SQL injection is one of the popular attack techniques, but it is not just in SQL (relational database) but also in NoSQL (non-SQL or also known as a non-relational database).
Do you know there are more than 100 NoSQL databases are available today?
Thanks to the open-source community.
Which one have you heard of?
MongoDB and Redis, probably! Yes, they are very popular.
NoSQL is not a new thing; it was first introduced in 1998 by Carlo Strozzi. But lately, it has gained a lot of popularity with its usage in modern applications. And why not. It is fast and solves some of the traditional relational database issues. There are differences between SQL and NoSQL.
If you are using a NoSQL database such as MongoDB and unsure if they are good for production, don’t expose vulnerabilities, misconfiguration, etc.. The following tools can help you find.
NoSQLMap is an open-source tiny utility based on Python, capable of auditing for finding misconfiguration and automating injection attacks. It supports the following databases at the moment.
To install NoSQLMap, you need Git, Python, and Setuptools module, which you can install below on Ubuntu.
apt-get install python apt-get install python-setuptools
Once Python is installed, then following to install NoSQLMAP.
git clone https://github.com/codingo/NoSQLMap.git python setup.py install
Once done, you can execute
./nosqlmap.py from the GIT cloned directory, which will prompt like below.
_ _ ___ ___ _ __ __ | \| |___/ __|/ _ \| | | \/ |__ _ _ __ | .` / _ \__ \ (_) | |__| |\/| / _` | '_ \ |_|\_\___/___/\__\_\____|_| |_\__,_| .__/ v0.7 firstname.lastname@example.org |_| 1-Set options 2-NoSQL DB Access Attacks 3-NoSQL Web App attacks 4-Scan for Anonymous MongoDB Access 5-Change Platform (Current: MongoDB) x-Exit Select an option:
You need to set the target by going to option 1 before testing. Check out below demo tutorial.
As you can guess by the name, it is specific for MongoDB. Mongoaudit is good for performing pentest to find a bug, misconfiguration, and potential risks. It checks against many best practices, including the following.
- If MongoDB is running on the default port and the HTTP interface is enabled
- If secured with TLS, Authentication
- Authentication method
- CRUD operations
Installing Mongoaudit is easy. You can use the
pip install mongoaudit
Once installed, execute
mongoaudit command to run the scan. You will be prompted to select the scan level and enter MongoDB listener details.
Whatever tool you use to run a security scan against NoSQL databases, remember to be responsible. You got to ensure you are running against your own database instance or authorized to run the test. If you often work on NoSQL, you may be interested in exploring these clients to manage better productivity.
And check out this article to find SQL injection vulnerability in a relational database.