From 1a9d859507c0b62c8d43bf218a4b1b60425653d4 Mon Sep 17 00:00:00 2001
From: "sherif.fathy"
Date: Mon, 23 Oct 2006 01:15:03 +0000
Subject: [PATCH] - Updated a comment and removed some unused imports in HttpSplitting.java - Added CSRF.html and CSRF.java
git-svn-id: http://webgoat.googlecode.com/svn/trunk@26 4033779f-a91e-0410-96ef-6bf7bf53c507
---
 .../org/owasp/webgoat/lessons/CSRF.java | 111 ++++++++++++++++++
 .../owasp/webgoat/lessons/HttpSplitting.java | 6 +-
 .../project/WebContent/lesson_plans/CSRF.html | 27 +++++
 .../project/doc/WebGoatv4UsersGuide_DRAFT.doc | Bin 721408 -> 723456 bytes
 4 files changed, 140 insertions(+), 4 deletions(-)
 create mode 100644 webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java
 create mode 100644 webgoat/main/project/WebContent/lesson_plans/CSRF.html
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java
new file mode 100644
index 000000000..ab641b11b
--- /dev/null
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/CSRF.java
@@ -0,0 +1,111 @@
+package org.owasp.webgoat.lessons;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Arrays;
+
+import org.apache.ecs.Element;
+import org.apache.ecs.ElementContainer;
+import org.apache.ecs.StringElement;
+import org.apache.ecs.html.B;
+import org.apache.ecs.html.H1;
+import org.apache.ecs.html.Input;
+import org.apache.ecs.html.P;
+import org.apache.ecs.html.TD;
+import org.apache.ecs.html.TR;
+import org.apache.ecs.html.Table;
+import org.apache.ecs.html.TextArea;
+import org.owasp.webgoat.session.ECSFactory;
+import org.owasp.webgoat.session.WebSession;
+
+public class CSRF extends LessonAdapter {
+
+ private final static String MESSAGE = "message";
+ private final static String TITLE = "title";
+
+ @Override
+ protected Element createContent(WebSession s) {
+ ElementContainer ec = new ElementContainer();
+ String emailBody = null;
+
+ try{
+ Table t = new Table( 0 ).setCellSpacing( 0 ).setCellPadding( 0 ).setBorder( 0 );
+ TR row1 = new TR();
+ TR row2 = new TR();
+ row1.addElement( new TD( new StringElement( "Title: " ) ) );
+
+ Input inputTitle = new Input( Input.TEXT, TITLE, "" );
+ row1.addElement( new TD( inputTitle ) );
+
+ TD item1 = new TD();
+ item1.setVAlign( "TOP" );
+ item1.addElement( new StringElement( "Message: " ) );
+ row2.addElement( item1 );
+
+ TD item2 = new TD();
+ TextArea ta = new TextArea( MESSAGE, 5, 60 );
+ item2.addElement( ta );
+ row2.addElement( item2 );
+ t.addElement( row1 );
+ t.addElement( row2 );
+
+ Element b = ECSFactory.makeButton( "Submit" );
+ ec = new ElementContainer();
+ ec.addElement( t );
+ ec.addElement( new P().addElement( b ) );
+
+ emailBody = new String( s.getParser().getRawParameter( MESSAGE, "" ) );
+
+ }
+ catch (Exception e)
+ {
+ s.setMessage( "Error generating " + this.getClass().getName() );
+ e.printStackTrace();
+ }
+
+ if (emailBody.length() != 0 &&
+ emailBody.indexOf( "=0 &&
+ emailBody.indexOf( "src=") > 0 &&
+ emailBody.indexOf( "height=\"1\"" ) > 0 &&
+ emailBody.indexOf( "width=\"1\"" ) > 0)
+ {
+ makeSuccess( s );
+ }
+
+ return ec;
+ }
+
+ @Override
+ protected Category getDefaultCategory() {
+ return AbstractLesson.A4;
+ }
+
+ private final static Integer DEFAULT_RANKING = new Integer(140);
+
+ @Override
+ protected Integer getDefaultRanking() {
+
+ return DEFAULT_RANKING;
+ }
+
+ @Override
+ protected List getHints() {
+ List hints = new ArrayList();
+ hints.add( "Enter some text and try to include an image in there." );
+ hints.add( "The format of an image in html is <img src=\"[URL]\" width=\"1\" height=\"1\" /> ");
+ hints.add( "In order to make the picture almost invisible try to add width=\"1\" and height=\"1\"." );
+
+ return hints;
+ }
+
+ /**
+ * Gets the title attribute of the MessageBoardScreen object
+ *
+ * @return The title value
+ */
+ public String getTitle()
+ {
+ return ( "How to Perform Cross Site Request Forgery (CSRF)" );
+ }
+
+}
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java
index 833998eac..dd9650a6a 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java
@@ -1,7 +1,5 @@
 package org.owasp.webgoat.lessons;
 import java.util.*;
-import java.net.URLDecoder;
-import java.io.UnsupportedEncodingException;
 import org.apache.ecs.*;
 import org.apache.ecs.html.*;
@@ -75,7 +73,7 @@ public class HttpSplitting extends LessonAdapter {
 //Split by the line separator line.separator is platform independant
 String[] arrTokens = lang.toString().toUpperCase().split(System.getProperty("line.separator"));
- //Check if the user ended the first request and wrote the second malcious reply
+ //Check if the user ended the first request and wrote the second malacious reply
 if (Arrays.binarySearch(arrTokens, "CONTENT-LENGTH: 0") >= 0 && Arrays.binarySearch(arrTokens, "HTTP/1.1 200 OK") >= 0 ) {
@@ -99,7 +97,7 @@ public class HttpSplitting extends LessonAdapter {
 hints.add( "A 200 OK message looks like this: HTTP/1.1 200 OK" );
 return hints;
-
+
 }
 private final static Integer DEFAULT_RANKING = new Integer(10);
diff --git a/ webgoat/main/project/WebContent/lesson_plans/CSRF.html b/ webgoat/main/project/WebContent/lesson_plans/CSRF.html
new file mode 100644
index 000000000..9cc655e12
--- /dev/null
+++ b/ webgoat/main/project/WebContent/lesson_plans/CSRF.html
@@ -0,0 +1,27 @@
+
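Review bot: In `createContent` of the new CSRF.java, `emailBody` starts as `null` and is assigned only by the last statement of the `try`, yet the `if` after the `catch` calls `emailBody.length()` unconditionally, so any exception raised while the form is built is logged and then followed by a NullPointerException instead of the page carrying the `s.setMessage` error. Declaring it as `String emailBody = "";` (and dropping the redundant `new String(...)` wrapper) keeps the lesson rendering. The completion check only looks for fixed substrings of the raw parameter (its first comparison is garbled on this page, so the exact literal is not visible), and a one-line comment such as `// raw, unfiltered input: used for substring checks only, never echo it unencoded` would record why `getRawParameter` is acceptable here. The Javadoc on `getTitle` still names `MessageBoardScreen`, and the imports `B`, `H1` and `Arrays` are unused in this file.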
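Review bot: The replacement comment in the second HttpSplitting.java hunk is still misspelled (`malacious`); it should read `//Check if the user ended the first request and wrote the second malicious reply`. In the same context lines, `Arrays.binarySearch` is applied to `arrTokens` straight after `split(...)` with no sort visible in between, and its result is undefined on an unsorted array, so the lesson check can miss or misreport the two header lines; `Arrays.sort(arrTokens);` before the `if`, or `Arrays.asList(arrTokens).contains("CONTENT-LENGTH: 0")`, would make it reliable. Splitting on the server's `line.separator` rather than on the line endings of the submitted text also looks platform-dependent, though that depends on how `lang` is built outside this hunk. The enclosing method starts and ends outside the hunk.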
+

Lesson Plan Title: Cross Site Request Forgery.

+
+ +

Concept / Topic To Teach:

+ This lesson teaches how to Cross Site Request Forgery (CSRF) attacks. +
+
+

+How the attacks works: +

+Cross-Site Request Forgery (CSRF/XSRF) is an attack that tricks the victim into loading a page that contains img links like the one below: + +
<img src="http://www.mybank.com/sendFunds.do?acctId=123456"/>
+ +When the victim's browser attempts to render this page, it will issue a request to www.mybank.com to the transferFunds.do page with the specified parameters. The browser will think the link is to get an image, even though it actually is a funds transfer function. + +The request will include any cookies associated with the site. Therefore, if the user has authenticated to the site, and has either a permanent cookie or even a current session cookie, the site will have no way to distinguish this from a legitimate user request. + +In this way, the attacker can make the victim perform actions that they didn't intend to, such as logout, purchase item, or any other function provided by the vulnerable website +
+

General Goal(s):

+ +* Your goal is to send an email to a newsgroup.
+* Try to include a 1x1 pixel image that includes a URL that transfers funds to your account.
+* Whoever receives this email and happens to be authenticated at that time will be a victim. + 
diff --git a/ webgoat/main/project/doc/WebGoatv4UsersGuide_DRAFT.doc b/ webgoat/main/project/doc/WebGoatv4UsersGuide_DRAFT.doc index 23c11538cef3a167b0fb0d0cca0e49042f804903..1933d6d80ea58758c7692835110ab17a470576c5 100644 GIT binary patch delta 11036 zcmd^_cYIW3x`4kknM@{!BqU-2A(Q|CX=xxu6qc4OModCSL?93#AP^uRVqpd@O%VhK z_z+!1U00E^^g%?*>RJ|7B1J%y;zdPa)vFYVl>5Br%#Z|vzuoojU-!)KIq%oY`<3&Z z_l$RXQ}4p2^PAR+P)d12xyco+)Rn7OuZq)_3wqa$evH`1VG4M_A9KZ=Zam{~=8PK@ z?o{gMTeeFED>rwSQav6}DoPC=Ie6r_+;O>9T)A7gGfvHlGgOr}Hivs!(K@EYjQ5Rl zH1li-v(t+#>z2@p{7H6l>wYMZ*E`A%EGwlg#e|*e{$O1&JS)RM=QiXh`3rzka>q+`}8A))+XaE^2 z`70^4mw<&75bImutP&pVb7fs;oms`V%<1$jp?0}M4nS7+imy~k=CW6?h@cGiCYVP2 zk1?9d$(Kdob93yN>!s8)$f=rN8;4*)*B2~mD0@9O#}|{|vQ4m^H%8lurM{MEGy4st zjuR9tc0(B1+j)LmX(tQTx~3526ZFGNefLg3_Z}JTD>&+f)0N6asVOTM$Y3NgYqe5I zboVD(*#*ChzFb+Pd!14~_uKyMGnIOnbmDKVREYXr4Ko9;NCM znT@Q5461P${#)@sf?UMd)~hQi<+@%52XNs!k~Iizg24~<_#$rno>A^cxusz2}4u!3nz^kRhXAwRO%WybVyOkkl`bI-BRM$ zKc8JA+MV7aHZsy}MEZ6PNca6PVE=k!P>9n!++V5gY(|$a`%k=Mo-x*!4Bg~)ZSSho zj;_8>ziJxt@}e2&w0?GN!#&m6#i2qA)~$Nuz1V`0^%|=<>t5Bm$KN!*O1T(2kFW37 zuNlefPNkWlGpK8$FXp>=-+&*d`D*5m@ZIs#d!C3L1n-3E_bQbDHDEXtz(`mG>)-%< z0vDijwo)08oukw!SPL$8v@naI`Proqjg>gdyzwYC@kMoVWFwGMYTQIo)8z@8W$`x0TS?eK7TK-h!o*G-= z8U1P?fvv5ytXtI(w3%NZ!ymkhW^X6G!#y=*WSv5{a=8t=SUXoQw{c@8kK|JI$yPS$ zjp-y=3aLUyN|j~PR#>bgPn59{Wj_c(g^RKef+$>+J*bFVU@wr885UdE_i~<9Wn*41 z>$!Qdb-vt!c;6qKiN4w=+`e6B>-fCqMx`(r@-6*39k?uwvj+{&-%@>_QomQKQ<9PK zo>v|-(h)YKhwlqShD&>&g{6?g49N}5mNkJHbGXc`X~7I>1;b%9$g_G8$m~(f6cg;p zn{q1BCk*&8(pU34+Z_xO`47U6|5&{oUtWyytvUPJ@G4SFGIWG~-~lgefwPd#TxsxH)u(p0ER?qCM~_w5KAeR4SYTu~byH;^*)` z4}XG>VIS;=<4~y=s}G_e6YhatFr^p!y%$H--aHwgIwZgya0D*G6=>3jM#2ZM58Cuq zsvQh~f$;s&;_vzG{$Tgcw|Bq!!J8XbE$6=c%~!$t>E*khc(n9KO>qVP)2c}6SHg{S z7oMbs!}PXrBi`5KLUK}YWwYK7bp9(VNba)UC5uS>zIhkg`&M2E_f5J`t$Nx#dbt!t z3x5F7!d^J!eE#NGhimnfe)bs?qmo@!#H>bG;9Drd<^^H0DJ;RAnHC2D);FH z5ym9FEW)@=yCaRCJu(q?Kruv;q8g+?D*PV0!xgv+vHg^~9a_M-`xz&w&I9rw90GY* zehQz#=Wq;;!x!-1@Fjc&r{Ej-wm%2uGdTVMKfzfz4;SEPxCkZi3;cL8@Y}a%*PdPP 
za(jE@TKo6Pi?8Sx=gyk@*xYe1zA{2p4jI{Iy_*SmIU`E3dEXja(7Vw`0e`2gXq5*l z)_T(Fk7A89?Fcto#k|;#0}^><+l?#0r?bM1Ct5Y?LeFQzQ?LToz~A8SPy&}hv?E%n zgGQ3!+xtb&BmK*wj6p``w}b@sbs?a$puUdKHPP2m5Ph8h(bq{3eSHn0uhac~wdOVQ z7e*TkjO5bE3H7I}@j?CWrn=Ywozh1LC|Z!vsEhUioBq!J&@ zmx;S8+zZ)|1J{>z>FhU`jvYSs(Xqc?+PP(YOn$1N(_)R7nwILKV+)>Z(Kn#xysX6X zD()L=G;p&C$e2WKiZeDi94|-tH&rwG9dU0sB09%g?X2-uTO&m8Pj{pn4()2@NG8>+ z7R?+G;&0K+`RAQ_U%KNKef}qBA_=RWbxI0<=2_>*UG&MHoVVykZ9@|cr_O2{YQ;=$ z8~WfbUA1i}dEBl4zko&JN-FrCs5T^b=2or$}>3c7;!Er`zlb z?^#9OZ!1XKCy>nD-bnC=M3^JO@-tQM_AjfKj7$|l9yvcM6{9j$p&G@nP)$-pRX(p8 zlhs&U;|Uv~#;6BL6`|TSHaa$r7+c^~Ui_?eCU_4vEehf-nfb}(R2gyp*;UMkLp?J( zQvrwc2VoJcgHPZfT!4&BrHbHLSPD6u7;<40tbw&~7+k#ggh2~v1;b%9jDtn671Z7I zACjRX^t+oy@4?}PEpQgnvnT}afgJF`Dp(8KVJG|rI^4rU8-_tXhp(Y96K26YSPIX< zAK*{07xuvcI1UjU$|CRO`B@o9ZSa5>romh|4QJpxkP}=ihoCs93e_MUszU;_ggam& ztb&7Z5gKzqY69(`19XIeFc_x63=g-NFb6(_61bBSQ}6`!3~mh@zz-k8emDT1z!8u$ zc^8-sPr(XU1Al|RLkV1ls~|_CI-EX|;ali+j@x;-0M&U)9s)6;9D$>70#3r$a0*Vt z8Tc74!X@a;^vZx-=mtG?dT+Cq-qX~qtOq2RS^9W_nX7jsm^J)qHOwrRUR}@Z>Hny% zdAp&xM;Ot1dtI}pK9p%j>3KM z*He?sTV2I6(;I3JsX`hC0;Q0)6(rUR>YK6U^H&sfv)nfe|Id_4ZLRgxMs|b4+$*J@ z!Cv1qyn?3uwpQP)0Towtzka@nImOX1LDy(%R&UcVK^h&rmMBM}N(;5U-iqQ}*W&b8 z@=G~S1!P2;+0v0(Q%Bb!967eREiHdWEj#@GP?jsdcU`;ue?c})rT@LfbaU-mqC)7u zY{XpNisBsC;{NISEWPZjzql6axL)YuG_!iGef8~9tyNN0SZRVeYu;v+ za}!Z6=`#)OCjJZ3QfZ)#tsCoQDXi=31>I?=bL*N>j;2lQ3X*S>RzbuEr8NginpkcB z&j_8?0{#9QWd}3rrY&Xurt96AGH=thx1}xTC;dP3H?jL`uj6!UjN7E9mrhYk(Riv{ zo1(uSXU`GzX|03!7Sr z^akaxX9}jWXGuwGEA>r;e!eY>x}^1ued3rWm$zKT-q)oxr1z4nxDCgH@}*dDvOnD{ zPBdf3=|SzxxOO*7CoQ>Iob3O0T=`zwIw;q6M@j2os3qH6*Iwl=vz1j87u;(pXU*@J zcgWqy3dY<94It4({2LN+71Ji^x?c-dM#1mWi(Y$Tu@Ve zGX1$7&EAo6c#F~-a@e9nbn!KDmu{GA&eFf{%kgeouKBp_I+|lf_I|as83~Uq7z@Q>XQma>w=HFuH6UV7Ke-68Qwn{4-SMS<@dX2JivMTG8iPK$+ z7&czYi_BZyfpFUwX8YX!)FLxE#8ogyr8P*`gCC;3YaTMIxfX^mqgMS9Zs&?$a~Ugi z?MY@$hn+YsHqoCtQRv2=WKWa6erH^{uz&$MIn(pn5qd()#1>?A3DX{YSb`dr&l3Wb*Kr_ zvm%%XkNQ9Nm_BD{qUD}A-5lbKmA7bldzRTQuUztG)l>gtwt2y`mf-V{Pt@)7I-WlC 
zr0rL)%J8{V+}q=fXl1C+jtq!$sjB#5@I8NQKvWj(5+t=;4#MT$jW8h?ZiiZ*7p)YH zy%WceX;Z{Eu+e!%dfAiaZ94l&v#mQqDdYHx=qSDCN%OO)lPTy5y6{lQNz=>cm>n&{ zz;;R&!@ziW9}d7bAbr@x=JF1_3x9(?7yQH3Q@u+WT-C&ck|U#5Q;zK9bJ}U%)r;3tWa!W>N&mRwl?hx**${ zAn)t4y~#VfY;p45F58^-PTouD)pO0Kv42veU6y4-$v%NLYVg;JQpiTuDI2kk< zpnMnsqd*4c7|1y64(Q*79$Ud(AbQUO(eoRy9z@qQP)B_b^_&M$j~g|lLCYKlx)YAO zAsOSi*yDr{1+^N7vN3U4xhtGh((t*AP0KEbMOMJ1wZV810Xh# z^d5Ko27S&qo9I{Pn_iu7h9vE0TkuS$M7Q#x{4X2?}G|MoC z(TvgK7MT4!C)h{hFbQPT!VCtkx=bBtl*EdGC*VnV7DDP{w}fcu1Eb*M2515<--dy@ zA*0v?s}}TwH=tgMQuo21;0utwEj5*LVQwnwcooMF&^}FvKf^{hy)&Q6GpMi&pFf~^ zmOYonpeTkzF&c`&F!Em8PAE1)u@8!EQ0#&-ZDq>J$4{A}G96_qo@2!Z&1~`v2wK*z zTe+TJUAkgk>%^WPSi&kyg@Ut;6!&kT!*9uK<<;LkW2SZzXKCA z4GPg5oBw>DS+A4qO!64|H}^bIj-KZ;6a1kI&HL)aGA?M#T3+f)q+B_=XrtLG1T(u{ zzR?^V!Y2%W>?X5?!}A|Hpq4wIUT;ngKFL|^{tq{sl^k~&UPFl*gfq9@V;DTy#VuD* zI-+gAW$JG)f1l%a^=gQYe#=a*8KHWp0_#h`2sKP4@+BcpO(0~lm8AV!X4T4p>>Me` zMb-V@GUpkctEnG~9VeagS2ia9=2vD~|DeDfYW*Q;c?8=yOU6(vJoFk8y%bqKbg94T z+vY&SwVIi{x~Kf_$~X3}PXE4bCI_nunm<3|ij z%*>lmAcsT6&S4E?3;p;zX2aH9zuzvy+8+2cy|`KSdxqt{%l)qWlZzf%$03o@Jdx7y z5cw-l?I`&Z+~U3Fp#*8Z#7TEVN~1*{s#Zz=ve%6FN9;348jhSO{qTNsyvQ^AF?AwG z9WV!rEIwd|cmBkdn**}xL35tOZ#`(IOFU%9FFa%pknppI%rPSK51Wle&OdBsi##5X zX`kADZ$K6YWa1G!d~87O2*~Kq?C?PWxyF`@KevN(19DkF{t%GukJ|C`1M+x4rX91x zy#ZMqkcr3b@Ua28BOs$sn9oS_|9HYu4<86WGd7(x8#>%`P^bJK)Svd1c|67)8XE9c z`ic6T}dt%xnno$M}9Fq sMw~AB#eBpVq9-W4sxAmIDEi*aKd<`t)v0^$xl5gM z>sHmNE?v~5bas>ZO)ia5O5GL7PPPQ4W^inAc)FsZLbAq@9uE^D7ZhA#JezdRbMyOJ z3q9VR5rd<>N*%BHim2Ij+541A8K6`RHFVU_QEyLpdxBkd&Mw-UqVB6@si)E%mfheK zPYy2drUplQnw5->a&kmgK9=0-(hVGSdp|#1x6kcPW@XuftkvWnLOwKFsiT~zt3PF( zQX@$}G**?UR-Et~3_T0QFT`!7C(lT!Sb1}+yV5-qS4Yx! 
z;mSBnkV|HioJKWL`pNaGE6(`9ZK!I)VuH$B)cwK4!j`SwasIT}QI>vNV#&=+F_0T4#qTv|2(Mn&p9^7tQm0OBNG$xPwc-2Wn@TU;e?1c)4npIu zN;QF7U=ozW!>|SX-GVRvqe-t-Ysy#6U$y3iH4nV7CN_EG(Ed-W6nn1{l1G+|c|4rT zEx<#`9{-)x*9+Dk!38{JK*D`5Z(grx4w8OVj=?!f~) zvim;cHY0LK>X z$mnW@M>7%mCwLoLv9MkRePA$@!fe}^usca~KK`cy$I|d-U|c^PUQygK9v&Of9m4k zn@5L~_`rT zu-&4<}ot#0*4995n>QQA=Rl z;-*&m;v8%9h7V7tSgFb@nc}^25bx~-TWMpCwcARRq&V|^_&an8C3>tQR$`~HGxL!> zVO=QEEBWg~+z@FYA1Ps18`7S_Ug_~!5zd*7?(_wuHVn>Max_vG@W&TsAm zb7wwKc`4x7w9l|2P1AU*Wnw$e31*tR=8-a!;;jeb6%+h}yf>MoDI*(X-5P9is&1pE z`>>L0u^+-#y9z6fgQXzWJA6|pQ(GTfqYjf0GkP#xB>12{WI{f4fdc3bb731)z~z{+ z1>6MvU@}aD#ZU(2@GvZg-4J_=SrBX8X;#Eqjf_9eI^HrCV_y$Fpa_a#9xQ-u@G6LN z#3`TllqMlt?M7G zH!nL>RMT2uUAB%4aoZNy3a>yEw>m#0K`oG5pFC5a3U)Y@9$fZLTyT0(MrceeD`=HS z-RB?#FTp0*3~qZbbG!|t-EY8cJDT?5ApsJhCRFY3*pXw0j_vv253hU>TJwROSoy*7 zvU6rkuwLPFra09~Otq&Ax6-A!C}rfS&NbAKf&de0cdC_{z%**T!5_}&R%-I&t&1)e zB~>eVvtICchDC*5%&_`?;&1h#jG>ka zrF~~@X=@H0^VT$X@4TWB z%Ky&0>soV2`)Zo(c98)q!W6WNv`eP6i@g19^Xy7Lb+j*Fc};4J&u%q8#&=(S40U7t zBg!nlS-aAIIhV`9m43To{3?Hqm;IeP_?^);91@*%SyBYIP^DS0RLoZmIP`Y#m`C4@ z&NdIsi_VdO{P1q{%-@;T??&H{CA1Dck~+;9*z_TOc~0rwkYX10m@e+JIarhKaBY{seEs2{;Lj zujMj?7H|uc!W-}&d=0)X+_<1q7gn-74rahha12gBd;y)o%`gro!YsH4?uE$fxVOWl zki~;tHWa{h&cES7CmvEoppcBtjd5{l1VI8c8=Ruyg_Q1#R z3G9V^upbV<4{!>u;;CmGEQOchFdP97xAI8vL4C-CeCPrNCG5JxT-XK`;NJ6Z;vU}* zCc`vX3}sLb55sbh$EH~B_18lWD1u^`2Mb^uyb7;_JQIA%o%(B7%bj`?^xVvD3+#tS zxMRv&_HuX(9*5QN46K25upYL+R(J)Xm|A{Ff?AMjp6jFQnIm=e#U{{HYje7;u4x~I zINISmn>ME#=xfc4hB^=`XsErGl*C#IQnhYqa;DC-0!-IZ=Im;u3aD}sxw2y`70k9q zIxQeaXzfH&T#eT6vvgXU%34|0Pqk>_FVaGm^^}Nn`+2XGPLr#y)a=i^&>jP#|BK_g zFfFI=-!h8dUh~36c41n-eH8zmn)ZyUcCM^#eAd4gruFml?zfNs!YupiwEj(J)X}tQ zqie_oop0LY=u2DcbX939Q=WiCgzT-fy0XYKWoAW=&hY4TvlUsdI$i%+-P|1A(vw)* zw6Cu-yot40N|EQ60PF|4MoraYH?~hgJcnhYOUgTLqlKJNq&ffnCBmrPY?=r>DQ~5V zt-3PzVxxX(Tl%fi-p{3N|Do?n`=YCqu9|00JwHA)*r!`v znY#d2X}4-SmTRZyTk)`aZXb4;*vTm~^V{o`zUR}Ev7E0=#&W(gxfz7px9wDEytaKR zrQLEjUu3;1V^;o3ey8ri4)_-NBeLqb+q&nop|n%UhCMnu?YMp0KI_uXnXAaXQtqbb 
zwsU-mwDlhB;G};>+AFMEesw3iUGLSM+?CTUncm5i=Ft=K5u`QU9Ldw!p@VrkCoazL z$bV)tMZI_^FYcx5oY}232YTt+rde-2PLAq^w)fU~-jb^CSHJDu>eszmxvx~bfTXAu zyjiS-C*UcNH;mK}Zx*w?mNG2|=ptSeo)Do-%0OFe8_3exQW@lx zR*9xc$W+3k5(<@&rv&LF_9jsQUow&G&5%XWaf*Q-v8^Wz8##Q; zkO}6`b9I)PF;}^c#u=`F%jGk^Po1Nk}T*B z{b3(`0sn$ya0=qCC4vJ9kP3~U5GKGJSOf+hgU2BR30<(OgjVk6;J;uIJPKRkkMIE; zfY0G;NF$`u0Ir5>;X3FA{b3BufKtf8%2z{kA|@R`!Yj9dgjH6;`|vkNXPPzaN@zvG zDLp{KD4XF3d=K-PspYU9How66uh&Mxq_E-q?|h8xukTcBr~ z8yD&vA1jlJO))bU>W(EH@oHxfuZhRRJ6UiUA4)laRum~Oo2_wA$5=!!8v^=;5`omC| z4zu7gM8=+_uCW09U?+Ah)o^Y|j2={xFW z>PMP?F4ld2*SQ{jLUseC9t3Ygz6rywO#WB_mo+Au2=#M_D8f5%266=#VpTzhiz9+Fgv7^{fKDmj_#6Du1O`NM6Dw8GW z7v@mlCzD9RV?LG_cQSodrW=`xGM!fK?$2e~Z)TS3v<{IfiiJqFU+D5DJ%)P<%_!H! z7bkb41#GPR@F~dF)kJO4SDKDn^ytv@TXb_z$$#SBUNvm$F0PC$G<=(m@wAC6WufKj z5>_?2*Ro_emb7fh_OrK7^CUP)JDiP!5>$J8r8jG~>&qf#$@lZkH7U}P^@k%dDlCT;xS0lq1j0Ee{=jO%Jks<8kNs z8{{u0!8_jch8Dk}>saR1?K&;E&|53C?@j%w_2Ld)Xr*@?KXKUbK-VEtMh=&|wqjn} zerRr{|50bPn%}LjJYlv6m65WfS+}<=`*{4Y0rK}0DU;EPl!1tpJ3)l=r-ne`$JU0Q z+10a_e560BEvF$h<+Mb~;6<)Zk1;1d(&?etJ$jVo`NU%;f2_xg{PJTxL*(dB^iYvI zKXLN&_B!&VuxzqV&y(`4`y9Q%ey4oVemzj~kM7rFMHU{=mx`Q!Kz9>)Ff4NqI_c7| z+!>aEzdHGMgyr_IO!%9VKR7JcJ95e2o$MZAxgspT3d{C~obvf$c`z( z2L9pX-w~GE!!qGBy-NDFsIAO2#;ukv02$fEs*%F{XeG?s+F24o|tLY9COSQ)7$SuiFPWuN*eegDenD(nHmvOV%0J~M8r(B z2AhfAn3CEfDQOVC)-1kA6{#`m4%J-^RimhRc|uKACuzpr$jq|Faba9%@*-o}Ect?9 z{^^a0F-NQg^J9lwj6Fg-9akN;Jmq!0ZP@st2}QRS2fE*S>up>(Hy4dB4CECJn>c3p i*kbu6rn>f)JhJ4Ehf0of-13}O>gZL^kHalXt^WaIg&Nra