NOSQL INJECTION IN APPS
Vietnam
WWW.DESIGNVELOPER.COM
1. INTRODUCTION
Hello! I am Son Leo
o At Designveloper for > 2 years
o Work with Meteor for > a year
You can find me at: @sonlexqt
Required: familiarity with
Don’t get me wrong!
is NOT INSECURE
SQL Injection
Queries use STRINGs as the control mechanism.
Exploits of a Mom
// query
INSERT INTO Students VALUES ( '$Name' )
// input
Robert'); DROP TABLE Students; --
// result
INSERT INTO Students VALUES ( 'Robert' ); DROP TABLE Students; --' )
source: https://xkcd.com/327
SQL Injection - One more example
// query
SELECT * FROM users WHERE username='peter' AND (password='$PWD')
// input
' OR '1'='1
// result
SELECT * FROM users WHERE username='peter' AND (password='' OR '1'='1')
NoSQL Injection
Queries use OBJECTs as the control mechanism.
2. DEMO TIME
Meteor-shop web application
Let’s play the role of a hacker! With NoSQL Injection skills.
3. SOLUTIONS
“MAKE ASSERTIONS ON USER INPUT DATA”
CHECK to the rescue
https://atmospherejs.com/meteor/check
Check whether a value matches a pattern
$ meteor add check
check(slug, String);
ERROR: Expected String, got Object
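How an operator object slips through a Meteor-style method that trusts its argument (the "queries use OBJECTs" slide) and how the String assertion from the check slide stops it, as an added example that is not part of the original deck. Products, check() and the two product methods are simplified stand-ins written for this example, not Meteor's or the meteor-shop app's own code.

```javascript
// Added example (not from the slides). The slides describe queries controlled by
// OBJECTs and a check(slug, String) assertion; this reproduces both in plain Node.js.
// Products is an in-memory stand-in for a Mongo collection, and check() is a
// minimal stand-in for meteor/check that handles only the String pattern.
const Products = [
  { slug: 'red-hat', price: 10 },
  { slug: 'staff-discount', price: 1 }, // constructed: a document a shopper should not enumerate
];

// Tiny selector matcher: an exact value, or a { $ne: value } operator object.
function matches(doc, selector) {
  return Object.entries(selector).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object') {
      if ('$ne' in cond) return doc[field] !== cond.$ne;
      throw new Error('operator not supported by this example');
    }
    return doc[field] === cond;
  });
}

function find(selector) {
  return Products.filter((doc) => matches(doc, selector));
}

// Stand-in for check(value, String): throw unless the value really is a string.
class MatchError extends Error {}
function check(value, pattern) {
  if (pattern === String && typeof value !== 'string') {
    throw new MatchError(`Expected String, got ${value === null ? 'null' : typeof value}`);
  }
}

// Vulnerable Meteor-style method: the client's argument becomes the selector value,
// so a JSON object carrying an operator is queried as-is instead of compared as a slug.
function productBySlugUnchecked(slug) {
  return find({ slug: slug });
}

// Hardened method: assert the type before the value reaches the query.
function productBySlugChecked(slug) {
  check(slug, String);
  return find({ slug: slug });
}

// Constructed client inputs: a normal slug, and an object where a string was expected.
const normalSlug = 'red-hat';
const objectSlug = { $ne: '' };
```

With the unchecked method the object input matches every product, while the checked method rejects it before the query runs and still serves the normal slug.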
CHECK-CHECKER
https://atmospherejs.com/east5th/check-checker
Scans the code to detect methods / publish functions which have not checked their input data.
$ meteor add east5th:check-checker
Thanks! Any questions?
o meteor-shop demo application: https://github.com/sonlexqt/meteor-shop