 

Security in the Cloud (Cyber)Security for Software Engineers

 

 

 


 

Nosql injection

 

Thanks to Botify (SEO expertise) for hosting us next Wednesday, 26 Sept, at 22 Rue Royale 75008.

2 talks on the programme:

19h30 - Jean-Baptiste Barth (Botify) - Centralizing security policies with an API gateway

20h00 - Vladimir de Turckheim (Sqreen) - Applicative DOS through NoSQL injection

 

Here is the transcript, which is an SEO-oriented article written in English!

 

  


19h30 - Jean-Baptiste Barth (Botify) - Centralizing security policies with an API gateway

Jean-Baptiste Barth, infrastructure lead. Botify is a company that produces SEO tools for big players in the industry: Expedia, eBay...

 

github.com/botify-labs

 

We started with a majestic monolith, which was written in Python with Django. Beautiful, but ridiculous, because we needed to add HTTPS, we needed maintenance pages, and we added a big administration panel. All those features were developed in Django.

 

A few months later, we needed to scale and to put HTTPS on the Amazon load balancer, with a WAF (Web Application Firewall).

 

So we read articles about microservices, with Go and with Scala, which has authentication. We learned Go too. As an internal tool, we set up Jenkins.

 

So, how to do micro services?

 

We started to do this with Apache/Nginx and specific modules, but it was difficult.

 

So we came to Kong!

 

Kong, an open source / Enterprise API Gateway

 

With different APIs: it's an API gateway, it's not just an IP, and it's based on OpenResty. Cassandra or Postgres is used for configuration persistence.

But what is Kong?

Various APIs to manage: services, routes, consumers, plugins, certificates...

A service is an API or web application which you want to expose.

A route is a way to tell Kong where a request should go.

The plugin concept: everything in Kong is a plugin, which keeps things easy.

The goal is to have Kong between the load balancer and the front end.

 

plugins in https://docs.konghq.com/hub/

 

Open source plugins: basic auth, JWT, rate limiting, CORS, SSL, IP restriction, ACL, AWS Lambda...

 

We package it as a Docker image.

 

luarocks make and go!

 

Sample architecture of Kong

 

When using Kong, there are 2 services: the public-facing proxy (port 80) and an admin service on another port (8001), which is not exposed to the internet, only to the administrators.

 

We can add a service with just a POST request using curl:

curl -X POST ...

 

Same thing to add route:

 

curl -X POST http://kong-admin:8001/services/kong-demo/routes

...

...

 

 

Demo:

Request GET

admin interface and user interface exposed to the web

kong-admin:8001

server kong/0.13.1

 

kong-demo.botify.com

kong-proxy

Plugin creation:

./plugin-create-external-oauth

 

So, Kong: the community answers very fast if you need help, and LuaJIT is fast. Lua is a nice investment, a really simple language.

But the Lua ecosystem is small and fragmented.

Plugins vary in quality: beware of security holes.

 

Other, equivalent API gateways: AWS API Gateway, Tyk, HAProxy, Nginx/OpenResty... Or build your own, but it's not recommended ;-)

 

  


NoSQL injection

20h00 - Vladimir de Turckheim (Sqreen) - Applicative DOS through NoSQL injection

 

DoS stands for denial of service: a threat that can freeze a website. We also see on this page that SQL injection is one of the top threats on the web.

The real name of the talk is "How to find exploits just by reading the doc"

We'll talk about MongoDB

Lead Node.JS Engineer at Sqreen

Securing NodeJS? ping vladimir!

From SQL to NoSQL injections

Because SQL injections are dead...

select * from items where ID=1 OR TRUE ;

We can add a UNION query and get information from other tables, for example:

select * from items where item

SQLi hall of shame:

Drupal, World trade organization, Symantec, Equifax, Facebook, Instagram

https://codecurmugdgeon.com/wp/

In MongoDB, database operations are performed through an API; that's the major difference from MySQL, PostgreSQL...

It's like this:

db.items.find(queryObject)

db = current database object

items = collection

find= method

queryObject = an object that describes the query

What is a MongoDB injection in practice?

app.post('/documents/find',(req,res)=>{

const query = {type: req.body.desiredType}

...

});

req.body = {desiredType: {$ne: 0}}

This works because Node.js developers don't verify data received in JSON format, unless they use a framework that helps them do that.

Denial of service is a class of attack that is successful when users can't access the application. Examples: abusing TCP or HTTP, LOIC (Low Orbit Ion Cannon) as used by Anonymous...

Now we are talking about application-level DoS. In JavaScript, all the code runs in the main thread: it is single-threaded.

The official MongoDB documentation describes a connection pool, with a poolsize parameter. Can we exhaust the pool? YES!

First, there is the $where operator, which takes a string as a parameter; that string is executed in the database. It is run against the collection: if there are 100000 objects, the query will run on ALL OBJECTS! And there is the sleep() method, which gives a very, very slow MongoDB query.

Demo: ab together with curl

ab launches HTTP requests against the server.

During the benchmark we send legitimate traffic with curl, which represents the user.

url: /dogs?$where=sleep(1)

query {$where:'sleep(1)'}

It's an applicative denial of service! 

How do you protect yourself?

Should we expand the pool size? No.

Validate what gets inside your application: never trust what users do!
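The two payloads from the talk, run through input validation, as an added example that is not code from the talk or from Sqreen; the helper names, the `breed` field and the sample inputs are assumptions made for illustration.

```javascript
// Added example; helper names and sample inputs are hypothetical.

// Vulnerable pattern from the talk: the request value goes straight into the query.
function buildQueryUnsafe(body) {
  return { type: body.desiredType };
}

// Returns the path of the first key starting with '$' (a MongoDB operator), or null.
function findOperatorKey(value, path = '') {
  if (value === null || typeof value !== 'object') return null;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (key.startsWith('$')) return here;
    const nested = findOperatorKey(value[key], here);
    if (nested) return nested;
  }
  return null;
}

// Hardened builder: the field must be a string, so no operator object reaches find().
function buildQuerySafe(body) {
  if (typeof body.desiredType !== 'string') {
    throw new TypeError('desiredType must be a string');
  }
  return { type: body.desiredType };
}

// Hardened filter for query strings: only allow-listed field names are copied,
// so a top-level $where never becomes part of the filter.
function filterFromQueryString(url, allowedFields) {
  const params = new URL(url, 'http://localhost').searchParams;
  const filter = {};
  for (const [key, val] of params) {
    if (allowedFields.includes(key)) filter[key] = val;
  }
  return filter;
}

// Constructed inputs matching the two payloads shown above.
const neBody = JSON.parse('{"desiredType": {"$ne": 0}}');
const whereUrl = '/dogs?breed=corgi&$where=sleep(1)';

console.log(findOperatorKey(buildQueryUnsafe(neBody)));
console.log(filterFromQueryString(whereUrl, ['breed']));
```

If the application never needs `$where`, server-side JavaScript can also be switched off in mongod with `security.javascriptEnabled: false`.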

More information about pentesting MongoDB:

https://www.sqreen.io/plugins/mongodb-injection

 

  


 

 

This transcript reflects only the opinion of its authors and does not commit Consultingit in any way.

