WEBAPPPENTESTINGTOOLSOFTHETRADE

ISSAALLDAYTRAINING

SERGEBORSONOVEMBER2016

ABOUTME

• JurassicPark(1993)• Biometrics• BankingApplicationSecurity• ApplicationDevelopment• PenetrationTesting• SANSCommunityInstructor• Owner:SpyderSec(InformationSecurityConsulting)

ABOUTTHISTRAINING

• Whatyousignedupfor…• WebAppPenTestingToolsofTheTrade• Methodology,vulnerabilities,manualandautomatedexploitation• Talkabouttopic– thenexploretopicinteractively(LecturethenLab)• Hands-on• Focusontools• Learn&HAVEFUN!

HANDS-ONLABS

• Thereare5ofthem:• Browsers• Proxies• Nmap/bash• sqlmap• BeEF• Mygoal/intentisforyoutoleavewithknowledgeofthetopicscoveredandanunderstandingoftheirrelevancyforyouinyourcurrent/futurerole

PROGRESSIONOFTODAY8:00- 4:30

• Breakfast- Intro• Lecture– Lab#1• Lecture– Lab#2• Lecture– Lunch– Lab#3• Lecture– Lab#4• Lecture– Lab#5

CRITICALINFORMATION

• LocationofrestroomsJ• Networkconnectivityandyourlaptop(youhaveKaliright?)• Makesureyoucanaccesstheinternet• Incaseofemergency• Permissiontoengageinattackscenarios• Questions/AnythingImissed?

TELLMEABOUTYOU

• Name• Occupation• Experience

• Whatyouwanttogetoutofthisclass(anddon’tsayCPEsJ )

WEBAPPLICATIONS

• Whatarethey?• Appvswebsite• Howdotheywork?• CommonExamples…

PENETRATIONTESTING

• Whatisit?• Whattypesarethere?• Whatiswebapppentestingspecifically?• RedTeam,BlueTeam,whitebox,blackbox,greybox…• Whatitthegoal?• Scanningvspenetrationtesting

TOOLS

• Whatwouldatoolbeinthiscontext?• Software!• Scripts• Specifictotheweborapplicationsornetworkconnectivity

LETSBEGINWITHBROWSERS

• Abrowseristhe#1toolforaWebApplicationPenetrationTester;seriously• Butwhy?Andwhywouldwecareaboutthebrowser?• Wecarealotactually• Renderpages• Accessingsites(compatibilitymodesorRIA)• Makeourliveseasier(automation)• Visibilitybehindthescenes• Interactingwithapplications(HTML5support)

BROWSERCHOICES• Firefox• Chrome• Opera• Safari• Mobilebrowsers• Links(textbasedbrowser)• Andifyouhavenothingelse…IE• Donottakestatsatfacevalue(w3schools.com)

FIREFOX

• Yes,FireFox• FireFox isKingbecauseofit’sversatility(thisisallsubjective)• Versatilityasin:Add-ons!• Proxysupportisunmatched(lesssubjective)Note– grouppolicyatoffice*• ThisisNOTthemostsecure,orfastestoradvanced

• Usethebesttoolforthegivenjob– ThiswillbearecurringthemeJ

CHROME

• Anothergreatchoice(dependingonthesituation)• Stable,fast,modern(CSS3,HTML5– goodsupportforboth)• Webdevelopmenttoolsarequitegood• Moresecurethansome(sandboxing)• Notthemost“advanced”

ANDTHEREST…

• WejokeaboutIEbutEdgeisactuallynotbad• Howwillpagesrender?• Whatadd-onsaresupported?WhatOSdowehave?• SecurityandfeaturescomeintoplaywithXSSattacks

TRIVIA

• Q:Whichbrowsernowoffersfreebuilt-inVPNsupport?• Meaningyouopenyourbrowser,clickabuttonandconnecttoaVPN

• A:Operaasofabout2monthsabout…anditworkswell!

KEEPINGINMIND

• Theapplication/engagementmightdictatethebrowserweuse• Doweneedcustomproxysupport?That’sFireFox• ActiveX?That’sgoingtobeIEforsure• AdvancedHTML5andjs supportrequired?Chromeisagoodchoice• Arewerestrictedtoaterminalforsomeoddreason?Linkstotherescue• Goesbacktothebesttoolforthejob• Whichbrowserareyoumostcomfortablewith?• It’sprobablygoingtobeIceWeasel todayJ

THEGOALOFGETTINGTOKNOWYOURBROWSER

• Learnitssecrets• Strengths,weaknesses• Allaboutwieldingatoollikeaprofessional• Youwouldn’tusegoogletosearchthecontentsofasitewithout“site:”right?

