Questions tagged [mongodb] (47 questions)
MongoDB is a scalable, high-performance, open source, document-oriented database. It supports a large number of languages and application development platforms.
[28 votes, 3 answers] How to secure a MongoDB instance?
Does anybody have experience with securing/hardening MongoDB server? Check lists or guides would be welcome.
asked by AaronS (2,575 rep)
[22 votes, 4 answers] What type of attacks can be used vs MongoDB?
I'm starting to learn MongoDB and was curious if it was susceptible to some type of injection attack similar to SQLi. Due to the nature of the DB, I don't think you can inject into it but... What other type of attacks can be leveraged against…
asked by Digital fire (3,126 rep)
[11 votes, 2 answers] MongoDB NoSQL injection in python code
Here is the code snippet for accessing MongoDB.
from pymongo import MongoClient
import cgi

form = cgi.FieldStorage()  # assumed: 'form' is not defined in the excerpt
client = MongoClient()
db = client.test_database
collection = db.test
# Get data from fields
condition = form.getvalue('name')
if condition:
    # user input is concatenated straight into server-side JavaScript
    where = {"$where": "this.name == '"+condition+"'"…
asked by Yang Yu (439 rep)
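The injection point in the question above is the string concatenation into $where. The following is an added example (not code from the question or from pymongo) that puts the vulnerable filter builder next to a hardened one; it builds the filter documents only and never connects to a server, so pymongo is not imported. The JSON-body variant ({"name": {"$ne": null}}) is the operator-injection form of the same problem and is handled by the same validator. Function names and the sample inputs are constructed for the example.

```python
"""NoSQL injection in pymongo-style filters: the question's $where build next to
a hardened equality filter. Constructed example; runs offline (no pymongo)."""
import json


def where_filter_vulnerable(name):
    """Mirrors the question's code: user input spliced into server-side JavaScript.
    A closing quote in the input ends the string literal, and everything after it
    is evaluated as JS, so the payload  ' || '1'=='1  matches every document."""
    return {"$where": "this.name == '" + name + "'"}


def contains_operator(value):
    """True if any key in a (nested) JSON value starts with '$'.
    A JSON body such as {"name": {"$ne": null}} is the JavaScript-free form of
    the attack: the operator object reaches the driver untouched and matches
    every document that has a name field at all."""
    if isinstance(value, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False


def name_filter_safe(raw):
    """Hardened version: accept only a string and pass it as a plain equality match.
    The driver serializes the value as a BSON string, so no quoting and no JS
    is involved and the payload is just a name nobody has."""
    if not isinstance(raw, str):
        raise TypeError("name must be a string, got %s" % type(raw).__name__)
    return {"name": raw}


def parse_lookup(body):
    """Parse a JSON request body {"name": ...} the way a JSON API would, reject
    anything carrying a $-operator or a non-string name, and build the filter."""
    doc = json.loads(body)
    if contains_operator(doc):
        raise ValueError("query operators are not allowed in user input")
    return name_filter_safe(doc.get("name"))


if __name__ == "__main__":
    payload = "' || '1'=='1"          # constructed attacker input
    print("vulnerable:", where_filter_vulnerable(payload))
    print("hardened:  ", name_filter_safe(payload))
    print("json body: ", parse_lookup('{"name": "alice"}'))
```

The hardened path removes the need for $where entirely; if server-side JavaScript is not used anywhere else, disabling it on the server (security.javascriptEnabled: false) closes this class of bug regardless of application code.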
[11 votes, 2 answers] Encrypting with Mongo
How can I achieve the following goals?
All compute and storage to be located in the cloud.
Encryption in transit of all data between web nodes and db nodes running MongoDB.
How to set up tunnels? Which protocols/tools?
Encryption at rest of all…
asked by yfeldblum (2,807 rep)
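Both "How to secure a MongoDB instance?" and "Encrypting with Mongo" above come down to the same handful of mongod.conf settings. The following is an added example of a hardened baseline, not configuration from either question; the interface address and file paths are assumptions, and the key names are the ones documented for MongoDB 4.2 and later (older releases use net.ssl with sslMode and PEMKeyFile instead of net.tls).

```yaml
# mongod.conf: hardened baseline (added example; paths and addresses are assumptions)
net:
  port: 27017
  bindIp: 127.0.0.1,10.10.0.5        # private interface only; never 0.0.0.0 on a host with a public IP
  tls:                                # MongoDB 4.2+; older releases: net.ssl.sslMode / PEMKeyFile / CAFile
    mode: requireTLS                  # refuse plaintext wire-protocol connections from web nodes
    certificateKeyFile: /etc/mongodb/tls/server.pem
    CAFile: /etc/mongodb/tls/ca.pem
    allowConnectionsWithoutCertificates: false   # clients must present a certificate signed by the CA
security:
  authorization: enabled              # no anonymous access; one user per application with minimal roles
  javascriptEnabled: false            # disables $where and other server-side JavaScript
  # Encryption at rest with the WiredTiger encrypted storage engine is Enterprise-only:
  # enableEncryption: true
  # encryptionKeyFile: /etc/mongodb/keyfile
  # Community builds get encryption at rest from the volume instead (LUKS/dm-crypt or an
  # encrypted cloud disk), which protects a stolen disk but not a live, authenticated session.
setParameter:
  authenticationMechanisms: SCRAM-SHA-256   # drop MONGODB-CR and SCRAM-SHA-1
storage:
  dbPath: /var/lib/mongodb
```

After a restart, confirm the listener is only on the intended addresses (for example `ss -lntp | grep 27017` on Linux) and that a client without --tls is refused; the bindIp line is the single most common mistake behind publicly reachable instances.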
[9 votes, 1 answer] Store user passwords in NoSQL database?
I am currently coding the backend of a website and I have not come across an article where this is discussed. I want to store all my application data in MongoDB but I'd like to split out my sensitive user information into a MySQL database. My…
asked by MikeG (193 rep)
[8 votes, 2 answers] Is it safe to expose MongoDB ObjectID to users (e.g. in URI)?
I'm developing a RESTful API using MongoDB as the backend. The easiest thing to do programmatically would be to simply use MongoDB's _id field in the URI, such as:
https://api.example.com/collection/507c7f79bcf86cd7994f6c0e
I know that the ObjectID…
asked by Ben (323 rep)
[8 votes, 4 answers] Security risks of using MongoDB ID vs a counter in URL?
In my Angular app, I use the MongoDB id in the URLs. Are there any security risks to this?
Should I use a counter instead, and then in my DB have some sort of collection that links this counter to the actual ID? So instead of…
asked by userMod2 (181 rep)
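The two questions above ("Is it safe to expose MongoDB ObjectID to users" and "Security risks of using MongoDB ID vs a counter in URL") share one underlying fact: an ObjectId is not random. The following is an added example, not code from either question or from the MongoDB drivers, that decodes the id from the first question's example URI into its documented parts and shows how the ids a single process hands out next are derived from it. The layout assumed is the documented 12-byte one (4-byte timestamp, 5-byte per-process value, 3-byte counter); the pre-3.4 drivers filled the middle five bytes with a 3-byte machine id and 2-byte pid instead of a random value.

```python
"""Decode and predict MongoDB ObjectIds. Constructed example; the sample id is the one
from the question's URI, https://api.example.com/collection/507c7f79bcf86cd7994f6c0e."""
import secrets
from datetime import datetime, timezone

HEX = set("0123456789abcdefABCDEF")


def is_object_id(s):
    """Syntactic check: 24 hex characters."""
    return isinstance(s, str) and len(s) == 24 and all(c in HEX for c in s)


def decode_object_id(hex_id):
    """Split an ObjectId into its documented parts.
    Bytes 0-3: big-endian Unix timestamp (seconds) of creation.
    Bytes 4-8: per-process value (random since driver spec 3.4; machine id + pid before).
    Bytes 9-11: big-endian counter, random start, +1 per id generated by that process."""
    if not is_object_id(hex_id):
        raise ValueError("not an ObjectId: %r" % hex_id)
    raw = bytes.fromhex(hex_id)
    ts = int.from_bytes(raw[0:4], "big")
    return {
        "timestamp": ts,
        "created_utc": datetime.fromtimestamp(ts, tz=timezone.utc),
        "process_part": raw[4:9].hex(),
        "counter": int.from_bytes(raw[9:12], "big"),
    }


def neighbouring_ids(hex_id, count):
    """Ids the same process would produce right after hex_id within the same second:
    same timestamp and process part, counter incremented. For documents inserted in
    a batch this is exactly how 'guess the next record' works, which is why an
    ObjectId in a URI is an identifier, never an authorization token."""
    raw = bytes.fromhex(hex_id)
    counter = int.from_bytes(raw[9:12], "big")
    out = []
    for i in range(1, count + 1):
        nxt = (counter + i) & 0xFFFFFF           # 3-byte counter wraps
        out.append((raw[:9] + nxt.to_bytes(3, "big")).hex())
    return out


def public_handle():
    """If a URL id must be unguessable, store a separate random handle next to _id
    instead of exposing either the ObjectId or a sequential counter. 16 random bytes."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    sample = "507c7f79bcf86cd7994f6c0e"
    print(decode_object_id(sample))
    print(neighbouring_ids(sample, 3))
    print(public_handle())
```

What leaks is the creation time (to the second), a value that ties records to one server process, and an ordering an attacker can walk; what does not leak is anything secret. Whether an id is an ObjectId, a counter or a random handle, every request still has to check that the caller may read that document.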
[6 votes, 2 answers] Isn't MongoDB actually storing plaintext passwords?
According to the documentation at
http://docs.mongodb.org/meta-driver/latest/legacy/implement-authentication-in-driver/:
The driver then runs the authenticate command for the database on which to authenticate.
The authenticate command has the…
asked by Svante (161 rep)
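The legacy driver document the question cites describes the MONGODB-CR mechanism: the server stores md5(username + ":mongo:" + password) and the client proves knowledge of it by answering a nonce with md5(nonce + username + storedHash). The following is an added example, not code from the question or from any driver, that implements both sides of that exchange with the standard library so the consequence is visible: the server verifies with the stored hash alone, so anyone who reads the stored hash can answer the challenge without ever learning the password. The username, password and nonce are constructed for the example.

```python
"""MONGODB-CR challenge-response (MongoDB < 3.0), both sides, to show that the stored
hash is a password-equivalent. Constructed example; no network, no server."""
import hashlib
import hmac


def mongodb_cr_stored_hash(username, password):
    """What a pre-3.0 server keeps in system.users for a MONGODB-CR user:
    md5(username + ":mongo:" + password). Unsalted and not iterated."""
    return hashlib.md5((username + ":mongo:" + password).encode("utf-8")).hexdigest()


def cr_response_key(nonce, username, stored_hash):
    """The 'key' field of the authenticate command: md5(nonce + username + storedHash).
    Note the input is the stored hash, not the password."""
    return hashlib.md5((nonce + username + stored_hash).encode("utf-8")).hexdigest()


def client_authenticate(nonce, username, password):
    """A legitimate driver: derive the stored hash from the password, then answer."""
    return cr_response_key(nonce, username, mongodb_cr_stored_hash(username, password))


def server_verify(nonce, username, stored_hash, key):
    """The server needs nothing but the stored hash to check the answer."""
    return hmac.compare_digest(cr_response_key(nonce, username, stored_hash), key)


def pass_the_hash(nonce, username, stored_hash):
    """An attacker holding a dump of system.users answers the same challenge
    without the password: it is the same computation the driver performs."""
    return cr_response_key(nonce, username, stored_hash)


if __name__ == "__main__":
    user, pwd = "app", "correct horse"          # constructed credentials
    nonce = "2375531c32080ae8"                   # constructed server nonce
    stored = mongodb_cr_stored_hash(user, pwd)
    print("stored hash:", stored)
    print("driver ok:  ", server_verify(nonce, user, stored, client_authenticate(nonce, user, pwd)))
    print("attacker ok:", server_verify(nonce, user, stored, pass_the_hash(nonce, user, stored)))
```

So the answer to the question's title is "not plaintext, but as good as": the hash is the credential, it is the same for a given user and password on every server, and md5 with no salt is trivially cracked offline. MongoDB 3.0 replaced MONGODB-CR with SCRAM-SHA-1 and 4.0 added SCRAM-SHA-256, both of which store a salted, iterated value that cannot be replayed this way; on any current deployment the fix is to restrict authenticationMechanisms to SCRAM-SHA-256 and re-create users that still carry a MONGODB-CR hash.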
[5 votes, 2 answers] How secure is MongoDB wire protocol?
I'm building a JavaFX 2.0 standalone application (it'll be distributed as an .exe) and it opens a connection to a MongoDB instance. The connection is just a standard Mongo connection using the Mongo wire protocol.
Is the Mongo wire protocol secure…
asked by Jon Onstott (155 rep)
[5 votes, 2 answers] MongoDB/Debian server successfully attacked - reason for public ip to get to mongodb server?
I got a mongodb server which from the logfiles got a connection from a remote ip address, though it's obviously not allowed (or to be more precise: the mongod is not bound to any public interface) due to the mongodb configuration file as shown…
asked by Techradar (177 rep)
[5 votes, 0 answers] MongoDB injection, reading and writing to files
I've been playing around with NoSQL and specifically MongoDB injection on a few challenges and my lab. If you have an injection point you can easily enumerate and dump the database. But can you go beyond that, like the many things you can do with a…
asked by Juicy (1,407 rep)
[4 votes, 1 answer] Handling User Permissions Between Front-end and Back-end
We are trying to come up with a permissions/security implementation on our MongoDB backend/Angular front-end environment that accomplishes what we need it to, without being over-bearing or too difficult to build-out/adjust in the future. And, to…
asked by Muirik (171 rep)
[4 votes, 1 answer] Storing UK bank account and sort code in MongoDB database
The company I work for has to send monthly payments to 20 to 50 users at a time. These users can change from month to month. Generally, each user will receive money from us for 2-3 months.
The users complete a form in which they enter their…
asked by Daniel San (143 rep)
[2 votes, 1 answer] Field-level encryption vs disk encryption for PCI compliance
We are in the process of setting up a PCI compliant server (with Firehost's help). We are using MongoDB as our primary database. I am having some concerns about the encryption, though. Are there any advantages of Field-level data encryption over…
asked by Jonathan (121 rep)
[2 votes, 1 answer] What are security practices for NoSQL databases?
I want to know what are the best practices to secure NoSQL databases like MongoDB. How is it possible? Any tips?
asked by Ganesh Kunwar (131 rep)