GSoC Community Bonding Period with OpenMRS
Recently I was lucky enough to be accepted into Google Summer of Code. I will be working on tackling security issues in OpenMRS, an online medical record system that aims to improve healthcare delivery worldwide.
The project will run for ten weeks, in which I aim to patch ten security issues on the platform. This will be my first time working with open source code and I am excited to get involved. My mentors are Isaac Sears and Sharif Magembe, and I will be working with two GSoC students as well.
The last two weeks have been focused on a Community Bonding Period, during which I have met my mentors and team, set up the SDK, and attempted to reproduce a security issue that has already been flagged. I will give more detail on this below. I have enjoyed working with OpenMRS so far and I am ready to start programming.
Reproducing a Security Issue:
I reproduced an XSS (Cross-Site Scripting) attack on one of the forms. XSS is one of the most common classes of attack against web applications.
A non-persistent (reflected) XSS attack is where a user is sent a crafted link to a query form. When they click the malicious link, the page reflects the injected input back and the browser executes the malicious JavaScript in the background.
A persistent (stored) XSS attack is where the attacker inserts malicious JavaScript into, for example, an article comment that is stored in the database; when another user opens the article, the malicious JavaScript is loaded and executed.
Countermeasures for XSS include always using HttpOnly cookies, input validation (watch out for unexpected input and be strict in what you accept), and escaping text input (escape special characters before the text is rendered, e.g. using htmlspecialchars in PHP). Used together, these measures give a much more secure system that is resistant to XSS attacks.
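To make the three countermeasures concrete, here is an added JavaScript example (my own illustration, not OpenMRS code). It shows a stored comment rendered unsafely next to the escaped version, a strict allow-list validator for a username field, and a session cookie header with the HttpOnly flag. The function names, the `USERNAME_RE` pattern, and the sample comment are all constructed for this example.

```javascript
// Added example: XSS countermeasures (output escaping, strict validation, HttpOnly cookies).
// Not OpenMRS code; all names and sample data here are constructed for illustration.

// Map of the five characters that must be encoded before text is placed in HTML.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape special characters so stored text is shown literally instead of parsed as markup
// (the same idea as htmlspecialchars in PHP).
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the stored comment is concatenated straight into the page,
// so a comment containing a <script> tag becomes live script (persistent XSS).
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Hardened rendering: every comment passes through escapeHtml before it reaches the HTML.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Strict input validation: an allow-list pattern (hypothetical rule for a username field).
// Anything outside letters, digits and underscore is rejected rather than cleaned up.
const USERNAME_RE = /^[A-Za-z0-9_]{3,32}$/;
function isValidUsername(value) {
  return USERNAME_RE.test(value);
}

// Session cookie with HttpOnly so page scripts cannot read it via document.cookie,
// plus Secure and SameSite as sensible defaults.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample input: a comment that an attacker might try to store.
const STORED_COMMENT = 'Nice article! <script>alert(document.cookie)</script>';

// Stand-alone demonstration of the vulnerable and hardened output side by side.
console.log('unsafe:', renderCommentUnsafe(STORED_COMMENT));
console.log('safe:  ', renderCommentSafe(STORED_COMMENT));
console.log('valid username?', isValidUsername('alice_01'), isValidUsername('<b>x</b>'));
console.log('cookie:', sessionCookieHeader('JSESSIONID', 'abc 123'));
```

Running this prints the unsafe render with a live `<script>` tag and the safe render with `&lt;script&gt;` in its place; the browser would display the second one as plain text. Escaping is applied at output time because the same stored string may be rendered in several places, and validation is an allow-list rather than a block-list so that unexpected input is rejected outright.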
I look forward to posting my next blog when the coding period begins!