I had some time last night (the whole family had gone to bed early), so I spent some to look at the XPages integration into Bluemix. I found the Greenwell Travel Expenses Demo:
But after clicking a link, the page returned an error:
Hmm…But I wanted to see the application!
That’s why I checked, if the datasources are protected. I recommend this for years. Fredrik Norling wrote a little snippet for this. Or better use the „ignoreRequestParam„. Then all your problems are gone.
I now was able to see a little bit more of the application and to check the underlying environment. But then came the moment where my brain forced me to try out some things:
First, I had to look again on the IP address in the error page: „22.214.171.124„. This is not an internal address. Let’s check it:
Not reachable. Whois for „126.96.36.199“ ? „Fasthosts Internet Limited„. A provider in UK.
A ping to „greenwellexpenses.mybluemix.net“ returned „188.8.131.52″, which belongs to Softlayer. The server is allowed access other servers? Maybe the application can call me?
Yes, the application can:
Now I can try to DoS the application. Because the outgoing connection from the application waits for a response (think about „telnet www.example.com 80„), I can create a bunch of requests, and the server will quickly reach it’s limit.
That’s why I created a simple bash script which makes HTTP request to the Bluemix instance. The script runs on a Raspberry Pi, to demonstrate the low demand of hardware requirements and to show how easy it is do make a DoS attack against a XPage application (if it is was not developed under security aspects).
Here is a short video (the source of the bash script is NOT shown, but it has fewer then 10 lines of code):
This was a „friendly“ attack. I have not done anything harmfull. And this is a demo app; if it is not secure, this is not a real problem. The application is available again ten minutes later.
But last night I searched for some XPages servers in the WWW, and I found a lot of misconfigured systems: Error Page enabled, the „Ignore request parameter“ is not set to „true“ or at least the hack from Fredrik running. And the servers are allowed to access the whole internet… Dev’s and Admins should do their jobs better!
If you plan to migrate your apps to the cloud, please learn more about security. Or hire some specialists with the knowledge and experience in this sector. It is worth the time and the money.