Difference between revisions of "FLOSSHack Returns"

From OWASP
Revision as of 13:13, 5 January 2013

FLOSSHack is back! The next workshop will be held on January 13th, 2013 from 2pm to 6pm at Free Geek. The workshop's target is OpenMRS, an open source medical records system and platform. An overview of the FLOSSHack workflow can be found on the "FLOSSHack for Participants" page.


Getting Started

The OpenMRS developers recommend that we use version 1.9.2 "Standalone", which is available from http://openmrs.org/download/. The source code for the 1.9.x branch can be checked out using git with the command:

 git clone -b 1.9.x https://github.com/openmrs/openmrs-core.git


Tutorial Session

A "How to (FLOSS)Hack" session will be held on Wednesday, January 9th. This session is designed to help hacking novices learn the tools and techniques needed to be effective bug hunters in this competition. See the Calagator entry (http://calagator.org/events/1250463314) for more details.


Joining Remotely

For now, the only remote access to the event will be via IRC:

 Network: freenode
 Channel: #flosshack


Technology Overview

OpenMRS is an application which enables the design of a customized medical records system with no programming knowledge (although medical and systems analysis knowledge is required). It is a common framework upon which medical informatics efforts in developing countries can be built. OpenMRS is implemented in Java and is generally run under Tomcat. It uses Hibernate (http://www.hibernate.org/) to interact with a MySQL database for record storage. For more information, see the FAQ at http://openmrs.org/about/faq/.


Ideas for Attacks

Based on observations and conversations with the OpenMRS team, the following vulnerability classes and attack scenarios seem relevant:

  • Cross-site Scripting (XSS)
  • SQL Injection: while the application uses Hibernate, HQL injection is worth keeping an eye out for.
  • Authorization: the app supports a very flexible role/privilege system that is configurable per deployment.
  • Platform deployment issues: the standalone installer supports Linux, Mac OS X, and Windows, so some platform-specific weaknesses could crop up.
  • REST web services API: this is a new interface that has not been tested as thoroughly as the rest of the application.
  • SSL-related problems
  • XXE: some XML-related processing goes on, so there are opportunities for XML External Entity (XXE) attacks.


Competition Notes

You are welcome to start looking for vulnerabilities right now. If you do find any vulnerabilities in the application prior to the workshop, please email them to tim . morgan |at| owasp . org. That way you get credit for them if you're the first to find a given flaw. At the end of the workshop, there will be prizes both for finding the "best" vulnerability and for finding the most vulnerabilities. Also, be sure to keep any flaws you find under wraps so that the OpenMRS maintainers have time to correct everything before the flaws are made public.