No SQL, No Injection? Examining NoSQL Security
Aviv Ron, Alexandra Shulman-Peleg, Emanuel Bronshtein

TL;DR
This paper investigates the security vulnerabilities of NoSQL databases, demonstrating that despite differences from SQL systems, they remain susceptible to injection and CSRF attacks, highlighting the need for improved security measures.
Contribution
It provides an analysis of NoSQL security vulnerabilities, introduces attack techniques, and discusses mitigation strategies, emphasizing the gap in security awareness compared to traditional databases.
Findings
NoSQL databases are vulnerable to injection and CSRF attacks.
Existing security measures for NoSQL are insufficient and underdeveloped.
Awareness of NoSQL security issues is still lacking in the community.
Abstract
NoSQL data storage systems have become very popular due to their scalability and ease of use. This paper examines the maturity of security measures for NoSQL databases, addressing their new query and access mechanisms. For example, the emergence of new query formats makes the old SQL injection techniques irrelevant, but are NoSQL databases immune to injection in general? The answer is NO. Here we present a few techniques for attacking NoSQL databases such as injections and CSRF. We analyze the source of these vulnerabilities and present methodologies to mitigate the attacks. We show that this new vibrant technological area lacks the security measures and awareness which have developed over the years in traditional RDBMS SQL systems.
Taxonomy
Topics: Cloud Data Security Solutions · Cloud Computing and Resource Management · Security and Verification in Computing
