NoSQL Racket: A Testing Tool for Detecting NoSQL Injection Attacks in Web Applications

A NoSQL injection attack targets interactive Web applications that employ NoSQL database services. These applications accept user inputs and use them to form query statements at runtime. During NoSQL injection attack, an attacker might provide malicious query segments as user input which could resul...

Full description

Saved in:
Bibliographic Details
Published in:International journal of advanced computer science & applications 2017-01, Vol.8 (11)
Main Authors: M., Ahmed, H., Omar, M., Hazem, S., Ahmed
Format: Article
Language:English
Subjects:
Applications programs
Computer science
Information science
Information systems
Queries
Query languages
Relational data bases
Static code analysis
Citations: Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:A NoSQL injection attack targets interactive Web applications that employ NoSQL database services. These applications accept user inputs and use them to form query statements at runtime. During NoSQL injection attack, an attacker might provide malicious query segments as user input which could result in a different database request. In this paper, a testing tool is presented to detect NoSQL injection attacks in web application which is called “NoSQL Racket”. The basic idea of this tool depends on checking the intended structure of the NoSQL query by comparing NoSQL statement structure in code query statement (static code analysis) and runtime query statement (dynamic analysis). But we faced a big challenge, there is no a common query language to drive NoSQL databases like the same way in relational database using SQL as a standardized query language. The proposed tool is tested on four different vulnerable web applications and its effectiveness is compared against three different well known testers, none of them is able to detect any NoSQL Injection attacks. However, the implemented testing tool has the ability to detect the NoSQL injection attacks.
ISSN:2158-107X
2156-5570
DOI:10.14569/IJACSA.2017.081178