CR | Jun 12, 2015

No SQL, No Injection? Examining NoSQL Security

arXiv:1506.04082v1 | 32 citations
Originality: Synthesis-oriented
AI Analysis

This paper addresses security risks for users of NoSQL databases, highlighting a critical gap in protection.

The paper examines security vulnerabilities in NoSQL databases, finding that they are not immune to injection attacks and lack mature security measures compared to traditional SQL systems, with examples including injection and CSRF techniques.

NoSQL data storage systems have become very popular due to their scalability and ease of use. This paper examines the maturity of security measures for NoSQL databases, addressing their new query and access mechanisms. For example, the emergence of new query formats makes the old SQL injection techniques irrelevant, but are NoSQL databases immune to injection in general? The answer is NO. Here we present a few techniques for attacking NoSQL databases such as injections and CSRF. We analyze the source of these vulnerabilities and present methodologies to mitigate the attacks. We show that this new vibrant technological area lacks the security measures and awareness which have developed over the years in traditional RDBMS SQL systems.
