From 7945ffc407b36cad3076a980730a31f8d63fa4c5 Mon Sep 17 00:00:00 2001
From: karan preet singh sasan
Date: Sun, 26 Apr 2020 03:19:30 +0530
Subject: [PATCH 1/2] Adding XSS image tag vulnerability
---
 .../utility/annotations/ResponseType.java | 7 ++++
 .../annotations/VulnerabilityLevel.java | 8 +++++
 .../xss/UrlParamBasedImgTagAttrInjection.java | 32 +++++++++---------
 src/main/resources/static/images/OWASP.png | Bin 0 -> 36453 bytes
 .../XXSInImgTagAttribute/LEVEL_1/XSS.css | 0
 .../XXSInImgTagAttribute/LEVEL_1/XSS.html | 9 +++++
 .../XXSInImgTagAttribute/LEVEL_1/XSS.js | 14 ++++++++
 7 files changed, 54 insertions(+), 16 deletions(-)
 create mode 100644 src/main/java/org/sasanlabs/internal/utility/annotations/ResponseType.java
 create mode 100644 src/main/resources/static/images/OWASP.png
 create mode 100644 src/main/resources/static/templates/XXSInImgTagAttribute/LEVEL_1/XSS.css
 create mode 100644 src/main/resources/static/templates/XXSInImgTagAttribute/LEVEL_1/XSS.html
 create mode 100644 src/main/resources/static/templates/XXSInImgTagAttribute/LEVEL_1/XSS.js
diff --git a/src/main/java/org/sasanlabs/internal/utility/annotations/ResponseType.java b/src/main/java/org/sasanlabs/internal/utility/annotations/ResponseType.java
new file mode 100644
index 00000000..c7f5e04f
--- /dev/null
+++ b/src/main/java/org/sasanlabs/internal/utility/annotations/ResponseType.java
@@ -0,0 +1,7 @@
+package org.sasanlabs.internal.utility.annotations;
+
+public enum ResponseType {
+ ENTIRE_HTML_PAGE,
+ JSON,
+ HTML_TAGS_ONLY
+}
diff --git a/src/main/java/org/sasanlabs/internal/utility/annotations/VulnerabilityLevel.java b/src/main/java/org/sasanlabs/internal/utility/annotations/VulnerabilityLevel.java
index 3fdc05da..ae5e2e56 100644
--- a/src/main/java/org/sasanlabs/internal/utility/annotations/VulnerabilityLevel.java
+++ b/src/main/java/org/sasanlabs/internal/utility/annotations/VulnerabilityLevel.java
@@ -40,4 +40,12 @@
 * @return template name
 */
 String htmlTemplate() default "sasan";
+
+ /**
+ * ResponseType helps the implementer to know what is the type of response returned from the
+ * rest/http api call. This is important for vulnerabilities which returns entire html or tags
+ * like XSS vulnerability. The default responseType is {@link ResponseType#JSON}.
+ * @return ResonseType for the vulnerability level.
+ */
+ ResponseType responseType() default ResponseType.JSON;
 }
diff --git a/src/main/java/org/sasanlabs/service/vulnerability/xss/UrlParamBasedImgTagAttrInjection.java b/src/main/java/org/sasanlabs/service/vulnerability/xss/UrlParamBasedImgTagAttrInjection.java
index e4760122..a2680e97 100644
--- a/src/main/java/org/sasanlabs/service/vulnerability/xss/UrlParamBasedImgTagAttrInjection.java
+++ b/src/main/java/org/sasanlabs/service/vulnerability/xss/UrlParamBasedImgTagAttrInjection.java
@@ -7,6 +7,7 @@
 import org.apache.commons.text.StringEscapeUtils;
 import org.sasanlabs.internal.utility.GenericUtils;
 import org.sasanlabs.internal.utility.LevelEnum;
+import org.sasanlabs.internal.utility.annotations.ResponseType;
 import org.sasanlabs.internal.utility.annotations.VulnerabilityLevel;
 import org.sasanlabs.internal.utility.annotations.VulnerableServiceRestEndPoint;
 import org.sasanlabs.service.bean.ResponseBean;
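Review bot: The Javadoc added for `responseType()` in VulnerabilityLevel.java misspells the type in its return tag, `@return ResonseType for the vulnerability level.`; it should read `@return ResponseType for the vulnerability level.`. The same comment says "vulnerabilities which returns", which should be "which return". The annotation interface starts before this hunk, so only the new member is reviewed here.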
@@ -31,59 +32,58 @@ public void setParameterBean(ParameterBean urlParamBean) { // Just adding User defined input(Untrusted Data) into Src tag is not secure. // Can be broken by various ways - @VulnerabilityLevel(value = LevelEnum.LEVEL_1, descriptionLabel = "XSS_DIRECT_INPUT_SRC_ATTRIBUTE_IMG_TAG") - public ResponseBean getVulnerablePayloadLevelUnsecure() { + @VulnerabilityLevel(value = LevelEnum.LEVEL_1, descriptionLabel = "XSS_DIRECT_INPUT_SRC_ATTRIBUTE_IMG_TAG", htmlTemplate = "LEVEL_1/XSS", responseType = ResponseType.HTML_TAGS_ONLY) + public ResponseBean getVulnerablePayloadLevel1() { String vulnerablePayloadWithPlaceHolder = ""; StringBuilder payload = new StringBuilder(); for (Map.Entry map : this.parameterBean.getQueryParamKeyValueMap().entrySet()) { payload.append(String.format(vulnerablePayloadWithPlaceHolder, map.getValue())); } - return new ResponseBean(GenericUtils.wrapPayloadInGenericVulnerableAppTemplate(payload.toString())); + return new ResponseBean(payload.toString()); } // Adding Untrusted Data into Src tag between quotes is beneficial but not // without escaping the input - @VulnerabilityLevel(value = LevelEnum.LEVEL_2, descriptionLabel = "XSS_QUOTES_ON_INPUT_SRC_ATTRIBUTE_IMG_TAG") - public ResponseBean getVulnerablePayloadLevelLow() { + @VulnerabilityLevel(value = LevelEnum.LEVEL_2, descriptionLabel = "XSS_QUOTES_ON_INPUT_SRC_ATTRIBUTE_IMG_TAG", htmlTemplate = "LEVEL_1/XSS", responseType = ResponseType.HTML_TAGS_ONLY) + public ResponseBean getVulnerablePayloadLevel2() { String vulnerablePayloadWithPlaceHolder = ""; StringBuilder payload = new StringBuilder(); for (Map.Entry map : this.parameterBean.getQueryParamKeyValueMap().entrySet()) { payload.append(String.format(vulnerablePayloadWithPlaceHolder, map.getValue())); } - return new ResponseBean(GenericUtils.wrapPayloadInGenericVulnerableAppTemplate(payload.toString())); + return new ResponseBean(payload.toString()); } // Good way for HTML escapes so hacker cannot close the tags but can use 
event // handlers like onerror etc. eg:- ''onerror='alert(1);' - @VulnerabilityLevel(value = LevelEnum.LEVEL_3, descriptionLabel = "XSS_HTML_ESCAPE_ON_DIRECT_INPUT_SRC_ATTRIBUTE_IMG_TAG") - public ResponseBean getVulnerablePayloadLevelMedium() { + @VulnerabilityLevel(value = LevelEnum.LEVEL_3, descriptionLabel = "XSS_HTML_ESCAPE_ON_DIRECT_INPUT_SRC_ATTRIBUTE_IMG_TAG", htmlTemplate = "LEVEL_1/XSS", responseType = ResponseType.HTML_TAGS_ONLY) + public ResponseBean getVulnerablePayloadLevelMedium() { String vulnerablePayloadWithPlaceHolder = ""; StringBuilder payload = new StringBuilder(); for (Map.Entry map : this.parameterBean.getQueryParamKeyValueMap().entrySet()) { payload.append( String.format(vulnerablePayloadWithPlaceHolder, StringEscapeUtils.escapeHtml4(map.getValue()))); } - return new ResponseBean(GenericUtils.wrapPayloadInGenericVulnerableAppTemplate(payload.toString())); + return new ResponseBean(payload.toString()); } - // Good way and can protect against attacks but it is better to have check on // the input values provided if possible. 
- @VulnerabilityLevel(value = LevelEnum.LEVEL_4, descriptionLabel = "XSS_QUOTES_AND_WITH_HTML_ESCAPE_ON_INPUT_SRC_ATTRIBUTE_IMG_TAG") - public ResponseBean getVulnerablePayloadLevelHigh() { + @VulnerabilityLevel(value = LevelEnum.LEVEL_4, descriptionLabel = "XSS_QUOTES_AND_WITH_HTML_ESCAPE_ON_INPUT_SRC_ATTRIBUTE_IMG_TAG", htmlTemplate = "LEVEL_1/XSS", responseType = ResponseType.HTML_TAGS_ONLY) + public ResponseBean getVulnerablePayloadLevelHigh() { String vulnerablePayloadWithPlaceHolder = ""; StringBuilder payload = new StringBuilder(); for (Map.Entry map : this.parameterBean.getQueryParamKeyValueMap().entrySet()) { payload.append( String.format(vulnerablePayloadWithPlaceHolder, StringEscapeUtils.escapeHtml4(map.getValue()))); } - return new ResponseBean(GenericUtils.wrapPayloadInGenericVulnerableAppTemplate(payload.toString())); + return new ResponseBean(payload.toString()); } // Good way and can protect against attacks but it is better to have check on // the input values provided if possible. - @VulnerabilityLevel(value = LevelEnum.SECURE, descriptionLabel = "XSS_QUOTES_AND_WITH_HTML_ESCAPE_PLUS_FILTERING_ON_INPUT_SRC_ATTRIBUTE_IMG_TAG") - public ResponseBean getVulnerablePayloadLevelSecure() { + @VulnerabilityLevel(value = LevelEnum.SECURE, descriptionLabel = "XSS_QUOTES_AND_WITH_HTML_ESCAPE_PLUS_FILTERING_ON_INPUT_SRC_ATTRIBUTE_IMG_TAG", htmlTemplate = "LEVEL_1/XSS", responseType = ResponseType.HTML_TAGS_ONLY) + public ResponseBean getVulnerablePayloadLevelSecure() { String vulnerablePayloadWithPlaceHolder = ""; Set allowedValues = new HashSet<>(); allowedValues.add("image.png"); @@ -94,7 +94,7 @@ public ResponseBean getVulnerablePayloadLevelSecure() { String.format(vulnerablePayloadWithPlaceHolder, StringEscapeUtils.escapeHtml4(map.getValue()))); } } - return new ResponseBean(GenericUtils.wrapPayloadInGenericVulnerableAppTemplate(payload.toString())); + return new ResponseBean(payload.toString()); } } 
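Review bot: In `getVulnerablePayloadLevelSecure` the allow-list still contains only `image.png`, but the XSS.js added in this patch always sends `?value=images/` followed by the typed name, and the only image shipped is `static/images/OWASP.png`. The membership test lies between the two hunks of this file and is not visible here; if it compares the raw parameter value with `allowedValues`, the secure level will return an empty body for every request from the new page. Aligning the entry with what the client sends, for example `allowedValues.add("images/OWASP.png");`, would keep the secure level demonstrable. The rename is also only half done: `getVulnerablePayloadLevel1` and `getVulnerablePayloadLevel2` now sit next to `getVulnerablePayloadLevelMedium`, `getVulnerablePayloadLevelHigh` and `getVulnerablePayloadLevelSecure`. All five visible calls to `GenericUtils.wrapPayloadInGenericVulnerableAppTemplate` are removed while the `GenericUtils` import stays as context, so the import is probably unused now and can be dropped if nothing outside these hunks needs it.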
diff --git a/src/main/resources/static/images/OWASP.png b/src/main/resources/static/images/OWASP.png new file mode 100644 index 0000000000000000000000000000000000000000..ab628291360fef409e0325028d2e1841c7ce4490 GIT binary patch literal 36453 zcmdS9Ra9G1*Df5SIECU`C=~Znyaadm;>Fz^g1fuBJ1xbX;-2De#T|kMDJOlucl=}g zH|OHJJGn?kR@R(rKF@sCTytmdNM%JSOf(WS004j~BQ3590H8nt00c@D1lWje^n5Pt zqfuF2T>|#`|J+N}N2M7Sw1BIsq8b1J7yb76;SBkTaMPErIE<>fI?m*X3(J0$FKDNN zoN2!S+$kYs>8$$eYt$mg?BH062T6VwtAUKdcc++fCjcOpMn+sj-E-yiSKvP)0t#L# z2`l0M_ndsY+YN+;_OejS;mH;N7-bdc~<%6XP77JlS(gjI=x#5DT$5~S{3f= zFAOYli-VCWT|?MPuIovv-Uirv*V*pNHqa9Z{&~DdWB_1p#t}Py1_nESzrFpj@nkD7eC^K*?Wlq9pV=%t2ka@ zy8{^Poc{igir2IG$$Waks_D-*eKvB|9sr;>Ts8g5{9->4Z$AC!koF9VJ5yOc9H3W< zeO|G(n&{v&_W`~oBK_?ZY-~en zI%~@0os5b;fmlnt6F>P+$Q#(GG_fM`i9v}L;n>L|x)hBcEY|$YNyo)lQ_RKIjR|b` z8C^HeLt+5nInLO6){QE}X>|RX+E4rkaYdHQ3ydr+hJFz}$%R2J@b`zS{o3KTXRyT# zRI^@W_K#lW?!Vy9DApl0f<5le-RSH97zpgjI=?DSD2-DYoUwn4ARrRm{JpTz8UKR?J&vmjPyk>gytlZRDXOMj>Nu%qRELJ6#Umw0S)2nB*!H%L zeaT9n8NOI6+Rym{D5ZjyO?v7!u45{EJnVh$eUD$JOxX>w2a+$+@JDBbO z)xF)01uzwNbXrz|65ih0YrqGvovzCzX9?ql8MSd01plElz{Zy#S03&#k$-)CP0grM zr%9Dil_B}4a4cDqoFr(`&(-rR?Y1nd9&F ziH1Be4w2<|2i-K3{p>>**EKE}Sx3yQ9hkJuY`8^O06=PS?gHkAaU<wf;thT!G1 zQr13^w=Y?(&UYv+hZ(~_!Cs;-EF2uRB^2$Tk3D4HuRVG;)G{$YiwSu}+b%!qO)>Nz zMI9mlgw2SSr>m!=wFnO#%VJ3cD?NRGe1rS(*Laq?)?r22w?n8%f_iq&$JP{ zFbW_!7PrWY`niDg1Jiw6>O!N}r2xXT)Wk6ebb=*lbZy@6A>?`TnE!ZZt`u_K0RUrr;v!-M9~Hs%>S}3{>bHK_My+cy5X{_WoV4A%fex@HX)R#M#vffC?L!7UmJmM4Ss%J zsMSdC(NVI9OgPRg_WJ&B;cpXck?K=x^1+JgUB+PWXEqeFTDu@FS4!<>1+%T`B~_@1nO0v-?`YWep=eF>xH(s|Fx zRPcgN_bi5xK!u*2^*(Vw5CFjIjda#xG|s%T(e$6=UR3%#{6I9NC&x%-90tp}GI(Sz z_MsK(_*Wc(Ig8^chg3DSbx%l491&13c03%I5GAjL`{Lyc&NYuAWHDPFwwHpXupnVE zsuaig_e7@!*~Q?It*amP3;-Yu$LN8pJL-}?T8N0Sg3gAn0e3vA2s zdRN8VMWa(&DiGe8Lt2g;)(?l=V7bVl{#?5%Sn~o?A8@1F(TwWnpA*13gbjtB`+3!% zQ!kz^fx5DzX}>>XlI{&mzM`mrUQ*(gB2r7{>o4q{`4mTr?RPArTPv$&Fti&5`>`pM z9_|XoCp;$Ywb5lj3ph-el;YC4k7a*%))!CTrX+9Vt;)tNqrzGv#}Z5BrW7I%qI-si 
z=U#Yr9M?HqvmAi|8@v5<=b>5Mw7P6A>(Mqsah-ZYeMYGTL9o8A^R_i z_~du4thM@zCW?zM)766^%CLU1dDXLsr@XE&3UX^k?;V_>2J7d5GY;xCpC#*OSB$c_ zA0aPS8*l)?Ma_wzO115I+tJT5e=cmUi?lnK4mYd}-Nb8WyFNU8Rrih&XW=yvfQ80( zZc1t0FuxM0aDGV?rP*r74;#d6pm=&Dq;Z-L)Th-qFPgVWkcI z8q#Vgwa~c%7h!&#vQ6wRE4$eFQg~V@LW`2gztRGPx7%LK=ox=;3LNt|X0M8?KQHIO zu>pjqQ>8L19uR`S#Clr!D!P%)3TaRQfbg$Oqe-pvG9|?P*~jAWIm==ttE|YV#bX#1 zco}VmmcdxBgn7T@1yW6_z)I^`cd49Q1b_f48+&+_HaRbT=P+kH>EA5c56(ZS7;{nS zTmb=p7;AB+FXM6^at3Y15;sP8bxy+DD#R;cC#p!Qp?Q(0#$x7Lzn*xJja2RD8Hs#H zpKZXy=tdV!IVPeC(R)-$(Xel}lxt)$zm^gJ-GEvpAYv{UmFNaZipGgfgkKi0m=%wCS`!-*_mxaJ3<2;X8l&zR<#K7 zrZYf*ESm3b|Ih(rSE9PB+Wlq=@NZlsK0sL{c0(HO7=7bG&&)%=WR?K@UUbKeoi2zU+vB-TR&f`FSnlvw+m7DBYFHfC0>Altg0PLl^M+Y35^E36?vZ;3I zyVRfRP6qf8imU+wW^A5q$828)w{Z8%_VzqBaR|q6xYJV|l*j>q(lpoePuh0g&*1m; z+W0f4YmU>;K+~Vc*CKEL8lDWipCnxnU9BG%E({b4dY@zW2FFLf`@;k(TjS)HpaEPK z2+4Y1`uIICnhvTn&UoT{0S`#|3OO^-Tn>B@Mm(xkk6$I!5r{R_aQyen(zlH9 zp5^|jXOUr*f4#cBDXa!w1+wlfvDOQw{U~J8P#|oA{L<v{$M^F z$97ZfC;1biVYS4ie*3cICI~2vQDKx`h6j2}Nx)_XT}ofh!2^qZRW739P`wGM-)D1KkTD0UhuOSHDDV)e{-E)+LHk`0a%Z~>T9!rQ(D=~UwoOlL&jP< zutaThFe5M$ICR&|xv{r@TR{HZ(-B1tWN#f=BYF?06)H~I&P3NsadSFw{f9mtFjF#u_yn`PKn6|})fe50#xZl%+8H!6C8opF8~kQSzxjdv!V-hcka?8 zacPysJv_fS*@zoW=b_8sC>PmyedmlE=~B6skS~{s=pNs25ePdd4WG!0F5eXUSJ(g| zP#*c$xS#QZnX+_=d&jBd7jV$N;JpG_)rqP@uw@wS$jZ%$lA(U>?33Quhb7FDDK=g-*abg(FaRB(CBJS|wwz zST%uZXu8+{!BlG3nF%EJAYXGi^yHX3;HRWE(Qt2YyO+b`x75bc*l7~*-K4>%ieVK) z^BYW1Shtbvq4)5*@k$OkEtsoPVPNm;L&a{6k;fMsckj_&7qMuL$Nh2q;YXEcbq=3g z=y)x$8HZH;EF zDKMHxWRTt6h^y_{imM}<_J z$426e9hB|jY;ZD{u5fiKiW}uCc(n5WPZN&;LDig zg|XVNg;s8CB9^Q#?I!s{c zX&RB42zhv~*!bpM<5xG@$qmZiEU_xm;G@8~TDsX~)joPRL1LgfhqAe>#zTU!c_s+y z6G;3VJB7Pu;q6~z?8B%bO2HJXG;($C$x&L5dtvz)rv|MnQMp9ol3=SS{P~tWuf@@V zdz#d3b9w>3JwXMP8kJ3b@)nupd0K4)cHa&DO?R|MmljS2mcy(Amh~_?y4Y=Rpaq zh_JNq+s6(Ukn&#AkfVn40jG*i4!;zOO>paj(lzI-)F%UPrR@ln5rX*}&yyCippAE< z2U){1z_V?+dGy)|xwzP(a>%cdU*0-Zvv%j2%}Gbt%I2ZBgSOgzhivhgAirYuX4m_r z?3Ns|=X)#(S)$9O{nKS3jagvtalnR4GvHe-$0K}k;V&&K1KPr*Q?9LdO_1pmHQn4? 
zLTwCtvGd{B!OlB-W^qW{`MV^nBX@U$3guQ*YYDdozJbHE9IsoV6OuK6#_2a*KZZh& z_g|nn9OH5E<`z_aV6e(C_azD)wDr|&2OBPipV8X_iU@e2mCUCWeA6Abk|}Svo`J#p z+W>Xlz^6ObEw+z^gXX46Kj<&^=t0$!5>T-L=iWirS-xItG&;mSM1Df82i;!ky~M4v zoJ0>kH8h7^BA#@w4n;`FUBv{1tABkxMU60p7I4mem@5MS++p~>ZP7#9EL0z2lqEG7 z!s8v_!Rji#YQ*6fL7R$X*G7*8A@A=k;$rw;2xvb@iaiYU04P|8F4jfA?%5p_l~+(UX$e+z zL|Z;iCVxY0`_*USuqJ6i1=Vxf94&9$d_%DNW?t~RH1-qC`Mmj2$s5IA6-+)HxdQ;M_?@Y0_ zs;gNkkruq8SXRJlidK<-du=97u9zxmovERR{Y>N$frAvCJX z9Guz4_3}rrMRSYG<$-{i3MV?T=1TQ^F$`zuk*wYRd%!M-WDn{a;()VI?42Ew0nrx> z*{@s%^w+5Ef=Sidj>DEt7JsxL&~%vNI)3z46KbtJdX={@<~`~KG6&2dS=3N5aNFM*;=fRgJyx0SI7&7q-Z zGXeme^u>HXevj>@*ep_1UiMG!t{b|sr6zAXOI_TBdE>6l#ER)96ZDxSb`+WIWqCc{ z`NngICZq-3Bkwt`m{RV!WE8nV)l%rRpI647b3y!R$DW#ME{YVt*ndeLP{8+aqqE;n z$8|&PCh~#x!)__9!KKjtIr&0$m*L=+A4xSOc2*JxO2-D|w*llAOdP9JZWq z9L|p#Z4W~TKTfp3-x?U0=@G$m1ilaW3=6q0PI5pLEy5I*s%JwvP3(+=-)v$hU$1{1 z(m7zT{`fS_Hz6~1Wc70dzUT{+JnArg-6W#%*UCfl9|ksMJMTfg`@YYz!2A++Xu^tb zXFVSV|E964U505>BN-gO%SZz)1)wd}r`A)VsLqfk-$hgmksnqC2(jRG?oRQAYIr1s zwsg@5vAZxHLoALJE2%jjga;MD7wANT#Y2o%U_Do+uaoXG&RD>Lux zDiAPNb$HnBIF(E(h+*itvWsB*8Pslc5`9X5O};L4gP!78Hxi)zT9L;;x$_4XngbGM zx}*qSVbJTVNL1qJWtjYkB$cAdYdpg&G{+HzFwFQkvWL=Mw3=$`(Z`mo>Dd_KzoWhow_de;gh(<*>ABO-(YwRZp7TmdrJ1|BCJ^| zGI`sWZV5&_RuLb!o4`&p!Yt_z!h2JldPEnPndGnZ+&=xDUG|SzqOQfjc1)L?xQ%@w z<^FA$z{_1}C<+s@Li2F>E1g^=teI#O6e%iZe&=&T0bJHt`U$Od)`UgLXz|@8(mzQ6 z%zDm$+mHjNF1p_vF^dM=uJBIpB0%_q&;j%jSpP?_>qw?;90LwN<6vS>(O#x#zEIRGD|p-+BWrPxW!i zo7u!%Y4Fzrlx;-OrUx%mL4Gn?knL50_1bOSnnkI_zG077l6?Q>#jA1!V0hMI^&(x4 zJCCNv@DAa;qrV7TFTdfXGu`l0bQG}jOi61k&HwdYr4@r*L1y)c@$@0woXsZt;aVuM zo)n!J-d45Q4R7B4?X(*by_Y9Xuw3NN1@)NB`4jhRgMuxrDYNlk2PeKQtv_hPW)e-& z2#eMqnV=wP4aoKjpI$^%QW<^2a?#RR-4`$uA=1HfJ)z}UN7tZj(Pu815=UaEP02+O zYcxGLT$z3vKqqvxTm&CApvA2bOMF)AKL38lfus4 z4@e0#7}y9-Jx&dguekg2Pga&$nY%hGvLhV3>YS~vZkMTEqido zmC_dhO=J*W8+_1p(OYbOn%zp_L?CunG|URTyGmJY%U+?>{n`>0{Wf^1gb9=UayzE) zO$B$R$MuObwLk?Q>Eilw;Ny+_We0-T;yQ1WNbz><{b1;aUo@62vH3jEfZMD~G!tTr 
zbbD^UC=;d_nt*;sfk!oa2{>U0$KyA)E$KVAn^-+uR&iK)4VY|b9_x8raP$8~S%6Qi zq_OG}VgIK{JU7mZxn_Bshs;CEp;}HP{;r)`F(LugIYF@IVW*2mB|>66NejX!qXKyc zVz56v^6utrtmfmSK14LZBiR=x{AAr>-J$5dt|lHa2)iND$wfPQ?2T#BaH8dM3~|Im zdEMsyHZi(AoW0*@jm4vAqLDL-o&1F$j~Dt|;+1O~e_#9l7y?!8_}Klb=XX~{0nq&D z4-(xT`QdfA&h*EI0G(T8lT!CW@QElC7|DA;Cu%w>bRnHXOJVhi(Q8>&fAG-x(e(gN zQ=*z-h&UKTlb?L^k)k_$po(RGyjx(hVEoE#{kChtvS|9S7U-Zwe3d}?sf@g?J**+y zpfw$y=cIqdvnyWf^{DmZuifGrh>W#cbaANJXBs4q)Uxk~*VKl=BfI5C6c>cc9D5*H z?>Hp5JtMuA;C{#0&)k8z} z=!a3Q+L-o3rNqIOO9sBM5a&MTk7V!fl=)C%C+)v;eJcQ^jj z9l(z1n7UxL@(x)OE^ATsE=EOGC|_w@MvC;bTfzaMGx z18ll@FuRRhn_Foxc^@w|gFI%!K#LOnTgJBMbDU%^(iJzK0SR3dT3slK4EQM(dn85Q zlI9^#@KUI~1Fl^~?`p5LuSc1nWTmvw!#Dyv6}N8pDt;-{Em8m9I+hqzzr)D%>9tCx z3I4=xcqh+#!T0nSjDx8ObO&u|+jeI~TLSprRoT1GXInBqx<@HZ$2mvxj-$9f_X@b@ zPW!%rH?H>W{>8+E=6{38?%DES-WARJNiT4Qsnv+vGLwLS$`TU~bwdZ6c=d$7WHJmtbe!Vg&0`Ow=R7jdD&SpNj>M z_%oN;WAZ}HlfoUc@#;iJFGNi-eOunwR@0L-U`#Uzq!j2yi+(NAcwa?E6DyyaB>I7w zVcc-^fSzVF977yME{pJ#MiRCE_;`xeyWbolkM?bDg6+vSf-DnZ1!wp z;(9*jI8*K4z(Ejf!+``ZD_$n@fsx<8pPr#FDwLegzyY@|kf2D?Kn}+Zqp<27VPu ze4*xBN=g)5VT6lT?_pZ&u@X_pOb)D@MJ=I*&iPZ-1y#{9(7_>Z@L!zn|;hkS01TwKK&amZB4K9>#q zHr$W|<5mtSbwR^N=umbaCOObh2tup1PnD_WxMJ%w8AVX1JFsPk$BkTVOm*=-V0Z}| zj3O7hexx|1$A-77Q;4yTS=7bBY+317v2DW%5fL!MFJ7g3F>XbmeCi9Pp$KWyc`K;H z;a}#y7V(2l45jd*F~fy*_pyJhK*iudu4~$ei9{x8H-P>p^&{7vVoLl+nVFbnQ|^n~ zs9MklX}a&QQ;WM``crD)Z#z>Y62!wbpoV9e7urRIZ7kNUy}i z--8N%{^|Nq(!7Phgp#>Erpg~aa{qU-DbBbyT+Sf3wBYcX!souQoE|3xt`lWFAcB|! zi*_i0FLnX;pZ3|>%YNTEnVAnI%kV3v``~s%d({dtC!QH1?Z-am4$p9?MzA`4@RL2? 
zp~B=BD4riiq6z^TU<2TO1E%^?`Y0~ZYl4htlhCP|pYABKwU!%A5jt`p> z@RDTI;({s?{GGN$+%5z|=3L$Dc_FVO2s{wt>KV-A7hyorYGY|JXv?v)1LNCo$d%GWt_K^p zpHa?sOHJM&JJ1&wN5!k;F!^`>uOkwxolN8-hDOlG`bkP9pirkUgzqMiTh>Lcj^u_& zb;%$US;6+>(R>`L)ilY6nf+vD*hL1{*B!wyhlHoFnRi0oM%O$K%etd`8NeYSbdhfI zIPRUlpEBIu=9Oh)uYv`8hEJHPF)g&{rW9F*zFitkZDZb# z{zUpGzib`|U_c4glafB}vPmcsT^5~L@_KlR|H$2*mGJ)il33FGm^lQF4dv?X-}la& z>D zC94}5rJ^*Lg{$z&!52`}Ji7dJX`n}lU9oO}I-f5&!-7;$OVbJq=FH~`Qt7JdWqDu$ z5_MRk5u9_+j4Xc?q0+G}QjeW@BxD>u`tTh8Z)1Kp)2zA~mx;ZJCPmH(^j6+k>;_*6)cSjH2B!Sz;4y%8tU66A{16AYjJwqUIc$#OzV=0oJ z!>($Y$yn;g1W7U8$KcA4Mqw$Ha}SG-F^QETuu=x8eb}&fy<3}NZZLdb<7oFq@n>!Y z=@Fx;LET;?Y=PuDIT9b#1xE<9A(2O@|08@on`*3X<1K4en*6EdOeELJwzy z8p&WwjAncbKOnE2Si4X|FEV<7+%$H?gm?W9P`Paa)+6AfawXL-JIm2dRZNDkutrv? zzR_`eh{`>ZsvZN7zRlAoE@;WJw6`UvRNO*1CkLAW%Y5+Kl)DJbCj` zQkR6@x+^FnQ|s}*1&=15f|VP`UNH{@6M8~9%AH1>R9ue8PJ9zDo9M?i)qIAB^G5ChHT`=q}yV&*FV2~C#%4OWxD5w&9?HIQ^ND|$z#CK!QTrU`kfa6 zfGb@c3GD%@y^jQJm+fRU6anzdL;}|Pqf&o&P2v*SzXap)yL?PRr=0rOaqA|-h&q+n zZS=8!R4NlHtv#NoLSqd4G4wk&!?Gg9C*w_*SLITM0ys6OiUC_he@+yAwy~Q&Ax9*& znDYHo5^k-H(dQoO@pzKQAP$o(ItplVe8Zq+4G6$M7DtBb$=yg*4hi|VPQB70(adYX z3+*kOO58$ro}=3<)MvixuM?Rozhv!)Q)X@@oeJ-GDZ(Z8$GhFZJI)~Sxey7$D@yyD zLe=UqSDEJ{vmxq1j-z+IOYIN&5S_aqpY+4-{N-a<#~gprmw3IBcrMAEab`LSml??* zgYjgr5WYLc8)7qDD$7N#;hJwkj^|qG(bt6q)@7Bw-|?=`EKe|Id)G#v-lOpK1FaeR0Q5w-*Reci+{z~2) z!yhm&OrR5K)c6Q1vNLoPkorv-HFG@`?bVFHR&)H~TM|mtGjdcOuJKVRo6Gb}Kw=2r z4*dwfHTIYzsjNf^X!3Ccx48=khn4c&Bzn3TH(_wT*K)@Nh9zfJ`jX8H0`2&P zDsiiWhMgjskZGQu&pyPmXo!^_ZN9ga`C9SBEcqb+Ou(B5A6czF=(9zKO*iONxzG?L zzG>q;;yyQ;9Dh10wQT%ZKdYZLfTrJ)WiQdMNz3XQ&T@)lr7Zbqw>WA2P*SC6GYrSF zPGznc;qygtnMs&azk`EAxv|Ng4F6bz)d%sK_340w71?|bOk-0;jF^FNNF#KuUZ;*{ z^4|gn!b4h-tcaG496E~#MuG9uV-V2MNZZ{s*X*d2b{o;;%ILL~jIb^deZ=~G5(m@Z zqQ14~>p6u0*`!Bp8In+iK$y~i2P1Y8nWp!?%~FoG`u9?GAxl~5R@nZy+uf<*!0C{w z?}cK)E`JDP@QEeSg-MR{I%~hojv}L(geA7hgKZw)>a+SSy}4)jJe0}$^gMbTTQzKN zGPAUWTYu10!)JoWl_eb0D3}O}2~{60uQ6%V&I6e$0do_&izP@>fs!XZfj>S;URzLN 
z{v2GiHxqz*&TWzb(+_M_;T^c}++G#dbjqJqc{2VIuGu*(5&#qbcBV)FY*bF5IB`vv z^sV)6Ln0j6Yr&*Z0w&Q>SWBS!q#xc0uNpOOqlL^Hmj5E22#ro$Gj2|fmwZ9~(e#mY zc#oaDkkSU(L+x#>f+T6K+VFx>j(L{ttp3jFnQM&ccvDT#+V`0m$S$=Pqzz|OD&3;- zB%D=pRbC{;y=W#yoMnUd)~RjXmX4wU_fyQ=iSYUN5?dM{fwDWN$ITR9W7=5)jk1{D-S71f@BM%5QJ@E0tlg;>&uy(eO3qMV8%BDah{Z zp;5_3xI9>IOV!uoiZ1`Bc&y^@Wn~L|oif4ltU^;1N|`*L8nINj769gbHlMpFoOMm8nK>veDz8kv+_q7^Z6#Wbf^9yXD@f|KJl zOZE-N6P~F2mge6IXOLj%PYg!b5nQULQj3Xnzz;~$G@IzkWp0Q9QvLEk0hB(F4`VsZ zDU49&6{6AB0e>$Exw74BQXh}@6khC5qX*YJfYG$DsTAd@4WbJ8Wpj~NZc<&r=*KYa zZ14SZ(^&227g2uSpcYa#3Wq<=jMdVYa&xBIvq+=YX{GoZcPhh~<}cVS+K$>Y-qK^c zRpsV~$Bk(3+}ydx=u+?YsI%sAb;ldMb1s{}l{L!UAf$3&sp6~aFY;G*_*_S-%!*EImPVoRb4)LYekp$vqS`QFBk#^j3Mt8CvkK`Ay$pb!2G1u zhLVLqb@t$J{N|?;ZL8)af5OvUp2q@^GLS+TMik0kaRLg2K3|D=tS7=Dfkb6(ja_fV z1XoA`RnB>zo+1S-r3{39#ETZiK%hDG<4OBSl@Pr2I@=BwD+DZ6HqHUL~;Pi>Rbxq%<%x?Vq(mpZXOa*QHmV((2MhvqFvkEr< zHA}%N{AYH8r>*KQ&FBR#zN49PY^jR=yXDl9OPDlm^eHA?gbs4Jo~Ge+z#l83*!H%h zI{g2?rVYl|8CJ@s&V%q@5*XJ%$%lVdLGQO1&gDiexg*nabFS`-_e~<>W-YfL8nwdr zT50~V%lkho)90TmJTec*RZDND5YZ=WE$&F7fOu z{#bdd9oNJIBPJi~AJ}6e)bgJyuy6U2ZfUbwUL^*2JZ{;R+gd#in_iu(>paPqm;5y> z<4TF;?j+Lu)piMfCH}xCmVXI|6NA0seX=-F4>o_hhj7uEH152>ksC^QLD)U{8gBx% zZ%PL*YQ0Q)>$G(^#L>o5;)o{THEjJP(Nr0RaNuO`)sX&UfrFlc3YI0R7J02ZW#Hx1 zQhkYg`qThu*-3rUu>{MgSomsVJIM)pbGY=5x*4~j~<&%qY*5E1vOjH@7bqJCwIvVWtASC}nu|KS-f03G&?4`ZnSOWvh` z%QGOWAZJ(izEj%Ss!5A|hoL~aLyRK=cq(1-o@%^ep91mdBc>ZX7}GHVYSM$X3t#wpY~PdHJQts zN^DU$7h4^cL9Bn9%~4cEh+@OfOkO*VSR-A6BJx(B-KL7mzL(`iagP)Kmws5d7ORCP zVURY_9fI*pq!i-B=;Yxq`N0~*si9F09G=7%$klllmsoxd9P43RYMl$v@ha4#Q8GRl z=yc&6}$={3=BXBZrzH?5U`VZ0I9R(cgL2$!Ib8Lv4AQ-AL>Di(H%!{m#q5Pel`Chui&C@kRbbKFpp76$NP%m zaT5AL121);I&fGSN^bxZqfqjZhn}&*jENuVLy=iQEc@<@*ATVO&B}TBf_g@Fa~+{X z4udhrEKO{dImgIzhs0=e2#+w`Tg#{Ww2nty5lF#?8 zS9{vQbwfnK)!(9TCkEJz)48)m$J;krRH9Px|BEMujRJ-G%dpZl`f4Rewfv+QkJBH^ z3TzNu{jO~{aR<{0Gwm~Tojw%uYkL!Z8E<55JWn?VDjBr3T4|WQ@-J7-><^1UFfggp(E)e zqbx`Czd*t(Kyz#qg3%UN--;I2ivKOZS6xaJjAuCeg=IE7>p@2IigSAINF!~hUT(x&PR~PK}4`As|qIKSf0;0RIW* 
z{zq=4YK@K#@;zTBgvO&i==S-YnTAyKV99%82MU=vti{lB`tumya_i-0qpY0k^jB=G zEpFFkp6;f6;(z4AyeRj8*6{s4`Z`-r{>P^W$};AZ$r}nf5PH#->Gqo#6_+2?MI{w* z6XTfIY6!1?G|KIWb6nPjSuC2XzW6wjdK=4y=}G^0Ps7;%n(diKj5XUv95hB}_sJxs z&!SF;X*~9DwYN8VfONV_+R%uJ6YzWe$Nk(;vTaZ6m?n2}+1nPXM*`XUg`j^x0jXf} z6eYVbir(@)b^E(QhzxOBvfzq_DpdJNsCa&u)?kRlYpZEN0@ut{^dZu#?XuA2S+4C} z`g_Lgp@!@$#I*z>b(N^x`AS%s*eHTPx8IIgsIXrlwBp~MZ{M(`f?s2~$Wn}JRC#N_ z&J93=ny&}|j!HHY^v#`tAp_>lFBHtUQ~3tx-cB8Yalz|V?B6j+YGVRcO$u+e3Sqfi zmfE`xe%zx*dg~X{Q&VCuhnT7~_CrM1y+fA&Vkb{s?){as-y6RfmuznwQqPgR*o9!g zCP_HP-%FjRZ@nKw&XSA6$x$tAspXoz%Kiky8xa(%y0ZFO z1L{2Ksu(xyXUZnJ=M@C}MkCw&fomot;8(}_>A_X>pD+T(4p_&eLVgY#t>hXf)rK^M z>bNAqGA;F($gFt(%1B`+IAl{Vc{#T7OHgwAFz>qA*anL3YgLSK?(yaylJ|`HPxKTc zDGJXaPEK>HVNH6R#Yff(ij4WMX=ywk7wZ~ffcLLno*41@ z9ame^LX7i}f4kDB0<@(#CgmzXCN%75UbnEnmPWg+M8|Jj!-o&|vpZg@&@Q zG&+lVg9(?ZU-O>0tY1N$&rlmOM(^C%+iLn!!IJ-x0K&Zru;9MR6V6^McdAZrQ{GuY zfl$6SQ+Dq5B>z)Q zr1o5}Vmh6ba2-o?qYPv*@As49v zzu8+85e@M!vJ^LgPi^PtKdWt!ep3f-PIwL|hp0piZSD4OM!Us*NKzr!oQ@|R);V|&mBOfQ6W_zlgutiLpWpMk|J=Q2&Rlby zGc)I&nJZZ0Izj&b3}h05q3uP6yfHOwj#{wreU_snV8+UuwUws>6tmL=UU^8^1YRxkCkN~qhdjgO)tjQ5TWy}5dA?8yOU zOF(&=z_={RYZ~tRzhe3Gv?<28jzkXY=$0-BED-35?4M;Env zOs|sED<}nt5pN^IHxkqiU1kf?5crqpufy_|15Fw-z)DRz>sjD_wB-8OfP`gg&aKwB zeJYuH9ShFg^o3N!J?)rJ&@!-szb6sQl@dN!FMaY2xxcYgn~SDAk^N@?bc=*+cQ(e* zc?)C0>QBkTf~wd1M|1_Cytn(rqnu$s6yF;hq-0~_XS)oRbG;V4D4UWXboehI{eUpJ z!qBi+`(*z{YtP$vDFgQAUM-QW!pGrM$7cBb%kniK*VRtY)Cg{$8e5Ot=c*07e0(Yd z>YbaA#(n>9PKt zhm$6DU34j=g@~P|<6#*p%cjWvwjMw8-3*np&BfZ#X#K`Z@stLKLK8^Ef@RF{wL^y< z>&dfUyf{2{|39`mKvPl^nQPr83Ox9JVwa})yRcEh+GN{qdUsi7si(mP=~ifj>@u0Y`3-O`&q}mVmz1T5}Ri=nB>%4-b+9C8fQEJIYwy$$&gId0|I`075Wih zBh#w*c+jb12$hBIc&A*TeqquD%4i`?%Sr4X=sC%BUaHAjR~pVjmE911eKN0|bd_Vz zN1S)8_~b}#NJpB6qqyALD#U*Qqpfh>T{mv3I6!49-P)liZ;sHRgQrjUv5xa`i{!rn z&4AaGl;wix>o?a>6mAsal57wsxiU|YBM8FO21EOMawQj2x0Y~Gv)h}Inj9OS^-u-6 zd1_u)$=7Hz@2zdbKc-Vgd&k~zNcK94Jx6lgYfq#hNK?F12vVV6JB#=d(cOwzZXK7H zieToRvbe`~TC_(cAmCe2h?%zxB?fT6@r2R8x)-ZHz`^VOck+3Qy~ckf(8PTgN1#iO 
zx2a^)E8TG~pJi0NoQ03`H(!B{f95{CPZinI6_?>20+$bNaU0R%{G?B6VD>3&KM4 z30GtnuNH#v|AZRtrp#zy(WqRNdEP-}{XctyYp;(oRMil7gpE3Vs=KA=nb571=h_3I ze0!b)r-3Rs@aUUoDPu%Wk>=Y@%GgU{TO>T6h({dXvE57iF7Ud?5cFq)2BQoR#P-*e zmAQu7Lt@DBsAeE9YW7DbR@@JYY}<7SdnhlJ%IU{pMf1MNM!ZV&%?-1DVXeIWhi)cf0I+z zbw;dCW*v&<-gWRi|6oTVaZE+N*n*(_tWHaCMn~ulYwG?pSsADd4~In}iTHK0N-+tl z$-!TyV}_|@6FQni->TGlpzeQ<>kk&1PN60*TdnjS8zWD4oX7ZjKTcIdsvC{^4p!~! zpL%A9rG(3us3z`imh49qF9yjoW=HjwxUV^h9V!WupPpF5e~@r7=}OPkrFx09HB@PUu8`1iVFhxE?(y4HST%~Wy%)@?eryhdzolOlsr*VM$mH`U(aVWN+0Q`Tz2yRs@{{q^|vYdX_TA8y!U%B>T*N^&^wIpKP1uF!K;Zw21i~W z{p&e}F+==5cT8-gjIBK@og*^V(LX^ZzVTfKWYE4Djw{Q%v6&IN1vFXZU^Ov!VYW9v z{|`yjlrfbeJF(c5dMoq&n=s{L{@c!}*Bzi6CCt*O>fXCm(DU~4`^knvl_0KH1MMwB z;V)ErBeJ3@4k+)S!JXPV{z_#sum3^pO2oT77H zxmWjFXbT%9|F$?TbCC-zp46Ab#1rXm{R_))XvY1(=gHby1(OiDv}3Bqq-yAlfX|jY z0{)L8bT5;}z;`ScSYsPAv$G`TQR=??!*+XUDY5)+ECp`G=p?P612nYJb6Pr{m(@7= ziwW^fL=uT6Ax*#kk0L)DU}v|7DWx7$>KAolPD{Dc>zEmr8_BW!Mv|m>A_Fx@BaW!o zqC^|za4p3`y{E{mk4gV)0g~e%{wNP$ZY^&O6~~d?z7(}XNZpcr!wvJZ9Z06SPKg~S zve#`*YIP56cBzUZ-y*|$xnpkoAas@-`<15_R0CS+hRcP+&YUKM>%b-s`--I@5$7NQfpv=VL)=f@ZFEMeKTBRoaNfv05!~lFl!+vHOg3FK z`@J?U{KG=5E^zN|I#98KEAIfO6C-)dItvviGwF);$F$tToSsG^#-Gx5lFhtDbR>M+ z9PD6CU7(H!W(wrHglBmx!W%Z}6oy+@+Kk;+3iAAn$JYGAm(<1T{q5WA1=F~|m;$|T z{7>~FT?>MiMDQkJ;fT|HD1!f%KpSY~!Ou%eU(7bs_Y+MSmX9@2A^xM-6WUE7ERuj; zDD)OyC}?u`Pl6K@3Er5nF0ix)^fEPJMJ7C|_f#?|b|xDWXdxX!^id#*pd4xfgjhb$ ztd+@l%i>5&NaS!HGYfx1uy^?%YQ0aWB}j=1gva5P+r(-B_gbzri{jF5=^jt~xdt;~ zeDRO@lvCs<(qsu^mCuW~>MA7n@!t@%4Im9i0H915$tn@*0{abPLw-^4@w{zB3SJ16 zjYhf_@tuDoZA#@iEdP>f%^}0nX2b&ThmCYH!>Ayaf8m?|S-x8XnlMBa-B%~ug$_n3 zi{UqLN^%l=H9QvDi*s7eLkBb4y60Iv2CR-G=zQZCMq{-{=WCw*4{&!~pl#x0PY`>I zKPQYRE}&QQ@G^D}n;J*3a;uJDyr0Zo`93N$kCEoxF-SirL}5T&W(tHZsu`Hakzq`sLz16@(Is#en8i9o}lCSb|&OhEaO8Q)P?S1(E7-K4LVouiC% zgwK4m^pyD#Gz&m{S6<{9s?b<~n5TLwo-+g&;B|P8yh00qTb|UzJuW{GvyZY}fU} z6|91vY`Ry%VOuzLii3Yp?+AsJ98{jBpAnF4q9hfbsihG1E9F*5arPXK*FS~mm?5}a zblWgburPu9%Pb!2)^o|Bc>UUntg%`JG$QGzH-nL1VUkqToQmTLCpk3`LkxHx_a6&k 
zsA11CtVDHPHNLQl)7Oe@uJAVE>$OwV0|MZ28zVeVvkwYZnt>8fg!-?9xOE@xJouN` zhO&K?%vsi)DeL6dgA1C$%FsD8#ECRDZwKG=4~wjI8P@+>vmjqfxZh9bglGU0ifaoA z97d)HED(w-haz!F(df~e=UMfc*I%EdZK3e3Zo6Sh7T7C4*^11L^RR;R+CAP#`l}|x ze~u4C6!Ja>EqKofmT4!)`kDkG&oY(G&GS@~8rD*YiG7v&A2!Gqnq{I`?7Wv(2X@T# zmat8}-K)i7o^DN=ER-=oc_p3tUZH(FL~-&x-)kDKpRhASvnNZ7OF-m&?VzuW(dDm| z7R&^z`aD(=SS1nPOL+MAoBzHA@t_c24TqVfx}khVG#;Ip-3^2&cBE3oUTL6^*KPdQ ztGRHqqLi`2msPJgaoctWWLv6k_7ZbIy|?`XvhRDz0={`!uQ#J;W(Ldrq~S(qnmtGj zrHCEeiF}$VZsR76G1Wth#lDqGBtVKiQ}lp6&0OH&ac4?*+5+SQ);p9@Dw!89@->Iz`=OU4U%9jq_B-iQ6F zVP~EOq8mv?tOjem7a3Zgzq@A({sfTU;eKi$pC&L$4MALjP#u61PDD1v+7A}+nem=` zF4mdN>$iH4xf3S5{d-aL_Ib_rDK*5|a8nSNn zCTA!aq2U}*j7juYs^CXo%{6nV$lj0Lln`K=Bs z(j1y&_mG#rI@N^w4x1=^UCS7K^Nm1JEGwn~HnS*L;|ZF4_HIwl?Lv6Zu7 zT`knHtfZom(INNDkyNP10>ogK6ww42uPnp z)!KT@1u+s(M<1CuJ2@R;c7oYgHuM6PUTf`0k9DQ10HoVrd4Nrt(*UTR)tn*^m+Z9Q zT@JqVh}v@0V#oiM$T3eP(JUh8Z=lH%!5dXKszPFcT~z}PY!qq5!?YcuE&!@86i38b z^;_ly8ejT`d5Wip{gWT2JVoc!LzvsxcgxS`|Ee10QV{RO3^;8F5791l(g`=;^MIN! zbJkJiJ;?rBHs&F_*Q_Z;C4~@LkuvwAtd@a3N(B2O7UG}qtD|AQ&)reli*n+pN5oHY z44FkTIatQ_T;P5YxPIzXPmD_5`x0W+jeVQWebuFNHQULl{x(#|c3W6HV>bBAAbzkL z)(7ijFUQvk2+1l{Nk^2KoSl*mxDhmb$Rg}CPVqF=9zEh&$|dHRtu;Flxq1!RO0<0 zupMR8mN>^p?NHRlwT_ULoHMBAL!|1+UO&==Gd50|H8=_Q~NKqJh5}*p4M#Et+1iBgmF-h7Cfd?eX_L}DsyKWCyM>DdM zy}$opIL?zNz2&2=s91p7&dMWjUo`+T1z5mFQpF(1dt#i`R@#0Tnjw&;o`3JS85fK+4KDxqoCv$!GdM*Hv}OwPf7#SDPAB5Uwk6JUs} zynrpzU>UCF2u5+kec;DF%!@j-8zD(eVyb6dj22ze(vrw#ved%op_o9Y@-3+KB#J#m zQXW>n1xGxGCA@0^1$GFI(Q6VZ{utwRSKa`O*scD;-(h>^bdPaMYtb>Lrc~Fc0aW`j zAx)mcWuR7hHIg#MjAoxqPyA~!kaE-J3wniQ2KqOAo;rd(O!a3VI;SBW7s8>DJ|sveDL4v zYCB5g5+_B)MP*k(r*kM7Y=A5(zvX3a`upYS?tm;zW~z} z!lt3Z_-g&tYHiQZ62k?U!ETh_B>Z3-B4j`RxGTBQ4NdhW$-#!RJBBN(%00RG=OHx`}y<3Y89L5G{9F2 z!duj1eszHXCld`r@*D+iEMrGu7cT;N3lMm#i6$ zh*xFhpS%Jey?59Hv5Idz4H3u~(IBY=fuYmi>WLkwP^B!sn!EM1KK1uX5m2(!F@zfpo zPVaOZi=CkAf@q2%mc#P3U!B_AZs?Ra*eK$&5T!=K`!v5336@08t00b*aoJoO0z)94 zD$GHRoyq+~qwO(0xdk+5{e_wYftLf}`_Nybt2f}%xP^IPXv1LwYNpE1Yq#C+5=f6< 
zIEp`NAH5*8Ep6}2Gm%XbuK5j>B$hYgq{*_sB8uS14#GXo%u#h7fc15zN|%%65?T%1WD;btQJ(qP!w(h$Z6AZO1;z57?=_oWUnS zkZ`}vmSQH3G0HJd%b%m0ghY$Kq$H{-NX!4jiYA6ZlC3;SFA6F zjH8YNsS{p9h$&5F@0iQ~VZ}mai$SkMi5Dl*_5xnX7mt5I)Ktrt3>~Yt)jx2q6xxV$ zmspyH>BOpPsH4R5UNH1BrcOBL>z=0l{Rl4JBxQ2NshgDi*_hiFivp4Iz^XWD`*Gl7 z#Ys~M_gTrAtHIW^a3qGNAbqIZjc^)W3TzMFv=MJf)9Q)q<(4wS${7+QQyU-0(73eU zb@ms+@?TO2{H)@qI$QRZS^G;5PIILC`tKP6`izUjKc6{iy1s8>$I0Wv=^sv5Pjl3iC(#)QM zK_nwQ@)-LJb8GD;Sj@ztu1~=327expf=KLl#=JZZgofYmI-(wP*^U4 zZuXAK#8nYlt+v2D{kk-cp0Lp_{ru?9J$yT<_^K86&$KiB6Ya;SYiP5H(TMjvsGd0R zrJ0%3sZ?<-E+!hU35fw^^L~CFPOe+Q>W5|G>Ldr@*UwTZ+1Q$k>ir%<5U3D(Qlz(RR zid010FN*M_G!W~ram#_nR0RBo7BG+g_HU9~-Tajps6?m3WlimgQK!J3Jm!}42E7noow)nd}crNI)Q_Y z>fPv<#4w^_(9m?!iX>!k(gRKku8M@Syrl?ngDh_}N4`j~U5Y`UkY>U)-yeGuFtuvQ zH}Z*5a#t8KiqJi;^~9|gG>tr0?KQNG6I|FJ$LM-Kl*#DNvz1K>BPs{2HQg!=R2e%a zez1Kqcm4e9V?9Yj{SWMuVKZi0$A;LhIIwvYeLe{qLtPeg1&5$~sPSu3f4X*!yPS{g zeA(f@#(y@4#J_W=A5ou{m4TCHA`37OHpBj_BkugL}JBiAY-chRB?QvCppr z@YH27`3I~k;3s&TX*BH3TpuGsMO-dKq7oSnIb^Ygb6!9fWnNLb#eMqXYKpI&(;z7M z;~^M{K{d$EIx%h2v_K{F{_Qneh$V76$NjU1e5+{0{M=4*T3zsyapPfekBgNU> zU2_ju2D>2-g!9O%r8fP+#5~hqpy!RzG^a&ygJYCRz;MsPZ>&A0UMG=HT8<&=8sKiX z@tjy*2azEs;nrGLT8+YvDwh|LXlbrOVW2#^Z+W19Nd)MakWdcPvBFB+#8NM0*MTI_ zw~qZ2TQ2j=6=C-V*quo!@b&0BT-a?yHs8u5r|c^#%endB;+HEixwsjEFJebEbS$6IIp?9;E!YXg0%JTFGO14sq9n zTUltd$7bsmgq_19ysOb)Qm_lpC((-#w!ZryPvQ9e2RlErc_%Kdq-3EFoB$62Kikq^+c67>#50>#*E2bZkLP$W==Ye*UVh75a{#G=V~;6 zKG>;!((wv*Ju(BRNOJm#%HvTbfV$)^2wqtf66 zAU|{EOFY#d=Iv2t3#szCGK{5hT6(%?Y7iR*tN7gQJObA=Zt2M}-iYVFg5};2g_M7Oj*P7ioc_rbARR5H&lfX$%*Znqdlww)v9y zIfL?>;s+j1^xHjg#+^k{SZ@w97#-$T@fqFsSZMh8_O~e9!#rtZ>SwtnWIlSsR6$cU|MTVAHNv-Hj$S9swjN= z%{Ll|3L*+Wj;&EhQo0GNG#@Wa?PRz2&53TFrwh+ZzVQxb>lnfs?hq{{^|Et{0o808 z?1HGj`!TthKAsWqpUEolAI>*Ze%ID9Hj&hW&vY9#k@P{UT`L(95e+b10*8|EYW70$ zVqadTwI{|dhZyRGmarz=znFhH z_@jGlvlw*Fw;6Gh>M)ZR2lUiH6N$b z$OiRw@Kk)#7&hEO^rKc4!AlC2aq}&!DnitG`c2opeRjBX$wxY6X!oacSEddwy3bjT zF{h{FD|F}+9~-iv^v9AM5GFmuhx(z}rtuT>AX(aT{`Z11?hH@SGsIX)v!Bt2eAmr^ 
zH)?cAD-8AZZwj-Q8bgE=e5%vS!R%AUA7p+Q;E7zW>^mRuZ4tDfDP=h44@2fgV2gbBzWI zcJUj-;l$2cQeJ&iUS+_5aoMFC^5w0+GtWeDm9&A2B1WJPmVgJqHrJ<`o}JX%)+-UL zIt`pl4V^;lInPhD6xLyCrw?__VFe|#OACtHdYtmyev68oi^dJ*lfc36H&|+kD!uTa zc*u~zWR|u+j-D&&t!0|I1x(;n5E71WH{-H=bhC2kNQgc=Q^6;u={v3E7O-*)5YI?( z6$6#tyE}Z++cxCdJ~}9N*L_xy9FLL{b5A=AHPr$c`t?moyJBp1U8taDLIqEHHhMwC5|w0uBlfu2z>NJpQq|tm3#Pzc0bG<}9zR(r zQ$zhSzH#_Yt#zOO5E%pHpy3Tk{P8aIR5YA1f$XXy$4W*CX6^@uAu7mC+w@vfk|a z+o|0}c&&uisbf}n6uUEOgp`LzBcpjn!Bc*sF(xTlf$cYi6mbo-b-f?~>|@V{+OYzfKaDL9E*OJuq$cKe4cF_&_g z)LLQl(&=-unp^qsI%X2|{0=IxTXDGHT?wP7PC}+iSxS~E%1pz4b%3{>lP4zMeS~SQ zCMiYr>e}X9ygCIno`rD{SH!AJ9VS@jVFV}*K$+UOkg!;X2nf(d+o&qpm21mL@rsM@avD_>}?lH=0=VN5%l^r>g!m(cbl9mY=$dDw1coERcjcKL0S3E6p zGBYFY77BPDY*!dG-DyNnK5JWIPIcFa2`&T`71@$EiN3mkTB5C{Wei(1FFH0uVdwGy zcIvJt zTWQX2RjrvATL79m_A0IKbL{wHe6f{ff3k(JhnCsKY`nPU+WQcrU0-nlrs>cwp0LlR zoXoN}HFVgHRM7w~Yq@D1YO#jq-13Qe5a6G0G&?fqKa>3R$@+oPKPW-_QfL2FSG!EMO-vE0y^qz8!~Q+2_!yT072?L@|u$#e#8f5B&zpNpsNNTXW@GMa8#eXqY6w;8&b zH-2^A*0cHo>>Ec4Z!$|IyN^LL`724|W?uh78d0DHbOBADUYQ@izb=58)BV%DRRz-D zEk^ZTk@C~I#vD6=i$VQ=WVG6gd(JA3Cs>?Fz`bWv5{iMbZ)l|a`lh=6aiHq4ju_tE zJCLEO=TkfU!Tu!>SUr@Jl94hE7DP^g>|kgQGzZH%=5?RQ!`8i+(MrhGYIPjuUikSu zJU;5jx2!ViCEzjkwzy^;^nAr44if$YARX)&Pqz2{3oo?+_?AAW5#^qs689L~;TZl0 zs0hPZyZ!*{tMX3E6>`!5T}D5q>Rr8?Wl^sD7O`I{`Y}u&77=}of7C@gNx;uQ(Ig%gH zccBG1+DIfQRHibsB})4j5B+*yH)nf5uvOSbHLEfB68p`p24S-2?U#SZTZ=|*#ss=3 z26uES1u)Tb92I?`#Pt4A4jJ)q#56qD{J3*MR(N`+2g>ASMk`_O9KHQWbso@B+=cLM z0}q{Z>;9IpK~Vj+ELhiA_^cHXFq;(MX{P`E#OxiNPaZA%bZpK-!M}s-iSR4Kw6A)* zZ@d3IceI`G+mZ=H;VNu3mqXmSB5H2sX&m{A2RXo>vAXB(RDrJnj!r_XfeFJqv1;2F zK8^|)HL;Iyimc4=6GNF(?z3xjfr&|~{Oe&1Jh8RNQv}Xgx&cr!%Si?N;mYk5e}&+E z=kgDF<1&7waoGutgUL)1`#~gfs~q6&9OxG&P5Q+=Sxzu!;O{~B7XUefz6an$fN1>> z4_1xiI24}~sE(*94EkHg_&b=y8XS=A$2s6+E|w9zhkeS=;*zAvvdVABX&A65ODc@j%1z8;zO}aBiOYRl*9{c1|h5oO)KVRj7K!Ab3 zf|Twrm{G>HQFyfee_6&*aDTUi$`qJL+f1hxNysT+kd-V^Hd+!!yy?E&z2yQgX-n%4 zXcv9j*{X9Rpf_I1C?H=(nnOAxrG%fOUW7HV=NkGOJVP8F5`g%s!pJ0l^`iCx 
zSBzWuSq;CVq{;QK<1(uY%QnIpNP$*=e+?#l`)Y%@U&>L@Eh-+~Dvdz5 z@M7;iuX{AL#u7qSs%Qncd)YC$hr*37bu$6@E2siY+~)^WR})zZ296`Q0A$w^rVHed z*D!S5bz0?m&W-jEXd0nFn6z{VliTKaA|ga|2Y|(!_Dd9LLd&CVE#e|V-&&Qym-G%$~s@YCxDmkQP=TPyF{1 zk!ip+nv9eJJ}vzan-(3N9;<{KKCz&W?OKP7n=_68OQeTj)hxw;39u5iSAm8_-Pf=2 zg-4MalbG#zC661-MXI9q5Q@4IyYayKL|B7l6>;ZS(!7TbGlN@FdU?no%G&vE)&+JT zPp&xU7z+DMRLL*7=WjuqXuGY>7gTp-5k;D-qP6LBh!PVq~i>)*QP`X*i zBim4OPHbS4CbaEezBnH`+N1+VVt%2>uaDkH}DS4A_+?PDWlQY`{tSj>*7bJhA|k#|{>U zaOm<$N@unlX7M_&a3m$Fm~wZz2q|-*FthnikGgi3ECi;nj%UElnwSG7%vMcruEzer=ta>p|x00Z|5=Qa;+rsJD%i!qfxn z>LX;CE{PE+@6;>u9xl4I&?33xoi=8_D!L2#o$f$JP12=Us;_c%`&%Bu^bd}mI3me- z?Dc`Jh;{dO5%19Oxw1MiXyG@U1)#d;-jvPiJ&?heg+~II4`-v%rwAT9H+wI;dp)18 z=w%A*T!sHE!t8}co__O*zfH3mD_y`GJY>=DGjM- z7?OE+UX2%ZVp{6EIGnzs0AbpL3npNdZ_UXq;?U*3@|@ZB>M%rK_)tr`I^!w(sgn*iI9qz6f1E8;f~N9;0Cw zn44`*);J_*b^2x>J>Mc&*}_np9cJ44;PT2nY~)n3oo}BbJcRfj)0W%tvVC-n41%xk zAat-z?oVuq(Dl*+wto^}%(!3I@D#BR75&#MTRppIbs0jM9~lo9G=WS?`pTA}t!dn3 z7}lbkC`CRr2>>=RzB=v5Y$gSrWYSAZo3z@WhPRGF6wqeX2WvgOe9GzCPXj~qpz2j7 z^PE<@F^++v{YzmT5w}^QA{yPF>UULvjIyZ6vH-UKuhsY}pFUgXi!zO~cDz`Xe7Q zH!@1I5o(h3nYpX7CM)s?SLCf|YPgcm z?Yi~Ol^1<$ogq;_?)@wj%MQW(GjpY$!6c6>zG5b(#+WDkRgafIX=@v~)_NP=UVesF^4-YF~ z!OkR;m?a~@-jJBW&Xp2jGfFcr)W788!Y~rRL($BfQ^PB2$a%OupeEF)d~w+E%eOt_ z61PBZ#(H56uweqdh_giSXT@1qqhR#~)2*6++9Bs%**(?AFnCmegpZZTb`0_$LC3)s zi$)sNEd!slFO<2mULVadL49zp$KyuO3-m zP@YnI-wQ5e2P`P-NP4L*R>GVQ9v)9+@ba^;{_6QNg9!nhg=5rsfDSBn8dke!Dn8vT zYU`ccq}j81*9X=uy)to#5tGdR^FS(QtOC!j0CG#z#UtqvUq)`hbNfnHar_;WTorGV zO2ocz_4fS+cS0$dGR=%#aZq4G-)Di7c zH}{TLvV(Kr4JEq{DhIvt#j|&dO^su7o`2hn_8b0GT!w#CkiUG;`m#2GG&#;xB;Q;Rh;H&_E{dFzK zW}>AF(bDUyepCm_b}%%%jT=;;`}yqnC@l6!@u(2AcOGMi-hFo78idjvFvREc>j#_7 zg|N?ri2m)oXtK&k56P?Fn*0*rP2&PaC6iTJ^WKO|mohXy zI14|Y-Rp1q2o0$9a#pfM|41HYt!G7miB7lOFV#bY^NhS_^Y-zPO>6jDV2|d-@3vp< zV+^wnBRb1`%LKK!oWJk^C#RjF3K29*F(=0H&aHh`wFN#-VRcq^EzDbCBO*8{b$d$~ zN9OLb#+Ymm06-j;Nb<^J;gPPG&n%l11AOK+eC5}D~Sad z3Q8y}aNqTOi~N5-wRS86UJM_iHh$8K&*XT|OPS(3Q!$?e`B{yL}tqW3dGQ_?&og+}1DtG?ars_nI62 
z1fMjlv>g8H`xZ@1Z}PY#|!lj zhH;y2jd9;-rc2LI01?NwZxVVs`kHD?qBbWDef9bU&f5S0h8I(u78C#cXRFpro(&h* zMOYFlF(Z(wO=kS3btRm73!VA1DIeV_+Hf(v=+pYyNT*Q&@^4B#EO;F?(C5appr)_d zaHj*L>P{kykcwKwdmLPm-@ndQITumB%ld0sY<=kXwGAmFo!D>1nsA=>b+&19R9*Df zGb5|uOHIaUjWBX#c^kX3T8t*nt+%z6U(?PuC#j)Uqe$%oaUb+6x3ufuk$vSZ8Y3R? z(#+p8@dT3@NUL4p^zm{RnM7X<+z#9_LBSb84l-g$IVT1yaay}jEf&*j_}feDoDS{C>2uIst%Znt7At1rtB zz9}#OT#u}Da4_IYnGq}FF3VwR($Ui4ex{;QwGfw{dPJTn)f6#|X_SrBtm~A0Mpm)c z=ai`EZk$36yIbx3mCa^_kV;5P80kUkO^6S_)A?62M)sX^QX*N!HB)&0&n!~!uFy>^ zCAwTCb?fI>AW#6;F5ay4 z;L~*2uM_We939}e@2171;Ad$9fU3NjaPrU9?ZmTR$h(0nLGdPTO!=ZQ0%!pFvUykD zvgThX#zrt{HgJLlS3UwwI1MS7C1gA_G!lT}on#mrp#|*IQj*zq<~%|H$V0yl=|Ki6 z@Y?4`41YqliwL2t=DvJ@oc7*jG(E)PF97BGMTt0!sM4=aev!%tl2*-;h9CMfWeg~qXg!? zE`nnZKA(?%b>M*lDElm$lD41aMsoA}S`oYsKSmg@Pn#=Q?M5)!pa7Bx-^=j2)xY08 zbJ%u^1Oji9$4KyLG|~|DeMk{$$OoTuUbhRZiS2o_rVcoEhM30u^w|79DnRqohhfWY z(t@%2&Aj?X_%5gUd?6dYJqm!8L8uHm%2m}uc3#lBq>VUW7gn}93YwBmkIL;c79 z@k-w3XIUtVmLWsNLl@RxiH;o&QKSHExcs8#JA4OkipfK1IN2~Qr}vt#q?*f!EE@7R zyXsu0zDSCx)Polg4>?iJ57!k^=I@zmQ3351Onl=m6*uG>+1rm^BgO9yBW2zp_j3Z) zO5w4EB_b{}gBD!5h9v%x&+&k4212cj9IjrrSB?y)!KZ_!mbuxSPt7IC+n9&8a3 zQBp9Sh14N8KP||M299-B)Afsmx&E#xDIze?-^_d2z>93bEM(G9b7|=IW?~{moU{C0 z1xxUVekrrYUdHirq-5vud@L$g(%;)H&)as-M-jx_fITa#Q|r}(DpDoBiRZcWZ>^$E zS+IRIYjxe{mv(%FSxZ-;IDl@fMLqj`m4H1T466-b-18-0>+^r3ZwRv*7LY==-Th~s zHu+<{$KgSTw|ihlu(ue#6w~$6S{zcslLj)4yePQg&jY^OB%tixJKw**juf-BSy7f^fw%YX+q#!Bm)pC0 zP8SjtGGH7cMNzkEccq5kUjbLCSvg(`GTE^_%A0c&SFX=&=OSN}Y6tJ;k5wF=32tw5 zDUW`~tUXeny)tYF^N>fve;tw)E9KaF;S=V+I)wc0V;5%W`bmn-=i>HS5CE`t_w!fV zClKlUsJS5H$_m#1%>+)*BYk~@i_~YWE611S@IAfGJUi>iEc;X0sx?FTL;r-E2dU>N zr5!89;h=oy&+07}PXz7gXw@kI62BK%q(sWY4lF9r`j&fIiD)@(yE;s@UYL7BTD1QijTkzsfuI2G#=R!l4ZPBE%DY*PH6bmr@~0>B{&@&j_6T z3i)BZXRQ1`ZE9{YdytZ?U1wPD>0hy$GZi<7$BOwC{wdu#{uFzU zP4tY)$Sg)=?p{nY9RnN|O{8X4>?Uwq0RS*_QWoa*76_9OtUdTEbw<)Wmmck5d_mH5 zXcL0$;O$f!X&USzPW<|k8GHChpT|#Yk1XAWU;+)~JcT)@kktQR&+T$(FlP8by)!0oYr0aw- z1R2CVAx}S8L-*dRHI&g9Qdyr`n>Dr9J*bp}Z}2wtbsUD0PE+1t5@vK3}GUpb_F 
zI?-s6wq~05Ql)PdD;}8t=Z^f50Xh;Z_t0>HpdFlllh(44e3hd`)>1kkb|R!%s%P!x z-+A3;(^>`o(zWYlu9&g>dKZnHtd+RiFy?XSdjYRRi6Jm8l0X1x`oT|kD^NI_ixzG4A;cG#0v7Nn=|~n$u5r^6qINq zP?@FGq=WLv7f}k5NZ%+Pibx$lKI+78i&$7PVAza4pn0!Xv=wtA<(9|NEa`Sv-8`r7 z#ddB%qcnuJf6J?oK^|b!%}*cs?!}_CukUWq$bmkPYC;_Sz7RQK0_fMcyhtFu;0{>E z>v#Gvo8b59sQ%H5<0W!*{kpg!vO`jT=xxCN*V%Q2HMK3_c+WwK zctKE#f*>G8DH;$6;Sk_bMT&5#A{=_J(xeMYmtN)24lRZrL4*(xLOB!xfgqtsQ$h_T z6e%Hh#kc$FdfVS#^RJm%GqYwr?EUwc0>n{X(*4x3e$5uB^~OT%u7ko~sltb%fMOb= ze7BG@UB)M&XXO7jEX6NA=7$X(zzet|&NHTF_Bm(vd)jJJ2A>hj*GoAw&{1hMqdSxZY~M1`1?WP4k20*1)48-0U+*|7PF!VL zp2#}q2yiQQ>Ql>7>V;?4$>yW_8q5&Hl>ktPYPyF{IY1Q4mp<3s4wvb>~#*gb6y9+c5E zb@XOP+!F3u25@xb%I>Gz!dulRc4w2v4V>h?^FQToZFNhMFVlQ|ft>Q-!AHh~P9Iml z9BUK44YTy{$fg3cb8~Pl`cM6_upRClt7T{qHD@De#hg1WaK2$d$u%2t^c{t zC5&H{b`6QVYv=Y@`rGQ3Jv8X~M3lI9D?RjC@ zS0@Bow(4?eQ9f6CW~VH{ZfKFstBDQ9gmetekG-u5x9uniU$Dw`!ovt&(N^y8?93<& zVU2w5C}6&rNeo1SV;!)$!PUi1 zGxN1fLYRQtu73Ry)F7m!+09$)2TB-Ia0Hi5XiP>CZ1CR@Wpn0=nc|=@>GDM(>6~~F zvJbnrurX{@+>n9`2-3`iFfQSkZk)jO1QO7{qu*A}TqY3j3p`qRg#Ha;pf`PIew0Lp zP@f0VUZN`ArU;qm-XK7C z@poqr*&G|^6)wzyS`{wT6kNJDu%x+a5->v)1O3*HwAgB;uC0~Msk7}WVMLNP%SwcM zASjKoXyFfE9_O5Fq3MrI;~gZKf+ zci8>o*%pL+*Uyblu?X-SCrU|h&=wQ>=bc~6E^751OIRKbx-n7Jg1ZHx*ZbjE>r{EP zBh~qBtbPfR;Cx)43ll#81&zfalwDaA@Q=VehrWb83lCqZh@>YSHh&l>TW_2sfu+f!1j7*z{Y^k_5 z+s4jyX+-#*Y(DAE-0;%US|Z$&F2QD05vcipqa9685ANomx}Mj)E=K+GxU<>$;wNw_ z)lCrj%P=UW5O4mUINzw#48IP88oS8@8V(4A;e +
+
+ + +
+
+
+
\ No newline at end of file
diff --git a/src/main/resources/static/templates/XXSInImgTagAttribute/LEVEL_1/XSS.js b/src/main/resources/static/templates/XXSInImgTagAttribute/LEVEL_1/XSS.js
new file mode 100644
index 00000000..c41c7117
--- /dev/null
+++ b/src/main/resources/static/templates/XXSInImgTagAttribute/LEVEL_1/XSS.js
@@ -0,0 +1,14 @@
+function addingEventListenerToLoadImageButton() {
+ document.getElementById("loadImage").addEventListener('click',
+ function () {
+ let url = getUrlForVulnerabilityLevel();
+ doGetAjaxCall(appendResponseCallback, url + "?value=images/" + document.getElementById("imageInputSrc").value, false);
+ });
+};
+addingEventListenerToLoadImageButton();
+
+function appendResponseCallback(data) {
+ let div = document.createElement("div");
+ document.getElementById("image").appendChild(div);
+ div.innerHTML = data;
+}
\ No newline at end of file
From 87b1f76c637f1874ac40c2bd5d6189dfd222ab01 Mon Sep 17 00:00:00 2001
From: karan preet singh sasan
Date: Sun, 26 Apr 2020 03:26:44 +0530
Subject: [PATCH 2/2] Adding some comments
---
 .../internal/utility/annotations/ResponseType.java | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/src/main/java/org/sasanlabs/internal/utility/annotations/ResponseType.java b/src/main/java/org/sasanlabs/internal/utility/annotations/ResponseType.java
index c7f5e04f..9ced1401 100644
--- a/src/main/java/org/sasanlabs/internal/utility/annotations/ResponseType.java
+++ b/src/main/java/org/sasanlabs/internal/utility/annotations/ResponseType.java
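Review bot: `appendResponseCallback` assigns the server response to `div.innerHTML`, which is presumably the deliberate sink for this level, but nothing in the file says so and the callback is easy to copy into a template that is not a lesson. I would add above the assignment `// Intentionally unsafe for the LEVEL_1 lesson: the response is parsed as HTML; do not reuse outside the XSS templates.` The click handler also builds the request as `url + "?value=images/" + ...value` with no `encodeURIComponent`, so a `&` or `#` typed into the field changes the query string instead of the `value` parameter; if that is not part of the exercise, pass `encodeURIComponent(document.getElementById("imageInputSrc").value)`. The `};` that closes the first function declaration leaves a stray empty statement and can be a plain `}`.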
@@ -1,5 +1,17 @@
 package org.sasanlabs.internal.utility.annotations;
 
+/**
+ * Usage of this is to distinguish what is the response type from the VulnerableRestEndpoint.
+ * Actually we want backend to provide entire information to frontend so that frontend
+ * is not tightly coupled with backend. This is done with an intent that the backend can
+ * be consumer by any application without the use of frontend like say a CTF hosting
+ * platform need not to use the UserInterface provided by vulnerableApp.
+ *
+ * So this information will be returned with the response of /allEndPoints and /allEndPointsJson
+ * so that consumer can write the code as per the provided information by these endpoints.
+ *
+ * @author KSASAN preetkaran20@gmail.com
+ */
 public enum ResponseType {
 ENTIRE_HTML_PAGE,
 JSON,
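Review bot: The new class Javadoc explains why the enum exists but not what each constant means, which is what a consumer of `/allEndPoints` needs in order to decide how to handle a response body. I would add a one-line comment per constant, for example `/** Response is a complete HTML document. */` on `ENTIRE_HTML_PAGE` and `/** Response is a JSON payload; the default in VulnerabilityLevel. */` on `JSON`, and state in the class comment that HTML responses from these endpoints may carry unescaped request input by design, so an external consumer should render them only in an isolated origin. In the added text, "be consumer by" should read "be consumed by". The enum body continues past the end of this hunk.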