Conference: Annual Midwest Instruction and Computing Symposium

Comparing NoSQL and SQL Database Systems Based on Vulnerability to Injection and Adequacy of Countermeasures


Abstract

Databases are an integral part of the internet, since storage of data is important for applications and websites. Hence, it is of the highest priority that these databases are kept as secure as possible. SQL Injections (SQLi) [11] involve the permeation of SQL databases, such as MySQL, by strings containing SQL keywords that are injected into queries, usually through an online form. NoSQL Injections (NoSQLi) are similar, but they are used to permeate NoSQL databases such as MongoDB. To fully understand the threat that SQLi and NoSQLi pose to their respective databases, two identical websites were created, one using a MySQL database and the other using MongoDB. Attacks were made against these websites through an online login form. Different injection techniques were used on both websites, and the relative ease with which each attack took place was documented. It was found that without proper measures, i.e. the sanitization of strings, both were equally susceptible, and that simple countermeasures could be used to prevent a wide array of attacks.