• Whatdoesthatmean?• Ifyouaregoingtodosomething,doitwell

LAB#1BROWSERS

• #1SpinupKali• #2OpenBrowser(IceWeasel)• #3Browsetodenvertrainingday.com:11432/BrowserLab1.php• #4Followinstructionsonpage• Alreadycompleted/seekingsomethingmoreadvanced?Goto/BLA.php

BROWSERRECAP

• CircumventingHSTS*• Viewingheaders• Modifyandexportcookies• Easyproxychanges• Tamperwithrequests• AssessApplications– easytofindvulnerabilitiesQuestionsonthisLab?

INTERCEPTIONPROXIES

• Twothatwewilltalkabout:• OWASP’sZAP• Burp(Freeversion)• Severalothersavailable

WHATISANINTERCEPTIONPROXY• Anothertool– thisoneallowsustoviewandmodifyrawHTTPrequests• Softwarethatsitslogicallybetweenthebrowserandwebapplication• Browsersendsallrequeststotheproxy• Proxyforwardstheserequeststotheintendedwebapplication• Webapplicationresponds,responsegoesbackthroughproxy• Proxysendsresponsebacktobrowserandthepageloadsinbrowser• Lookslikethis…

PROXYVIEW

PROXYVIEW

INTERCEPTIONPROXYSPECIFICS• Potenttoolforourarsenal• Youcangetbywithabrowserandaproxyformajorityofthetesting(dependingonscope)

• Theproxyiswhereautomationcomesintoplay• Andattacks:• Malicioustraffic• Fuzzing• Identifyingvulnerabilities

VULNERABILITIESWECANEXPECTTOFIND

• Usingaproxyasapassiveoractivescanner• Essentiallywatchesyourrequestsaswellasserverresponses• Determinesifthereareissuessuchas:• XSS• SQLi• XSRF(CSRF)• Harvesting• Insecureconfigurations&more

SPEAKINGOFVULNERABILITIES

• Weakness• Attacksurface• SecurityBug• WithanOSorsoftwarewetypicallyhaveapatchforremediation• Awebappvulnerabilityfixmightentailacodechangeanddeployment• Afteritmakesittothebacklogandafterthoroughtestingandapprovals• Manyvulnerabilitieswillnotbefixed*really*

VULNERABILITIESREMAIN

• Andtheylingerforyearssometimes• Usuallyduetolowriskorlowprobabilityofexploitation• InMANYcasesbecausesecuritypeopledon’texplaintheriskwellenough• Othertimesit’s3rd partycodeandwedon’thavedirectcontrol/influence• Alotoftheriskcomesdownontheclientoruseroftheapplication• Riskisthecriticalelementthough,evenSQLi mightnotgetfixed*

HOWDOWEFINDTHESEVULNERABILITIES?

• Wellwehaveamethodology:• Recon• Mapping• Scanning• Exploitation• Toolslikeaproxyhelpinsomephasesmorethanothers

RECON• OSINT• Googlesearches• Sourcecode(HTML)orrepository• Whois• DNS• Etc• Proxieshelpwithautomatingsomeofthisbutnotmuch

MAPPING

• Thisisthedomainoftheproxysotospeak• Mappingiswhereaproxyexcels• Basicallythisisspidering theside• Morespecificallywearelookingforallpages,allfeatures/functions,businesslogic,andtherelationshipsbetweenapplicationcomponents

• Aproxywillautomatethisandmakeusawareofeverythingitcanfind

SCANNINGANDFUZZING

• NotsprayingtheheapandlookingforRCE• Mentionedpassivevsactivescanning• Oncewehaveasolidmapoftheapplicationwecanstartactivelyscanning• Thisiswhereweleverageawebappvulnerabilityscanner• ZAPhasonebuilt-inaspartofthetool• WithBurpwehavetopayforproversiontogetscanningfeatures$350

