Web Application Security Workshop TYPO3 Developer Days 2014
-
Upload
helmut-hummel -
Category
Internet
-
view
490 -
download
0
Transcript of Web Application Security Workshop TYPO3 Developer Days 2014
![Page 1: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/1.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop
T3DD14 Security Workshop
Helmut Hummel <[email protected]>
20.06.2014
Security Pitfalls vs. Best Practices
1
![Page 2: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/2.jpg)
Inspiring people toshare
TYPO3 Developer Days - Hamburg 2013
Security Workshop
T3DD14 Security Workshop
Agenda• Prequel: trusted hosts pattern explained
• What does Security mean?
• Knowing the enemy
• Pitfalls
• Best Practice
• TYPO3 Security Team
2
![Page 3: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/3.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop
Trusted Hosts Pattern?
3
![Page 4: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/4.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop 4
<?php!!$hostName = $_SERVER['HTTP_HOST'];!echo $hostName;
![Page 5: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/5.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop 5
curl 'http://t3dd14.dev/host.php' ! -H 'Host: google.de'
![Page 6: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/6.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop 6
curl 'http://localhost/t3dd14/host.php' ! -H 'Host: google.de'
![Page 7: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/7.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop 7
telnet t3dd14.dev 80!!
GET http://t3dd14.dev/host.php HTTP/1.1!User-Agent: curl/7.33.0!Accept: */*!Host: google.de
![Page 8: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/8.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop
What does Security mean?
8
![Page 9: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/9.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop
Absence of potential Damage
9
![Page 10: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/10.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop
Protecting Information
10
![Page 11: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/11.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop
Unauthorized access
11
![Page 12: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/12.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop
Unauthorized modification
12
![Page 13: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/13.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop
Loss
13
![Page 14: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/14.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop
CIA Triad
14
![Page 15: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/15.jpg)
Availability
CIA Triad
Integrity
Confidentiality
Information
15
![Page 16: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/16.jpg)
Inspiring people toshare
TYPO3 Developer Days - Hamburg 2013
Security Workshop
What is Security?
Security is relative• Security depends on your needs/ kind of Information
• Security depends on a certain point in time
• Security needs to be constantly adapted and improved
16
![Page 17: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/17.jpg)
Inspiring people toshare
TYPO3 Developer Days - Hamburg 2013
Security Workshop
What is Security?
Characteristics of Security• There is no absolute Security
• An evironment is only as secure as it‘s weakest point
• Security is an investment
• The efforts for Security must be proportianal to the potential damage
• A system can be called secure, if the effort of compromising it are way higher than the possible gains
17
![Page 18: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/18.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop
Security is a process, not a product.(Bruce Schneier)
18
![Page 19: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/19.jpg)
Inspiring people toshare
TYPO3 Developer Days - Hamburg 2013
Security Workshop
General Security Priciples• Least privilege
• Minimize Exposure
• Do not rely on „security by obscurity“
• Defense in depth
19
![Page 20: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/20.jpg)
Defense in Depth
OS
PHP-application
DBMS
Webserver
Server Firewall Proxy
mod_security
suhosinPHP
Harding
security layer(s)
SQL Proxy
20
![Page 21: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/21.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop
Knowing the enemy
21
![Page 22: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/22.jpg)
Inspiring people toshare
TYPO3 Developer Days - Hamburg 2013
Security Workshop
Knowing the enemy
Different Motivations
22
• Money
• Influence
• Fame
• Fun
![Page 23: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/23.jpg)
Inspiring people toshare
TYPO3 Developer Days - Hamburg 2013
Security Workshop
Knowing the enemy
Different Proceedings
23
• Automated attacks
• Targeted attacks
![Page 24: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/24.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop
Pitfalls
24
![Page 25: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/25.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop 25
![Page 26: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/26.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop
Security Problems
26
![Page 27: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/27.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop
XSS
27
![Page 28: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/28.jpg)
Inspiring people toshare
TYPO3 Developer Days - Hamburg 2013
Security Workshop
HTML Contexts• HTML-Element
• HTML-Attribute Value
• JS-Values
• URL Parameter
28
![Page 29: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/29.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop
CSRF
29
![Page 30: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/30.jpg)
<img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">
CSRF
30
![Page 31: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/31.jpg)
Inspiring people toshare
TYPO3 Developer Days - Hamburg 2013
Security Workshop
Avoid CSRF• Secret random token in the request
• Save token in session
• One-Time Token may have usability impacts
31
![Page 32: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/32.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop
SQLi
32
