
A Survey on Security Threats and Mitigation Strategies for NoSQL Databases

MongoDB as a Use Case

  • Conference paper
  • Information Systems Security (ICISS 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14424)

Abstract

With the advent of IoT devices, cloud computing, affordable mobile devices, social networking sites and other advances in technology, a huge amount of data is being generated. NoSQL databases evolved to provide better storage capability, scalability and improved read and write performance for the enormous volumes of data generated by various systems and continuously read and written by large numbers of users. Initially they were believed to offer better security than traditional relational database management systems (RDBMS), but over time NoSQL databases were also exposed to various security breaches and vulnerabilities. In this paper we study in detail the various security vulnerabilities of MongoDB, along with the need to secure the interfaces used to access MongoDB, and we analyze the corresponding prevention and mitigation strategies. The study can be used as a set of best practices for securing a NoSQL or MongoDB database: it describes how to secure the queries and all the interfaces that are used to access the database.



Corresponding author

Correspondence to Surabhi Dwivedi.


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Dwivedi, S., Balaji, R., Ampatt, P., Sudarsan, S.D. (2023). A Survey on Security Threats and Mitigation Strategies for NoSQL Databases. In: Muthukkumarasamy, V., Sudarsan, S.D., Shyamasundar, R.K. (eds) Information Systems Security. ICISS 2023. Lecture Notes in Computer Science, vol 14424. Springer, Cham. https://doi.org/10.1007/978-3-031-49099-6_4

  • DOI: https://doi.org/10.1007/978-3-031-49099-6_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-49098-9

  • Online ISBN: 978-3-031-49099-6

  • eBook Packages: Computer Science (R0)