GSoC with OpenMRS — Week 7 Update
For week 7, I submitted a PR that partially fixed the XSS attack I have been working on.
The Solution:
First I ran the XSS attack, which involved editing the page’s URL by changing a variable to contain a JavaScript popup. I then used Inspect Element to view the source code of the page, in which I located the specific variable that now had the XSS code saved to it. Next, I went to the code for that page, and surrounded the variable with ui.encodeJavaScript(), which escapes special characters found in JavaScript, so characters can still be read by the URL but cannot actually be executed. This function uses org.owasp.encoder.Encode, which is imported into OpenMRS. I ran this code, attempted the attack, and it was successful — the JavaScript didn’t execute!
The PR:
I used Git to submit a PR with my changes to the code. However, when my mentor had a look, he noticed that some of the page’s functionality had been lost — this is something I will need to look at next week as the fix was not entirely successful.
Next week I will look at fixing this issue and at other XSS vulnerabilities.