Geekflare
Geekflare is supported by our audience. We may earn affiliate commissions from buying links on this site.
By Chandan Kumar in Database  |  Last updated: October 29, 2022
Share on:

How to Audit NoSQL for Security Vulnerabilities?

nosql clients
Invicti Web Application Security Scanner – the only solution that delivers automatic verification of vulnerabilities with Proof-Based Scanning™.

SQL injection is one of the popular attack techniques, but it is not just in SQL (relational database) but also in NoSQL (non-SQL or also known as a non-relational database).

Do you know there are more than 100 NoSQL databases are available today?

Thanks to the open-source community.

Which one have you heard of?

MongoDB and Redis, probably! Yes, they are very popular.

NoSQL is not a new thing; it was first introduced in 1998 by Carlo Strozzi. But lately, it has gained a lot of popularity with its usage in modern applications. And why not. It is fast and solves some of the traditional relational database issues. There are differences between SQL and NoSQL.

If you are using a NoSQL database such as MongoDB and unsure if they are good for production, don’t expose vulnerabilities, misconfiguration, etc.. The following tools can help you find.

NoSQLMap

NoSQLMap is an open-source tiny utility based on Python, capable of auditing for finding misconfiguration and automating injection attacks. It supports the following databases at the moment.

  • MongoDB
  • CouchDB
  • Redis
  • Cassandra

To install NoSQLMap, you need Git, Python, and Setuptools module, which you can install below on Ubuntu.

apt-get install python
apt-get install python-setuptools

Once Python is installed, then following to install NoSQLMAP.

git clone https://github.com/codingo/NoSQLMap.git
python setup.py install

Once done, you can execute ./nosqlmap.py from the GIT cloned directory, which will prompt like below.

_  _     ___  ___  _    __  __           
| \| |___/ __|/ _ \| |  |  \/  |__ _ _ __ 
| .` / _ \__ \ (_) | |__| |\/| / _` | '_ \
|_|\_\___/___/\__\_\____|_|  |_\__,_| .__/
 v0.7 codingo@protonmail.com        |_|   


1-Set options
2-NoSQL DB Access Attacks
3-NoSQL Web App attacks
4-Scan for Anonymous MongoDB Access
5-Change Platform (Current: MongoDB)
x-Exit
Select an option:

You need to set the target by going to option 1 before testing. Check out below demo tutorial.

YouTube video

Mongoaudit

As you can guess by the name, it is specific for MongoDB. Mongoaudit is good for performing pentest to find a bug, misconfiguration, and potential risks. It checks against many best practices, including the following.

  • If MongoDB is running on the default port and the HTTP interface is enabled
  • If secured with TLS, Authentication
  • Authentication method
  • CRUD operations

Installing Mongoaudit is easy. You can use the pip command.

pip install mongoaudit

Once installed, execute mongoaudit command to run the scan. You will be prompted to select the scan level and enter MongoDB listener details.

Whatever tool you use to run a security scan against NoSQL databases, remember to be responsible. You got to ensure you are running against your own database instance or authorized to run the test. If you often work on NoSQL, you may be interested in exploring these clients to manage better productivity.

And check out this article to find SQL injection vulnerability in a relational database.

Tagged as
Thanks to our Sponsors
More great readings on Database
Power Your Business
Some of the tools and services to help your business grow.
  • Invicti
    Invicti uses the Proof-Based Scanning™ to automatically verify the identified vulnerabilities and generate actionable results within just hours.
    Try Invicti
  • Brightdata
    Web scraping, residential proxy, proxy manager, web unlocker, search engine crawler, and all you need to collect web data.
    Try Brightdata
  • Semrush
    Semrush is an all-in-one digital marketing solution with more than 50 tools in SEO, social media, and content marketing.
    Try Semrush
  • Intruder
    Intruder is an online vulnerability scanner that finds cyber security weaknesses in your infrastructure, to avoid costly data breaches.
    Try Intruder