Re: SQL Injection C* (via CQL Thrift)

2013-06-20 Thread aaron morton
Date: Tuesday, June 18, 2013 8:51 AM To: user@cassandra.apache.org user@cassandra.apache.org Subject: Re: SQL Injection C* (via CQL Thrift) If you're not careful, then CQL injection is possible. Say you naively build your query with UPDATE foo SET col=' + user_input + ' WHERE key = 'k

Re: SQL Injection C* (via CQL Thrift)

2013-06-20 Thread Robert Coli
On Thu, Jun 20, 2013 at 2:15 AM, aaron morton aa...@thelastpickle.com wrote: As for the thrift side (i.e. using Hector or Astyanax), anyone have a crafty way to inject something? The only thing I've ever heard of coming close was a thrift bug that allowed a malformed request to crash the

Re: SQL Injection C* (via CQL Thrift)

2013-06-20 Thread Edward Capriolo
My first interaction with cassandra: ../nodeprobe -p 9160 ... Hum I can't seem to reach it :) Ow, it's no longer running... You've come a long way baby. On Thu, Jun 20, 2013 at 12:59 PM, Robert Coli rc...@eventbrite.com wrote: On Thu, Jun 20, 2013 at 2:15 AM, aaron morton aa...@thelastpickle.com

SQL Injection C* (via CQL Thrift)

2013-06-18 Thread Brian O'Neill
Mostly for fun, I wanted to throw this out there... We are undergoing a security audit for our platform (C* + Elastic Search + Storm). One component of that audit is susceptibility to SQL injection. I was wondering if anyone has attempted to construct a SQL injection attack against Cassandra?

Re: SQL Injection C* (via CQL Thrift)

2013-06-18 Thread Sylvain Lebresne
If you're not careful, then CQL injection is possible. Say you naively build your query with UPDATE foo SET col=' + user_input + ' WHERE key = 'k' then if user_input is foo' AND col2='bar, your user will have overwritten a column it shouldn't have been able to. And something equivalent in a
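The concatenation pattern above, worked through as an added example that is not part of the thread or of Cassandra itself. The table and column names (foo, col, col2, key) are the ones from the post; the injected value is the one Sylvain gives, written with the comma that CQL3 uses between SET assignments; the quoting helper and the diagnostic that lists which columns a statement actually writes are assumptions made for this example, not driver or server code.

```python
import re

# Vulnerable builder: the raw concatenation pattern quoted in the post.
def naive_update(user_input, key="k"):
    return "UPDATE foo SET col='" + user_input + "' WHERE key = '" + key + "'"

def cql_quote(value):
    # A CQL string literal escapes an embedded single quote by doubling it,
    # so a quoted value can never terminate the literal early.
    return "'" + value.replace("'", "''") + "'"

# Hardened builder for the cases where you genuinely must emit text (a CQL
# script, a log of statements). Against a live session, bind parameters to a
# prepared statement instead of building strings at all.
def escaped_update(user_input, key="k"):
    return "UPDATE foo SET col=" + cql_quote(user_input) + " WHERE key = " + cql_quote(key)

# One CQL string literal, honouring the '' escape.
_LITERAL = re.compile(r"'(?:[^']|'')*'")

def assigned_columns(statement):
    # Diagnostic for this example: blank out every string literal, then list
    # the column names assigned between SET and WHERE. Any column beyond the
    # one the code meant to write was smuggled in through the input.
    blanked = _LITERAL.sub("''", statement)
    m = re.search(r"\bSET\b(.*?)\bWHERE\b", blanked, re.I | re.S)
    if not m:
        return []
    return re.findall(r"(\w+)\s*=", m.group(1))

# Constructed attacker input (from the post, comma-separated for CQL3).
INJECTED = "foo', col2='bar"

if __name__ == "__main__":
    for build in (naive_update, escaped_update):
        stmt = build(INJECTED)
        print(build.__name__, "->", stmt)
        print("  columns written:", assigned_columns(stmt))
```

Run as-is, the naive builder yields a statement that writes both col and col2, while the escaped builder stores the whole attacker string, quotes included, in col only. With the DataStax Python driver the equivalent of the escaped path is session.prepare("UPDATE foo SET col=? WHERE key=?") followed by session.execute(prepared, (user_input, key)); the value then travels as a bound parameter and is never parsed as CQL.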

Re: SQL Injection C* (via CQL Thrift)

2013-06-18 Thread Brian O'Neill
From: Sylvain Lebresne sylv...@datastax.com Reply-To: user@cassandra.apache.org Date: Tuesday, June 18, 2013 8:51 AM To: user@cassandra.apache.org user@cassandra.apache.org Subject: Re: SQL Injection C* (via CQL Thrift) If you're not careful, then CQL injection is possible. Say you naively