GSoC with OpenMRS — Week 1 Update
Last week was the first week of the Coding Period of Google Summer of Code. As mentioned in my last blog, during the Community Bonding Period I set up the SDK and had a look at reproducing an XSS (Cross Site Scripting) attack. This week, I started to look at a real issue that needs to be fixed.
The Issue:
In OpenMRS there is an XSS vulnerability in the Appointment Scheduling part of the application. This is the first issue that I will be focusing on. I ran the vulnerability to see how it worked, by simply adding a piece of JavaScript code to the URL: </script><script>alert(1)</script>
This code gives a popup alert showing the number 1, however if this code was malicious it could retrieve data or cookies from the site, which would be dangerous.
My Plan:
I plan over the next week to set up the coding environment and attempt to first make a change to the page as a test, then look into editing the program in order to protect against the vulnerability. I will first try to escape special characters; if this does not work I will do some research into what else I can try.
I am enjoying programming so far and I will be publishing another update next week.
