I had some time last night (the whole family had gone to bed early), so I spent some of it looking at the XPages integration into Bluemix. I found the Greenwell Travel Expenses Demo:
But after clicking a link, the page returned an error:
Hmm… But I wanted to see the application!
So I checked whether the datasources are protected. I have recommended this for years. Fredrik Norling wrote a little snippet for this. Or, better, use "ignoreRequestParams". Then all your problems are gone.
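As an added example (not code from the original post or from the Greenwell demo), here is an XPage with a datasource left at its default next to the hardened form that sets ignoreRequestParams; the form name, view name, variable names and the sessionScope key are assumptions:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<xp:view xmlns:xp="http://www.ibm.com/xsp/core">
  <xp:this.data>

    <!-- Weak (constructed example): ignoreRequestParams is left at its
         default of false, so request parameters in the URL can change
         which document this datasource opens and in which mode. -->
    <xp:dominoDocument var="expenseDoc" formName="Expense" />

    <!-- Hardened: the datasource takes its document id and action only
         from the properties set here; request parameters are ignored.
         sessionScope.expenseId is an assumed server-side value. -->
    <xp:dominoDocument var="expenseDocSafe" formName="Expense"
        ignoreRequestParams="true"
        action="openDocument"
        documentId="#{javascript:sessionScope.expenseId}" />

    <!-- The same setting applies to view datasources (view name assumed). -->
    <xp:dominoView var="expenseView" viewName="ExpensesByUser"
        ignoreRequestParams="true" />

  </xp:this.data>

  <xp:text value="#{expenseDocSafe.Subject}" />
</xp:view>
```

When the datasource needs a document id from the user, compute it server-side (as above) and validate it there instead of letting the URL parameter drive the datasource directly.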
I was now able to see a bit more of the application and to check the underlying environment. But then came the moment when my brain forced me to try out some things:
First, I had to take another look at the IP address in the error page: "188.8.131.52". This is not an internal address. Let's check it:
Not reachable. Whois for "184.108.40.206"? "Fasthosts Internet Limited". A provider in the UK.
A ping to "greenwellexpenses.mybluemix.net" returned "220.127.116.11", which belongs to Softlayer. So the server is allowed to access other servers? Maybe the application can call me?
Yes, the application can:
Now I can try to DoS the application. Because the outgoing connection from the application waits for a response (think of "telnet www.example.com 80"), I can create a bunch of requests, and the server will quickly reach its limit.
That's why I created a simple bash script which makes HTTP requests to the Bluemix instance. The script runs on a Raspberry Pi, to demonstrate the low hardware requirements and to show how easy it is to make a DoS attack against an XPages application (if it was not developed with security in mind).
Here is a short video (the source of the bash script is NOT shown, but it has fewer than 10 lines of code):
This was a "friendly" attack. I have not done anything harmful. And this is a demo app; if it is not secure, this is not a real problem. The application was available again ten minutes later.
But last night I searched for some XPages servers on the WWW, and I found a lot of misconfigured systems: the error page enabled, the "Ignore request parameters" option not set to "true", and not even Fredrik's hack running. And the servers are allowed to access the whole internet… Devs and admins should do their jobs better!
If you plan to migrate your apps to the cloud, please learn more about security. Or hire specialists with knowledge and experience in this sector. It is worth the time and the money.
Hi Sven. Interesting article. I guess I am one of those XPages developers who do not know enough about securing their applications as thoroughly as I should do… Fortunately my applications are not exposed to the Internet.
Would love to read more about that 😉 – of course I will start doing my research now.
Warm greetings from Ecuador.
I'm trying to upload an nsf with XPages to Bluemix, but can not find how.
There is some guidance to achieve this. This article very interesting thoughts about me, go ahead.
This is not only for XPages, try to run Apache JMeter and run some "DoS" attack or just a load test of your app. It's a normal issue for virtualized environments and the problem of all PaaS-es, not only Bluemix.
Also, it's not a crash 😉 It is the load balancer under the app which is not accepting your requests, and if you check, the response is something like 502, or the security under it just stops responding to you for a while by IP address because of the overload of requests; Bluemix has anti-DDoS and DoS mechanisms.
No, it’s a crash. And you can be sure that I have tested this from different IPs.
No, this is a special problem with XPages applications. It has nothing to do with the environment used. Even a normal server can be crashed this way within a few minutes.