DeepSec 2022 Talk: Cypher Query Injection – The New “SQL Injection” We Aren’t Aware Of – Noy Pearl
How often do you hear about injections? Probably a lot. Most of them are probably familiar to you, and chances are that you are tired of hearing about another SQL injection that was recently found. Graph Databases (e.g. Neo4j, RedisGraph, Amazon Neptune), which are becoming increasingly popular, don’t use SQL, but you can still achieve an injection and even go beyond that.
We are going to learn how, by manipulating legitimate database functionalities, we are able to leverage an injection in Cypher Query to attack the database (DoS), leak sensitive files (RFI), access protected endpoints (SSRF) and leverage our attack to perform lateral movement and escalate to other machines as well. We’ll sum up with remediation & mitigation steps and show a ready-to-use open-source playground that was created so you could exploit Graph Databases yourself.
We asked Noy Pearl a few more questions about her talk.
Please tell us the top 5 facts about your talk.
- This talk is intended for all audiences – no pre-knowledge is required
- We will understand what Cypher is (it’s not about crypto and it’s not about SQL injection)
- You won’t find a lot of articles about this topic
- After this talk you’ll be able to escalate a simple Cypher injection to cause a lot more damage by combining techniques such as DoS, SSRF, RFI and more
- I will share an open-source app that’ll be vulnerable to Cypher injections as a playground for you to understand it practically – in case you fell asleep during my talk
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
I discovered Cypher, which is a query language, in my day-to-day work, but when I found out that you can actually have an injection in Cypher, similarly to an injection in SQL, I wondered what else a potential attacker could do besides tampering with the database.
I barely found any articles about it so I thought – if a lot of security researchers are not aware of this potential – probably the developers are not aware of this as well, and it might exist in a lot of products nowadays.
Why do you think this is an important topic?
Graph Databases are becoming more and more popular nowadays, so I meet more people who tell me they know the Cypher language. However, I have barely met people who knew that you can have an injection in Cypher, including security researchers and security-aware developers who work daily with Graph Databases and are familiar with writing queries in the Cypher language.
Is there something you want everybody to know – some good advice for our readers maybe?
After my talk, you will know how to find an injection in Cypher in any product that you’ll research and go beyond this simple injection. I’m providing a playground that you can use and my aim is that a few months from my talk there’ll be write-ups about Cypher query injections and most of them will come from you – the people who [hopefully] will watch my talk.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
I discover more and more new Graph Databases nowadays that support Cypher. Since it is becoming a trend and there’s not a lot of information available about the potential of injections in Cypher – I think we’ll see a gradual increase in the number of vendors that support Cypher, with a gradual increase in the number of vendors that adapt to the potential of the injections and provide the required configurations that can help to mitigate a potential Cypher injection attack.
Moreover – I think that gradually – injections in Cypher query language will be a topic that will often be discussed when it comes to security meetings similarly to how SQL Injections are discussed.
Noy is a Security Researcher @ Moon Active. She previously worked as a penetration tester with a focus on web and mobile security. Her main interest is exploring the uncharted territories of less-known attacks & exploitation techniques. She started her speaker journey at BSides (Tel-Aviv), has contributed to the OWASP AppSec IL CTF team as a challenge creator and is interested in everything that the security world has to offer.