Reputation: 77
Are there any vulnerabilities in graph databases (specifically Neo4j v2.0) like SQL injection in SQL-based databases, and how do you overcome them when implementing?
Upvotes: 2
Views: 1251
Reputation: 1318
There is no known vulnerability in Neo4j or other NoSQL database systems right now, but I would like to say security holes are usually related to the application that works with the database system. I mean Neo4j can be secure by itself, but SQL injection and other such things are related to the application.
For instance, if you don't check whether user input is an array or not, then attackers can manage to do SQL injection via NoSQL injection techniques. Further information: https://www.owasp.org/index.php/Testing_for_NoSQL_injection
Also you should be sure about server-side security; I mean you should answer these kinds of questions: Is Neo4j installed the right way? Are credentials secure against brute-force/guessing attacks or not? And so on.
Upvotes: 1
Reputation: 1949
You haven't specified which API and driver you are using.
If you're building the Cypher queries on your own, make sure you use Cypher parameters:

```json
{
  "query": "MATCH (x {name: {startName}})-[r]-(friend) WHERE friend.name = {name} RETURN TYPE(r)",
  "params": {
    "startName": "I",
    "name": "you"
  }
}
```

If you're using a driver to build your Cypher queries, I guess the driver will solve that for you, but you may want to look into the specific documentation.
Upvotes: 3
Reputation: 39915
Just as with SQL, Cypher is vulnerable the same way if string concatenation is used. To get around this, the use of parameters in Cypher is crucial.
Upvotes: 5
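The point made in the two answers above (string concatenation versus Cypher parameters), as an added example that is not from any of the posters: it builds the same request body shape shown in the answer with `query`/`params`, once by concatenation and once with parameters, and checks whether the Cypher text stays fixed across inputs. The request-building helpers are hypothetical; the sample input `O'Brien` is constructed.

```python
import json

# Fixed Cypher text, modelled on the request body shown in the answer above.
# Values are referenced by parameter name; they never become part of the query text.
TEMPLATE = ("MATCH (x {name: {startName}})-[r]-(friend) "
            "WHERE friend.name = {name} RETURN TYPE(r)")


def concatenated_request(start_name, name):
    """Unsafe (hypothetical helper): splices caller-supplied strings into the Cypher text."""
    query = ("MATCH (x {name: '" + start_name + "'})-[r]-(friend) "
             "WHERE friend.name = '" + name + "' RETURN TYPE(r)")
    return {"query": query}


def parameterized_request(start_name, name):
    """Safe (hypothetical helper): query text is a constant; values travel in 'params'."""
    return {"query": TEMPLATE, "params": {"startName": start_name, "name": name}}


def query_text_is_fixed(builder, *inputs):
    """Defender's check: the Cypher text must not vary with user input."""
    texts = {builder(*args)["query"] for args in inputs}
    return len(texts) == 1


def quotes_balanced(query):
    """Cheap structural sanity check: an odd number of single quotes means the
    literal boundaries were broken by the data, i.e. data became syntax."""
    return query.count("'") % 2 == 0


if __name__ == "__main__":
    # Constructed input: a perfectly legitimate name containing an apostrophe.
    benign, awkward = ("I", "you"), ("I", "O'Brien")
    print(json.dumps(parameterized_request(*awkward), indent=2))
    print("concatenated text fixed:", query_text_is_fixed(concatenated_request, benign, awkward))
    print("parameterized text fixed:", query_text_is_fixed(parameterized_request, benign, awkward))
```

With parameters the apostrophe is just data inside `params`, so the same check that flags the concatenated build (quotes no longer balanced, query text changing per input) passes for the parameterized one.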