Written by Pete Corey on Mar 21, 2016.

Last month I was lucky enough to be able to attend and speak at the first ever Crater Remote Conference!

I gave a talk entitled “NoSQL Injection in Modern Web Applications”. The talk was heavily focused on exploiting NoSQL injection vulnerabilities in applications using MongoDB. The bulk of the talk was spent in a hands-on demo showing how a malicious user could approach and attack a Meteor application vulnerable to these types of attacks.

Check out a recording of the presentation below, and be sure to watch a few of these highlights!

02:41 - Why security?
04:57 - What is “NoSQL Injection”?
12:25 - Grabbing all products by exploiting a publication.
17:36 - Getting all carts by exploiting a publication.
20:20 - Getting all carts through a .findOne query.
23:42 - Removing all user carts in the system.
25:26 - Modifying product prices.
29:40 - Escalating myself to admin level permissions.
34:55 - MongoDB denial of service through a .find query.
38:55 - How do we fix it?
42:30 - Why pick on MongoDB?
44:10 - Are other NoSQL databases safe?
47:40 - Q&A with Josh Owens.

At the end of the talk, I linked to Rob Conery’s Meteor Shop. You may also be interested in his fantastic PluralSight course on building the application from the ground up.

I also linked to my own package, Check Checker (east5th:check-checker), which helps you find methods and publications within your Meteor application that aren’t being thoroughly checked.

I had a blast watching the Crater Conf talks this year, and I’m looking forward to the next conference!