LASTSTEP(S):EXPLOITATIONANDSTARTOVER

• Exploitationismoreoramanualprocessinasense• Oncewefindanissueweexploitit• Findnewattacksurfaceandstartthecycleoveragain• Supposewesuccessfulgainadminrightstoanapplication• Nowwemapnewfeaturesoftheappwedidn’tknowaboutbefore• It’saniterative/cyclicalmethodology…

BACKTOTHEPROXY

ZAPVIEW

LEVERAGINGAPROXY

• Starttheproxy• Configureit(defaultsworkfineforawhile)• Configureyourbrowsertouseit• Learnaboutthefeatures• Seehowitcanbeusedtomakeyourlifeeasier• Seehowitcanbeusedtomakeyourtestingmoreefficient• Let’sdoademothenalab

PROXYDEMO:SCANNINGANDFUZZING

• Goalistoshowhowtouseabrowser&proxytoscanandfuzzatarget

LAB#2PROXY• #1LogintoKali• #2OpenBrowser(IceWeasel)• #3Browsetodenvertrainingday.com:11432/ProxyLab1.php• #4Followinstructionsonpage• Alreadycompleted/seekingsomethingmoreadvanced?Goto/PLA.php• Takeabreak

PROXYRECAP

• Whatdidwelearn?• That“intercept”buttonisannoying• Youwillbepromptedtosubmitpopulatedforms• Thisisnotavulnerabilityscanner,takeslotsofmanual“driving”• Greatatautomatingsometasks• Yougetwhatyoupayfor(throttling)

LET’STALKNMAP ANDBASH

• Webapplicationpenetrationtestingisnot100%webappfocused…ever• Wehavetolookforplatformvulnerabilities• BepreparedtoidentifyandexploitSSLissues(heartbleed)• AswellasinjectionvulnerabilitieswhichcanleadtoOSaccess• Onceashellisgainedandevenduringpursuitweshiftawayfromtheapp• Thereforewewieldmultifunctionaltools,likeaSwissarmyknifeperhaps

NMAP

• Thefirstoneofthesetoolsisnmap• Thehighestqualitynetworkmappingtool• Usuallyusedtofindopenports• Identifyrunningservices• OSchecks• Traceroute• Troubleshootnetworkingissues• AndhelpTrinity

NOTJUSTAPORTSCANNERHOWEVER

• Justusingnmap forportscanning…comeoutofthestoneage• NSE– thenmap scriptingengine• Extensibility• Lua basedprogramminglanguageallowsustocreateourownscripts• ls/usr/share/nmap/scripts|wc -l• Severalhundredsuchscriptsarecurrentlyavailablebydefault

NSE

• Methodologyonceagain:Recon,mapping,scanning,exploitation• Reconscripts• Mapping/spidering script(s)• Scanningoptions• Exploitationaswell

SOMENMAP EXAMPLES

SOMENSE EXAMPLES

NSE HTTPSCRIPTS

• Quiterelevanttopenetrationtestingawebapp…• HTTPheader,HTTPgrep,HTTPbruteforce,referrercheck• Spider,robots.txt,slowloris check,sql injection• XSS,title,methods,formfuzzer,shellshock,trace• Vhosts,anddozen+knownvulnerabilitychecks• 100+NSEHTTPscriptsatourdisposal

ANOTHERMULTIFUNCTIONTOOL:BASH

• Extremelycapableshell• Allowsustoautomateattacks• Createinput/fuzzinglists• Leverageothercommandlinetools• Interactwithbuilt-incommandstoparsefiles• Chainattacksandtools• AttackAPIswithease

USINGNSESCRIPTS

• Invokethescriptofyourchoicewith“script=“oncommandline• Canaddmultiplescriptstogether• nmap –p80--script=script.nse,script2.nse,http-vhosts.nse• Somescriptsrequirearguments• OnethingIdon’tlike…lackofresults/indicatorforfailedscript• Mayneedtodebug(-d)totroubleshootsomeissues

WHYBASHANDNMAP

• It’snotalwaysjustoneapplicationforourtestingscope• Theapplicationsarenotonlyrunningon80and443• Redundanttasksrequireautomationforefficiency• i.e.IfIneedtopulldownrobots.txtoneverytarget;timetoscriptthat• IfIneedtomanglewordlists– forxin`catfile`;doecho$x|sed…• IfIneedtocreatexdigitnumbersforfuzzing• IfIneedtosleepwhilegettingworkdoneandbeingproductive:True!

