I want to know what the best practices are to secure a NoSQL database like MongoDB. How is it possible? Any tips?
- Welcome to Security.se, your question as formulated here is too broad. Could you refine your question with more details like: what did you already do, what is the architecture of your service (is it direct access to the DB via the internet, is it a server for an online application, ...), what data do you want to protect (user data, credit card numbers, ...)? As is, this question is very likely to be closed. – M'vy Mar 07 '13 at 09:29
- I want to protect user data for my application. – Ganesh Kunwar Mar 07 '13 at 10:02
- I suggest you edit the question with the relevant details. – M'vy Mar 07 '13 at 10:03
- I want to know tips for securing my database. – Ganesh Kunwar Mar 07 '13 at 10:06
- Most likely you should just read this: http://security.stackexchange.com/questions/7610/how-to-secure-a-mongodb-instance?rq=1 – Brendan Long Mar 07 '13 at 16:38
1 Answer
For MongoDB I have written this answer.

First, a vulnerability similar to SQL injection can be done in MongoDB or NoSQL databases too, which would be MongoDB injection.

Try to run MongoDB on a different port instead of the default 27017 to avoid exposing it. For official security practices you can always check out http://docs.mongodb.org/manual/administration/security/

It tells the security practices that should be used with a MongoDB server.

MongoDB injection:

It is fully described here for PHP how MongoDB injection can take place in a PHP web app if client-side data is not filtered properly, along with the solution to MongoDB injection too:

http://www.idontplaydarts.com/2010/07/mongodb-is-vulnerable-to-sql-injection-in-php-at-least/

MongoDB null byte injection attack:

http://www.idontplaydarts.com/2011/02/mongodb-null-byte-injection-attacks/

This is also a type of attack that is well written up on this site. Have a look at how certain fields in a Mongo collection can be overwritten using this method; this can be done in any web app.
- Security by obscurity does not exist... changing the port does not automatically protect the database. – Matthew Xerri Nov 29 '13 at 11:48
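The operator injection the answer's first link describes, shown as an added example that is not part of the answer or of the linked article: a login filter built straight from a parsed request body beside a hardened version that enforces string types and checks the password outside the query. Body parsers that understand bracket syntax (PHP's `$_POST`, or Express with the extended urlencoded parser) turn `username[$ne]=x` into a nested object, which is what turns a string comparison into an operator expression. The in-memory `findOne`, the toy `hashPassword`, the `InvalidInputError` class and the sample users are all constructed for this demo; a real application would hand the filter to the driver and use bcrypt or argon2 for hashing.

```javascript
// Minimal stand-in for the slice of MongoDB's matcher this demo needs:
// plain equality plus the $ne and $gt operators. Constructed for the
// example; a real driver evaluates nothing locally.
function fieldMatches(stored, cond) {
  if (cond !== null && typeof cond === 'object' && !Array.isArray(cond)) {
    return Object.entries(cond).every(([op, arg]) => {
      if (op === '$ne') return stored !== arg;
      if (op === '$gt') return stored > arg;
      throw new Error(`operator ${op} not modelled here`);
    });
  }
  return stored === cond;
}

// First document matching every field of the filter, or null (in-memory stand-in).
function findOne(collection, filter) {
  return collection.find(doc =>
    Object.entries(filter).every(([field, cond]) => fieldMatches(doc[field], cond))
  ) || null;
}

// Vulnerable: trusts whatever shape the body parser produced, the same way
// array('username' => $_POST['username'], 'password' => $_POST['password'])
// does in PHP. A body of {username: {$ne: ''}, password: {$ne: ''}} matches
// the first user in the collection.
function loginVulnerable(users, body) {
  return findOne(users, { username: body.username, password: body.password });
}

class InvalidInputError extends Error {}

// Accept only plain strings of sane length with no control characters.
function requireSafeString(value, field, maxLen = 256) {
  if (typeof value !== 'string') {
    throw new InvalidInputError(`${field} must be a string, got ${typeof value}`);
  }
  if (value.length === 0 || value.length > maxLen) {
    throw new InvalidInputError(`${field} has invalid length`);
  }
  if (/[\u0000-\u001f\u007f]/.test(value)) {
    throw new InvalidInputError(`${field} contains control characters`);
  }
  return value;
}

// Toy hash so the example runs offline; constructed, not a real KDF.
function hashPassword(pw) {
  return 'h:' + [...pw].map(c => c.charCodeAt(0).toString(16)).join('');
}

// Hardened: the filter only ever contains a validated string, and the
// password is compared against the stored hash in application code rather
// than inside the query document.
function loginHardened(users, body) {
  const username = requireSafeString(body.username, 'username');
  const password = requireSafeString(body.password, 'password');
  const user = findOne(users, { username });
  if (user === null || user.passwordHash !== hashPassword(password)) return null;
  return user;
}

// Defence in depth for any handler: flag request bodies carrying operator
// keys or dotted paths anywhere, so middleware can reject them up front.
function containsOperatorKey(value) {
  if (Array.isArray(value)) return value.some(containsOperatorKey);
  if (value === null || typeof value !== 'object') return false;
  return Object.entries(value).some(
    ([k, v]) => k.startsWith('$') || k.includes('.') || containsOperatorKey(v)
  );
}

// Constructed sample data; plaintext and hash both stored so that both
// handlers can run against the same collection.
const USERS = [
  { username: 'admin', password: 'admin-secret', passwordHash: hashPassword('admin-secret') },
  { username: 'alice', password: 'alice-secret', passwordHash: hashPassword('alice-secret') },
];
const honestBody = { username: 'alice', password: 'alice-secret' };
const injectedBody = { username: { $ne: '' }, password: { $ne: '' } };

function demo() {
  const out = {
    vulnerableHonest: loginVulnerable(USERS, honestBody)?.username ?? null,
    vulnerableInjected: loginVulnerable(USERS, injectedBody)?.username ?? null,
    hardenedHonest: loginHardened(USERS, honestBody)?.username ?? null,
  };
  try {
    loginHardened(USERS, injectedBody);
    out.hardenedInjected = 'accepted';
  } catch (e) {
    out.hardenedInjected = e instanceof InvalidInputError ? 'rejected' : 'error';
  }
  out.scannerFlagsInjected = containsOperatorKey(injectedBody);
  out.scannerFlagsHonest = containsOperatorKey(honestBody);
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the vulnerable handler returning `admin` for the injected body while the hardened one rejects it before any query is built; the body scanner is the cheap extra layer to put in front of every handler, since the type check only protects the fields you remembered to validate.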