![Page 33: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/33.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop
File Handling
33
![Page 34: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/34.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop
Header Injection
34
![Page 35: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/35.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop
Code Injection
35
![Page 36: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/36.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop
Insecure Unserialize
36
![Page 37: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/37.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop
Extbase Security
37
![Page 38: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/38.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop
XSS
38
![Page 39: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/39.jpg)
Inspiring people toshare
TYPO3 Developer Days - Hamburg 2013
Security Workshop
Extbase
XSS• Flash Messages
• Context
• Custom View Helpers
39
![Page 40: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/40.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop
SQLi
40
![Page 41: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/41.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop
Mass Assignment
41
![Page 42: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/42.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop
Access Violation
42
![Page 43: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/43.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop
TypoScript
43
![Page 44: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/44.jpg)
page.10 = CONTENT page.10.table = tt_content page.10.where = colPos=0 page.10.andWhere.data = GP:page_id page.10.andWhere.wrap = pid=|
44
![Page 45: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/45.jpg)
page.10 = CONTENT page.10.table = tt_content page.10.where = colPos=0 page.10.andWhere.data = GP:page_id page.10.andWhere.intval = 1 page.10.andWhere.wrap = pid=|
45
![Page 46: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/46.jpg)
page.10 = TEXT page.10.field = title page.10.wrap = <h1 class="c-{field:layout}">|</h1> page.10.insertData = 1 DB : be_users:1:password
46
![Page 47: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/47.jpg)
page.10 = TEXT page.10.field = title page.10.wrap = <h1 class="c-{field:layout}">|</h1> page.10.insertData = 1
47
![Page 48: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/48.jpg)
page.10 = TEXT page.10.field = title page.10.dataWrap = <h1 class="c-{field:layout}">|</h1>
48
![Page 49: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/49.jpg)
page.10 = TEXT page.10.field = title page.10.dataWrap = <h1 class="c-{field:layout}">|</h1> page.10.htmlSpecialChars = 1
49
![Page 50: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/50.jpg)
page.10 = TEXT page.10.field = title page.10.dataWrap = <h1 class="c-{field:layout}">|</h1> page.10.htmlSpecialChars = 1
50
![Page 51: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/51.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop
Best Practice
51
![Page 52: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/52.jpg)
Inspiring people toshare
TYPO3 Developer Days - Hamburg 2013
Security Workshop
Best Practice• Every request is an attack as long the opposite is proven
• User input is untrustable
• User input needs to be validated and encoded and escaped right before output
• Encoding and escaping depends on the context
• Separation of Concerns
52
![Page 53: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/53.jpg)
Inspiring people toshare
TYPO3 Developer Days - Hamburg 2013
Security Workshop
What is User Input?• $_REQUEST ($_GET, $_POST, $_COOKIE)
• $_FILES
• $_SERVER
• Filenames
• External Services
• Editors are users
53
![Page 54: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/54.jpg)
Inspiring people toshare
TYPO3 Developer Days - Hamburg 2013
Security Workshop
How to treat User Input• Validation
• Filtering
• Escaping
• Encoding
54
![Page 55: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/55.jpg)
How to treat User Input
Escaping/ Encoding
User Input
Output
Validate/ Filter
evil™
stop execution?
context!
55
![Page 56: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/56.jpg)
Inspiring people toshare
TYPO3 Developer Days - Hamburg 2013
Security Workshop
How to treat User Input• Filter Input
!
!
!
• Escape Output
56
![Page 57: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/57.jpg)
Inspiring people toshare
TYPO3 Developer Days - Hamburg 2013
Security Workshop
How to treat User Input• Filter Input
• Check Type
• Check Format
• Check length
• Escape Output
• Context!
• DB, HTML, JS
• Directly before output
57
![Page 58: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/58.jpg)
Separation of Concerns• Security issues are bugs
• Clean code leads to less bugs
• Test Driven Development
• Leave Security to Security Code
58
![Page 59: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/59.jpg)
Inspiring people toshare
TYPO3 Developer Days - Eindhoven 2014
Security Workshop
TYPO3 Security Team
59
![Page 60: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/60.jpg)
Inspiring people toshare
TYPO3 Developer Days - Hamburg 2013
Security Workshop
TYPO3 Security Team
TYPO3 Security Team• Responsible Disclosure Policy
• One communication channel ([email protected])
• Pre-Announcements for critical issues only
• You can support us with sober and precise communication and reading the Security Bulletins carefully
60
![Page 61: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/61.jpg)
Inspiring people toshare
TYPO3 Developer Days - Hamburg 2013
Security Workshop
TYPO3 Security Team
CVSS2 Score• It is a calculation to help you to identify the severity of a
Security Issue
• The result are 4 different Scores
• Base Score
• Temporal Score
• Environmental Score
• Overall Score
61
![Page 62: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/62.jpg)
62
![Page 63: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/63.jpg)
63
![Page 64: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/64.jpg)
64
![Page 65: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/65.jpg)
65
![Page 66: Web Application Security Workshop TYPO3 Developer Days 2014](https://reader038.fdocuments.us/reader038/viewer/2022110308/5575a1b6d8b42aff598b4ccf/html5/thumbnails/66.jpg)
Questions?
66