Grab a moment and catch Wallarm CEO Ivan Novikov at SyScan 360 which is about to start in hot Singapore. His talk on Key-value injections here! will be on the second day of the conference.
This paper is continuation of memcached injections research presented at BlackHat USA 2014.
The paper presents two main areas of research: input validation vulnerabilities at different key-value clients for popular platforms (c, java, lua, node.js, php, perl, python and ruby) and vulnerabilities inside their engines. Special attention is paid for to the sandboxes inside services.
As a result author found a way to do something like “SQL Injection attacks”, but for key-value storages. Such an attack in practice leads to different effects from authentication bypass to execution of arbitrary interpreter’s code. It’s real world problem found on security audits and existing at different popular web applications
