dnallsopp | 29 Jun 21:12 2011

CQL injection attacks?


Someone asked a while ago whether Cassandra was vulnerable to injection attacks:

http://stackoverflow.com/questions/5998838/nosql-injection-php-phpcassa-cassandra

With Thrift, the answer was 'no'.

With CQL, presumably the situation is different, at least until prepared
statements are possible (CASSANDRA-2475)?

Has there been any discussion on this already that someone could point me to,
please? I couldn't see anything on JIRA (searching for CQL AND injection, CQL
AND security, etc).

Thanks.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

This email and any attachments to it may be confidential and are
intended solely for the use of the individual to whom it is addressed.
If you are not the intended recipient of this email, you must neither
take any action based upon its contents, nor copy or show it to anyone.
Please contact the sender if you believe you have received this email in
error. QinetiQ may monitor email traffic data and also the content of
email for the purposes of security. QinetiQ Limited (Registered in
England & Wales: Company Number: 3796233) Registered office: Cody Technology 
Park, Ively Road, Farnborough, Hampshire, GU14 0LX http://www.qinetiq.com.


Nate McCall | 30 Jun 21:20 2011

Re: CQL injection attacks?

The CQL drivers are all still sitting on top of the execute_cql_query
Thrift API method for now.

On Wed, Jun 29, 2011 at 2:12 PM,  <dnallsopp <at> taz.qinetiq.com> wrote:
>
> Someone asked a while ago whether Cassandra was vulnerable to injection attacks:
>
> http://stackoverflow.com/questions/5998838/nosql-injection-php-phpcassa-cassandra
>
> With Thrift, the answer was 'no'.
>
> With CQL, presumably the situation is different, at least until prepared
> statements are possible (CASSANDRA-2475) ?
>
> Has there been any discussion on this already that someone could point me to,
> please? I couldn't see anything on JIRA (searching for CQL AND injection, CQL
> AND security, etc).
>
> Thanks.
>

Stephen Connolly | 1 Jul 08:58 2011

Re: CQL injection attacks?

nate,

That is not relevant. CQL is a text query that gets parsed. Without parameters you have to build the query by string concatenation. If I give you a string which contains a single quote, unless you have written your app to escape that quote, I can force a corrupted query on you that does something else... CQL injection attacks.

- Stephen
---
Sent from my Android phone, so random spelling mistakes, random nonsense words and other nonsense are a direct result of using swype to type on the screen

On 30 Jun 2011 20:20, "Nate McCall" <nate <at> datastax.com> wrote:
> The CQL drivers are all still sitting on top of the execute_cql_query
> Thrift API method for now.
>
> On Wed, Jun 29, 2011 at 2:12 PM, <dnallsopp <at> taz.qinetiq.com> wrote:
>>
>> Someone asked a while ago whether Cassandra was vulnerable to injection attacks:
>>
>> http://stackoverflow.com/questions/5998838/nosql-injection-php-phpcassa-cassandra
>>
>> With Thrift, the answer was 'no'.
>>
>> With CQL, presumably the situation is different, at least until prepared
>> statements are possible (CASSANDRA-2475) ?
>>
>> Has there been any discussion on this already that someone could point me to,
>> please? I couldn't see anything on JIRA (searching for CQL AND injection, CQL
>> AND security, etc).
>>
>> Thanks.
>>
dnallsopp | 2 Jul 20:17 2011

Re: CQL injection attacks?

Quoting Stephen Connolly <stephen.alan.connolly <at> gmail.com>:

All,

As Stephen said, regardless of the transfer protocol, if the content is parsed,
then there is the potential for attacks.

Just to illustrate; the typical injection pattern is:

String user = getUserName();                                    // untrusted input (web form, UI, ...)
String cql = "select * from users where KEY='" + user + "';";   // spliced straight into the statement text
execute_cql(cql);

Now, if the user string is obtained from an external source (e.g. web form or
other UI), then the attacker may enter a username of:

jsmith'; DROP COLUMNFAMILY 'users

which results in a CQL query of:

select * from users where KEY='jsmith'; DROP COLUMNFAMILY 'users';

Ouch.

See also the obligatory XKCD cartoon: http://xkcd.com/327/

I guess one way to protect against this would be to pre-encode 'tainted' inputs
as hex bytes, e.g. (using the examples from
https://github.com/rantav/hector/wiki/Using-CQL)

update Standard1 set '626972746879656172' = '31393736' WHERE KEY =
'6d796b657931'

instead of

update StandardLong1 set 'birthyear' = '1976' WHERE KEY = 'mykey1'

which ensures that there aren't any single quotes or other dangerous characters
in those inputs - though I'm not sure if this works if you've set
validators/comparators other than BytesType?

> nate,
>
> that is not relevant. cql is a text query that gets parsed. without
> parameters you have to build the query by string concatenation. if i give
> you a string which contains a single quote, unless you have written your app
> to escape that quote, i can force a corrupted query on you that does
> something else. .. cql injection attacks
>
> - Stephen
> ---
> Sent from my Android phone, so random spelling mistakes, random nonsense
> words and other nonsense are a direct result of using swype to type on the
> screen
> On 30 Jun 2011 20:20, "Nate McCall" <nate <at> datastax.com> wrote:
> > The CQL drivers are all still sitting on top of the execute_cql_query
> > Thrift API method for now.
> >
> > On Wed, Jun 29, 2011 at 2:12 PM, <dnallsopp <at> taz.qinetiq.com> wrote:
> >>
> >> Someone asked a while ago whether Cassandra was vulnerable to injection attacks:
> >>
> >> http://stackoverflow.com/questions/5998838/nosql-injection-php-phpcassa-cassandra
> >>
> >> With Thrift, the answer was 'no'.
> >>
> >> With CQL, presumably the situation is different, at least until prepared
> >> statements are possible (CASSANDRA-2475) ?
> >>
> >> Has there been any discussion on this already that someone could point me to,
> >> please? I couldn't see anything on JIRA (searching for CQL AND injection, CQL
> >> AND security, etc).


Eric Evans | 3 Jul 02:12 2011

Re: CQL injection attacks?

On Sat, 2011-07-02 at 19:17 +0100, dnallsopp <at> taz.qinetiq.com wrote:
> Just to illustrate; the typical injection pattern is:
> 
> String user = getUserName()
> String cql = "select * from users where KEY='"+user+"';"
> execute_cql(cql)
> 
> Now, if the user string is obtained from an external source (e.g. web
> form or
> other UI), then the attacker may enter a username of:
> 
> jsmith'; DROP COLUMNFAMILY 'users
> 
> which results in a CQL query of:
> 
> select * from users where KEY='jsmith'; DROP COLUMNFAMILY 'users'; 

No, each CQL query must contain exactly one statement, so this sort of
attack would not work.

And, as a rule of thumb, there are also no statement types that contain
other statements, which would be another common vector for an
injection.  

Now, there are batch statements for INSERT and UPDATE that are
essentially a collection of statements for that type.  That's probably
enough to say that, hypothetically speaking, it's possible in the
presence of an extremely buggy driver implementation, and some very
sloppy client code, for a clever attacker to create a new record (or
overwrite an existing one).

TTBMK, there are currently no drivers with bugs that egregious, so make
use of the driver's parameter substitution, sanitize your input, and you
shouldn't have anything to worry about (there is almost certainly less
risk of an injection attack than with SQL).

-- 
Eric Evans
eevans <at> rackspace.com

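Added example, written for this archive page and not code from the thread, from Cassandra or from Hector: it puts dnallsopp's concatenation pattern and his hex pre-encoding idea beside CQL-literal escaping, and adds the client-side check that follows from Eric's point that a CQL query holds exactly one statement. All function names (build_unsafe, cql_string_literal, hex_literal, count_statements, is_single_statement) are hypothetical helpers; the hostile input is constructed to match the shape discussed above, and the hex values reproduce the Hector wiki examples quoted earlier. The doubled-single-quote escape is CQL's own literal syntax; that the driver applies no escaping of its own is an assumption.

```python
import binascii

# Constructed sample inputs (not taken from the thread): a benign user name
# and one shaped like the hostile value dnallsopp describes.
BENIGN_USER = "jsmith"
HOSTILE_USER = "jsmith'; DROP COLUMNFAMILY 'users"


def build_unsafe(user):
    """The concatenation pattern from the thread: untrusted text is spliced
    straight into the statement, so a quote in it ends the literal early."""
    return "select * from users where KEY='" + user + "';"


def cql_string_literal(value):
    """Render a value as a CQL string literal, doubling any embedded single
    quote (CQL's literal escape). Assumption: the driver does no escaping."""
    return "'" + value.replace("'", "''") + "'"


def build_escaped(user):
    """Same statement, but the input can only ever be the literal's content."""
    return "select * from users where KEY=" + cql_string_literal(user) + ";"


def hex_literal(value):
    """The hex pre-encoding dnallsopp proposes: the UTF-8 bytes as hex digits,
    which contain no quote, semicolon or other syntax character at all."""
    return "'" + binascii.hexlify(value.encode("utf-8")).decode("ascii") + "'"


def build_hex(user):
    return "select * from users where KEY=" + hex_literal(user) + ";"


def count_statements(cql):
    """Count the semicolon-terminated statements outside string literals.

    A client-side mirror of the rule Eric Evans states (one statement per
    query); it only tracks quotes and semicolons, it is not a CQL parser.
    Raises ValueError on an unterminated literal."""
    count = 0
    in_string = False
    pending = False          # non-blank text seen since the last ';'
    i = 0
    while i < len(cql):
        c = cql[i]
        if in_string:
            if c == "'":
                if i + 1 < len(cql) and cql[i + 1] == "'":
                    i += 2   # doubled quote: still inside the literal
                    continue
                in_string = False
        elif c == "'":
            in_string = True
            pending = True
        elif c == ";":
            count += 1
            pending = False
        elif not c.isspace():
            pending = True
        i += 1
    if in_string:
        raise ValueError("unterminated string literal")
    return count + (1 if pending else 0)


def is_single_statement(cql):
    """True only for well-formed text holding exactly one statement."""
    try:
        return count_statements(cql) == 1
    except ValueError:
        return False


if __name__ == "__main__":
    for label, q in (("unsafe", build_unsafe(HOSTILE_USER)),
                     ("escaped", build_escaped(HOSTILE_USER)),
                     ("hex", build_hex(HOSTILE_USER))):
        print(label, count_statements(q), q)
```

With the hostile name, build_unsafe yields two statements, while both the escaped and the hex forms yield one, with the whole input confined to the literal. The hex form only round-trips where the column's validator is BytesType, which is exactly the caveat raised above; the escaped form carries no such restriction. Neither replaces the driver's parameter substitution that Eric recommends; count_statements is a cheap pre-send guard for client code that still builds statement text by hand.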
dnallsopp | 3 Jul 22:23 2011

Re: CQL injection attacks?

Quoting Eric Evans <eevans <at> rackspace.com>:

> On Sat, 2011-07-02 at 19:17 +0100, dnallsopp <at> taz.qinetiq.com wrote:
> > Just to illustrate; the typical injection pattern is:
> > select * from users where KEY='jsmith'; DROP COLUMNFAMILY 'users';
>
> No, each CQL query must contain exactly one statement, so this sort of
> attack would not work.

Excellent, that changes the picture enormously! I guess it might be worth adding
this fact to the preamble of the documentation?

[...]

> TTBMK, there are currently no drivers with bugs that egregious, so make
> use of the driver's parameter substitution, sanitize your input, and you
> shouldn't have anything to worry about (there is almost certainly less
> risk of an injection attack than with SQL).

Thanks very much,

David.

