An open tool architecture for security testing of NoSQL-based applications

Abdullah Algarni; Fawaz Alsolami; Fathy Eassa; Khalid Alsubhi; Kamal Jambi; Maher Khemakhem

doi:10.1109/AICCSA.2017.44

An open tool architecture for security testing of NoSQL-based applications

Abdullah Algarni
, Fawaz Alsolami
, Fathy Eassa
, Khalid Alsubhi
, Kamal Jambi
, Maher Khemakhem

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

2 Scopus citations

Abstract

Injection attacks remain yet one of the major challenges in non-relational data stores or NoSQL databases. Indeed, such databases are intended to store big data and are classified into four categories; Key-values Stores, Wide Column Stores, Document Stores, and Graph Databases. The different vulnerabilities of these NoSQL databases have attracted many researchers to attempt solving or mitigating this problem. Unfortunately, extensive experiments have revealed that all proposed approaches and techniques are away from the expectations. This is due mainly to their focusing only either on some parts of the problem or on a specific NoSQL engine. In this paper, we propose an open tool architecture which can take into consideration any NoSQL engines belonging to the four data stores categories whatever the programming language used. The proposed tool architecture is able to detect first vulnerable statements in the static mode on the developer side. Second, it detects also automatically injection attacks during run-time on the server side thanks to the added instrumenting statements during the first control (static mode). The easy expansion and adaptation of the proposed tool to any NoSQL engine and/or any kind of attacks and/or programming languages makes it very attractive compared the existing ones. Indeed nowadays, we observe the emergence of new kinds of attacks once a new security approach or framework or technique is proposed.

Original language	English
Title of host publication	Proceedings - 2017 IEEE/ACS 14th International Conference on Computer Systems and Applications, AICCSA 2017
Publisher	IEEE Computer Society
Pages	220-225
Number of pages	6
ISBN (Electronic)	9781538635810
DOIs	https://doi.org/10.1109/AICCSA.2017.44
State	Published - 2 Jul 2017
Externally published	Yes
Event	14th IEEE/ACS International Conference on Computer Systems and Applications, AICCSA 2017 - Hammamet, Tunisia Duration: 30 Oct 2017 → 3 Nov 2017

Publication series

Name	Proceedings of IEEE/ACS International Conference on Computer Systems and Applications, AICCSA
Volume	2017-October
ISSN (Print)	2161-5322
ISSN (Electronic)	2161-5330

Conference

Conference	14th IEEE/ACS International Conference on Computer Systems and Applications, AICCSA 2017
Country/Territory	Tunisia
City	Hammamet
Period	30/10/17 → 3/11/17

Bibliographical note

Publisher Copyright:
© 2017 IEEE.

Keywords

Injection attacks
NoSQL databases
Security testing

ASJC Scopus subject areas

Control and Systems Engineering
Signal Processing
Hardware and Architecture
Computer Science Applications
Computer Networks and Communications
Electrical and Electronic Engineering

Access to Document

10.1109/AICCSA.2017.44

Cite this

Algarni, A., Alsolami, F., Eassa, F., Alsubhi, K., Jambi, K., & Khemakhem, M. (2017). An open tool architecture for security testing of NoSQL-based applications. In Proceedings - 2017 IEEE/ACS 14th International Conference on Computer Systems and Applications, AICCSA 2017 (pp. 220-225). (Proceedings of IEEE/ACS International Conference on Computer Systems and Applications, AICCSA; Vol. 2017-October). IEEE Computer Society. https://doi.org/10.1109/AICCSA.2017.44

Algarni, Abdullah ; Alsolami, Fawaz ; Eassa, Fathy et al. / An open tool architecture for security testing of NoSQL-based applications. Proceedings - 2017 IEEE/ACS 14th International Conference on Computer Systems and Applications, AICCSA 2017. IEEE Computer Society, 2017. pp. 220-225 (Proceedings of IEEE/ACS International Conference on Computer Systems and Applications, AICCSA).

@inproceedings{a719b880271748bbb8153cd64af29245,

title = "An open tool architecture for security testing of NoSQL-based applications",

abstract = "Injection attacks remain yet one of the major challenges in non-relational data stores or NoSQL databases. Indeed, such databases are intended to store big data and are classified into four categories; Key-values Stores, Wide Column Stores, Document Stores, and Graph Databases. The different vulnerabilities of these NoSQL databases have attracted many researchers to attempt solving or mitigating this problem. Unfortunately, extensive experiments have revealed that all proposed approaches and techniques are away from the expectations. This is due mainly to their focusing only either on some parts of the problem or on a specific NoSQL engine. In this paper, we propose an open tool architecture which can take into consideration any NoSQL engines belonging to the four data stores categories whatever the programming language used. The proposed tool architecture is able to detect first vulnerable statements in the static mode on the developer side. Second, it detects also automatically injection attacks during run-time on the server side thanks to the added instrumenting statements during the first control (static mode). The easy expansion and adaptation of the proposed tool to any NoSQL engine and/or any kind of attacks and/or programming languages makes it very attractive compared the existing ones. Indeed nowadays, we observe the emergence of new kinds of attacks once a new security approach or framework or technique is proposed.",

keywords = "Injection attacks, NoSQL databases, Security testing",

author = "Abdullah Algarni and Fawaz Alsolami and Fathy Eassa and Khalid Alsubhi and Kamal Jambi and Maher Khemakhem",

