Injection is a common attack technique that affects not only SQL (relational) databases but also NoSQL (also known as non-SQL or non-relational) databases. In the NoSQL case the attacker injects the database's own query operators or code rather than SQL syntax, so SQL-specific defences do not cover it.
Did you know that there are over 100 NoSQL databases available today, thanks largely to the open source community?
Which ones have you heard of? Probably MongoDB and Redis. Yes, they are very popular.
NoSQL is not new. It was first introduced by Carlo Strozzi in 1998. But recently it has become very popular due to its use in modern applications. And why not? It is fast and solves some of the problems of traditional relational databases. There are differences between SQL and NoSQL.
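To make concrete what "injection" means against a document store, here is an added example in JavaScript (not code from the original article, nor from NoSQLMap or Mongoaudit). It models a MongoDB-style login query with a small in-memory matcher that understands the $ne, $gt, $regex and $in operators, shows a login that passes a parsed JSON body straight into the filter, and then shows two defences. The user records and request bodies are constructed for the example.

```javascript
// Added example, not code from the original article or from NoSQLMap/Mongoaudit.
// A tiny model of MongoDB-style filter matching, enough to show how operator
// injection works and how to block it. The collection below is constructed.
const users = [
  { username: 'alice', password: 'hunter2' },
  { username: 'bob',   password: 'letmein' },
  { username: 'admin', password: 'correct horse battery staple' },
];

// An object whose keys all start with '$' is treated as a set of query operators,
// as MongoDB does; anything else is compared as a literal value.
function isOperatorObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v)
    && Object.keys(v).length > 0 && Object.keys(v).every(k => k.startsWith('$'));
}

function matchesValue(actual, expected) {
  if (isOperatorObject(expected)) {
    return Object.entries(expected).every(([op, arg]) => {
      switch (op) {
        case '$ne':    return actual !== arg;
        case '$gt':    return actual > arg;
        case '$regex': return new RegExp(arg).test(String(actual));
        case '$in':    return Array.isArray(arg) && arg.includes(actual);
        default: throw new Error(`operator ${op} not modelled here`);
      }
    });
  }
  // Literal match; structural comparison via JSON is good enough for this model.
  return JSON.stringify(actual) === JSON.stringify(expected);
}

function find(collection, filter) {
  return collection.filter(doc =>
    Object.entries(filter).every(([field, expected]) => matchesValue(doc[field], expected)));
}

// Vulnerable login: the parsed JSON body (what a body parser such as Express's
// express.json() hands you) goes straight into the filter, so an attacker who
// sends {"username":{"$ne":""},"password":{"$ne":""}} matches every user.
function loginVulnerable(body) {
  const hits = find(users, { username: body.username, password: body.password });
  return hits.length > 0 ? hits[0].username : null;
}

// Hardened login: fields that must be literal values are only accepted as strings.
// Operator objects, arrays and numbers are refused before any query is built.
function loginHardened(body) {
  if (typeof body.username !== 'string' || typeof body.password !== 'string') return null;
  const hits = find(users, { username: body.username, password: body.password });
  return hits.length > 0 ? hits[0].username : null;
}

// Second line of defence for inputs that legitimately contain nested objects:
// drop every key that starts with '$' (the approach express-mongo-sanitize takes).
function stripOperators(value) {
  if (Array.isArray(value)) return value.map(stripOperators);
  if (value !== null && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value)
        .filter(([k]) => !k.startsWith('$'))
        .map(([k, v]) => [k, stripOperators(v)]));
  }
  return value;
}

// Constructed request bodies: a normal login, the classic operator-injection
// payload, and a $regex payload that lets an attacker recover a password by prefix.
const legitBody    = JSON.parse('{"username":"alice","password":"hunter2"}');
const injectedBody = JSON.parse('{"username":{"$ne":""},"password":{"$ne":""}}');
const regexBody    = JSON.parse('{"username":"admin","password":{"$regex":"^c"}}');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(loginVulnerable(legitBody));                    // alice
  console.log(loginVulnerable(injectedBody));                 // alice: every user matched
  console.log(loginVulnerable(regexBody));                    // admin: password prefix confirmed
  console.log(loginHardened(injectedBody));                   // null
  console.log(loginVulnerable(stripOperators(injectedBody))); // null: {} is no longer an operator
}
```

The $ne payload is the kind of thing tools like NoSQLMap automate against web applications; the $regex variant shows why a login that only reveals "some document matched" can still be used to extract a password one character at a time. Stripping $-prefixed keys is a fallback rather than the primary control: it turns the attacker's operator object into an empty object, which no longer matches anything here, but type-checking each field before the query is built is the check to rely on.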
If you are using a NoSQL database like MongoDB and are not sure whether it is ready for production, make sure it is not exposing vulnerabilities, misconfigurations, and the like. The following tools will help you find them.

NoSQLMap
NoSQLMap is a small open source utility written in Python that audits NoSQL databases for misconfigurations and automates injection attacks. It currently supports the following databases:
- MongoDB
- CouchDB
- Redis
- Cassandra
Installing NoSQLMap requires Git, Python, and the Setuptools module. NoSQLMap is a Python 2.7 tool, so use a Python 2 interpreter. On Ubuntu the dependencies can be installed with:

apt-get install python
apt-get install python-setuptools

Once Python is installed, clone the repository and install NoSQLMap from inside the clone:

git clone https://github.com/codingo/NoSQLMap.git
cd NoSQLMap
python setup.py install

Once that completes, run ./nosqlmap.py from the Git clone directory and you will see a prompt similar to the one below.
NoSQLMap v0.7 (codingo@protonmail.com)
1-Set options
2-NoSQL DB Access Attacks
3-NoSQL Web App attacks
4-Scan for Anonymous MongoDB Access
5-Change Platform (Current: MongoDB)
x-Exit
Select an option:

Before testing, go to option 1 and set the target.

Mongoaudit
As you might guess from the name, Mongoaudit is MongoDB specific. It is a good tool for running penetration tests to find bugs, misconfigurations, and potential risks. It checks the instance against many best practices, including:
- Whether MongoDB is listening on the default port and whether the HTTP interface is enabled
- Whether authentication is enabled and connections are secured with TLS
- Which authentication method is in use
- Whether the roles granted to the user are limited to CRUD operations
Installing Mongoaudit is easy. You can use the pip command:

pip install mongoaudit

Once installed, run the mongoaudit command to perform a scan. You will be prompted to select a scan level and enter your MongoDB listener details.
Whatever tools you use to perform security scans on NoSQL databases, do so responsibly. You need to make sure that you are running against your own database instance or that you are allowed to run the test. If you frequently work with NoSQL, you may be interested in considering these clients to improve your productivity.
Also, check out this article to find SQL injection vulnerabilities in relational databases.