NoSQL and Security: An Analytical Study for Injection Prevention in NoSQL Databases
Abstract
The analysis of security vulnerabilities in NoSQL databases, with a focus on code injection attacks, reveals the challenges faced by systems widely adopted in web and cloud applications. The exponential growth of NoSQL databases, driven by their ability to handle large volumes of unstructured data and their horizontal scalability, contrasts with the robustness and transactional integrity of relational (SQL) databases. Despite the flexibility and efficiency offered by NoSQL systems, they present new security threats, particularly injection attacks, which can compromise the integrity and confidentiality of the stored data. A detailed comparison between SQL and NoSQL architectures highlights the main vulnerabilities associated with each, mapping existing methods and tools for the prevention and mitigation of attacks in NoSQL systems. Attack simulations in a controlled environment replicate real-world usage scenarios, including techniques such as tautologies, piggyback queries, and UNION attacks, to test vulnerabilities and evaluate the effectiveness of defense strategies. Input validation through Deterministic Finite Automata (DFA) emerges as an effective approach to prevent injection attempts before they can impact the database. RSA encryption is explored as an additional layer of protection for sensitive data, reinforcing the security of NoSQL systems against attacks. The results demonstrate that, while NoSQL injections represent a significant threat, the application of advanced mitigation techniques, such as DFA-based input validation and RSA encryption, can substantially reduce the associated risks. The research provides practical and theoretical insights to strengthen the security of NoSQL systems in various application contexts.
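The DFA-based input validation named in the abstract, shown as an added illustration rather than the paper's own code: a small automaton that accepts only identifier-like login fields, so a tautology such as `{"$ne": ""}` supplied in place of a string never reaches a MongoDB-style filter. The login handler, field names and sample request bodies are assumptions constructed for the example.

```python
# Added example: DFA whitelist validation of untrusted login fields before
# they are placed in a document-database filter. Scenario and names assumed.
import string

START, ACCEPT, DEAD = 0, 1, 2          # DFA states
_IDENT = set(string.ascii_letters + string.digits + "_.-@")

# Transition table delta(state, symbol_class); any character outside the
# identifier alphabet ($, {, ', |, whitespace ...) drives the DFA to DEAD.
_DELTA = {
    START:  {"ident": ACCEPT, "other": DEAD},
    ACCEPT: {"ident": ACCEPT, "other": DEAD},
    DEAD:   {"ident": DEAD,   "other": DEAD},
}


def dfa_accepts(value, max_len=64):
    """True only if value is a str of bounded length that the DFA accepts."""
    if not isinstance(value, str) or not 1 <= len(value) <= max_len:
        return False                   # non-strings (e.g. {"$ne": ""}) fail
    state = START
    for ch in value:
        state = _DELTA[state]["ident" if ch in _IDENT else "other"]
        if state == DEAD:
            return False
    return state == ACCEPT


def build_login_filter(body):
    """Build {"user": ..., "pass": ...} from a parsed JSON body, or return
    None when either field fails validation (so no query is issued)."""
    if not isinstance(body, dict):
        return None
    user, password = body.get("user"), body.get("pass")
    if not (dfa_accepts(user) and dfa_accepts(password)):
        return None
    return {"user": user, "pass": password}


# Constructed sample bodies: one benign, two carrying injection syntax.
SAMPLES = [
    {"user": "alice_01", "pass": "s3cret-pw"},
    {"user": "admin", "pass": {"$ne": ""}},            # operator tautology
    {"user": "admin' || '1'=='1", "pass": "x"},        # string tautology
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(body, "->", build_login_filter(body))
```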
Keywords:
NoSQL, Security, Injection
Published
2024-11-27
How to Cite
AWAD, Kassem Ubinski; CARDOSO, Luciano Santos; BUSSADOR, Alessandra. NoSQL and Security: An Analytical Study for Injection Prevention in NoSQL Databases. In: LATIN AMERICAN CONGRESS ON FREE SOFTWARE AND OPEN TECHNOLOGIES (LATINOWARE), 21., 2024, Foz do Iguaçu/PR. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024. p. 464-467. DOI: https://doi.org/10.5753/latinoware.2024.245334.