BASHANDNMAP• Thegoalhereistoaddtoolstothearsenal• Learntousethemeffectively• Anyonecanrunatool• WhatIwanttoimpartonyouislearnwhatthetoolsdoes• Howthetooloperates• Howitworksunderthehood• Replicateitsfunctionalityusingmanualmethods

MANUALEFFORTS

• Wehavearangeofhoststotest• Wewanttoknowwhattypeofserver(s)wearetargeting• Weneedtoknowtheplatformtocrafttailoredattacks• i.e.whatistheOS,languageanddatabase?• Ifit’saMSSQLdatabase,SQLi attackswithOraclesyntaxisawasteoftime• Wecanbrowseanduseanadd-onordevelopertoolstoseeheaders• Wecanusewget,orncat ornmap or…

USINGABROWSER

BASHBASICS

• Grep• Awk• Sed• Cut• |• forloop• ls,cat,wget (curl)

COMMANDBASICS

• Lookatafile(outputit’scontentstothescreen):cat• catfile.txt• Searchforastring:grep• grepstringIwantToSearchFor file.txt• Downloadafile/pagefromawebsite• wget www.example.com

PUTTINGITTOGETHER

• SavepageandHTTPheaders• wget –save-headersexample.com• Parsesavedfileandpulloutserverheader• grep‘Server:’index.html• Grabjusttheservernameandsaveittoafile• grep‘Server:’index.html|cut–d‘‘–f2,3>>SavedHeaders.txt

AUTOMATEIT

• catTargets…example.comDenver.issa.orgnmap.org• forxin`catTargets`;dowget –save-headers$x;done• grep‘Server:’index.html*|cut–d‘‘–f2,3>>SavedHeaders.txt• CatSavedHeaders.txt…ECS(den/1D77)ApacheApache/2.4.6(CentOS)

LAB#3NMAP ANDBASH• #1LogintoKali• #2OpenBrowser(IceWeasel)• #3Browsetodenvertrainingday.com:11432/NBLab1.php• #4Followinstructionsonpage• Seekingsomethingmoreadvanced?Goto/NHL.php• Eatlunch

BASHANDNMAP RECAP

• Whatdidwelearn?• Viewingoutputisprudent• Needtoknowwhattoparse

• nmap makesiteasierJ• Butnowweknowhowtodoitourselves• nmap anditsscriptsareopensource…wanttoknowwhattheydo?Look!• Anyquestionswiththislab?

SQLINJECTION

• Sameasbefore...Exceptthisonehasacomic(thanksRandall/xkcd.com)• Let’stalkaboutit• Manuallydoit• Thenautomateitwithanotherawesometoolofthetrade!

SQL INJECTION

• Definitelyinthewebapppenetrationtesterswheelhouse• Oneofthemorewellknownvulnerabilities• Highriskinsomecases• Riskisnotadefaultrating;contextmustbetakenintoaccount

SQLINJECTIONBASICS

• Injectionattack(OWASPtop10#1for2013)• SQLcommandsareinjectedintoaSQLstatement• Lackofsanitizationistheculprit• Poorplanning• ‘or1=1--

SQL INJECTIONDETAILS

• Canbeveryeasytofind• Reviewfuzzingoutput,lookforkeywords• MySQLError1064:YouhaveanerrorinyourSQLsyntax…• ORA-00066LOG_FILESisstringbutneedstobestringtobecompatible• MicrosoftOLEDBProviderforSQLServererror‘80040e14’• Knowyourplatform!

SQL INJECTIONDETAILS

• Canbeeasytoexploit• Manually• Automated• Askwhatisgoalis?• IhaveseenSQLi vulnerabilitiesmadetoppriorityforremediation• ConverselyIhavebeenaskedtonotexploitthem

SQL INJECTION

• Canbequitechallengingtofindaswell…• EnterBlindSQLinjection• Developerscansuppresserrors- >whoa->• Varyingdegreesofblindness• Wehavetogetsmarterwithourqueries• Alsosmarterwithourinferencing

SQL INJECTION- BLIND

• AskaseriesofTrue/Falsequestions• TimingAttacks• Bewareoffalsepositives(burpandautomatedscanningtools– cough)• Manuallyvalidateallfindings• Capitalizeonrelationshipwithdevteamorwhiteboxengagement

