Introducing Mongoaudit

An automated pentesting tool that lets you know if your MongoDB instances are properly secured

Stampery Inc.
Feb 10, 2017

Companies of all sizes use MongoDB, Stampery included. Why? It’s schema-less, fast, scalable. We all love its deep query-ability.

But it’s no secret that MongoDB pays more attention to scalability, performance and ease of use than to security. There are quite a few holes in its default configuration settings.

This, combined with lazy admins and devs, led to what the press has dubbed the MongoDB apocalypse. More than 25,000 MongoDB instances were targeted by hackers. Data was encrypted and a ransom was demanded for the decryption keys. In some cases the data was wiped with no way to recover it.

Mongoaudit tackles this problem and more. It not only detects misconfigurations, known vulnerabilities and bugs, but also gives advice on how to fix them and recommends security best practices.

Among other tests, it checks if:

  • MongoDB listens on a port other than the default one
  • The MongoDB HTTP status interface is disabled
  • TLS/SSL encryption is enabled
  • Authentication is enabled
  • The SCRAM-SHA-1 authentication mechanism is enabled
  • Server-side JavaScript is forbidden
  • The roles granted to the user only permit CRUD operations
  • The user has permissions over a single database
  • The server is vulnerable to a dozen different known security bugs
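
To make the first eight checks concrete, here is an added example that is not part of Mongoaudit: it evaluates a server configuration document (the shape returned by `getCmdLineOpts`) and a user document (the shape returned by `usersInfo`) offline, on constructed sample input, and lists the checks that fail. The sample configs, user names and the assumed 3.x default of SCRAM-SHA-1 are assumptions of this example.

```python
# Added example (not Mongoaudit's code): evaluate a MongoDB config document and a
# user document against the hardening checks listed above, on constructed input.
DEFAULT_PORT = 27017
CRUD_ROLES = {"read", "readWrite"}  # built-in roles that only permit CRUD

def audit_config(parsed: dict) -> dict:
    """Server-side checks. `parsed` mirrors the `parsed` field returned by
    db.adminCommand({getCmdLineOpts: 1}) (YAML option names, nested dicts)."""
    net = parsed.get("net", {})
    sec = parsed.get("security", {})
    ssl_mode = net.get("ssl", {}).get("mode", "disabled")
    # setParameter.authenticationMechanisms is a comma-separated string; when it
    # is absent we assume the 3.x server default, which includes SCRAM-SHA-1.
    mechs = parsed.get("setParameter", {}).get("authenticationMechanisms", "SCRAM-SHA-1")
    return {
        "non_default_port": net.get("port", DEFAULT_PORT) != DEFAULT_PORT,
        "http_interface_disabled": not net.get("http", {}).get("enabled", False),
        "tls_enabled": ssl_mode in ("preferSSL", "requireSSL"),
        "auth_enabled": sec.get("authorization", "disabled") == "enabled",
        "scram_sha1_enabled": "SCRAM-SHA-1" in [m.strip() for m in mechs.split(",")],
        "server_side_js_forbidden": sec.get("javascriptEnabled", True) is False,
    }

def audit_user(user_doc: dict) -> dict:
    """Checks on one entry of the usersInfo command output."""
    roles = user_doc.get("roles", [])
    return {
        "crud_only_roles": bool(roles) and all(r["role"] in CRUD_ROLES for r in roles),
        "single_database": len({r["db"] for r in roles}) == 1,
    }

def failing_checks(parsed: dict, user_doc: dict) -> list:
    """Names of the checks that fail, in a stable order for reporting."""
    results = {**audit_config(parsed), **audit_user(user_doc)}
    return [name for name, passed in results.items() if not passed]

# Constructed samples: a stock install with auth on, and the same box hardened.
WEAK_CONFIG = {"net": {"port": 27017, "http": {"enabled": True}},
               "security": {"authorization": "enabled"}}
HARDENED_CONFIG = {"net": {"port": 27117, "ssl": {"mode": "requireSSL"}},
                   "security": {"authorization": "enabled", "javascriptEnabled": False}}
APP_USER = {"user": "app", "db": "shop", "roles": [{"role": "readWrite", "db": "shop"}]}
ADMIN_USER = {"user": "ops", "db": "admin",
              "roles": [{"role": "root", "db": "admin"}, {"role": "read", "db": "shop"}]}

if __name__ == "__main__":
    print("weak:", failing_checks(WEAK_CONFIG, ADMIN_USER))
    print("hardened:", failing_checks(HARDENED_CONFIG, APP_USER))
```

The weak sample fails six of the eight checks, while the hardened one with a single-database `readWrite` user fails none.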

Once the tests have run, Mongoaudit can either display a basic report on screen or send a detailed one via email. This personalized report links to a series of guides on how to fix each specific issue and how to harden the targeted MongoDB deployment.

We have also published the Mongoaudit guides in our Medium publication — be sure to check them out!
