Abstract

Recent advances in web applications and cloud computing have created the need to store large amounts of data in databases that provide high availability and scalability. In recent years, a growing number of businesses have adopted various types of non-relational databases, commonly referred to as NoSQL ("Not only SQL") databases, and as the applications they serve emerge, they gain extensive market interest. NoSQL database systems do not use only SQL as a query language and usually do not have a schema. They come with looser consistency models than traditional relational databases, and there are many product vendors for NoSQL database systems (many NoSQL implementations are open source). Currently, NoSQL databases are in the evolutionary stage of their lifecycle, and the possible attacks against NoSQL databases are not well mapped out. On the other hand, many testing tools are not able to detect and prevent these attacks.

This thesis offers a new approach for detecting and preventing injection attacks in web applications. The proposed approach was developed using PHP and applied to five different NoSQL databases: MongoDB, Cassandra, CouchDB, Redis and Amazon DynamoDB. Its detection and prevention capability was also compared with that of the most powerful web application testing tools, namely Netsparker, Vega and Skipfish. According to the scanning results, none of the mentioned tools was able to detect the NoSQL injection attack, whereas the proposed approach, as implemented, was able to detect it.

To be more practical in real web application environments, the proposed approach was implemented as an independent RESTful service. This service can respond to requests in different formats, such as JSON and XML, without depending on any framework. It was tested using "Httpmaster" and a Google Chrome extension called "Advanced REST client".