SQL INJECTION– INADDITION

• Canbehardtoexploit• Justbecausethereisanerrormessage,doesn’tmeantheflawisexploitable

• Justbecausewecansuccessfullyinject,doesn’tmeanthereisvalueindoingso• Contextonceagain!• Talkingaboutvaryingdegreesofblindness

SQL INJECTION– EXAMPLES

SQL INJECTION– HOWITWORKS/COMPONENTS

• Application– LAMPstack,IISand.NET,Java,Oracle,evennosql• Sloppycode• Sanitizeduserinput– notsomuch• Enduserinterface(thewebapp)• Processingcode(PHP,.NET,Java…)• DBconnection• Codereliesonuserinputandplacesitdirectlyintoquery– notuncommon

SQL INJECTIONRISK• Dependsonthedetails• What’sinthedatabase?• Whatisthevulnerablequery?• Mitigations(permissions,IPS,WAF,SEGMENTATION)• Ultimately,informationdisclosure…• Modify,Delete,etc (insertSQLverbhere),andshell!• CIAtriad:Confidentiality(select),Integrity(modify)andAvailability(drop)

WHYSOPREVALENT?

• Becauseit’sHARD!• Developingarobustwebapplicationischallenging• Manycomponents,features,movingparts• Havetokeepusershappy• Profitmattersasdoestimetomarket:Finiteamountofdevcycles• Lackoftraining• Overreliantonframework

MANUALLYIDENTIFYING

• Manual…whatdoesthatmean?• Typingincommandstoaformfieldandclickingsubmit–rathermanual• Easywaytofindlowhangingfruit• Notaproficientmethodhowever• Thiswillworkforsomeattacksonsomeapplications• Soyoufindaflaw,nowwhat?

MANUALEFFORTS

• Youneedtounderstandtheriskassociatedwiththatflaw• Goodtimetoreachouttoorganizationandletthemknow• Priortoexploitingit!• ThegoalisusuallynotDOSorcausingharmtothebusiness• Meaningyoudon’tnecessarilywanttodropatable

AUTOMATEDTOOLS

• Plentytochoosefrom:• BBQSQL• BSQL• Pangolin(GUI)• Havij• sqlmap• Somearedated,notmaintainedandjustnotgreat

SQLMAP – THE SQL INJECTIONTOOL!

• ByfarthemostcapablefreelyavailabletoolforSQLi• Python,opensource,extensible• IntegrateswithBurpandothertools• CLI,wizard,batchmode,configurationoptionsgalore• Veryflexible• Moststableandmostlyreliableintermsofquality

SLQMAP OVERVIEW

• Commandlineinterface• Writteninpython• Requirespython2.6or2.7• GNUGeneralPublicLicense• Greatresourcesandinformationatgithub.com/sqlmapproject

SQLMAP – USECASES

• ManuallyfindSQLi vulnerabilityandleveragesqlmap• Useasscanningtooltofindvulnerabilities• Importresultsfromtoolintosqlmap• Usejusttoexploitaknowvulnerability• Usespecialfeaturesforaspecificscenario

• Filterbypass(WAF/IPS/mod_security,etc)• TOR

SQLMAP – HOWITWORKS

• Basicallysendstraffictowebserver• Scrutinizesresults/responses• Makesdeterminationsbasedonresults• Vulnerable– notvulnerable– WAF/IPS– orunstabletarget• Asksuserwhattodoinagivensituation

SQLMAP – EXPLOITATION

• Potentially…• Banner• Hostname• OSVersion• Users• Passwords• Datadump• Shellaccess

SQLMAP – EXPLOITOVERVIEW

• Usingfunctionalityofthedatabase,sqlmap writesbackdoortowebserver• Makesfilesexecutable(0755)• Identifiesthelocationofthefile• PassesOScommandsasparametervalue• Returnsresults• Lookslikethis…

SQLMAP – EXPLOITVIEW

SQLMAP –DECODED

• Samething,decoded• Canyoutellwhat’shappening?

SQLMAP – LET’SCHECKITOUT

LAB#4SQLI

• #1LogintoKali• #2OpenBrowser(IceWeasel)• #3Browsetodenvertrainingday.com:11432/SQLiLab1.php• #4Followinstructionsonpage• Seekingsomethingmoreadvanced?Goto/ASIL.php• Feelfreetotakeabreak

SQLINJECTIONRECAP

• Whatdidwelearn?• Proxysupportisawesome• Onceagainanopensourcetool– viewsourceifinterested• Anyquestionswiththislab?

