Making Mongo Cry - Attacking NoSQL for Pen Testers

DerbyCon 4.0 - Family Rootz

Presented by: Russell Butturini
Date: Saturday September 27, 2014
Time: 09:00 - 09:50
Location: Track 4

NoSQL databases continue to grow in popularity due to their scalability, dynamic data structures, ease of development and cloud readiness. As these types of databases become more prevalent, penetration testers need to understand how these databases work, how applications interact with them, and where the inherent weaknesses of NoSQL databases lie. This presentation is targeted towards penetration testers and focuses on putting the theoretical attacks researchers have discussed into practice during a penetration testing engagement. It will discuss weaknesses, with a particular focus on MongoDB, how to quickly and easily exploit them, and where the high-value targets in the system are post-exploitation. NoSQLMap, a Python tool written for automatically stealing data from NoSQL database servers and web applications, will also be demoed.

Russell Butturini


KhanFu - Mobile schedules for INFOSEC conferences.