note = "Publisher Copyright: {\textcopyright} 2017 IEEE.; 14th IEEE/ACS International Conference on Computer Systems and Applications, AICCSA 2017 ; Conference date: 30-10-2017 Through 03-11-2017",

year = "2017",

month = jul,

day = "2",

doi = "10.1109/AICCSA.2017.44",

language = "English",

series = "Proceedings of IEEE/ACS International Conference on Computer Systems and Applications, AICCSA",

publisher = "IEEE Computer Society",

pages = "220--225",

booktitle = "Proceedings - 2017 IEEE/ACS 14th International Conference on Computer Systems and Applications, AICCSA 2017",

address = "United States",

}

Algarni, A, Alsolami, F, Eassa, F, Alsubhi, K, Jambi, K & Khemakhem, M 2017, An open tool architecture for security testing of NoSQL-based applications. in Proceedings - 2017 IEEE/ACS 14th International Conference on Computer Systems and Applications, AICCSA 2017. Proceedings of IEEE/ACS International Conference on Computer Systems and Applications, AICCSA, vol. 2017-October, IEEE Computer Society, pp. 220-225, 14th IEEE/ACS International Conference on Computer Systems and Applications, AICCSA 2017, Hammamet, Tunisia, 30/10/17. https://doi.org/10.1109/AICCSA.2017.44

An open tool architecture for security testing of NoSQL-based applications. / Algarni, Abdullah; Alsolami, Fawaz; Eassa, Fathy et al.
Proceedings - 2017 IEEE/ACS 14th International Conference on Computer Systems and Applications, AICCSA 2017. IEEE Computer Society, 2017. p. 220-225 (Proceedings of IEEE/ACS International Conference on Computer Systems and Applications, AICCSA; Vol. 2017-October).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - An open tool architecture for security testing of NoSQL-based applications

AU - Algarni, Abdullah

AU - Alsolami, Fawaz

AU - Eassa, Fathy

AU - Alsubhi, Khalid

AU - Jambi, Kamal

AU - Khemakhem, Maher

PY - 2017/7/2

Y1 - 2017/7/2

N2 - Injection attacks remain yet one of the major challenges in non-relational data stores or NoSQL databases. Indeed, such databases are intended to store big data and are classified into four categories; Key-values Stores, Wide Column Stores, Document Stores, and Graph Databases. The different vulnerabilities of these NoSQL databases have attracted many researchers to attempt solving or mitigating this problem. Unfortunately, extensive experiments have revealed that all proposed approaches and techniques are away from the expectations. This is due mainly to their focusing only either on some parts of the problem or on a specific NoSQL engine. In this paper, we propose an open tool architecture which can take into consideration any NoSQL engines belonging to the four data stores categories whatever the programming language used. The proposed tool architecture is able to detect first vulnerable statements in the static mode on the developer side. Second, it detects also automatically injection attacks during run-time on the server side thanks to the added instrumenting statements during the first control (static mode). The easy expansion and adaptation of the proposed tool to any NoSQL engine and/or any kind of attacks and/or programming languages makes it very attractive compared the existing ones. Indeed nowadays, we observe the emergence of new kinds of attacks once a new security approach or framework or technique is proposed.

AB - Injection attacks remain yet one of the major challenges in non-relational data stores or NoSQL databases. Indeed, such databases are intended to store big data and are classified into four categories; Key-values Stores, Wide Column Stores, Document Stores, and Graph Databases. The different vulnerabilities of these NoSQL databases have attracted many researchers to attempt solving or mitigating this problem. Unfortunately, extensive experiments have revealed that all proposed approaches and techniques are away from the expectations. This is due mainly to their focusing only either on some parts of the problem or on a specific NoSQL engine. In this paper, we propose an open tool architecture which can take into consideration any NoSQL engines belonging to the four data stores categories whatever the programming language used. The proposed tool architecture is able to detect first vulnerable statements in the static mode on the developer side. Second, it detects also automatically injection attacks during run-time on the server side thanks to the added instrumenting statements during the first control (static mode). The easy expansion and adaptation of the proposed tool to any NoSQL engine and/or any kind of attacks and/or programming languages makes it very attractive compared the existing ones. Indeed nowadays, we observe the emergence of new kinds of attacks once a new security approach or framework or technique is proposed.

KW - Injection attacks

KW - NoSQL databases

KW - Security testing

UR - https://www.scopus.com/pages/publications/85046104209

U2 - 10.1109/AICCSA.2017.44

DO - 10.1109/AICCSA.2017.44

M3 - Conference contribution

AN - SCOPUS:85046104209

T3 - Proceedings of IEEE/ACS International Conference on Computer Systems and Applications, AICCSA

SP - 220

EP - 225

BT - Proceedings - 2017 IEEE/ACS 14th International Conference on Computer Systems and Applications, AICCSA 2017

PB - IEEE Computer Society

T2 - 14th IEEE/ACS International Conference on Computer Systems and Applications, AICCSA 2017

Y2 - 30 October 2017 through 3 November 2017

ER -

Algarni A, Alsolami F, Eassa F, Alsubhi K, Jambi K, Khemakhem M. An open tool architecture for security testing of NoSQL-based applications. In Proceedings - 2017 IEEE/ACS 14th International Conference on Computer Systems and Applications, AICCSA 2017. IEEE Computer Society. 2017. p. 220-225. (Proceedings of IEEE/ACS International Conference on Computer Systems and Applications, AICCSA). doi: 10.1109/AICCSA.2017.44

An open tool architecture for security testing of NoSQL-based applications

Abstract

Publication series

Conference

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this