for is Apple. What is this going to do? It's going to search for all the news, hey. All 4,000 plus records. Anything that has the word Apple in them. Okay. Let's do some even more great ideas thing. We can also do this. Function. While. One. Print. More. Actually, I'm going to point out what this is going to do. Did I close? No. I'm missing one more. All right. Going. It's going. But I'm going to stop this. You don't need this anymore. But what I can show you is this. SSH into the box. Okay. Probably going to get a password error. Oh, I didn't. Okay. cd /var/log. Okay. cd mongodb. Take a look at what I just did in the mangled logs. Okay. And more. MongoDB log. I don't like this. How about this one? How about tail? That was from, you know, this is one byproduct of using, well, what you can do with, well, if your query is based on, if your injection is a JavaScript function. Now, I only got 20 minutes for this whole talk. I just have not even mentioned what if you do this instead of PHP, if you use something like, of course, Node.js and Express. Okay. Now, let's go back to the schema attacks. How about this one? I like this. I got to show you this. So right now, the server is at 19%. 
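The mechanism behind the search-by-handle demo above, written out as an added example that is not the speaker's code: a simplified stand-in for PHP's square-bracket query parsing shows how a request parameter becomes an operator document, the unsafe filter mirrors the vulnerable find line from the demo, and the hardened filter refuses anything but a plain string. The parameter name search and the field screen_name are assumptions that follow the demo.

```python
# Added example (not from the talk): PHP-style bracket parameters turning a
# plain equality filter into a Mongo operator filter, and the type check
# that stops it.  The parser is a simplified stand-in for PHP's behaviour.
import re
from urllib.parse import parse_qsl

KEY_RE = re.compile(r'^([^\[]+)((?:\[[^\]]*\])*)$')

def php_parse_query(qs):
    """Simplified PHP-style parsing: a[b]=1 -> {'a': {'b': '1'}}."""
    out = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        m = KEY_RE.match(key)
        path = ([m.group(1)] + re.findall(r'\[([^\]]*)\]', m.group(2))) if m else [key]
        node = out
        for part in path[:-1]:
            node = node.setdefault(part, {})
        node[path[-1]] = value
    return out

def build_filter_unsafe(params):
    """Mirrors the vulnerable line in the demo: the raw request value is used
    as the screen_name filter, so {'$ne': ...} reaches Mongo as an operator."""
    return {'screen_name': params.get('search')}

def contains_operator(value):
    """True if any key at any depth starts with '$' (a Mongo operator)."""
    if isinstance(value, dict):
        return any(k.startswith('$') or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False

def build_filter_safe(params):
    """Hardened form: accept only a plain string, never an array or operator."""
    value = params.get('search')
    if not isinstance(value, str):
        raise ValueError('screen_name must be a plain string, got %r' % (value,))
    return {'screen_name': value}

if __name__ == '__main__':
    # Constructed sample requests: the normal query and the $ne variant.
    for qs in ('search=CBS News', 'search[$ne]=CBS News'):
        filt = build_filter_unsafe(php_parse_query(qs))
        print(qs, '->', filt, '| operator injected:', contains_operator(filt))
```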
But what if, what if, if I run the script that I created using Ruby. Okay. One of the nice byproducts. Okay. One of the nice byproducts of all of this, of schema attack, you know, of this whole dynamic model. Okay. What it's going to do is I'm going to open up a word list of, a word list file. Okay. And it's going to create a brand new database for each and every word in this file. One nice byproduct is you can exhaust the system resources on the server. Take up 100% of the space. Okay. So if you take a look. Now, not yet. Okay. We'll let this thing run. Let this thing run. Okay. All right. Heterogeneous problems. Now, how many NoSQL databases are there? This many. Okay. Too many to name. Now, the big problem is different database systems, different systems. You're also dealing with different sets of terminology. For example, Mongo. The whole idea of a table is a collection. And the whole idea of a record is a document. It's completely different in Cassandra. Redis is just key-value pairs. Okay. And how about the results? I know different systems, like for example, CouchDB, they support different sets of outputs as well too. Outputs that you can use JSON and even binary JSON. So what does that have to do with anything security? We have this problem. This infers this problem known as complexity. Okay. Now, in order to really understand the problem with NoSQL, you got to read each and every documentation individually because different systems, different features, different inputs, different outputs. Look, even MongoDB, some vendor-specific items. MongoDB. MongoDB is actually bound to all the interfaces when you take it out of the box. You can actually take a look at, you know, some really cool start-up data, such as process information in this local collection. Okay. In CouchDB, HTTP is actually opened by default. All right. So how do you actually protect yourself from... So what does this all mean? I mean, how do you secure NoSQL databases? 
I hate to use this term known as defense in depth because it's really overused. But the problem is it relies on the full perimeter. Okay. The full perimeter security is really, really, really important. Okay. Configuration, if you want to make NoSQL databases work right, configuration is very important. You just can't take it out of the box and expect to use it right away. And this whole idea of validation becomes very important. Not only are you validating inputs now. You also have to... You also have more things to validate in terms of inputs, including JavaScript functions. Hey, for output, you also have to validate the binary JSON and JSON as well too. So validation becomes even more critical this time. Okay. So what does this all mean? Look, back in the good old days, the only good... The only games in town were, what, Oracle, MySQL. You can build any application using that thing now. But now, okay, those are not the only games in town and you have systems such as Mongo, Redis, Couch. You got to use the right database for the right job, for the right application. Okay. Yeah. So not only do you... Okay. So you can't just assume that SQL injection has gone away. In fact, there are many, many more opportunities depending on what database system you choose. But the thing that really, really bugged the living hell out of me are these things. Right now, NoSQL databases are completely brand new, but we have a problem right now with A, we have technologies completely deployed naively. They're just out there. I mean, people just say, especially if you believe in the hands of the developers, they just assume, okay, we're not going to get hit. We're just going to put it out there and use... No, that's not the way how it works. So now you have the technologies being deployed naively. And one last thing, a lot of people use NoSQL databases. I think the word on the street is so we can get away from this whole idea of database administration. 
Well, the DBA, the death of the DBA has been greatly, greatly exaggerated because now they have even more... There are even more opportunities out there. You just have to read the documentation for what this database system would support. Okay. So those are my points. And that's all that I have. But let's see if this thing actually just ran. Nope, still running. Still running. Still running. I don't know what happened to it. But what it would do, this thing would exhaust 100% of the disk space on the server that I have. So that's all I got. Okay. Thank you guys so much. Thanks a lot.