💉 How to audit NoSQL for vulnerabilities?

SQL injection is one of the most widely used attack techniques, and it is not limited to SQL (relational) databases: NoSQL (non-relational) databases can be injected in much the same way.
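To make the point concrete, here is an added example (not code from the original article) of what injection looks like against MongoDB, the database the article's tools target. A login handler that drops decoded JSON straight into a filter document is compared with a hardened version, and a small input check flags the operator-shaped values that NoSQL injection scanners probe for. The request bodies are constructed; no database is needed to run it.

```python
"""Detecting and blocking MongoDB operator injection in user-supplied filter values.

Added example: a web login handler receives a JSON body and turns it into a
MongoDB filter document. The request bodies below are constructed samples.
"""
import json


class UnsafeFilterValue(ValueError):
    """Raised when user input contains something MongoDB would treat as an operator."""


def reject_operators(value, path="input"):
    """Walk a decoded JSON value and refuse any key MongoDB could interpret.

    Keys beginning with '$' are query operators ($ne, $gt, $regex, $where, ...)
    and keys containing '.' address nested fields. Neither belongs in data a
    user typed into a form field, so both are rejected at any nesting depth.
    """
    if isinstance(value, dict):
        for key, child in value.items():
            if not isinstance(key, str) or key.startswith("$") or "." in key:
                raise UnsafeFilterValue(f"{path}.{key}: operator or dotted key in user input")
            reject_operators(child, f"{path}.{key}")
    elif isinstance(value, list):
        for index, child in enumerate(value):
            reject_operators(child, f"{path}[{index}]")
    return value


def is_safe_input(value):
    """Boolean wrapper around reject_operators for callers that prefer a flag."""
    try:
        reject_operators(value)
        return True
    except UnsafeFilterValue:
        return False


def login_filter_unsafe(body):
    """Vulnerable pattern: whatever JSON the client sent becomes the filter.

    If body["username"] is an object instead of a string, that object is passed
    to MongoDB as-is and changes the meaning of the query (the NoSQL analogue
    of an unparameterised SQL string).
    """
    return {"username": body["username"], "password": body["password"]}


def login_filter_safe(body):
    """Hardened pattern: enforce the expected scalar type and look up by username only.

    The password never goes into the filter; the handler fetches the user
    document and verifies the stored password hash in application code.
    """
    username = body.get("username")
    if not isinstance(username, str):
        raise UnsafeFilterValue("username must be a string")
    return {"username": username}


def filter_is_scalar_only(query):
    """True when every value in the filter is a plain scalar (no operator documents)."""
    return all(not isinstance(v, (dict, list)) for v in query.values())


# Constructed request bodies, as a JSON web framework would decode them.
NORMAL_BODY = json.loads('{"username": "alice", "password": "s3cret"}')
# Operator object in place of a string: the shape injection scanners test for.
OPERATOR_BODY = json.loads('{"username": {"$ne": ""}, "password": {"$ne": ""}}')


def demo():
    """Summarise how each builder and the input check treat the operator body."""
    results = {
        "unsafe_scalar_only": filter_is_scalar_only(login_filter_unsafe(OPERATOR_BODY)),
        "sanitizer_flagged": not is_safe_input(OPERATOR_BODY),
    }
    try:
        login_filter_safe(OPERATOR_BODY)
        results["safe_accepted"] = True
    except UnsafeFilterValue:
        results["safe_accepted"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The type check in `login_filter_safe` is the fix that matters: a filter built only from values the code has confirmed are strings cannot carry operators. `reject_operators` is the belt-and-braces version for endpoints that legitimately accept nested documents, where a type check on one field is not enough.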

Did you know that there are over 100 NoSQL databases available today?

Thanks to the open source community.

Which one have you heard of?

Probably MongoDB and Redis!

Yes, they are very popular.

NoSQL is not new: it was first introduced in 1998 by Carlo Strozzi. It has gained a lot of popularity recently thanks to its use in modern applications, and with good reason: NoSQL databases are fast and solve some of the traditional problems of relational databases. There are differences between SQL and NoSQL; you can find out more here:

👥 SQL or NoSQL – which one to use for the next project?

If you are using a NoSQL database such as MongoDB and are not sure whether it is ready for production, the following tools can help you find vulnerabilities, misconfigurations and similar issues.

NoSQLMap

NoSQLMap is a tiny open source Python-based utility capable of auditing for misconfiguration and automating injection attacks.

It currently supports the following databases.

  • MongoDB
  • CouchDB
  • Redis
  • Cassandra

To install NoSQLMap you need Git, Python and Setuptools; on Ubuntu you can install them as follows.

apt-get install python
apt-get install python-setuptools

After installing Python, clone the repository and install NoSQLMap:

git clone https://github.com/codingo/NoSQLMap.git
python setup.py install

After that you can run ./nosqlmap.py from the cloned Git directory:

_  _     ___  ___  _    __  __
| | |___/ __|/ _ | |  |  /  |__ _ _ __
| .` / _ __  (_) | |__| |/| / _` | '_ 
|_|____/___/_______|_|  |___,_| .__/
 v0.7 [email protected]        |_|


1-Set options
2-NoSQL DB Access Attacks
3-NoSQL Web App attacks
4-Scan for Anonymous MongoDB Access
5-Change Platform (Current: MongoDB)
x-Exit
Select an option:

Before testing, set the target by going to option 1 (Set options).

Mongoaudit

As the name suggests, Mongoaudit is MongoDB-specific. It is good for performing a penetration test to find bugs, misconfigurations and potential risks, and it checks the instance against many best practices, including the following.

  • Whether MongoDB is running on the default port and whether the HTTP interface is enabled
  • Whether the database is secured with TLS and authentication
  • Which authentication method is in use
  • CRUD operations
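The same classes of weakness can be checked statically in a mongod.conf before the server is ever exposed. The following is an added example, not Mongoaudit's code: it reads the YAML-style mongod.conf with a tiny indentation-based parser (so it runs without PyYAML) and flags the default port, an all-interfaces bind, the legacy HTTP interface, TLS not being required, and access control being off. The option names (net.port, net.bindIp, net.http.enabled, net.tls.mode, security.authorization) are documented mongod settings; both sample configs are constructed.

```python
"""Static check of a mongod.conf for the weaknesses Mongoaudit probes at runtime.

Added example (not part of Mongoaudit). Only the nested 'key: value' mapping
subset of mongod.conf is parsed, which covers the settings checked here.
"""

DEFAULT_PORT = "27017"


def parse_mongod_conf(text):
    """Parse indentation-nested 'key: value' lines into nested dicts."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # dedent: close finished mappings
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip('"')
        if value == "":  # 'key:' with nothing after it opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def _lookup(cfg, dotted, default=None):
    """Fetch a dotted setting such as 'net.tls.mode', or the default if absent."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit_mongod_conf(cfg):
    """Return (setting, finding) pairs for weak or default settings."""
    findings = []

    # Default port: trivially discoverable, so worth noting even if not a flaw by itself.
    if str(_lookup(cfg, "net.port", DEFAULT_PORT)) == DEFAULT_PORT:
        findings.append(("net.port", "listening on the default port 27017"))

    # bindIp: mongod defaults to localhost; 0.0.0.0 exposes it to anonymous-access scans.
    bind_ip = str(_lookup(cfg, "net.bindIp", "127.0.0.1"))
    if any(ip.strip() in ("0.0.0.0", "::") for ip in bind_ip.split(",")):
        findings.append(("net.bindIp", "bound to all interfaces"))

    # Legacy HTTP status interface (net.http.enabled, removed in newer releases).
    if str(_lookup(cfg, "net.http.enabled", "false")).lower() == "true":
        findings.append(("net.http.enabled", "HTTP interface enabled"))

    # TLS: anything other than requireTLS still accepts plaintext connections.
    tls_mode = _lookup(cfg, "net.tls.mode", "disabled")
    if tls_mode != "requireTLS":
        findings.append(("net.tls.mode", f"TLS not required (mode={tls_mode})"))

    # Authentication: with authorization off, every client acts as a superuser.
    if _lookup(cfg, "security.authorization", "disabled") != "enabled":
        findings.append(("security.authorization", "access control disabled"))

    return findings


# Constructed sample: an out-of-the-box style configuration.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # reachable from every interface
"""

# Constructed sample: the same server hardened.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27117
  bindIp: 127.0.0.1,10.0.0.5
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
security:
  authorization: enabled
"""


def weak_settings(conf_text):
    """Names of the settings flagged in a configuration text."""
    return [setting for setting, _ in audit_mongod_conf(parse_mongod_conf(conf_text))]


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(parse_mongod_conf(text)))
```

A static check of this kind complements a runtime scan rather than replacing it: it cannot see what the running process actually accepted on the wire, which is exactly what Mongoaudit's live checks establish.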

Installing Mongoaudit is very easy with pip:

pip install mongoaudit

After installation, run the mongoaudit command to start scanning. You will be prompted to select a scan level and enter your MongoDB connection details.


Whatever tool you use to scan NoSQL databases for security issues, remember to be responsible: make sure you are working against your own database instance or that you are authorized to run the test. And check out this article on finding SQL injection vulnerabilities in relational databases: 💉 What is SQL injection and how to prevent it in PHP applications
