cassandra-user mailing list archives

From dnalls...@taz.qinetiq.com
Subject Re: CQL injection attacks?
Date Sat, 02 Jul 2011 18:17:20 GMT
Quoting Stephen Connolly <stephen.alan.connolly@gmail.com>:

All,

As Stephen said, regardless of the transfer protocol, if the content is parsed,
then there is the potential for attacks.

Just to illustrate, the typical injection pattern is:

String user = getUserName();                                   // untrusted input
String cql = "select * from users where KEY='" + user + "';";  // query built by concatenation
execute_cql(cql);

Now, if the user string is obtained from an external source (e.g. web form or
other UI), then the attacker may enter a username of:

jsmith'; DROP COLUMNFAMILY 'users

which results in a CQL query of:

select * from users where KEY='jsmith'; DROP COLUMNFAMILY 'users';

Ouch.

See also the obligatory XKCD cartoon: http://xkcd.com/327/

I guess one way to protect against this would be to pre-encode 'tainted' inputs
as hex bytes, e.g. (using the examples from
https://github.com/rantav/hector/wiki/Using-CQL)

update Standard1 set '626972746879656172' = '31393736' WHERE KEY =
'6d796b657931'

instead of

update StandardLong1 set 'birthyear' = '1976' WHERE KEY = 'mykey1'

which ensures that there aren't any single quotes or other dangerous characters
in those inputs - though I'm not sure if this works if you've set
validators/comparators other than BytesType?

> Nate,
>
> That is not relevant. CQL is a text query that gets parsed. Without
> parameters you have to build the query by string concatenation. If I give
> you a string which contains a single quote, unless you have written your app
> to escape that quote, I can force a corrupted query on you that does
> something else... CQL injection attacks.
>
> - Stephen
> ---
> Sent from my Android phone, so random spelling mistakes, random nonsense
> words and other nonsense are a direct result of using swype to type on the
> screen
> On 30 Jun 2011 20:20, "Nate McCall" <nate@datastax.com> wrote:
> > The CQL drivers are all still sitting on top of the execute_cql_query
> > Thrift API method for now.
> >
> > On Wed, Jun 29, 2011 at 2:12 PM, <dnallsopp@taz.qinetiq.com> wrote:
> >>
> >> Someone asked a while ago whether Cassandra was vulnerable to injection
> >> attacks:
> >>
> >> http://stackoverflow.com/questions/5998838/nosql-injection-php-phpcassa-cassandra
> >>
> >> With Thrift, the answer was 'no'.
> >>
> >> With CQL, presumably the situation is different, at least until prepared
> >> statements are possible (CASSANDRA-2475)?
> >>
> >> Has there been any discussion on this already that someone could point me
> >> to, please? I couldn't see anything on JIRA (searching for CQL AND injection,
> >> CQL AND security, etc).





----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

This email and any attachments to it may be confidential and are
intended solely for the use of the individual to whom it is addressed.
If you are not the intended recipient of this email, you must neither
take any action based upon its contents, nor copy or show it to anyone.
Please contact the sender if you believe you have received this email in
error. QinetiQ may monitor email traffic data and also the content of
email for the purposes of security. QinetiQ Limited (Registered in
England & Wales: Company Number: 3796233) Registered office: Cody Technology 
Park, Ively Road, Farnborough, Hampshire, GU14 0LX http://www.qinetiq.com.
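As an added illustration, not part of this message and not code from Cassandra or Hector, the following Python script builds the exact query text from the example above by string concatenation, applies the hex-encoding idea from the message to the same tainted value, and counts how many ';'-terminated statements each query string contains. The statement counter is an assumption of the example: it ignores ';' inside single-quoted literals and treats a doubled '' inside a literal as an escaped quote. Nothing is sent to a cluster; it only shows what the parser would be handed.

```python
"""Added example, not code from the mailing-list post or from Cassandra/Hector.

Builds the CQL text of the injection shown in the thread by string
concatenation, applies the hex-encoding workaround the post proposes to
the same tainted value, and counts how many ';'-terminated statements
each query string contains.

Assumption (not from the page): count_statements ignores ';' inside
single-quoted literals and treats '' inside a literal as an escaped
quote. Nothing here talks to a cluster; only query text is produced.
"""
import binascii

# Attacker-supplied username, exactly as given in the post.
ATTACKER_INPUT = "jsmith'; DROP COLUMNFAMILY 'users"


def build_unsafe(user):
    """Vulnerable pattern from the post: tainted input concatenated into CQL."""
    return "select * from users where KEY='" + user + "';"


def hex_encode(value):
    """Pre-encode a tainted value as hex bytes (the post's suggested workaround).
    The result can only contain [0-9a-f], so it can never close the literal."""
    return binascii.hexlify(value.encode("utf-8")).decode("ascii")


def hex_decode(hexstr):
    """Inverse of hex_encode, for reading values back out of a BytesType column."""
    return binascii.unhexlify(hexstr).decode("utf-8")


def build_hex(user):
    """Same query shape as build_unsafe, but the literal holds the hex form."""
    return "select * from users where KEY='" + hex_encode(user) + "';"


def is_hex_literal(value):
    """True if value could have come from hex_encode (so it carries no quotes)."""
    return len(value) % 2 == 0 and all(c in "0123456789abcdef" for c in value)


def count_statements(cql):
    """Count statements the way a parser would see them: ';' terminates a
    statement only outside a single-quoted literal; '' inside a literal is an
    escaped quote (assumed grammar, see module docstring)."""
    count = 0
    in_literal = False
    i = 0
    while i < len(cql):
        ch = cql[i]
        if in_literal:
            if ch == "'":
                if i + 1 < len(cql) and cql[i + 1] == "'":
                    i += 1          # skip the second half of an escaped ''
                else:
                    in_literal = False
        elif ch == "'":
            in_literal = True
        elif ch == ";":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    unsafe = build_unsafe(ATTACKER_INPUT)
    safe = build_hex(ATTACKER_INPUT)
    print("concatenated:", unsafe, "->", count_statements(unsafe), "statement(s)")
    print("hex-encoded: ", safe, "->", count_statements(safe), "statement(s)")
    # The hex strings from the Hector wiki example decode to the plain values.
    print(hex_decode("626972746879656172"), hex_decode("31393736"),
          hex_decode("6d796b657931"))
```

The hex form only helps where the column's validator or comparator accepts raw bytes, which is the open question the message itself raises; the script does not check that, it only shows that the encoded literal can no longer terminate the string or the statement.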
