CouchDB Injection Active Scan Rules for OWASP ZAP
Matteo Pappada'
Supervisor: Riccardo Sisto. Politecnico di Torino, Master's degree programme in Ingegneria Informatica (Computer Engineering), 2021
- Thesis
License: Creative Commons Attribution Non-commercial No Derivatives.
Abstract
This thesis consists of the development of an add-on for the OWASP ZAP program, useful for performing a vulnerability analysis of the NoSQL database called CouchDB. CouchDB is a document-oriented NoSQL database whose documents are based on the JSON format, and it is written in Erlang. Its main known vulnerabilities are:
- Query injection, which, if executed in a certain way, can lead to a password bypass in a login page, but also to the exposure of secret database documents.
- The creation of users with admin privileges, where, thanks to the difference between the JSON parser of Erlang and the one of JavaScript, any user can create an administrator profile for the database, leading to the exposure of the whole infrastructure.
OWASP ZAP was chosen as the program in which to develop the analysis of these vulnerabilities, because it is one of the most widely used programs in the cybersecurity world for the analysis of web applications.