LETSMOVEONTOTODAYSLASTTOPIC

• Client-sideattacks• Client-side– asinbrowseroruseroftheapplication• Clientsareoftenoverlookedasattackvector• Manyclientimpactingvulnerabilitiesgouncheckedonapplications• Perfectexample…

HTTPS://SECURITYHEADERS.IO

LACKOFHEADERS

• HSTS(StrictTransportSecurity)• HPKP(PublicKeyPinning)• CSP(ContentSecurityPolicy)• X-XSS-Protection(ReflectedXSSprotectioninbrowser)• X-Frame-Options(Preventframingattacks)

CLIENT-SIDE

• Attackingusersofanapplication• Commontheme• Commonattackscenario• Thinkaboutit…• Compromiseasite?• Compromise1M+usersofthesite?• Ordoboth– whicheveriseasier(asanattacker)

CLIENT-SIDE– WHY?

• Takeastepbackandask:Whyattackusers?• Webapppentesting;notallaboutpoppingshells• Whatarethegoalsoftheattackers?

• Maliciousads(malvertisng)• Botnet

• Monetary

• Howcanapplicationvulnerabilitiesbeleveraged?

MORECLIENT-SIDEATTACKS

• XSS(Crosssitescripting)• XSRF(CSRF)(Crosssiterequestforgery)• XFS(Crossframescripting)• Harvestingattacks• Theseallleverageservervulnerabilitiestocauseharmtoclients/users

FROMPENTESTERSPERSPECTIVE

• User’sareloggedin• User’shaveaccess• User’smaybeadmins• User’sareontheLANthatcouldbeinscope• User’sareaweakspothistorically

USERRISK

• IstheOSuptodatewithpatches?(probablynot)• Isthebrowseronthelatestversion?(isyours?)• Arethereanycorporaterestrictionsinplacetopreventbrowsing?(NO)• Doesyourlaptophaveamicrophoneandcamerabuilt-in?(likely)• Sowhatcouldpossiblygowrong?• Letsfindout…

BEEF – BROWSEREXPLOITATIONFRAMEWORK

• Pentestingtoolwithafocusonthebrowser• Client-sideonceagain• Allowsusto“hook”victims• Exploitbrowserbasedvulnerabilities• Beefproject.com

BEEF – OVERVIEW

• Greatforpenetrationtestingengagements(dependingonscope)• Leveragesocialengineering• Targetusers• Advancedfeatures• MaptheLAN• Integratewithmetasploit

BEEF – VISUAL

BEEF – HOWITWORKS

• Client– Servermodel• VictimconnectstoBeEF instance• Victimbrowserexecutesjs andbecomes“hooked”• BeEF cannowcontrolthe“zombie”browser• Hookdisappearsoncevictimclosestab*

BEEF – EXPLOITATION

• Variousmodulesatourdisposal• Portscanning• Networkingscanning• Stealvictimshistoryandclipboardcontents• Targetvulnerabilitiesinbrowserandplugins• Ownbox

BEEF – DEMO

• IamgoingtoneedavolunteerJ

LAB#5BEEF• #1LogintoKali• #2OpenBrowser(IceWeasel)• #3Browsetodenvertrainingday.com:11432/BeEFLab1• #4Followinstructionsonpage• Seekingsomethingmoreadvanced?Goto/wheresthebeef

BEEFRECAP

• Whatdidwelearn?• ThereisareasonwhypeoplelikeSergehaveducttapeovertheircameras• Javascript isPOWERFUL• Lotsofmodulesdon’twork…• Canyouthinkofrealworldscenarioswhereyouwouldusethistool?*kids

WRAP-UP

• Learnedaboutsomecoolbrowserfeatures• Automatedattackswithburpandzap• Wrotesomebashscriptsutilizingnmap andNSEscripts• GotshellaccessviaablindSQLinjectionvulnerabilitywithsqlmap• HadsomefunwithBeEF• Anyquestionsaboutanythingwecoveredtoday?

THANKYOU!

@sergeborso

https://www.linkedin.com/in/sergeborsoAndthankstoISSA