GSOC 2021 - Security Issues Project - Final Presentation.

Project Title: Security Issues with OpenMRS

Primary mentor: @isears

Backup mentor: @sharif

Student: @jnsereko

Reach Me: LinkedIn , Reddit

Overview

OpenMRS began collaborating with researchers from North Carolina State University (NCSU) to better secure the OpenMRS Reference Application. NCSU researchers, using cutting-edge security assessment techniques, identified almost 300 distinct security issues.

The major goal of this project was to solve as many vulnerabilities as possible on the OpenMRS Vulnerability Issue Tracker.

The OpenMRS Vulnerability Sheet (requires permission), shows all the issues I have been able to accomplish, their description, and corresponding Pull Requests. However, if you don’t have permission to the document, I got you covered. :slight_smile: I am going to write about all the issues I have worked on.

In this season of Google Summer Code, the security team followed a Chronological order, where every intern picked up an issue from the Vulnerability Sheet, discussed with @isears and/or the OpenMRS Security Team to know its requirements pretty well. If an issue is merged, the corresponding issue on the Sheet is updated and the user picks on another issue based on his/her personal interests. However, I personally preferred being assigned issue(s) to work on by @isears each time I closed one. I was trying to avoid working on issues that are of a low priority to both the team and the community, and/or working on issues that might require a little more integrations and time. I also got a chance to work with @parth59 and @katebelson as workmates on this project.

Objectives

  1. Work on at least one issue from the vulnerability issue tracker per week — ACHIEVED
  2. Fix at least 10 issues on the vulnerability sheet for the whole coding period – ACHIEVED

Contributions

Below are some of the issues i have been able to work upon, their corresponding modules and their development state.

Pull requests

  1. MM-893 : Authentication Bypass — Solved Authentication Bypass to System Administration #MERGED
  2. EMPT-23: Authentication Bypass — Manage Service Type #MERGED
  3. EMPT-24: Authentication Bypass — Manage Provider Schedules #MERGED
  4. EMPT-25: Authentication Bypass — find patient record #MERGED
  5. EMPT-26: Authentication Bypass — Active visit #MERGED
  6. EMPT-27: Authentication Bypass — Patient note #MERGED
  7. EMPT-28: Authentication Bypass — Delete Patient #MERGED
  8. EMPT-29: Authentication Bypass — Merge Patient Electronic Records: #MERGED
  9. EMPT-30: Authentication Bypass — find patient record: Manage Appointments #MERGED
  10. EMPT-32: Authentication Bypass — Manage Appointments #MERGED
  11. EMPT-33: Authentication Bypass — Solved Authentication Bypass to System Administration #MERGED
  12. EMPT-34: Authentication Bypass — find patient record #MERGED
  13. EMPT-35: Authentication Bypass — Capture Vitals: Solved Authentication Bypass to System Administration #MERGED
  14. EMPT-36: Authentication Bypass: System Administration #MERGED
  15. EMPT-37: Authentication Bypass: create patient #MERGED
  16. EMPT-38: Authentication Bypass: Manage App: Patient vital #MERGED
  17. EMPT-39: Authentication Bypass: manage role: Module list page #MERGED
  18. EMPT-40: Authentication Bypass: Assign Role: Sys Info #MERGED
  19. EMPT-31 : Authentication Bypass: Patient ID in url #MERGED
  20. RA-1424: Removed escapeJs which is vulnerable to xss #MERGED
  1. MM-876: XSS vulnerability — Input Validation Relationship Name: XSS in relation name (input validation) #MERGED
  1. RA 1424: EscapeJs is vulnerable to XSS attacks #MERGED
  1. MM-875: Session Management — Persisting user session: Emphasized that the new password is different from the old pa… #MERGED
  2. MM-860: CSRF Protection — implement anti-csrf Tokens: Implemented anti-csrf tokens for OpenMRS protection against CSRF attacks #IN-PROGRESS(required more time)
  3. EMPT-174: JSESSIONID COOKIE — Made cookies more secure. #CLOSED
  1. MM-875: Password Management — password Visibility: Emphasized that the new password is different from the old password #MERGED
  2. EMPT-174: JSESSIONID COOKIE — Made cookies more secure. #CLOSED
  3. MM-860: CSRF Protection — implement anti-csrf Tokens: Implemented anti-csrf tokens for OpenMRS protection against CSRF attacks #IN-PROGRESS(required more time)
  1. MM-918 [WIP]: Session Management — Authentication bug after password change #ALMOST DONE
  2. RA-1424: EscapeJs vulnerable to XSS. #MERGED
  3. EMPT-75: 500 error — Beautified error thrown on getting unexisting privilege #MERGED
  1. MM-918: Session Management — user sessions: Close all user sessions after password change and on logout #ALMOST DONE

OpenMRS Talk Threads

Weekly Blog Posts

Resources

Below is a short demo showing the some issues I have tacked. I have tried to explain merged issues thoroughly but I have given little information about issues that have not been merged for security purposes.

Future Works

Currently, we have many issues on the OpenMRS Vulnerability Tracker that are in the Not Stated State. At the same time, security issues are reported nearly on a daily basis. As the security team, there is need to solve as many as possible so as to make our OMRS security vulnerability-free.

Thoughts on GSoC

Honestly, getting Google summer of Code was like a dream to me. Moreover, those kinds of dreams, that seemingly might never come true. It was just like a fantasy. That email reading “Your Proposal has been Accepted” was almost unreal. I remember reading it more than thrice to finally prove that it was all real.

Ten weeks seem too little, but the things I have learned would cost me more than a year if it wasn’t for GSoC 2021: from working with Linux remote servers, getting a better understanding of the OpenMRS modules workflow, getting some little knowledge about the implementation of OpenMRS, boosting my confidence and most especially, Hyping my knowledge about security in web applications.

It has been a fruitful summer owing to my awesome mentors, @isears and @sharif, OpenMRS Security Team, OpenMRS community members, more especially @ibacher, @dkayiwa, @herbert24, and many more (list is endless), who have reviewed many of my Pull Requests and provided suggestions in case of any blockers are encountered. Thank you for the good work. Your support is the only reason why I have reached this far.

6 Likes

Weldone @jnsereko for an amazing work completed. Thanks for your ethusiasm. Looking foward to continue work with you in the next quarter and security automation as well. :pizza: :ok_hand:

1 Like