Last month I was lucky enough to be able to attend and speak at the first ever Crater Remote Conference!
I gave a talk entitled “NoSQL Injection in Modern Web Applications”. The talk was heavily focused on exploiting NoSQL injection vulnerabilities in applications using MongoDB. The bulk of the talk was spent in a hands-on demo showing how a malicious user could approach and attack a Meteor application vulnerable to these types of attacks.
Check out a recording of the presentation below, and be sure to watch a few of these highlights!
02:41 - Why security?
04:57 - What is “NoSQL Injection”?
12:25 - Grabbing all products by exploiting a publication.
17:36 - Getting all carts by exploiting a publication.
20:20 - Getting all carts through a
23:42 - Removing all user carts in the system.
25:26 - Modifying product prices.
29:40 - Escalating myself to admin level permissions.
34:55 - MongoDB denial of service through a
38:55 - How do we fix it?
42:30 - Why pick on MongoDB?
44:10 - Are other NoSQL databases safe?
47:40 - Q&A with Josh Owens.
I also linked to my own package, Check Checker (east5th:check-checker), which helps you find methods and publications within your Meteor application that aren’t being thoroughly checked.
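As an added illustration of the unchecked publication argument that the talk and Check Checker are concerned with (example code written for this post, not code from the talk or the package): `Products` is a stand-in for a Meteor collection and `check` is a minimal stand-in for Meteor's `check`, so that the snippet runs under plain Node.

```javascript
// Minimal stand-in for Meteor's check(value, pattern). Only the String and
// Number constructors are accepted as patterns here; this is an assumption
// for the example, Meteor's real check() supports far richer patterns.
function check(value, pattern) {
  const ok = (pattern === String && typeof value === "string") ||
             (pattern === Number && typeof value === "number");
  if (!ok) throw new Error("Match error: expected " + pattern.name);
}

// Stand-in for a Meteor collection: find() just records the selector it was
// handed so we can inspect what would have reached MongoDB.
const Products = { find: (selector) => ({ selector }) };

// Vulnerable publication body: the client-supplied argument is dropped
// straight into the selector. A string behaves as intended, but an object
// sent by the client is interpreted by MongoDB as a query document with
// operators, so the subscription can be made to return far more than the
// single product the author expected.
function vulnerableProduct(productId) {
  return Products.find({ _id: productId });
}

// Hardened publication body: check() rejects anything that is not a plain
// string before it can become part of the selector. A publication missing
// this call is exactly what Check Checker reports.
function checkedProduct(productId) {
  check(productId, String);
  return Products.find({ _id: productId });
}

// Returns true when the selector contains a query operator where a literal
// id was expected; handy as a regression assertion in tests.
function selectorHasOperator(cursor) {
  const id = cursor.selector._id;
  return typeof id === "object" && id !== null &&
         Object.keys(id).some((key) => key.startsWith("$"));
}
```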
I had a blast watching the Crater Conf talks this year, and I’m looking forward to the next conference!