Difference between revisions of "FLOSSHack Returns"

From OWASP
Latest revision as of 15:32, 12 January 2013

FLOSSHack is back! The next workshop will be held on January 13th, 2013 from 2pm to 6pm at Free Geek. The workshop's target is OpenMRS, an open source medical records system and platform. An overview of the FLOSSHack workflow can be found on the "FLOSSHack for Participants" page.



Getting Started

The OpenMRS developers recommend that we use version 1.9.2 "Standalone", which is available here. The source code for the 1.9.x branch can be checked out using git with the command:

 git clone -b 1.9.x https://github.com/openmrs/openmrs-core.git

You may find it easier to use a pre-built virtual machine. Just download (631MB) the VM's .ova file and import it to your hypervisor (VirtualBox was used to build it). The system is built on Debian Linux and has a host-only network device that should make the VM available at 192.168.56.101. Both ssh and the OpenMRS web interface are exposed. Note that to access the OpenMRS interface, use this URL: https://192.168.56.101/openmrs/. The root password is "openmrs" and the admin user password is "Openmrs1". The SHA1 hash of the .ova file is: 2d4dd7eeef28e851407c3dff2694fdb9f0ea243d.


Tutorial Session

A "How to (FLOSS)Hack" session will be held on Wednesday, January 9th. This session is designed to help hacking novices learn the tools and techniques needed to be effective bug hunters in this competition. See the Calagator entry for more details.


Joining Remotely

For now, the only remote access to the event will be via IRC:

 Network: freenode (chat.freenode.net)
 Channel: #OpenMRS


Technology Overview

"OpenMRS is an application which enables design of a customized medical records system with no programming knowledge (although medical and systems analysis knowledge is required). It is a common framework upon which medical informatics efforts in developing countries can be built." OpenMRS is implemented in Java and generally is used under Tomcat. It uses Hibernate to interact with a MySQL database for record storage. For more information, see the FAQ.


Ideas for Attacks

Based on observations and conversations with the OpenMRS team, the following vulnerability classes and attack scenarios seem relevant:

  • Cross-site Scripting (XSS).
  • SQL Injection: while OpenMRS uses Hibernate, HQL injection is worth keeping an eye out for.
  • Authorization: the app supports a very flexible role/privilege system that is configurable per deployment.
  • Platform deployment issues: the standalone installer supports Linux, Mac OS X, and Windows, so some platform-specific weaknesses could crop up.
  • REST web services API: this is a new interface that has not been tested as thoroughly.
  • SSL-related problems.
  • XXE: some XML-related processing goes on, so there are opportunities for external entity attacks.
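
As an added illustration of the XXE point above (this is example code written for this page, not OpenMRS code), the following shows the JAXP parser configuration a reviewer would look for when auditing XML handling in a Java application: a default `DocumentBuilderFactory` beside a hardened one that refuses DOCTYPE declarations and external entities. The sample document and the `file:///placeholder/...` path are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedXmlParser {

    // Constructed sample: a document whose DOCTYPE declares an external entity.
    // The SYSTEM path is a placeholder; a default parser would try to read it.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE patient [<!ENTITY ext SYSTEM \"file:///placeholder/secret.txt\">]>\n"
      + "<patient><name>&ext;</name></patient>";

    // Default JAXP configuration: DTDs are processed and external entities resolved.
    // This is the pattern to flag during code review.
    static DocumentBuilder defaultBuilder() throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened configuration: reject DOCTYPE outright, and also disable external
    // entities and XInclude in case a deployment later re-enables DTD support.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    static String parseName(DocumentBuilder b, String xml) throws Exception {
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getElementsByTagName("name").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        try {
            parseName(hardenedBuilder(), SAMPLE);
            System.out.println("hardened parser accepted DOCTYPE (unexpected)");
        } catch (SAXParseException e) {
            // Expected: the DOCTYPE is disallowed, so the entity is never resolved.
            System.out.println("hardened parser rejected document: " + e.getMessage());
        }
    }
}
```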


Suggested Tools

Web attack proxies and scanners are probably going to be the most useful to begin with, such as Burp, ZAP and w3af. Static code analysis tools, such as FindBugs, may also be useful.


Competition Notes

  • You are welcome to start looking for vulnerabilities right now. If you do find any vulnerabilities in the application prior to the workshop, please email them to tim . morgan |at| owasp . org. That way you get credit for them if you're the first to find a given flaw.
  • At the end of the workshop, there will be prizes for both finding the "best" vulnerability and for finding the most vulnerabilities.
  • Be sure to keep any flaws you find under wraps so that way OpenMRS maintainers have some time to correct everything before they are made public.
  • Please submit quality bug reports. See the "FLOSSHack for Participants" page for more info.