NoSQL Injection (SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques)
1 SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques
NoSQL Injection
Copyright Justin Searle and Adrien de Beaupré. All Rights Reserved. Version D01_01
2 About me
- Consultant
- Principal SANS Instructor
- InfoSec full time since 2000
- Black Belt & Martial Arts Enthusiast
- Co-author of SANS SEC 460 and 642
3 Modern Penetration Testing
- Use the features of the operating system
- Use the features of the network protocols
- Use the features of the web application
- New framework = new features to learn
- Exploitation is just making use of new features in ways that might not have been anticipated, or known to implementers / developers
SEC642 Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques
4 THE MEAN STACK
- End-to-end JavaScript from client to database
- MEAN is a lightweight MVC framework, found on Mean.io
- The components are:
  - MongoDB (NoSQL database)
  - Express (MVC framework)
  - AngularJS (client-side framework)
  - Node.js (JavaScript server)
5 NoSQL DATABASES: DEFINITION
- No standards between platforms, no common query language
- Security features:
  - Authentication: often not enabled by default, and limited where available. Some databases require additional software, such as proxies, for authentication.
  - Access controls: many NoSQL databases, even if they require users to authenticate, do not use different roles; all users have access to everything.
  - Auditing: some NoSQL databases do not log at all.
  - Encryption: hit-and-miss whether TLS is built into the database. Encryption at rest is normally not provided beyond filesystem encryption; only a few NoSQL databases provide data encryption features.
6 DATABASES
7 MONGODB
- MongoDB is a document-oriented database
- It does not use traditional SQL: queries and documents are JSON-like, and are stored and transmitted as BSON (Binary JSON)
- Unlike a relational database, the schemas are dynamic and can be changed on demand
- Queries can include JavaScript functions
- "Mongo only pawn in game of life"
8 UNDERSTANDING HOW NoSQL WORKS
SQL:
- Made of rows and tables
- Generally ACID-compliant: Atomicity, Consistency, Isolation, Durability
- Maintains consistency even if it limits scalability
NoSQL:
- Made of key-value pairs: MongoDB has "documents", Riak has "buckets"
- Generally BASE-compliant: Basically Available, Soft State, Eventually Consistent
- Trades consistency for scalability
9 NoSQL vs. SQL
SQL (MySQL):
- Example query: SELECT * FROM users WHERE ID=1;
- Update a user: UPDATE users SET password = '<input>' WHERE ID = <#>;
- Create table: CREATE TABLE users (id MEDIUMINT NOT NULL AUTO_INCREMENT PRIMARY KEY, user_id VARCHAR(30));
NoSQL (MongoDB):
- Example query: db.users.find({user_id: 1})
- Example user update: db.users.update({user_id: <#>}, {$set: {password: '<input>'}})
- Create collection: db.createCollection('users')
10 MONGODB NOSQL INJECTION
- MongoDB, like other NoSQL-backed databases, is not vulnerable to SQL injection as you may traditionally understand it
- Injection attacks use JSON or BSON to control queries on the database:
  - MongoDB is often attacked via its $where operator (similar to SQL's WHERE clause)
  - Arbitrary JavaScript may also be injected into unprotected db.eval(), mapReduce, and group operations
- Parameter injection, like so: the [$ne] is added so that the condition potentially evaluates as "user not equal" instead of "user equal"
11 MONGODB FUZZING
Things to try for Mongo NoSQLi:
- JavaScript -> inserting a function can be interesting!
- JSON -> / { } :
- Trigger a MongoDB syntax error -> ' " \ ; { }
- Insert logic -> ' '1' == '1' ;
- Comment out -> //
- Operators -> $where $gt $lt $ne $regex
- Mongo commands -> db.getCollectionNames()
12 NOSQL INJECTION METHODOLOGY
- Have a baseline valid request for comparison
- Attempt to cause a syntax error response from the database
- Inject operators that modify the query
- Inject logic to cause the query to return multiple records
- Inject new records that modify the schema <- careful!
- Delete or modify records <- careful!
- Inject JavaScript
- Inject JSON or BSON directly to the database
- Access REST APIs, management interfaces, or the database directly
13 NOSQL INJECTION PROJECTS
Tools:
- NoSQLMap
- NoSQL Exploitation Framework
- FuzzDB list of injection strings (all 21 lines)
- Some commercial automated web application scanners
Vulnerable applications:
- One written by Robin "digininja" Wood
- Bundled in NoSQLMap
- Written for the Websecurify blog post on NoSQL Injection
- Many others, likely not intentional though!
14 Demo!
15 Demo: NoSQL INJECTION
- mongo.sec642.org
- Click on Guess_The_Key
- Type in a guess
- Now we have a baseline
16 Demo: NoSQL INJECTION (GUESS_THE_KEY)
17 Demo: NoSQL INJECTION (ASKING FOR THE KEY)
- With the stack trace, we can create the attack
- The context of their code dictates our exploit
- Close off the previous logic, insert new logic, comment off the rest of the line: ' ; return key; //
- Voila, the key value appears
18 Demo: NoSQL INJECTION (USER LOOKUP)
- Return to the home page
- Click on User_Lookup
- Type in a name: we now see a valid but negative response
- Type in sid to see a valid and positive response for our baseline
19 Demo: NoSQL INJECTION (USING QUERY PARAMETERS)
- Entering sid gave us a valid query and response
- Fuzzing gave us nothing useful
- We will need to insert JavaScript, logic, or query operators to achieve our goal
- [$ne], [$gt], and [$regex] will help us here
20 Demo: NoSQL INJECTION (USING QUERY PARAMETERS)
- type[$ne]=user&username[$ne]=sid
  Success!
- type[$regex]=.*&username[$regex]=.*
  Dumps the whole table!
21 Demo: NoSQL INJECTION (LOGIN)
- We want to be administrator!
- There are three parameters: type, username, password
- How can we bypass the password check once we have a valid username and user type?
22 Demo: NoSQL INJECTION (AUTHENTICATION BYPASS)
- Query operators once again.
- type[$ne]=user&username[$ne]=foo&password=bar' '1'=='1
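The operator injection behind the User_Lookup and login demos above, and the $where string concatenation behind the Guess_The_Key demo, as an added Node.js example that is not part of the SEC642 deck or the demo application: a minimal bracket-notation query-string parser (assumed to mirror the extended parsers such apps rely on), the vulnerable filter construction beside a hardened one that only accepts plain strings, and a recursive check that rejects any '$'-prefixed key. All function names and sample parameters are constructed for this example.

```javascript
// Added example, not code from the SEC642 deck or the mongo.sec642.org demo app.
// Shows how type[$ne]=user&username[$ne]=sid becomes a MongoDB operator object once a
// server passes parsed query parameters straight into a filter, and how to harden that.
// Runs on plain Node.js; no MongoDB server is needed.

// Minimal one-level bracket-notation parser. Assumption: this mirrors the behaviour of
// "extended" query-string parsers (such as the qs module behind Express) that turn
// name[sub]=value into { name: { sub: value } }; deeper nesting is not handled here.
function parseQuery(qs) {
  const out = {};
  for (const pair of qs.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const rawKey = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq));
    const value = decodeURIComponent(eq === -1 ? '' : pair.slice(eq + 1));
    const m = /^([^\[]+)\[([^\]]*)\]$/.exec(rawKey);
    if (m) {
      if (typeof out[m[1]] !== 'object' || out[m[1]] === null) out[m[1]] = {};
      out[m[1]][m[2]] = value;
    } else {
      out[rawKey] = value;
    }
  }
  return out;
}

// Vulnerable: a User_Lookup style filter takes the parsed values as-is, so an object
// such as { $ne: 'user' } is handed to the driver as a query operator.
function buildLookupFilter(params) {
  return { type: params.type, username: params.username };
}

// Hardened: every user-controlled value must be a plain string. Operator objects are
// rejected here, before they can reach the database.
function asString(value, name) {
  if (typeof value !== 'string') {
    throw new TypeError(`parameter "${name}" must be a string, got ${typeof value}`);
  }
  return value;
}

function buildLookupFilterSafe(params) {
  return {
    type: asString(params.type, 'type'),
    username: asString(params.username, 'username'),
  };
}

// Defensive check for inputs that are legitimately objects (e.g. JSON request bodies):
// true if any key at any depth starts with '$', which never belongs in user data.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).some(([k, v]) => k.startsWith('$') || containsOperator(v));
  }
  return false;
}

// Guess_The_Key pattern: the guess is concatenated into a $where JavaScript string, so a
// quote, a semicolon and a comment marker turn data into code (the deck's ' ; return key; //).
function buildKeyCheckWhere(guess) {
  return { $where: `this.key == '${guess}'` };
}

// Hardened: compare as data, never as code. Once the application uses no $where at all,
// server-side JavaScript can also be switched off in mongod (security.javascriptEnabled: false).
function buildKeyCheckSafe(guess) {
  return { key: asString(guess, 'guess') };
}

if (typeof require !== 'undefined' && require.main === module) {
  const hostile = parseQuery('type[$ne]=user&username[$ne]=sid');
  console.log('vulnerable filter:', JSON.stringify(buildLookupFilter(hostile)));
  try {
    buildLookupFilterSafe(hostile);
  } catch (e) {
    console.log('hardened filter rejected input:', e.message);
  }
  console.log('injected $where:', buildKeyCheckWhere("' ; return key; //").$where);
}
```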
23 New series of web app pen test cheat sheets. Crowdsource!
24 Questions?
25 COURSE RESOURCES AND CONTACT INFORMATION
AUTHOR CONTACT: Moses Frost, Justin Searle, Adrien de Beaupré
PEN TESTING RESOURCES: pen-testing.sans.org
SANS INSTITUTE: Rockville Pike, Suite 200, North Bethesda, MD; SANS (7267)
SANS GENERAL INQUIRIES: REGISTRATION: TUITION: PRESS/PR:
Karthik Bharathy Program Manager, SQL Server Microsoft Key Session takeaways Understand the many views of SQL Server Look at hardening SQL Server At the network level At the access level At the data level
More informationSecure RESTful Web Services to Mobilize Powerful Website Penetration Testing Tools
Secure RESTful Web Services to Mobilize Powerful Website Penetration Testing Tools Problem statement Powerful penetration testing cyber security tools and techniques are freely available via OS based distributions.
More informationDATABASE SYSTEMS. Database programming in a web environment. Database System Course,
DATABASE SYSTEMS Database programming in a web environment Database System Course, 2016-2017 AGENDA FOR TODAY The final project Advanced Mysql Database programming Recap: DB servers in the web Web programming
More informationGranting Read-only Access To An Existing Oracle Schema
Granting Read-only Access To An Existing Oracle Schema Oracle recommends that you only grant the ANY privileges to trusted users. Use the IDENTIFIED BY clause to specify a new password for an existing
More informationWeb Applications Penetration Testing
Web Applications Penetration Testing Team Members: Rahul Motwani (2016ME10675) Akshat Khare (2016CS10315) ftarth Chopra (2016TT10829) Supervisor: Prof. Ranjan Bose Before proceeding further, we would like
More informationPenetration Testing. James Walden Northern Kentucky University
Penetration Testing James Walden Northern Kentucky University Topics 1. What is Penetration Testing? 2. Rules of Engagement 3. Penetration Testing Process 4. Map the Application 5. Analyze the Application
More informationAttacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14
Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.
More informationCSE 530A ACID. Washington University Fall 2013
CSE 530A ACID Washington University Fall 2013 Concurrency Enterprise-scale DBMSs are designed to host multiple databases and handle multiple concurrent connections Transactions are designed to enable Data
More information