Security in the Cloud: (Cyber)Security for Software Engineers
Thanks to Botify (SEO expertise) for hosting us next Wednesday, 26 September, at 22 Rue Royale 75008.
Two talks on the programme:
19h30 - Jean-Baptiste Barth (Botify) - Centralizing security policies with an API gateway
20h00 - Vladimir de Turckheim (Sqreen) - Applicative DOS through NoSQL injection
Here is the transcript, which is an SEO-oriented article in English!
19h30 - Jean-Baptiste Barth (Botify) - Centralizing security policies with an API gateway
Jean-Baptiste Barth, infrastructure lead. Botify is a company that produces SEO tools for big players in the industry: Expedia, eBay...
github.com/botify-labs
We started with a majestic monolith written in Python/Django. Beautiful, but it became ridiculous: we needed to add HTTPS, we needed maintenance pages, and we added a big administration panel. All those features were developed in Django.
A few months later we needed to scale, so we moved HTTPS to the Amazon load balancer, together with a WAF (Web Application Firewall).
So we read articles about microservices, with Go and with Scala, which handle authentication. We learned Go too. For internal tooling, we put in Jenkins.
So, how do you do microservices?
We started doing this with Apache/Nginx and specific modules, but it was difficult.
So we came to Kong!
Kong, an open source / Enterprise API Gateway
It offers different APIs: it's an API gateway, not just an IP, and it's based on OpenResty, with Cassandra or Postgres for configuration persistence.
But what is Kong?
Various APIs to manage: services, routes, consumers, plugins, certificates...
A service is a web application/API that you want to expose.
A route is a way to tell Kong where a request should go.
The plugin concept: everything in Kong is a plugin. Everything is a plugin, and it's easy.
The goal is to have Kong between the load balancer and the front-end.
Plugins are listed in https://docs.konghq.com/hub/
Open source plugins: basic auth, JWT, rate limiting, CORS, SSL, IP restriction, ACL, AWS Lambda...
We package it as a Docker image.
luarocks make and go!
Sample architecture of Kong
When using Kong there are two services: the public-facing proxy service (port 80) and an admin service on another port (8001), not exposed to the internet but only to administrators.
We can add a service with just a POST via curl:
curl -X POST ...
Same thing to add a route:
curl -X POST http://kong-admin:8001/services/kong-demo/routes
...
...
Demo:
GET request
Admin interface and user interface exposed to the web:
kong-admin:8001
server kong/0.13.1
kong-demo.botify.com
kong-proxy
Plugin creation:
./plugin-create-external-oauth
So, Kong: the community answers very fast if you need help, LuaJIT is fast, and Lua is a nice investment, a really simple language.
But the Lua ecosystem is fragmented and small.
Plugins vary in quality; beware of security holes.
Other equivalent API gateways: AWS API Gateway, Tyk, HAProxy, Nginx/OpenResty... Or build your own, but it's not recommended ;-)
20h00 - Vladimir de Turckheim (Sqreen) - Applicative DOS through NoSQL injection
DoS, denial of service, is a threat that can freeze a website. On this page we see that SQL injection is one of the top threats on the web.
The real title is "How to find exploits just by reading the doc".
We'll talk about MongoDB.
Lead Node.js engineer at Sqreen.
Securing Node.js? Ping Vladimir!
From SQL to NoSQL injections
Because SQL injections are dead...
select * from items where ID=1 OR TRUE;
We can add a UNION query and get information from other tables, for example:
select * from items where item
SQLi hall of shame:
Drupal, World trade organization, Symantec, Equifax, Facebook, Instagram
https://codecurmugdgeon.com/wp/
In MongoDB, database operations are performed through an API; that's the major difference from MySQL, PostgreSQL...
It looks like this:
db.items.find(queryObject)
db = current database object
items = collection
find= method
queryObject = an object describing the query
What is a MongoDB injection in practice?
app.post('/documents/find', (req, res) => {
  const query = { type: req.body.desiredType }
  ...
});
req.body = { desiredType: { $ne: 0 } }
Because Node.js developers don't validate JSON input, unless they use frameworks that help them do it.
Denial of service is a class of attack that is successful when users can no longer access the application. Abusing TCP, HTTP, the LOIC ion cannon used by Anonymous...
Now it's application-level DoS. In JavaScript, all the code runs in the main thread: single-threaded.
In the official MongoDB documentation there is a pool size parameter. Can we exhaust the pool? YES!
First, there is the $where operator, which takes a string parameter that is executed in the database. It runs against the whole collection: if there are 100,000 objects, the query runs on ALL OBJECTS! And there is the sleep() method to make a very, very slow MongoDB query.
ab together with curl:
ab launches HTTP requests at the server.
During the benchmark we send legitimate traffic with curl, which represents the user.
url: /dogs?$where=sleep(1)
query {$where:'sleep(1)'}
It's an applicative denial of service!
How do you protect yourself?
Do we expand the pool size? No.
Validate what gets into your application: never trust what users do!
More info about pentesting MongoDB:
https://www.sqreen.io/plugins/mongodb-injection
This transcript reflects exclusively the opinion of its authors and in no way commits Consultingit.