You thought SQL injection was bad? Schema injection coming to a NoSQL site near you

Let’s nip this problem in the butt!

SQL injections are the number one security vulnerability according to OWASP. Playing with MongoDB lately, I’m getting scared, because I’m seeing some really bad practices out there. Seeing it in live code. In tutorials. And we need to make people aware of it. And put a stop to it NOW.

It’s bad enough that the average developer is completely oblivious to SQL Injection. But now with schema-less databases like MongoDB out there, expect to see something new. Schema injection.

Take a look at this Lithium Blog Tutorial. Is building a blog this way safe? Is traditional SQL Injection possible?

Probably not. I’m sure Lithium is binding parameters in that example. Therefore typical injection is not possible. However, we’re not done! How about Schema Validation???

Do you really want to let hackers easily inject columns into your database? They can add 1000 columns with any data they want!

It’s true that MongoDB makes some things easier on developers. But there are some steps you shouldn’t skip just because it’s easy.

In the case of Lithium, you can secure your data by putting your field list in the model under $_schema and locking it in the $_meta attribute.

Mongo and Lithium are a great combination. But it’s on YOU the developer to use those tools properly.

Feel free to add columns to your production NoSQL database. That’s the good part of “no schema”. But you still need to add those columns to your code and make sure not to do inserts on unchecked columns.
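Here is the same idea in plain JavaScript, as an added example that is not part of the original post and not Lithium’s code: the locked-schema check happens before the insert, so a request body carrying extra “columns” is trimmed down to the fields the model declares. The schema, the request body and the 1000 injected keys are all constructed for the example; nothing here talks to a real database.

```javascript
// Added example: whitelist fields against a declared schema before a NoSQL
// insert, the plain-JavaScript equivalent of a locked model schema.

// Hypothetical schema for a blog post: only these fields may be stored,
// each with the JavaScript type it must have.
const POST_SCHEMA = {
  title: 'string',
  body: 'string',
  published: 'boolean',
};

// Unlocked: whatever the client sent becomes the stored document.
// This is the behaviour the post warns about.
function buildDocumentUnlocked(input) {
  return { ...input };
}

// Locked: keep only schema fields of the declared type, drop everything
// else, and return the rejected names so the caller can log them.
function buildDocumentLocked(input, schema) {
  const doc = {};
  const rejected = [];
  for (const [key, value] of Object.entries(input)) {
    // hasOwnProperty so inherited names like "toString" never count as schema fields
    if (!Object.prototype.hasOwnProperty.call(schema, key)) {
      rejected.push(key);            // column not in the schema
    } else if (typeof value !== schema[key]) {
      rejected.push(key);            // right name, wrong type
    } else {
      doc[key] = value;
    }
  }
  return { doc, rejected };
}

// Constructed request body: three legitimate fields, one privilege-style
// field the model never declared, and 1000 junk columns.
const requestBody = { title: 'Hello', body: 'First post', published: true, isAdmin: true };
for (let i = 0; i < 1000; i++) requestBody['junk' + i] = 'x';

const unlocked = buildDocumentUnlocked(requestBody);
const locked = buildDocumentLocked(requestBody, POST_SCHEMA);
console.log('unlocked stores', Object.keys(unlocked).length, 'fields');   // 1004
console.log('locked stores', Object.keys(locked.doc).length, 'fields,',
            'rejected', locked.rejected.length);                           // 3, 1001
```

In the unlocked case every injected key lands in the collection; in the locked case the document contains exactly the three declared fields and the rejected list is what you would write to your logs.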

Spread the word.


5 responses to “You thought SQL injection was bad? Schema injection coming to a NoSQL site near you”

  1. Yes, bravo for raising awareness of this! Don’t believe the marketing of “it just works” — there ain’t no such thing as a free lunch. Developers still have responsibility to follow good practices.

    PS: “Nip this problem in the bud.” http://idioms.thefreedictionary.com/nip+in+the+bud

  2. Wow, very timely. I’m actually working on a mongo project right now. Thanks for the info Joe.

  3. Nice to know about this… scary though!

  4. Pingback: American Express (AMEX) fixes critical security vulnerability « NetSecurityIT

  5. Can someone please submit a talk about this next week for ConFoo? The average developer needs to hear this.
