Wiki Spaces
Documentation
Projects
Resources
Get Help from Others
Q&A: Ask OpenMRS
Discussion: OpenMRS Talk
Real-Time: IRC Chat | Slack
Primary mentor | |
Backup mentor | |
Assigned to | NA |
Abstract
Late last year, OpenMRS began collaborating with researchers from North Carolina State University (NCSU) to better secure the OpenMRS Reference Application. NCSU researchers, using cutting-edge security assessment techniques, have identified almost 300 distinct security issues. Many of those issues are relatively low-complexity, requiring one-line patches. This is a great opportunity for students who are interested in software security to get first-hand experience in the field.
Project Champions
Objectives
- (First priority) Patch up to 50 XSS vulnerabilities
- (Second priority) Implement up to 25 authorization checks where they are lacking
- (Third priority) Implement safe exception handling for up to 10 HTTP 500 errors
Extra Credits
- Take on responsibility for patching more complex security issues
Skills Required
- Javascript, HTML
- Java
Skills Recommended
- Experience with .jsp and/or .gsp frontend templating languages
- Basic knowledge of common web application security vulnerabilities
Examples to Look Through While Preparing Your Proposal
1) Understand XSS vulnerabilities
- https://owasp.org/www-community/attacks/xss/ - Description of XSS vulnerabilities
2) Review some recent fix examples
For security reasons we can't publicly release the full NCSU report; however, you can check out these PRs for recent examples of the kinds of bugs that are being patched (and the kind of work the patches in this GSOC project entail):
- https://github.com/openmrs/openmrs-module-reporting/pull/207 - Example of a PR patching one of the vulnerabilities identified in the report
- https://github.com/openmrs/openmrs-module-legacyui/pull/140
- https://github.com/openmrs/openmrs-module-legacyui/pull/139
- https://github.com/openmrs/openmrs-module-legacyui/pull/137
- https://github.com/openmrs/openmrs-module-calculation/pull/10
- https://github.com/openmrs/openmrs-module-providermanagement/pull/43
Once you are accepted into the project, you will be added to the security team and a more detailed backlog of issues will be shared with you.
A successful proposal
A successful proposal could include a general approach to patching XSS vulnerabilities based on the examples above.
Overview
Content Tools
Feedback on this page? Questions?
Copyright © 2004-2016 OpenMRS Inc. By using this site, you agree to the OpenMRS Privacy Policy.
Text is available under the Creative Commons 4.0 International Attribution License (CC BY 4.0).
Software is available under the Mozilla Public License 2.0 with Healthcare Disclaimer (MPL 2.0 HD).
"OpenMRS" is a registered trademark and the OpenMRS graphic logo is a trademark of OpenMRS Inc.