The document discusses the top 10 web attacks, including URL misinterpretation, directory browsing, retrieving non-web files, reverse proxying, Java decompilation, and source code disclosure. It explains how each attack works and potential countermeasures to prevent the attacks. The overall message is that firewalls cannot prevent web application attacks that exploit vulnerabilities like improper input validation, SQL injection flaws, and session hijacking issues.
1. Top Ten Web Attacks
Saumil Shah
Net-Square
BlackHat Asia 2002, Singapore
2. Today's battleground – the Web
• Web sites and web applications rapidly growing.
• Complex business applications are now delivered over the web (HTTP).
• Increased "web hacking" activity.
• Worms on the web.
• How much damage can be done?
• Firewalls?
3. Typical Web Application set-up
[Diagram: the web client sends an HTTP request (cleartext or SSL) through the firewall to the web server (Apache, IIS, Netscape, etc.); the web server runs web apps through plugins (Perl, C/C++, JSP, etc.), which reach SQL databases over database connections (ADO, ODBC, etc.); the HTTP reply carries HTML, JavaScript, VBScript, etc. back to the client.]
4. Traditional Hacking… Limitations
• Modern network architectures are getting more robust and secure.
• Firewalls being used in almost all network roll-outs.
• OS vendors learning from past mistakes (?) and coming out with patches rapidly.
• Increased maturity in coding practices.
5. Utility of Firewalls
• Hacks on OS network services prevented by firewalls.
[Diagram: attacks on wu-ftpd, Sun RPC and NT ipc$ on the web server are blocked at the firewall; only the web server's HTTP port is reachable.]
6. Utility of Firewalls
• Internal back-end application servers are on a non-routable IP network (private addresses).
[Diagram: direct connections from the outside to the back-end web app servers and DBs are blocked.]
7. Utility of Firewalls
• Outbound access restricted. Why would a web server telnet out?
[Diagram: outbound connections initiated by the web server are blocked.]
8. Futility of Firewalls
• E-commerce / Web hacking is unfettered.
• Web traffic is the most commonly allowed of protocols through Internet firewalls.
• Why fight the wall when you've got an open door?
• HTTP is perceived as "friendly" traffic.
• Content/Application based attacks are still perceived as rare.
9. The Web Hacker's Toolbox
Essentially, all a web hacker needs is …
• a web browser,
• an Internet connection,
• … and a clear mind.
10. Classifying Web Hacks
Web Hacks fall under the following categories:
• URL Interpretation attacks
• Input Validation attacks
• SQL Injection attacks
• Impersonation attacks
• Buffer Overflow attacks
12. Firewalls cannot prevent…
• URL Interpretation attacks.
• Input Validation attacks (poor checking of user inputs).
[Diagram: both attacks travel from the web client through the firewall to the web server and its web apps unhindered.]
13. Firewalls cannot prevent…
• URL Interpretation attacks.
• Input Validation attacks.
• SQL Query Poisoning (extending SQL statements).
[Diagram: the same path, now reaching through the web apps into the back-end DBs.]
14. Firewalls cannot prevent…
• URL Interpretation attacks.
• Input Validation attacks.
• SQL query poisoning.
• HTTP session hijacking.
• Impersonation (reverse-engineering HTTP cookies).
[Diagram: as above; every one of these attacks rides the client's legitimate HTTP path into the web apps and DBs.]
15. Why is Web Hacking so deadly?
• Ports 80 and 443 are usually allowed through firewalls.
• A single URL works its way into many components.
• And in most cases, the only defense is "secure coding".
16. The URL as a cruise missile
http: // 10.0.0.1 / catalogue / display.asp ? pg = 1 & product = 7
[Diagram: the single URL passes through the web server into the web apps and on into their DBs; each part of it (host, path, script name, parameters) is consumed by a different component.]
17. Web Hacks – net effects
Web Hacks cause four types of effects:
• Extra information disclosure (paths, etc.).
• Source code and arbitrary file content disclosure.
• Extra data disclosure (e.g. return all rows).
• Arbitrary command execution.
18. The Web Hacker's Toolbox
Some desired accessories would be …
• a port scanner,
• netcat,
• vulnerability checker (e.g. whisker),
• OpenSSL, … etc.
19. Hacking over SSL
• SSL Myth: "Strong 128 bit crypto stops hackers dead in their tracks"
• Using netcat and OpenSSL, it is possible to create a simple two-line SSL Proxy!
• Listen on port 80 on a host and redirect requests to port 443 on a remote host through SSL.
[Diagram: web client → nc listening on port 80 → openssl → SSL connection to the web server on port 443.]
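The relay the slide describes, written out in Python as an added example (this is not code from the talk, which used nc and openssl). It listens on a plaintext port and opens a TLS connection to the target for every client, so any HTTP-only tool can attack an HTTPS server through it; the relay deliberately skips certificate validation because the attacker controls both ends. The target host and ports are whatever the caller passes in. `demo()` is a loopback self-test against a constructed plain TCP echo server with TLS switched off, since there is no certificate to talk to on loopback.

```python
import socket
import ssl
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then pass the half-close on to dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client, remote_host, remote_port, use_tls):
    upstream = socket.create_connection((remote_host, remote_port))
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE      # attacker-side relay: any certificate will do
        upstream = ctx.wrap_socket(upstream, server_hostname=remote_host)
    t = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
    t.start()
    _pump(upstream, client)
    t.join()
    client.close()
    upstream.close()


def start_proxy(listen_host, listen_port, remote_host, remote_port, use_tls=True):
    """Accept plaintext clients in a background thread; each one is relayed to
    remote_host:remote_port (over TLS unless use_tls is False). Returns the
    listening socket so the caller can read its port and close it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:                  # listening socket closed
                return
            threading.Thread(target=_handle,
                             args=(client, remote_host, remote_port, use_tls),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def demo():
    """Loopback self-test: a constructed echo server stands in for the HTTPS
    host; a raw HTTP request goes through the relay and the echo comes back."""
    echo = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    echo.bind(("127.0.0.1", 0))
    echo.listen(1)

    def serve_once():
        conn, _ = echo.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    threading.Thread(target=serve_once, daemon=True).start()
    proxy = start_proxy("127.0.0.1", 0, "127.0.0.1", echo.getsockname()[1], use_tls=False)
    with socket.create_connection(proxy.getsockname()) as c:
        c.sendall(b"GET / HTTP/1.0\r\n\r\n")
        c.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: c.recv(4096), b""))
    proxy.close()
    echo.close()
    return reply


if __name__ == "__main__":
    print(demo())
```

With `use_tls=True` and a real target, pointing a browser or netcat at the relay's port 80 gives a cleartext view of an HTTPS session from the attacker's side, which is exactly why encryption on the wire says nothing about the safety of the application behind it.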
20. The Top 10 Web Hacking Techniques
1. URL Misinterpretation
2. Directory Browsing
3. Retrieving "non-web" Files
4. Reverse Proxying
5. Java Decompilation
21. The Top 10 Web Hacking Techniques
6. Source Code Disclosure
7. Input Validation
8. SQL Query Poisoning
9. Session Hijacking
10. Buffer Overflows
22. 1. URL Misinterpretation
• The web server fails to parse the URL properly.
  • e.g. the Unicode / Superfluous decode attack.
• Mismatched resource mappings in the configuration.
  • e.g. +.htr, .JSP, Java remote command execution, etc.
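An added example (not from the slides) of the superfluous-decode flaw named above, in Python with an assumed document root of `/srv/www`. `vulnerable_map` performs a correct escape check, but on the once-decoded path, and then decodes a second time before mapping to the filesystem; `safe_map` decodes exactly once, strictly, and checks the very string it will open. The request paths are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

DOCROOT = "/srv/www"   # assumed document root


def _under_root(relative):
    """Resolve a decoded request path under DOCROOT; None if it escapes."""
    full = posixpath.normpath(posixpath.join(DOCROOT, relative.lstrip("/")))
    if full == DOCROOT or full.startswith(DOCROOT + "/"):
        return full
    return None


def vulnerable_map(url_path):
    """The escape check is right, but it runs on the once-decoded path and the
    server decodes again before touching the filesystem: '..%252f' passes the
    check as a harmless-looking directory name and only becomes '../' afterwards."""
    once = unquote(url_path)
    if _under_root(once) is None:
        return None                      # rejected
    twice = unquote(once)                # the superfluous second decode
    return posixpath.normpath(posixpath.join(DOCROOT, twice.lstrip("/")))


def safe_map(url_path):
    """Decode exactly once and strictly (overlong UTF-8 such as %c0%af is
    refused), drop NULs, and check the same string that will be opened."""
    try:
        decoded = unquote(url_path, errors="strict")
    except UnicodeDecodeError:
        return None
    if "\x00" in decoded:
        return None
    return _under_root(decoded)


if __name__ == "__main__":
    payload = "/scripts/..%252f..%252f..%252fetc/passwd"
    print(vulnerable_map(payload))   # /etc/passwd
    print(safe_map(payload))         # a non-existent file under /srv/www
```

The single-encoded form `%2e%2e/` is caught by both functions; the attack only works because the server applies its check to one representation of the path and opens another.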
24. 2. Directory Browsing
• Ability to retrieve complete directory listing within directories on the web server.
• Usually happens when the default document is missing.
• Not-so-strict Web server configuration.
25. 2. Directory Browsing
Countermeasures:
• Web server configuration lock-down.
• Disable serving of directory listings.
• Sometimes the error may require a vendor supplied fix.
26. 3. Retrieving "non-web" Files
• "Non-web" files can be:
  • Archive files (.zip, .tar.gz, etc)
  • Backup files (.bak, ~, etc)
  • Header / Include files (.inc, .asa, etc)
  • Text files (readme.txt, etc)
• Can be retrieved with some guess work.
  • e.g. if there is a directory called /reports/, look for "reports.zip".
27. 3. Retrieving "non-web" Files
Countermeasures:
• Eliminate careless presence of such files.
• Disable serving certain file types by creating a resource mapping.
• Strict change control measures.
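Both sides of slides 26 and 27 as an added Python example (not from the talk): `backup_candidates` turns paths already discovered on a site into the archive, backup and include file names worth requesting next, following the slide's "/reports/ → reports.zip" rule, and `should_serve` is the countermeasure as a server-side rule that refuses those types outright. The suffix lists and the sample paths are constructed for the example.

```python
import posixpath
import re

ARCHIVE_SUFFIXES = (".zip", ".tar.gz", ".tgz", ".rar")
BACKUP_SUFFIXES = (".bak", ".old", ".orig", "~", ".swp")
STRAY_TEXT = ("readme.txt", "README", "todo.txt")


def backup_candidates(known_paths):
    """From paths already seen on the site (directories end in '/'), build the
    list of 'non-web' files worth requesting, duplicate-free, in a stable order."""
    out, seen = [], set()

    def add(p):
        if p not in seen:
            seen.add(p)
            out.append(p)

    for path in known_paths:
        if path.endswith("/"):
            stripped = path.rstrip("/")
            if stripped:                          # not the document root
                parent, name = posixpath.split(stripped)
                for suf in ARCHIVE_SUFFIXES:      # /reports/ -> /reports.zip, /reports/reports.zip
                    add(posixpath.join(parent, name + suf))
                    add(path + name + suf)
            for txt in STRAY_TEXT:
                add(path + txt)
        else:
            for suf in BACKUP_SUFFIXES:           # login.pl -> login.pl.bak, login.pl~, ...
                add(path + suf)
            base, _ = posixpath.splitext(path)    # login.pl -> login.inc, login.txt
            for suf in (".inc", ".txt"):
                add(base + suf)
    return out


# Countermeasure: a resource mapping that never serves these types, whatever
# the request says and however the file got there.
DENY = re.compile(r"\.(bak|old|orig|swp|inc|asa|zip|tar\.gz|tgz|rar|sql)$|~$",
                  re.IGNORECASE)


def should_serve(path):
    return DENY.search(path) is None


if __name__ == "__main__":
    for url in backup_candidates(["/reports/", "/cgi-bin/login.pl"]):
        print(url, "" if should_serve(url) else "(blocked by mapping)")
```

The deny rule is the cheap half; the expensive half is the change control the slide asks for, because a `.bak` left behind by an editor is still readable by anyone who can guess its name if the mapping is missing on one server.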
28. 4. Reverse Proxying
• Web proxy servers may work both ways!
• Typically meant to allow users from within a network to access external web sites.
• May end up proxying HTTP requests from the outside world to the internal network.
  • e.g. Compaq Insight Manager
• Usually happens when the front end web server proxies requests to back end app servers.
29. 4. Reverse Proxying
Countermeasures:
• Check the web server proxy configuration thoroughly.
• Be careful when creating URL mappings to internal servers.
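The routing decision at the heart of slides 28 and 29, as an added Python example (not from the talk). `open_proxy_route` shows the misconfiguration: the front end forwards wherever the request points, so an absolute-URI target or a spoofed Host header aims it at any host the web server can reach, including the non-routable back-end network the firewall was protecting. `strict_route` is the countermeasure: only relative targets, and only prefixes explicitly mapped to a back end. The prefix table and host names are assumptions for the example.

```python
from urllib.parse import urlsplit

# Assumed mapping of public URL prefixes to internal application servers.
BACKENDS = {
    "/app/": "app1.internal:8080",
    "/reports/": "reports.internal:8080",
}


def _target(request_line):
    method, target, version = request_line.split(" ", 2)
    return target


def open_proxy_route(request_line, host_header):
    """Misconfigured front end: honours absolute-URI requests and trusts the
    Host header, so the client chooses the destination."""
    target = _target(request_line)
    if target.startswith(("http://", "https://")):
        u = urlsplit(target)
        return u.netloc, (u.path or "/")
    return host_header, target


def strict_route(request_line, host_header):
    """Corrected: relative targets only, forwarded only to an explicitly mapped
    back end; anything else is refused (None) rather than forwarded."""
    target = _target(request_line)
    if not target.startswith("/"):
        return None
    for prefix, backend in BACKENDS.items():
        if target.startswith(prefix):
            return backend, target
    return None


if __name__ == "__main__":
    probe = "GET http://10.1.1.5/admin/ HTTP/1.0"
    print(open_proxy_route(probe, "www.example.com"))   # ('10.1.1.5', '/admin/')
    print(strict_route(probe, "www.example.com"))       # None
```

The request arrives on port 80, which the firewall allows, and leaves the web server towards 10.1.1.5 on a connection the firewall never sees as inbound; that is the "both ways" the slide warns about.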
30. 5. Java Decompilation
• Java Bytecode can be decompiled quite effectively.
• May disclose sensitive information such as passwords, application paths, etc.
• May also disclose application logic – such as generation of session IDs, encryption, etc.
• Java Archive files (.jar files) may contain files other than bytecode, such as configuration files.
31. 5. Java Decompilation
Countermeasures:
• Java bytecode obfuscation.
• Elimination of sensitive configuration information within bytecode.
• Elimination of unnecessary files within .jar files.
32. 6. Source Code Disclosure
• Ability to retrieve application files in an unparsed manner.
• Attackers can recover the source code of the web application itself.
• The code can then be used to find further loopholes / trophies.
• May be caused in many ways:
  • Misconfiguration or vendor errors
  • Poor application design, etc.
33. 6. Source Code Disclosure
Countermeasures:
• Vendor supplied fixes.
• Locking down the web server configuration.
• Secure coding practices.
34. 7. Input Validation
• Root cause of most web hacks.
• All inputs received should be validated:
  • data types
  • data ranges (e.g. -ve or fractional numbers)
  • buffer sizes and bounds
  • metacharacters
• Tampering with hidden fields.
• Bypassing client side checking (e.g. javascript).
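The checks listed above applied to the `display.asp?pg=1&product=7` URL from slide 16, as an added Python example (not from the talk). Type, length, metacharacter and range checks run on every parameter on the server, so whatever client-side JavaScript did or did not do is irrelevant, and the checkout handler shows the hidden-field point: a `price` field sent by the browser is never read, the price is re-derived from the catalogue. The catalogue and the limits are constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Constructed catalogue: product id -> (name, unit price in cents).
CATALOGUE = {7: ("Widget", 1999), 8: ("Gadget", 4500)}

# Positive integer of bounded length: rejects "-1", "1.5", "7 OR 1=1", "7\x00".
ID_RE = re.compile(r"[1-9][0-9]{0,8}")


class ValidationError(ValueError):
    pass


def parse_int(params, name, lo, hi):
    """Type, length, metacharacter and range checks for one numeric parameter."""
    values = params.get(name)
    if not values or len(values) != 1:
        raise ValidationError(f"{name}: missing or repeated")
    raw = values[0]
    if ID_RE.fullmatch(raw) is None:
        raise ValidationError(f"{name}: not a positive integer")
    n = int(raw)
    if not lo <= n <= hi:
        raise ValidationError(f"{name}: out of range")
    return n


def handle_display(query_string):
    """display.asp?pg=1&product=7, validated on the server."""
    params = parse_qs(query_string, keep_blank_values=True)
    pg = parse_int(params, "pg", 1, 1000)
    product = parse_int(params, "product", 1, 999_999_999)
    if product not in CATALOGUE:
        raise ValidationError("product: unknown")
    return {"pg": pg, "product": product}


def handle_checkout(form_body):
    """A hidden 'price' field in the form is ignored: the price comes from the
    catalogue, so tampering with the field changes nothing."""
    params = parse_qs(form_body, keep_blank_values=True)
    product = parse_int(params, "product", 1, 999_999_999)
    qty = parse_int(params, "qty", 1, 100)
    if product not in CATALOGUE:
        raise ValidationError("product: unknown")
    name, unit_price = CATALOGUE[product]
    return {"item": name, "total": unit_price * qty}


def is_rejected(handler, data):
    """True if the handler refuses the input."""
    try:
        handler(data)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    print(handle_display("pg=1&product=7"))
    print(is_rejected(handle_display, "pg=1&product=7+OR+1=1"))   # True
    print(handle_checkout("product=7&qty=2&price=1"))              # total 3998, not 2
```

A value that passes `parse_int` is an `int` by the time any query is built from it, which removes the SQL problem of the next slide for this parameter; the remaining risk is the one `handle_checkout` addresses, trusting state that was only ever meant to round-trip through the browser.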
36. 8. SQL Query Poisoning
• Parameters from the URL or input fields get used in SQL queries.
• An instance of Input Validation attacks.
• Data can be altered to extend the SQL query.
  • e.g. http://server/query.asp?item=3+OR+1=1
• Execution of stored procedures.
• May even lead to back-end database server compromise.
37. 8. SQL Query Poisoning
Countermeasures:
• Again, no easy fix.
• Thorough source code review.
• Following the principle of least privilege for the database application.
• Elimination of unnecessary database users and stored procedures.
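The `query.asp?item=3+OR+1=1` example from slide 36 run against a constructed SQLite table, as an added Python example (not from the talk). `vulnerable_lookup` pastes the URL-decoded parameter into the SQL text, so `3 OR 1=1` extends the WHERE clause and returns every row; `safe_lookup` validates the type and binds the value, so it can never become SQL. `lock_down` stands in for the least-privilege point of slide 37: the application's connection is made read-only, which is SQLite's nearest equivalent of giving the application a SELECT-only database account.

```python
import sqlite3


def make_db():
    """Constructed catalogue table standing in for the back-end database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, internal INTEGER)")
    db.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [(1, "anvil", 0), (2, "rocket", 0), (3, "widget", 0), (4, "unreleased", 1)],
    )
    db.commit()
    return db


def vulnerable_lookup(db, item):
    """The parameter (already URL-decoded by the web server) is pasted into
    the statement, so 'item=3 OR 1=1' extends the WHERE clause."""
    sql = "SELECT id, name FROM items WHERE id = " + item
    return db.execute(sql).fetchall()


def safe_lookup(db, item):
    """Validate the type, then bind the value; the driver sends it as data."""
    try:
        item_id = int(item)
    except ValueError:
        return []
    return db.execute("SELECT id, name FROM items WHERE id = ?", (item_id,)).fetchall()


def lock_down(db):
    """Least privilege, SQLite-style: this connection may only read."""
    db.execute("PRAGMA query_only = 1")


def can_write(db):
    """Probe whether the application's connection could modify data."""
    try:
        db.execute("UPDATE items SET internal = internal")
        db.rollback()
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "3 OR 1=1"))   # every row, including the internal one
    print(safe_lookup(db, "3 OR 1=1"))         # []
    lock_down(db)
    print(can_write(db))                       # False
```

Binding parameters fixes the query text; it does nothing for a stored procedure that itself concatenates its arguments, which is why the slide pairs it with removing unneeded procedures and accounts.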
38. 9. Session Hijacking
• HTTP is inherently a "stateless" protocol.
• Many web applications are stateful.
• Poor mechanisms of state tracking:
  • Hidden fields carrying a session ID
  • Client side cookies
  • … with no server side session tracking.
• Reverse engineering of the session ID leads to access of other users' data.
39. 9. Session Hijacking
Countermeasures:
• Use server side session ID tracking.
• Match connections with time stamps, IP addresses, etc.
• Cryptographically generated session IDs (hard to sequence).
• Use web application server session management APIs when possible.
40. 10. Buffer Overflows
• Poor bounds checking.
• Web server HTTP requests.
  • e.g. ASP buffer overflow, .printer, etc.
• Application Input fields.
  • e.g. ColdFusion DoS, etc.
• Can cause:
  • Denial of service (crashing the app / service)
  • Remote command execution (shellcode)
42. Hacking Web enabled Devices
• Network equipment, printers, etc. becoming "web enabled".
  • e.g. Cisco IOS HTTP hack, HP WebJetAdmin hack, etc.
• May leak sensitive information about a network.
• May allow proxying of web attacks.
43. Beating the IDS
• "Secure Hacking" – hacking over SSL.
• Many ways of writing the same URL.
  • Defeats signature based pattern matching.
• Spurious parameters.
• Intentionally generating false positives.
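"Many ways of writing the same URL" made concrete, as an added Python example (not from the talk). `variants` lists constructed spellings of one traversal request, including a spurious parameter; `naive_match` is a signature engine that looks at the raw request line and misses all but the plain form; `canonical_match` first undoes what the target web server will undo (bounded percent-decoding, dropping empty and `.` segments) and catches every variant. The signatures and request lines are assumptions for the example.

```python
from urllib.parse import unquote

# What a naive, signature-only engine looks for in the raw request line.
SIGNATURES = ("../", "/etc/passwd")


def variants():
    """Constructed spellings of GET /scripts/../../etc/passwd; a web server
    decodes and normalizes each of them to the same path."""
    return [
        "GET /scripts/../../etc/passwd HTTP/1.0",                   # plain
        "GET /scripts/..%2f..%2fetc%2fpasswd HTTP/1.0",              # encoded slashes
        "GET /scripts/%2e%2e/%2e%2e/etc/./passwd HTTP/1.0",         # encoded dots, self-reference
        "GET /scripts/.%2e/.%2e/etc//passwd HTTP/1.0",               # mixed, doubled slash
        "GET /scripts/%2E%2E/%2E%2E/%65tc/passwd HTTP/1.0",          # upper-case hex, encoded letter
        "GET /scripts/%252e%252e%252f%252e%252e%252fetc%252fpasswd?pad=AAAAAAAA HTTP/1.0",
        # double-encoded (works only against a server with the superfluous-decode
        # flaw of slide 22) plus a spurious parameter
    ]


def naive_match(request_line):
    return any(sig in request_line for sig in SIGNATURES)


def request_path(request_line):
    return request_line.split(" ", 2)[1].split("?", 1)[0]


def canonicalize(path, max_decodes=3):
    """Percent-decode until the string stops changing (bounded, since double
    encoding is a known trick), then drop empty and '.' segments. '..' is
    kept deliberately so that traversal stays visible to the signature."""
    prev = None
    for _ in range(max_decodes):
        if path == prev:
            break
        prev, path = path, unquote(path)
    segments = [s for s in path.split("/") if s not in ("", ".")]
    return "/" + "/".join(segments)


def canonical_match(request_line):
    return any(sig in canonicalize(request_path(request_line)) for sig in SIGNATURES)


if __name__ == "__main__":
    for line in variants():
        print(f"naive={naive_match(line)!s:5} canonical={canonical_match(line)!s:5} {line}")
```

The canonicalizer has to guess how far the server decodes; decode more than the server and the IDS raises false positives, decode less and the evasion works. That ambiguity, and the fact that the first bullet (attacking over SSL) hides the request line from a network sensor altogether, is why the slide puts the only reliable defense in the application itself.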
44. Closing Thoughts
• Far harder to secure web sites and web applications.
• Need to create a heightened level of security awareness.
• Use of formal software engineering methods for developing web applications.
• Use of secure coding practices.
• Thorough application testing.
45. Closing Thoughts
• "There is no patch for carelessness".
• Web Hacking: Attacks and Defense
Saumil Shah, Shreeraj Shah, Stuart McClure
Addison Wesley – 2002.