[Owasp-germany] 39. OWASP Stammtisch Karlsruhe am kommenden Montag (06.02.2017)

zai zai at z.ai
Wed Feb 1 20:43:24 UTC 2017

Hallo zusammen,

am kommenden Montag, den *06.02.2017*, wird es um *19:00 Uhr* wieder einen
OWASP Stammtisch in Karlsruhe geben.

Wir werden uns in den Räumlichkeiten der *1&1 Internet SE* in der
10* treffen.

Den Vortrag bestreitet dieses Mal Patrick Spiegel mit dem Thema "NoSQL
Injection revisited".
Im Anschluss daran können wir wieder gemeinsam zum Kühlen Krug spazieren
und den Abend gemütlich ausklingen lassen.

Da wir für den Wachdienst eine Namensliste benötigen, würden wir um via
Meetup, Doodle oder einem Kommunikationsweg eurer Wahl bitten :)
Die Links dazu:

Anbei noch der Abstract zum Talk und ich freue mich auf ein Wiedersehen
nächste Woche!

In the last decade many new challenges, such as big data, changed the way
we build applications. The generation of emerging NoSQL databases provides
a solution for these challenges. But does it provide security? Regarding
injection, there exists a prevalent opinion: “We are not building queries
from strings, so we do not have to worry about injection vulnerabilities! “

This presentation gives an overview of NoSQL injection attacks and
therefore takes a look at some of the most widespread NoSQL databases -
MongoDB, Redis, CouchDB and Memcached. Considered along with typical
application layers and drivers, the semantics of the query languages can be
examined. Starting from known vulnerabilities, new attack vectors for the
mentioned databases are introduced. With the full technology stack in mind,
payloads for different kind of requests can be crafted, that allow the
altering of parameter’s object structure. As a result, the semantics of
query parameters are changed and therefore unintended behavior of the
database can be achieved. The presented attacks will be accompanied by
multiple practical demonstrations. In the end, an approach for NoSQL
injection mitigation is briefly outlined.


More information about the Owasp-germany mailing list