AppSec USA 2017 has ended
Back To Schedule
Friday, September 22 • 2:30pm - 3:15pm
NoSQL Is Not NoVulnerable

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.

SQL Injection has long been a common dangerous vulnerability found in many web applications. But many modern web applications forgo the use of SQL in favor of more modern databases commonly referred to as “NoSQL” databases. These databases don’t just use different storage engines, but also provide different query language. Some of the limitations imposed by the query language make traditional injection attacks less likely. But with different query languages and probably even more importantly different more complex datatypes come new classes of vulnerabilities which in the end can be as dangerous and exploitable as SQL injection. In addition, many of these new databases lack some of the more granular security and access controls developers are accustomed to from traditional SQL databases. In this talk, we will survey popular NoSQL databases to compare different threats an application may be exposed to by using these databases. We will also demonstrate some new attacks that instead of focusing on injection of query language commands take advantage of new complex data types like JSON and how they can be manipulated to bypass application level access controls to access or manipulate data.

avatar for Johannes Ullrich

Johannes Ullrich

Dean of Research and a faculty member, SANS Technology Institute
Johannes Ullrich, dean of research at the SANS Technology Institute, is currently responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. His research interests include IPv6, network traffic analysis and secure software development. In 2004, Network World named... Read More →

Friday September 22, 2017 2:30pm - 3:15pm EDT
Coronado L