WEB APP PEN TESTING TOOLS OF THE TRADE
ISSA ALL DAY TRAINING
SERGE BORSO, NOVEMBER 2016

ABOUT ME
• Jurassic Park (1993)
• Biometrics
• Banking Application Security
• Application Development
• Penetration Testing
• SANS Community Instructor
• Owner: SpyderSec (Information Security Consulting)

ABOUT THIS TRAINING
• What you signed up for…
• Web App Pen Testing Tools of The Trade
• Methodology, vulnerabilities, manual and automated exploitation
• Talk about a topic, then explore the topic interactively (Lecture then Lab)
• Hands-on
• Focus on tools
• Learn & HAVE FUN!

HANDS-ON LABS
• There are 5 of them:
• Browsers
• Proxies
• Nmap/bash
• sqlmap
• BeEF
• My goal/intent is for you to leave with knowledge of the topics covered and an understanding of their relevancy for you in your current/future role

PROGRESSION OF TODAY 8:00 - 4:30
• Breakfast - Intro
• Lecture – Lab #1
• Lecture – Lab #2
• Lecture – Lunch – Lab #3
• Lecture – Lab #4
• Lecture – Lab #5

CRITICAL INFORMATION
• Location of restrooms :)
• Network connectivity and your laptop (you have Kali, right?)
• Make sure you can access the internet
• In case of emergency
• Permission to engage in attack scenarios
• Questions/Anything I missed?

TELL ME ABOUT YOU
• Name
• Occupation
• Experience
• What you want to get out of this class (and don't say CPEs :) )

WEB APPLICATIONS
• What are they?
• App vs website
• How do they work?
• Common Examples…

PENETRATION TESTING
• What is it?
• What types are there?
• What is web app pen testing specifically?
• Red Team, Blue Team, white box, black box, grey box…
• What is the goal?
• Scanning vs penetration testing

TOOLS
• What would a tool be in this context?
• Software!
• Scripts
• Specific to the web or applications or network connectivity

LET'S BEGIN WITH BROWSERS
• A browser is the #1 tool for a Web Application Penetration Tester; seriously
• But why? And why would we care about the browser?
• We care a lot actually
• Render pages
• Accessing sites (compatibility modes or RIA)
• Make our lives easier (automation)
• Visibility behind the scenes
• Interacting with applications (HTML5 support)

BROWSER CHOICES
• Firefox
• Chrome
• Opera
• Safari
• Mobile browsers
• Links (text based browser)
• And if you have nothing else… IE
• Do not take stats at face value (w3schools.com)

FIREFOX
• Yes, Firefox
• Firefox is King because of its versatility (this is all subjective)
• Versatility as in: Add-ons!
• Proxy support is unmatched (less subjective). Note – group policy at the office*
• This is NOT the most secure, or fastest, or most advanced
• Use the best tool for the given job – This will be a recurring theme :)

CHROME
• Another great choice (depending on the situation)
• Stable, fast, modern (CSS3, HTML5 – good support for both)
• Web development tools are quite good
• More secure than some (sandboxing)
• Not the most "advanced"

AND THE REST…
• We joke about IE but Edge is actually not bad
• How will pages render?
• What add-ons are supported? What OS do we have?
• Security and features come into play with XSS attacks

TRIVIA
• Q: Which browser now offers free built-in VPN support?
• Meaning you open your browser, click a button and connect to a VPN
• A: Opera, as of about two months ago… and it works well!

KEEPING IN MIND
• The application/engagement might dictate the browser we use
• Do we need custom proxy support? That's Firefox
• ActiveX? That's going to be IE for sure
• Advanced HTML5 and js support required? Chrome is a good choice
• Are we restricted to a terminal for some odd reason? Links to the rescue
• Goes back to the best tool for the job
• Which browser are you most comfortable with?
• It's probably going to be IceWeasel today :)

THE GOAL OF GETTING TO KNOW YOUR BROWSER
• Learn its secrets
• Strengths, weaknesses
• All about wielding a tool like a professional
• You wouldn't use Google to search the contents of a site without "site:" right?
• What does that mean?
• If you are going to do something, do it well

LAB #1 BROWSERS
• #1 Spin up Kali
• #2 Open Browser (IceWeasel)
• #3 Browse to denvertrainingday.com:11432/BrowserLab1.php
• #4 Follow instructions on page
• Already completed/seeking something more advanced? Go to /BLA.php

BROWSER RECAP
• Circumventing HSTS*
• Viewing headers
• Modify and export cookies
• Easy proxy changes
• Tamper with requests
• Assess Applications – easy to find vulnerabilities
• Questions on this Lab?

INTERCEPTION PROXIES
• Two that we will talk about:
• OWASP's ZAP
• Burp (Free version)
• Several others available

WHAT IS AN INTERCEPTION PROXY
• Another tool – this one allows us to view and modify raw HTTP requests
• Software that sits logically between the browser and web application
• Browser sends all requests to the proxy
• Proxy forwards these requests to the intended web application
• Web application responds, response goes back through proxy
• Proxy sends response back to browser and the page loads in browser
• Looks like this…
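The browser -> proxy -> web application flow described above, written out as a minimal intercepting proxy. This is an added example, not part of the original training material and not how ZAP or Burp are implemented; it only shows the mechanics: the browser hands every request to the proxy, the tamper() step is where we view and modify the raw HTTP, and the modified request is forwarded and the response relayed back. Assumptions that are mine, not the slides': plain HTTP only, one request per connection (Connection: close is forced), a request that fits in a single read, and a browser configured to use 127.0.0.1:8080 as its HTTP proxy. The role=user cookie rewrite is a made-up tampering rule to show where such edits go.

```python
"""Minimal intercepting proxy: browser -> this script -> web application.

Added example (not from the original slides). Plain HTTP only, one request
per connection, request assumed to fit in one recv(). Point the browser's
HTTP proxy setting at 127.0.0.1:8080 and edit tamper() to change what the
server sees.
"""
import socket
import threading
from typing import Dict, Tuple


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, body


def serialize_request(request_line: str, headers: Dict[str, str], body: bytes) -> bytes:
    """Inverse of parse_request(): rebuild the bytes that go to the server."""
    head = "\r\n".join([request_line] + [f"{k}: {v}" for k, v in headers.items()])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def tamper(raw: bytes) -> bytes:
    """The 'modify' step of the proxy. Every request passes through here."""
    request_line, headers, body = parse_request(raw)
    lower = {k.lower(): k for k in headers}   # header names are case-insensitive
    # Ask for uncompressed responses so they are readable when logged.
    if "accept-encoding" in lower:
        del headers[lower["accept-encoding"]]
    # One request per connection keeps the relay loop below simple.
    headers[lower.get("connection", "Connection")] = "close"
    # Hypothetical tampering rule: flip a client-trusted role cookie.
    if "cookie" in lower:
        key = lower["cookie"]
        headers[key] = headers[key].replace("role=user", "role=admin")
    return serialize_request(request_line, headers, body)


def upstream_address(headers: Dict[str, str]) -> Tuple[str, int]:
    """Destination is whatever Host header the browser supplied."""
    host = next(v for k, v in headers.items() if k.lower() == "host")
    name, _, port = host.partition(":")
    return name, int(port or 80)


def relay(client: socket.socket) -> None:
    """Read one browser request, tamper, forward, and stream the reply back."""
    raw = client.recv(65536)   # assumption: the whole request fits in one read
    if not raw:
        client.close()
        return
    modified = tamper(raw)
    print(modified.decode("iso-8859-1", "replace"))   # the 'view' step
    _, headers, _ = parse_request(modified)
    try:
        with socket.create_connection(upstream_address(headers), timeout=10) as up:
            up.sendall(modified)
            while chunk := up.recv(65536):
                client.sendall(chunk)
    finally:
        client.close()


def run_proxy(listen: Tuple[str, int] = ("127.0.0.1", 8080)) -> None:
    """Accept browser connections and hand each one to relay()."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(listen)
        srv.listen()
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=relay, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    run_proxy()
```

Because the browser is talking to a proxy, its request line carries the absolute URL (GET http://example.com/ HTTP/1.1); origin servers accept that form, so it is forwarded unchanged. HTTPS is what the real tools add on top of this: they terminate TLS with a locally generated CA certificate you import into the browser, which is why ZAP and Burp ask you to install their root certificate.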
PROXY VIEW

INTERCEPTION PROXY SPECIFICS
• Potent tool for our arsenal
• You can get by with a browser and a proxy for the majority of the testing (depending on scope)
• The proxy is where automation comes into play
• And attacks:
• Malicious traffic
• Fuzzing
• Identifying vulnerabilities

VULNERABILITIES WE CAN EXPECT TO FIND
• Using a proxy as a passive or active scanner
• Essentially watches your requests as well as server responses
• Determines if there are issues such as:
• XSS
• SQLi
• XSRF (CSRF)
• Harvesting
• Insecure configurations & more

SPEAKING OF VULNERABILITIES
• Weakness
• Attack surface
• Security Bug
• With an OS or software we typically have a patch for remediation
• A web app vulnerability fix might entail a code change and deployment
• After it makes it to the backlog and after thorough testing and approvals
• Many vulnerabilities will not be fixed *really*

VULNERABILITIES REMAIN
• And they linger for years sometimes
• Usually due to low risk or low probability of exploitation
• In MANY cases because security people don't explain the risk well enough
• Other times it's 3rd party code and we don't have direct control/influence
• A lot of the risk comes down on the client or user of the application
• Risk is the critical element though; even SQLi might not get fixed*

HOW DO WE FIND THESE VULNERABILITIES?
• Well, we have a methodology:
• Recon
• Mapping
• Scanning
• Exploitation
• Tools like a proxy help in some phases more than others

RECON
• OSINT
• Google searches
• Source code (HTML) or repository
• Whois
• DNS
• Etc
• Proxies help with automating some of this, but not much

MAPPING
• This is the domain of the proxy, so to speak
• Mapping is where a proxy excels
• Basically this is spidering the site
• More specifically we are looking for all pages, all features/functions, business logic, and the relationships between application components
• A proxy will automate this and make us aware of everything it can find

SCANNING AND FUZZING
• Not spraying the heap and looking for RCE
• Mentioned passive vs active scanning
• Once we have a solid map of the application we can start actively scanning
• This is where we leverage a web app vulnerability scanner
• ZAP has one built-in as part of the tool
• With Burp we have to pay for the Pro version to get scanning features ($350)

LAST STEP(S): EXPLOITATION AND START OVER
• Exploitation is more of a manual process in a sense
• Once we find an issue we exploit it
• Find new attack surface and start the cycle over again
• Suppose we successfully gain admin rights to an application
• Now we map new features of the app we didn't know about before
• It's an iterative/cyclical methodology…

BACK TO THE PROXY

ZAP VIEW

LEVERAGING A PROXY
• Start the proxy
• Configure it (defaults work fine for a while)
• Configure your browser to use it
• Learn about the features
• See how it can be used to make your life easier
• See how it can be used to make your testing more efficient
• Let's do a demo, then a lab

PROXY DEMO: SCANNING AND FUZZING
• Goal is to show how to use a browser & proxy to scan and fuzz a target

LAB #2 PROXY
• #1 Log in to Kali
• #2 Open Browser (IceWeasel)
• #3 Browse to denvertrainingday.com:11432/ProxyLab1.php
• #4 Follow instructions on page
• Already completed/seeking something more advanced? Go to /PLA.php
• Take a break

PROXY RECAP
• What did we learn?
• That "intercept" button is annoying
• You will be prompted to submit populated forms
• This is not a vulnerability scanner; it takes lots of manual "driving"
• Great at automating some tasks
• You get what you pay for (throttling)

LET'S TALK NMAP AND BASH
• Web application penetration testing is not 100% web app focused… ever
• We have to look for platform vulnerabilities
• Be prepared to identify and exploit SSL issues (Heartbleed)
• As well as injection vulnerabilities which can lead to OS access
• Once a shell is gained, and even during pursuit, we shift away from the app
• Therefore we wield multifunctional tools, like a Swiss army knife perhaps

NMAP
• The first one of these tools is nmap
• The highest quality network mapping tool
• Usually used to find open ports
• Identify running services
• OS checks
• Traceroute
• Troubleshoot networking issues
• And help Trinity

NOT JUST A PORT SCANNER HOWEVER
• Just using nmap for port scanning… come out of the stone age
• NSE – the nmap scripting engine
• Extensibility
• Lua based programming language allows us to create our own scripts
• ls /usr/share/nmap/scripts | wc -l
• Several hundred such scripts are currently available by default

NSE
• Methodology once again: Recon, mapping, scanning, exploitation
• Recon scripts
• Mapping/spidering script(s)
• Scanning options
• Exploitation as well

SOME NMAP EXAMPLES

SOME NSE EXAMPLES

NSE HTTP SCRIPTS
• Quite relevant to penetration testing a web app…
• HTTP header, HTTP grep, HTTP brute force, referrer check
• Spider, robots.txt, slowloris check, sql injection
• XSS, title, methods, form fuzzer, shellshock, trace
• Vhosts, and a dozen+ known vulnerability checks
• 100+ NSE HTTP scripts at our disposal

ANOTHER MULTIFUNCTION TOOL: BASH
• Extremely capable shell
• Allows us to automate attacks
• Create input/fuzzing lists
• Leverage other command line tools
• Interact with built-in commands to parse files
• Chain attacks and tools
• Attack APIs with ease

USING NSE SCRIPTS
• Invoke the script of your choice with "--script=" on the command line
• Can add multiple scripts together (comma separated)
• nmap -p80 --script=script.nse,script2.nse,http-vhosts.nse <target>
• Some scripts require arguments (--script-args)
• One thing I don't like… lack of results/indicator for a failed script
• May need to debug (-d) to troubleshoot some issues

WHY BASH AND NMAP
• It's not always just one application for our testing scope
• The applications are not only running on 80 and 443
• Redundant tasks require automation for efficiency
• i.e. If I need to pull down robots.txt on every target, time to script that
• If I need to mangle wordlists: for x in `cat file`; do echo $x | sed …; done
• If I need to create x-digit numbers for fuzzing
• If I need to sleep while getting work done and being productive: True!

BASH AND NMAP
• The goal here is to add tools to the arsenal
• Learn to use them effectively
• Anyone can run a tool
• What I want to impart on you is: learn what the tool does
• How the tool operates
• How it works under the hood
• Replicate its functionality using manual methods

MANUAL EFFORTS
• We have a range of hosts to test
• We want to know what type of server(s) we are targeting
• We need to know the platform to craft tailored attacks
• i.e. what is the OS, language and database?
• If it's a MSSQL database, SQLi attacks with Oracle syntax are a waste of time
• We can browse and use an add-on or developer tools to see headers
• We can use wget, or ncat, or nmap, or…

USING A BROWSER

BASH BASICS
• grep
• awk
• sed
• cut
• | (pipe)
• for loop
• ls, cat, wget (curl)

COMMAND BASICS
• Look at a file (output its contents to the screen): cat
• cat file.txt
• Search for a string: grep
• grep stringIwantToSearchFor file.txt
• Download a file/page from a website: wget
• wget www.example.com

PUTTING IT TOGETHER
• Save page and HTTP headers
• wget --save-headers example.com
• Parse saved file and pull out the Server header
• grep 'Server:' index.html
• Grab just the server name and save it to a file
• grep 'Server:' index.html | cut -d ' ' -f2,3 >> SavedHeaders.txt

AUTOMATE IT
• cat Targets … example.com, Denver.issa.org, nmap.org
• for x in `cat Targets`; do wget --save-headers $x; done
• grep 'Server:' index.html* | cut -d ' ' -f2,3 >> SavedHeaders.txt
• cat SavedHeaders.txt … ECS (den/1D77), Apache, Apache/2.4.6 (CentOS)

LAB #3 NMAP AND BASH
• #1 Log in to Kali
• #2 Open Browser (IceWeasel)
• #3 Browse to denvertrainingday.com:11432/NBLab1.php
• #4 Follow instructions on page
• Seeking something more advanced? Go to /NHL.php
• Eat lunch

BASH AND NMAP RECAP
• What did we learn?
• Viewing output is prudent
• Need to know what to parse
• nmap makes it easier :)
• But now we know how to do it ourselves
• nmap and its scripts are open source… want to know what they do? Look!
• Any questions with this lab?

SQL INJECTION
• Same as before... Except this one has a comic (thanks Randall/xkcd.com)
• Let's talk about it
• Manually do it
• Then automate it with another awesome tool of the trade!

SQL INJECTION
• Definitely in the web app penetration tester's wheelhouse
• One of the more well known vulnerabilities
• High risk in some cases
• Risk is not a default rating; context must be taken into account

SQL INJECTION BASICS
• Injection attack (OWASP Top 10 #1 for 2013)
• SQL commands are injected into a SQL statement
• Lack of sanitization is the culprit
• Poor planning
• ' or 1=1--

SQL INJECTION DETAILS
• Can be very easy to find
• Review fuzzing output, look for keywords
• MySQL Error 1064: You have an error in your SQL syntax…
• ORA-00066: LOG_FILES is string but needs to be string to be compatible
• Microsoft OLE DB Provider for SQL Server error '80040e14'
• Know your platform!

SQL INJECTION DETAILS
• Can be easy to exploit
• Manually
• Automated
• Ask what the goal is
• I have seen SQLi vulnerabilities made top priority for remediation
• Conversely I have been asked to not exploit them

SQL INJECTION
• Can be quite challenging to find as well…
• Enter Blind SQL injection
• Developers can suppress errors
• Varying degrees of blindness
• We have to get smarter with our queries
• Also smarter with our inferencing

SQL INJECTION - BLIND
• Ask a series of True/False questions
• Timing attacks
• Beware of false positives (Burp and automated scanning tools – cough)
• Manually validate all findings
• Capitalize on relationship with dev team or white box engagement
SQL INJECTION – IN ADDITION
• Can be hard to exploit
• Just because there is an error message doesn't mean the flaw is exploitable
• Just because we can successfully inject doesn't mean there is value in doing so
• Context once again!
• Talking about varying degrees of blindness

SQL INJECTION – EXAMPLES

SQL INJECTION – HOW IT WORKS / COMPONENTS
• Application – LAMP stack, IIS and .NET, Java, Oracle, even NoSQL
• Sloppy code
• Sanitized user input – not so much
• End user interface (the web app)
• Processing code (PHP, .NET, Java…)
• DB connection
• Code relies on user input and places it directly into the query – not uncommon

SQL INJECTION RISK
• Depends on the details
• What's in the database?
• What is the vulnerable query?
• Mitigations (permissions, IPS, WAF, SEGMENTATION)
• Ultimately, information disclosure…
• Modify, Delete, etc (insert SQL verb here), and shell!
• CIA triad: Confidentiality (select), Integrity (modify) and Availability (drop)

WHY SO PREVALENT?
• Because it's HARD!
• Developing a robust web application is challenging
• Many components, features, moving parts
• Have to keep users happy
• Profit matters as does time to market: finite amount of dev cycles
• Lack of training
• Over-reliant on framework

MANUALLY IDENTIFYING
• Manual… what does that mean?
• Typing commands into a form field and clicking submit – rather manual
• Easy way to find low hanging fruit
• Not a proficient method however
• This will work for some attacks on some applications
• So you find a flaw, now what?

MANUAL EFFORTS
• You need to understand the risk associated with that flaw
• Good time to reach out to the organization and let them know
• Prior to exploiting it!
• The goal is usually not DoS or causing harm to the business
• Meaning you don't necessarily want to drop a table

AUTOMATED TOOLS
• Plenty to choose from:
• BBQSQL
• BSQL
• Pangolin (GUI)
• Havij
• sqlmap
• Some are dated, not maintained and just not great

SQLMAP – THE SQL INJECTION TOOL!
• By far the most capable freely available tool for SQLi
• Python, open source, extensible
• Integrates with Burp and other tools
• CLI, wizard, batch mode, configuration options galore
• Very flexible
• Most stable and mostly reliable in terms of quality

SQLMAP OVERVIEW
• Command line interface
• Written in Python
• Requires Python 2.6 or 2.7
• GNU General Public License
• Great resources and information at github.com/sqlmapproject

SQLMAP – USE CASES
• Manually find a SQLi vulnerability and leverage sqlmap
• Use as a scanning tool to find vulnerabilities
• Import results from another tool into sqlmap
• Use just to exploit a known vulnerability
• Use special features for a specific scenario
• Filter bypass (WAF/IPS/mod_security, etc)
• TOR

SQLMAP – HOW IT WORKS
• Basically sends traffic to the web server
• Scrutinizes results/responses
• Makes determinations based on results
• Vulnerable – not vulnerable – WAF/IPS – or unstable target
• Asks the user what to do in a given situation

SQLMAP – EXPLOITATION
• Potentially…
• Banner
• Hostname
• OS Version
• Users
• Passwords
• Data dump
• Shell access

SQLMAP – EXPLOIT OVERVIEW
• Using functionality of the database, sqlmap writes a backdoor to the web server
• Makes files executable (0755)
• Identifies the location of the file
• Passes OS commands as a parameter value
• Returns results
• Looks like this…

SQLMAP – EXPLOIT VIEW

SQLMAP – DECODED
• Same thing, decoded
• Can you tell what's happening?

SQLMAP – LET'S CHECK IT OUT

LAB #4 SQLI
• #1 Log in to Kali
• #2 Open Browser (IceWeasel)
• #3 Browse to denvertrainingday.com:11432/SQLiLab1.php
• #4 Follow instructions on page
• Seeking something more advanced? Go to /ASIL.php
• Feel free to take a break

SQL INJECTION RECAP
• What did we learn?
• Proxy support is awesome
• Once again an open source tool – view source if interested
• Any questions with this lab?

LET'S MOVE ON TO TODAY'S LAST TOPIC
• Client-side attacks
• Client-side – as in the browser or user of the application
• Clients are often overlooked as an attack vector
• Many client-impacting vulnerabilities go unchecked on applications
• Perfect example…

HTTPS://SECURITYHEADERS.IO

LACK OF HEADERS
• HSTS (Strict-Transport-Security)
• HPKP (Public-Key-Pins)
• CSP (Content-Security-Policy)
• X-XSS-Protection (Reflected XSS protection in browser)
• X-Frame-Options (Prevent framing attacks)
CLIENT-SIDE
• Attacking users of an application
• Common theme
• Common attack scenario
• Think about it…
• Compromise a site?
• Compromise 1M+ users of the site?
• Or do both – whichever is easier (as an attacker)

CLIENT-SIDE – WHY?
• Take a step back and ask: Why attack users?
• Web app pen testing is not all about popping shells
• What are the goals of the attackers?
• Malicious ads (malvertising)
• Botnet
• Monetary
• How can application vulnerabilities be leveraged?

MORE CLIENT-SIDE ATTACKS
• XSS (Cross site scripting)
• XSRF (CSRF) (Cross site request forgery)
• XFS (Cross frame scripting)
• Harvesting attacks
• These all leverage server vulnerabilities to cause harm to clients/users

FROM THE PEN TESTER'S PERSPECTIVE
• Users are logged in
• Users have access
• Users may be admins
• Users are on the LAN that could be in scope
• Users are a weak spot historically

USER RISK
• Is the OS up to date with patches? (probably not)
• Is the browser on the latest version? (is yours?)
• Are there any corporate restrictions in place to prevent browsing? (NO)
• Does your laptop have a microphone and camera built-in? (likely)
• So what could possibly go wrong?
• Let's find out…

BEEF – BROWSER EXPLOITATION FRAMEWORK
• Pen testing tool with a focus on the browser
• Client-side once again
• Allows us to "hook" victims
• Exploit browser based vulnerabilities
• beefproject.com

BEEF – OVERVIEW
• Great for penetration testing engagements (depending on scope)
• Leverage social engineering
• Target users
• Advanced features
• Map the LAN
• Integrate with Metasploit

BEEF – VISUAL

BEEF – HOW IT WORKS
• Client – Server model
• Victim connects to the BeEF instance
• Victim browser executes js and becomes "hooked"
• BeEF can now control the "zombie" browser
• Hook disappears once the victim closes the tab*

BEEF – EXPLOITATION
• Various modules at our disposal
• Port scanning
• Network scanning
• Steal victim's history and clipboard contents
• Target vulnerabilities in browser and plugins
• Own box

BEEF – DEMO
• I am going to need a volunteer :)

LAB #5 BEEF
• #1 Log in to Kali
• #2 Open Browser (IceWeasel)
• #3 Browse to denvertrainingday.com:11432/BeEFLab1
• #4 Follow instructions on page
• Seeking something more advanced? Go to /wheresthebeef

BEEF RECAP
• What did we learn?
• There is a reason why people like Serge have duct tape over their cameras
• JavaScript is POWERFUL
• Lots of modules don't work…
• Can you think of real world scenarios where you would use this tool? *kids

WRAP-UP
• Learned about some cool browser features
• Automated attacks with Burp and ZAP
• Wrote some bash scripts utilizing nmap and NSE scripts
• Got shell access via a blind SQL injection vulnerability with sqlmap
• Had some fun with BeEF
• Any questions about anything we covered today?

THANK YOU!
@sergeborso
https://www.linkedin.com/in/sergeborso
And thanks to ISSA