{"id":1974,"date":"2015-01-28T15:44:51","date_gmt":"2015-01-28T13:44:51","guid":{"rendered":"http:\/\/hasselba.ch\/blog\/?p=1974"},"modified":"2015-01-28T16:30:36","modified_gmt":"2015-01-28T14:30:36","slug":"raspberry-pi-vs-ibm-bluemix-10","status":"publish","type":"post","link":"https:\/\/hasselba.ch\/blog\/?p=1974","title":{"rendered":"Raspberry Pi vs. IBM Bluemix – 1:0"},"content":{"rendered":"

I had some time last night (the whole family had gone to bed early), so I spent some to look at the XPages integration into Bluemix. I found the Greenwell Travel Expenses Demo:<\/a><\/p>\n

\"Bildschirmfoto<\/a><\/p>\n

But after clicking a link, the page returned an error:<\/p>\n

\"Bildschirmfoto<\/a><\/p>\n

Hmm…But I wanted to see the application!<\/p>\n

That’s why I checked, if the datasources are protected. I recommend this for years.<\/a> Fredrik Norling wrote a little snippet<\/a> for this. Or better use the „ignoreRequestParam<\/em>„. Then all your problems are gone.<\/p>\n

http:\/\/greenwellexpenses.mybluemix.net\/bluemix\/Expense-App-Design.nsf\/teamExpenses.xsp?databaseName=homepage.nsf<\/code><\/pre>\n
Bingo! Unprotected!<\/p>\n
\"Bildschirmfoto<\/a><\/p>\n
I now was able to see a little bit more of the application and to check the underlying environment. But then came the moment where my brain forced me to try out some things:<\/p>\n
First, I had to look again on the IP address in the error page: „109.228.14.66<\/em>„. This is not an\u00a0 internal address. Let’s check it:<\/p>\n
\"Bildschirmfoto<\/a><\/p>\n
Not reachable. Whois for „109.228.14.66<\/em>“ ? „Fasthosts Internet Limited<\/em>„. A provider in UK.<\/p>\n
A ping to „greenwellexpenses.mybluemix.net<\/em>“ returned „75.126.81.6″<\/em>, which belongs to Softlayer. The server is allowed access other servers? Maybe the application can call me?<\/p>\n
\"Bildschirmfoto<\/a><\/p>\n
Yes, the application can:<\/p>\n
\"Bildschirmfoto<\/a><\/p>\n
\"Unbenannt\"<\/a><\/p>\n
Now I can try to DoS the application.\u00a0 Because the outgoing connection from the application waits for a response (think about „telnet www.example.com 80<\/em>„), I can create a bunch of requests, and the server will quickly reach it’s limit.<\/p>\n
That’s why I created a simple bash script which makes HTTP request to the Bluemix instance. The script runs on a Raspberry Pi, to demonstrate the\u00a0low demand<\/span><\/span> of hardware requirements and to show how easy it is do make a DoS attack against a XPage application (if it is was not developed under security aspects).<\/p>\n
Here is a short video (the source of the bash script is NOT shown, but it has fewer then 10 lines of code):<\/p>\n