Security Analysis Of MongoDB - Infonomics-society

Transcription

International Journal of Digital Society (IJDS), Volume 10, Issue 4, December 2019
Copyright 2019, Infonomics Society

Security Analysis of MongoDB

Sahib Singh
Heinz College, Carnegie Mellon University, USA

Abstract

NoSQL databases are a form of non-relational databases whose primary purpose is to store and retrieve data. Due to recent advancements in cloud computing platforms and the emergence of Big Data, NoSQL databases are becoming more popular than ever. In this paper we are going to understand and analyze the fundamental security features and the vulnerabilities of MongoDB, and how it performs compared to relational databases on these fronts.

1. Introduction

The term NoSQL was brought into light by Carlos Strozzi, who used the term to identify his database, which was a lightweight, open relational database that did not use SQL. The term NoSQL now refers to a system which is "Not Only SQL", rather than the earlier meaning of a database without SQL, since such systems usually provide an SQL-like query support system.

NoSQL models are generally quicker and are able to process large amounts of heterogeneous data compared to relational database models, hence often being the first choice while working with large and unstructured datasets owing to their speed and flexibility. Not only can they handle unstructured data, they are also able to process Big Data quickly, hence making them the first choice among top technology companies such as Facebook, Google, Twitter etc.

One type of NoSQL database, which is going to be our primary focus for this paper, is MongoDB. MongoDB, written in C++, is an open source database which is currently the most popular NoSQL database according to DB-Engines tracking. DB-Engines ranks over 340 database systems based on their popularity. This popularity score is generated by taking a number of factors into consideration, such as search engine results, Google Trends, Stack Overflow discussion forums, the number of jobs available and profiles present in professional networks such as LinkedIn, and social networks like Twitter.

2. Features of MongoDB

MongoDB is a document-based database developed by 10gen which manages collections of JSON-like documents in a format called BSON, or simply "Binary JSON". Documents in MongoDB are stored in a collection, and collections are stored in a database. Some features of MongoDB which are worth going over from a security standpoint are given below [5]:

1) Map-reduce based Aggregation Framework: This feature of MongoDB is similar to the 'Group By' clause offered in MySQL. MongoDB uses the MapReduce paradigm to perform aggregation. A map is basically a procedure for filtering and sorting data, while the reduce procedure performs a summary operation (e.g. counting the number of people standing in a queue). MapReduce is generally used to process large volumes of data in parallel by distributing it across clusters.

2) Schema-less Database: The schema refers to the structure in which the data should be stored. In the case of relational databases such a schema is defined using tables. By schema-less we are referring to a dynamically typed schema as opposed to the statically typed schemas in relational databases. For example, XML allows you to specify an XSD if required; BSON, however, can accept varied types of data. Since there is no constraint on the data and every document in the collection can have different attributes from every other, we call it schema-less.

3) Ad-hoc Querying: MongoDB supports SQL-like complex queries including regex. Similarly, we can also write queries to fetch data less than or greater than a value, or use regular expressions for pattern matching.

4) Replication and Fail-over Support: MongoDB supports replication by distributing data over various clusters. This is achieved using a replica set, which is essentially a group of instances hosting the same data. In a replica set, one node is defined as the primary node while all other nodes are classified as secondary. All write operations are assigned to the primary node (i.e. the master node), whereas the secondary nodes may perform read operations.

3. Security Features

Following are some of the key security features provided by MongoDB with regard to authentication, encryption and access control [4]:

1) Enabling Access Control: MongoDB requires that all users (clients as well as servers) provide valid credentials before they are able to connect to … ion and requires all users to identify themselves before a connection is made. With access control enabled, there is a user administrator role defined which is responsible for creating users, granting and revoking access of other users, as well as modifying user roles.

Following is an example of how to set up an admin, provided in the official MongoDB documentation:

(Example from the MongoDB documentation; not reproduced in the transcription.)

After the admin has been created, you can then go on to create additional users based on the exact-access principle (giving the least privilege required).

2) Confidential Network: MongoDB only allows users to connect over defined interfaces on a given port on which MongoDB instances are available. This is done to reduce the risk of exposure and ensure only trusted users have access. This network confidentiality can be achieved using the following two routes:

IP Binding: Starting with MongoDB 3.6, MongoDB binaries bind to localhost by default. The binary can additionally bind to other IPv6 addresses by setting them up through the command line interface or through the "net.bindIp" configuration file setting.

Network Hardening: One way to achieve this is using firewalls, which limit traffic to only that from trusted sources. The other way is to use Virtual Private Networks, which make it possible to connect two networks over an encrypted and limited-access network. Virtual Private Networks can also be used to prevent tampering and "man in the middle" attacks, since connections take place over a secure tunnel.

3) System Auditing: The system auditing facility allows admins and users to track their system's activities during testing and deployment phases. Once enabled, the audit system can record the following information: schema, replica set, sharded clusters, authorizations and CRUD operations. Further, the auditing system writes every audit document to an in-memory buffer of audit events, which later get written to disk.

4. Security Flaws and Addressal

Following are some of the security issues found in MongoDB; we will also see if there are any ways to address these issues [8]:

1) Lack of Data Encryption: Currently there is no encryption on data files in MongoDB. This is a cause of concern since anyone with access to the file system can extract the information from these files. To prevent any issues arising from such lack of encryption, the application should explicitly encrypt all the sensitive information before writing it to the database; file permissions should also be adequately put in place to prevent any unauthorized user from accessing the files.

2) Vulnerable to Injection Attacks: Simply because MongoDB does not deal directly with a query language in the form of a string does not make it immune to injection attacks (see the example below on how injection attacks take place in SQL). Injection attacks are still possible owing to MongoDB's dependence on JavaScript. MongoDB's operations allow arbitrary JavaScript expressions to be executed directly on the server.

Classic SQL Injection (figure; code not reproduced in the transcription)

The above example shows how SQL injections take place: since 1=1 is always true, the above query will be executed, and attackers might be able to get access to private information (e.g. the above table might contain usernames and passwords). Hence such statements might unknowingly be running on your database.

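The SQL pattern above has a direct MongoDB counterpart, which the paper turns to next: a login handler that copies request fields into a query filter without checking that they are strings, and a `$where` clause that interpolates user data into server-side JavaScript. The following is an added example, not code from the paper or from MongoDB; the collection, the request bodies and the small `matches()` stand-in for the server's query evaluation are all constructed here so the effect can be observed without a database.

```javascript
// Added example (not from the paper): operator injection through an unvalidated
// login request, beside a type-checked filter builder that prevents it. A tiny
// in-memory matcher stands in for MongoDB's evaluation of a query filter.

// Constructed sample collection (hypothetical users, not real data).
const USERS = [
  { username: 'alice', password: 'correct horse', role: 'admin' },
  { username: 'bob',   password: 'battery staple', role: 'user' },
];

// Minimal stand-in for MongoDB filter matching: equality plus the $ne operator,
// which is all this demonstration needs.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object' && '$ne' in cond) {
      return doc[field] !== cond.$ne;
    }
    return doc[field] === cond;
  });
}

function find(filter) {
  return USERS.filter((doc) => matches(doc, filter));
}

// VULNERABLE: the parsed JSON body is copied straight into the filter, so a
// client may send an object such as {"$ne": ""} where a string was expected.
function buildLoginFilterVulnerable(body) {
  return { username: body.username, password: body.password };
}

// HARDENED: every user-supplied value must be a primitive string; objects and
// arrays never reach the query engine.
function assertPlainString(value, name) {
  if (typeof value !== 'string') throw new TypeError(`${name} must be a string`);
  return value;
}

function buildLoginFilterSafe(body) {
  return {
    username: assertPlainString(body.username, 'username'),
    password: assertPlainString(body.password, 'password'),
  };
}

// Defence in depth for endpoints that accept whole objects (e.g. search):
// drop any key beginning with '$' anywhere in the user input.
function stripOperators(value) {
  if (Array.isArray(value)) return value.map(stripOperators);
  if (value !== null && typeof value === 'object') {
    const clean = {};
    for (const [k, v] of Object.entries(value)) {
      if (!k.startsWith('$')) clean[k] = stripOperators(v);
    }
    return clean;
  }
  return value;
}

// VULNERABLE $where: user data interpolated into server-side JavaScript.
function buildWhereVulnerable(name) {
  return { $where: `this.username == '${name}'` };
}

// The pattern from the MongoDB documentation the paper cites: user-supplied
// values go into ordinary BSON fields; only static JavaScript goes into $where.
function buildWhereSafe(name) {
  return { username: assertPlainString(name, 'username'), $where: 'this.failedLogins < 5' };
}

// Constructed malicious body: {"username": {"$ne": ""}, "password": {"$ne": ""}}
const INJECTED_BODY = { username: { $ne: '' }, password: { $ne: '' } };

function demo() {
  const leaked = find(buildLoginFilterVulnerable(INJECTED_BODY)).length; // every user matches
  let safeResult;
  try {
    buildLoginFilterSafe(INJECTED_BODY);
    safeResult = 'accepted';
  } catch (e) {
    safeResult = 'rejected: ' + e.message;
  }
  return { leaked, safeResult };
}
```

With the injected body, the vulnerable filter matches both documents (an authentication bypass), while `buildLoginFilterSafe` throws before any query is issued. `stripOperators` is the second line of defence for endpoints that legitimately accept nested objects; it is not a substitute for the type check on fields whose type is known.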
MongoDB Injection (figure; code not reproduced in the transcription)

In the above example, username and password have not been validated to ensure they are strings; hence they may contain anything but strings and manipulate the query structure. Based on MongoDB's official documentation [4], a user can express most queries in MongoDB without JavaScript, and for the queries which do require JavaScript, the user can mix JavaScript and non-JavaScript inside a single query by placing all the user-supplied fields directly in a BSON field and passing the JavaScript code to the where field.

3) Authentication & Authorization: MongoDB does not provide authentication in a sharded configuration unless run in standalone or replica set mode; also, the onus of security lies entirely in the hands of the developer. Any user by default has the permission to access the entire database; moreover, any user with administrator access has complete read/write privileges for the complete database. A reverse proxy can be configured using REST APIs to define fine-grained permissions in addition to authentication.

MongoDB authentication with Kerberos (figure not reproduced in the transcription)

5. MongoDB vs MySQL

When talking about relational databases, MySQL is one of the first databases which usually comes to mind. It is a type of relational database which is currently owned by Oracle and is a part of the LAMP stack (Linux/Apache/MySQL/PHP).

1) Structure: MySQL stores data in the form of tables with rows and columns. It uses a schema to define its database structure and requires all rows within a table to follow the same structure. MongoDB stores data in JSON-like documents and is schema-free, i.e. we do not have to define the structure first, and different documents can have different types of data, as discussed earlier.

2) Replication: MySQL supports master-slave and master-master replication and allows multi-source replication. MongoDB has built-in features for replication and sharding, i.e. distributing data across multiple machines to support large-scale deployments.

3) Scaling: Horizontal scaling refers to adding more machines to our resource pool, while vertical scaling means adding more power to an existing machine. Achieving horizontal scaling with MySQL often requires significant engineering effort and resources, and vertical scaling is often not possible beyond a limit. MongoDB can be scaled within and across multiple distributed data centers with high throughput and almost no downtime [4]. It also provides support for auto-sharding and application-unaware scaling.

6. MySQL vs MongoDB Security Comparison

Following is a comparison between MySQL and MongoDB from a security standpoint:

1) Security Model: MySQL provides a privilege-based security model, i.e. a user is given access only to specific commands such as CREATE, UPDATE, DELETE etc.; hence such privileges can be defined based on the user type. MongoDB supports TLS and SSL for encryption to ensure the data is only accessible to the intended user.

2) Injections: MySQL is prone to SQL injection, which is essentially placing malicious code in SQL statements via web page output. While MongoDB is not prone to SQL injection, it is not entirely immune to injection (as discussed above) owing to the use of an interpreted language such as JavaScript.

3) Logging: MySQL offers complete logging by default, and its support for transactions and rollbacks helps in ensuring data integrity. Complete logging is not enabled by default in MongoDB. Additional logging is built into the operating system and application layers [2].

4) Access Controls: MySQL provides various types of access control mechanisms, like Discretionary Access Control (REVOKE & GRANT commands), Role-Based Access Control etc. MongoDB only offers role-based access control, which is not enabled by default. It provides some built-in roles which provide a set of privileges commonly required in a database.

5) Integrity Model: MySQL follows the ACID (Atomic, Consistent, Isolated, Durable) model. A relational database not following any of these four goals is not considered reliable. Database administrators use several strategies to enforce ACID, such as write-ahead logging (WAL), shadow paging and the two-phase commit protocol. MongoDB follows the BASE (Basic Availability, Soft state, Eventual consistency) model. With the release of MongoDB 4.0 we now have multi-document ACID transaction support. Through snapshot isolation, transactions provide a consistent view of data while enforcing all-or-nothing execution and maintaining data integrity [4].

Figure 1. Atomic Transactions in MongoDB (Source: SimForm.com)

7. Data Breach Cases

A security researcher named Bob Diachenko exposed a vulnerability in … which was leaking the details of around 11 million users belonging to an email marketing firm based out of California. The dataset contained around 44 Gigabytes of data, including full names, email addresses, gender details and physical addresses of 10,999,535 users. Apart from these details, DNS details as well as email delivery status information were also found. According to the researcher, the database had been left exposed since at least 13th September 2019. Based on reports, the data belonged to a coupon or discount based company called "Saverspy", a daily deals website operated by Coupons.com [7]. The database also contained a ransom message demanding bitcoin payment to recover the lost data. The message further asked the victim to send along an IP address and proof of payment in order to get the data. Similar ransom messages were also reported in China around June this year.

Earlier, in December 2018, another leak of data was exposed containing 854 Gigabytes of data without any authentication or password. The data contained the details of more than 200 million Chinese job seekers. The data, which was totally unprotected, was open and available for around a week. The data instance was found using a BinaryEdge or Shodan search. Each of the 200 million resumes also contained personal information such as contact number, email address, height, weight, driver license, salary expectations etc. This was particularly dangerous since it could have led to follow-on phishing attacks. While the source of the data remained unknown, there were speculations of it being scraped from third-party websites. The database was secured once the leak was reported.

Security researchers discovered over 808 million records, including sensitive information such as contact numbers and email addresses, being exposed on a MongoDB instance. This 150 GB exposed data instance was reported around February 2019. The data comprised three folders, with about 800 million records in one (emailrecords), 4 million contact information records in another (emailWithPhone) and around 6 million records of business leads in the third folder (businessLeads), which included information such as mortgage details and other corporate information. The database was found to belong to …, a company which approves and verifies email addresses for third parties. The database was aimed at sending out spam emails in bulk. The following snippet shows some of the leaked details in this regard:

(Snippet of leaked details not reproduced in the transcription.)

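Each of the breaches above comes down to the same deployment pattern: an instance listening on every interface, with no access control and no audit trail, which is exactly what the three features of section 3 (access control, IP binding and auditing) are there to prevent. The following is an added example, not code from the paper or from MongoDB: a small lint over a mongod configuration expressed as a JavaScript object with the same keys as the YAML mongod.conf (`net.bindIp`, `net.bindIpAll`, `security.authorization`, `auditLog.destination`; the audit facility is a MongoDB Enterprise feature). The two sample configurations, the finding identifiers and the severities are this example's own.

```javascript
// Added example (not from the paper): flag the exposure pattern behind the
// breach cases (reachable from any network, authorization off, no audit log).

// Constructed weak configuration: bound to every interface, no security section.
const WEAK_CONFIG = {
  net: { port: 27017, bindIp: '0.0.0.0' },
  storage: { dbPath: '/var/lib/mongodb' },
};

// Constructed corrected configuration following section 3 of the paper.
const HARDENED_CONFIG = {
  net: { port: 27017, bindIp: '127.0.0.1,10.0.0.5' },      // loopback plus one trusted address
  security: { authorization: 'enabled' },                   // clients must authenticate
  auditLog: { destination: 'file', format: 'JSON', path: '/var/log/mongodb/audit.json' },
  storage: { dbPath: '/var/lib/mongodb' },
};

// Addresses that make the listener reachable from any network.
const WILDCARD_ADDRS = new Set(['0.0.0.0', '::', '*']);

// net.bindIp is a comma-separated list; absent means the 3.6+ default of localhost.
function bindAddresses(config) {
  const raw = config.net && config.net.bindIp;
  if (!raw) return ['127.0.0.1'];
  return String(raw).split(',').map((a) => a.trim()).filter(Boolean);
}

function auditConfig(config) {
  const findings = [];
  const net = config.net || {};

  if (net.bindIpAll === true || bindAddresses(config).some((a) => WILDCARD_ADDRS.has(a))) {
    findings.push({ id: 'EXPOSED_LISTENER', severity: 'high',
      detail: 'mongod listens on all interfaces; restrict net.bindIp to trusted addresses' });
  }

  const authz = config.security && config.security.authorization;
  if (authz !== 'enabled') {
    findings.push({ id: 'NO_ACCESS_CONTROL', severity: 'high',
      detail: 'security.authorization is not enabled; every client gets full access' });
  }

  const audit = config.auditLog && config.auditLog.destination;
  if (!audit) {
    findings.push({ id: 'NO_AUDIT_LOG', severity: 'medium',
      detail: 'auditLog.destination is not set; authentication and CRUD events are not recorded' });
  }

  // Both high-severity findings together reproduce the breach pattern of section 7.
  const ids = new Set(findings.map((f) => f.id));
  const internetExposedWithoutAuth = ids.has('EXPOSED_LISTENER') && ids.has('NO_ACCESS_CONTROL');
  return { findings, internetExposedWithoutAuth };
}
```

A host firewall in front of the listener (the paper's network-hardening route) is not visible in mongod.conf, so a clean result from this lint still assumes the network controls are in place; the point of the check is that binding and authorization must not rely on them.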
8. Common Vulnerabilities and Exposures

Vulnerabilities having at least one public reference are described below [5]:

A privilege escalation was detected in FlintCMS (a content management system), allowing takeover due to blind MongoDB injection during password reset.

IBM API Connect is affected by a NoSQL injection in the MongoDB connector for the LoopBack framework.

The MongoDB js-bson module in versions before 1.0.5 is vulnerable to Regular Expression Denial of Service (ReDoS); the flaw is triggered on calling the fromString() function to parse a long untrusted string.

MongoDB 3.4.x versions before 3.4.10 have a disabled-by-default configuration setting which, when enabled, exposes a vulnerability that could be exploited by a malicious attacker to deny service or modify memory.

mongodb-instance before 0.0.3 installs MongoDB locally, downloading binary resources over HTTP, leaving it vulnerable to MITM attacks.

The client in MongoDB uses world-readable permissions on .dbshell history files, which risks allowing local users to obtain sensitive information by going through these files.

Certain MongoDB versions between 2.4 and 2.6 contain security vulnerabilities that allow a denial of service attack using a UTF-8 string in a BSON-based request.

MongoDB earlier versions (between 2.10 and 2.20) do not properly validate requests to the native helper function in SpiderMonkey, allowing remote authenticated users to cause a denial of service or execute arbitrary code through a crafted memory address in the first segment.

The MongoDB dissector in Wireshark 1.8.x before 1.8.2 is vulnerable to denial of service attacks through a small value for the BSON document length.

The default MongoDB configuration before 2.3.2 does not validate objects, allowing remote authenticated users to read system memory through a crafted BSON object in a column name inside an insert command, triggering a buffer over-read.

9. Conclusion

Data is growing at a rapid pace and is becoming more and more unstructured, such as emails, audio files, and videos. As of today, more than 95% of the data generated is in unstructured format. Having the flexibility for development without any predefined schema is a massive boost for MongoDB; however, it is essential that it is backed by a robust security mechanism to prevent malicious attacks and unwanted interference. Based on the findings above, we can say that MySQL is usually better when you need reliable data protection and ease of data management. On the other hand, if you have unstructured data or an undefined schema in hand and want to process large amounts of data, MongoDB would be a reasonable choice. From a security standpoint, we can see that MySQL, being an old player, has identified most of its loopholes, and even though SQL injections are still present there are some decent workarounds. MongoDB, on the other hand, does not offer most security configurations by default; however, it is still less prone to injection attacks considering it does not directly deal with a query language in the form of a string. However, there are still lots of vulnerabilities in MongoDB, especially related to system crashes and denial of service attacks, as we have seen in the Common Vulnerabilities and Exposures section. There is an expectation to improve these security flaws in the upcoming MongoDB versions to ensure deployment of robust and large-scale applications.

10. References

[1] Dave, M. (2012). SQL and NoSQL Databases. International Journal of Advanced Research in Computer Science and Software Engineering.
[2] DB-Engines, Database Management Ranking.
[3] Hou, B., Qian, K., Li, L., Shi, Y., Tao, L., Liu, J. (2016). MongoDB NoSQL Injection Analysis and Detection. 75-78. 10.1109/CSCloud.2016.57.
[4] MongoDB official documentation.
[5] CVE (MITRE) official entries containing publicly known cybersecurity vulnerabilities.
[6] ThreatPost, security news portal.
[7] ZDNet, security website owned by CNET.
[8] Okman, L., Gal-Oz, N., Gonen, Y., Gudes, E., Abramov, J. (2011). Security Issues in NoSQL Databases. TRUSTCOM '11: Proceedings of the 2011 IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications, pages 541-547.
[9] Shahriar, H., Haddad, H.M. Security Vulnerabilities of NoSQL and SQL Databases for MOOC Applications. Department of Information Technology, Department of Computer Science, Kennesaw State University, USA.
