This is a video from Crater Remote Conference on the topic "NoSQL Injection in Modern Web Applications". Using a Meteor application as the example, it demonstrates the ways an attacker can inject into the application and obtain unauthorized information, and walks through the security concerns specific to Meteor applications.
02:41 - Why security?
04:57 - What is “NoSQL Injection”?
12:25 - Grabbing all products by exploiting a publication.
17:36 - Getting all carts by exploiting a publication.
20:20 - Getting all carts through a .findOne query.
23:42 - Removing all user carts in the system.
25:26 - Modifying product prices.
29:40 - Escalating myself to admin level permissions.
34:55 - MongoDB denial of service through a .find query.
38:55 - How do we fix it?
42:30 - Why pick on MongoDB?
44:10 - Are other NoSQL databases safe?
47:40 - Q&A with Josh Owens.
Finally, the author presents a package he created, Check Checker (east5th:check-checker), which helps you find the methods and publications in your application whose arguments are not carefully checked.