SlideShare une entreprise Scribd logo

Cis

D
dorlov
Technologie
1  sur  4
19.12.2008 Chapin Information Services Chapin Information Services Home Google Chrome Receives Lowest Password Security Score News Safari Ties for Last Place Software Translations Security Experience 12/12/2008 — Google's new web Currently, the password manager that browser may be fast and slim, but the is closest to solving the first three My password management features it offers problems is built into Opera 9.62. With Bookmarks are full of bugs. Chapin Information invisble form elements deactivated, Contact Us Services (CIS) reported critical options to limit saved passwords to a vulnerabilities in this software during its single page, and partial destination beta period, all of which were unfixed at checking, this is certainly one of the release time. more worry-free products. © 2003-2008 by Chapin Among the problems are three in Also new to this round of testing is Information particular that, when combined, allow Safari 3.2 for Windows. Safari and Services, Inc. password thieves to take passwords Chrome are essentially tied for the without the user's knowledge. worst password manager built into a major web browser. 3rd-party 1. The destination where passwords applications and plugins that were are sent is not checked. tested in July also tended to score very 2. The location where passwords are low overall, but still offered more requested is not checked. inherent security than either Safari or 3. Invisible form elements can trigger Chrome. password management. For example, RoboForm, which scores A technique described and demonstrated much lower than Opera and Firefox, at by CIS two years ago leveraged such least gives its user the comfort of vulnerabilities without using client-side knowing passwords wont be saved or scripting. The implication was that an transmitted without their personal attacker need not have full control over a attention. Used in combination with a target server or a victim's computer to more reliable browser, it would also be obtain a password from their web free of the broken URI parsing CIS browser. found in both Safari and Chrome. These three problems, combined with Take your browser for a test drive in seventeen others so far identified in version 2.0 of our interactive password Chrome's password manager, form a management demonstration at the CIS toxic soup of potential vulnerabilities that website. can coalesce into broad insecurity. CIS Testing Results Internet Google Test Performed Opera 9.62 Firefox 3.0.4 Safari 3.2 Explorer 7.0 Chrome 1.0 Action Authority Checked on Retrieval PASSED PASSED FAILED FAILED FAILED Action Authority Checked on Save FAILED PASSED FAILED FAILED FAILED www.info-svc.com/news/2008/12-12/ 1/4
19.12.2008 Chapin Information Services Action Authority Raises Warnings FAILED FAILED FAILED FAILED FAILED Action Path Checked on Retrieval FAILED FAILED FAILED FAILED FAILED Action Path Checked on Save FAILED FAILED FAILED FAILED FAILED Action Scheme Checked on Retrieval PASSED PASSED FAILED FAILED FAILED Action Scheme Checked on Save FAILED PASSED FAILED FAILED FAILED Action Scheme Raises Warnings FAILED FAILED FAILED FAILED FAILED Action Scheme Prevented if Unsafe FAILED FAILED FAILED FAILED FAILED Autocomplete=Off Prevents Form Fills FAILED ? FAILED FAILED PASSED Invisiblility Prevents Form Fills PASSED FAILED PASSED PASSED FAILED Method Checked on Retrieval FAILED FAILED FAILED FAILED PASSED Method Raises Warnings FAILED FAILED FAILED FAILED FAILED Multiple Paths Per User Per Authority FAILED FAILED FAILED FAILED FAILED Multiple Ports Per User Per Host FAILED PASSED FAILED FAILED FAILED Multi. Schemes Per User Per Authority FAILED PASSED FAILED FAILED FAILED Page Path Checked on Retrieval PASSED FAILED PASSED FAILED FAILED Random Name Attr. Prevents Form Fills PASSED FAILED FAILED FAILED FAILED User Required for PW Retrieval PASSED FAILED PASSED FAILED FAILED User Required for PW Save FAILED FAILED PASSED PASSED FAILED Valid URIs Don't Break Anything PASSED PASSED PASSED FAILED FAILED Totals 7 7 5 2 2 * Google Chrome is the only PM that strictly adheres to the criteria for autocomplete by disabling itself. Firefox 3.0.4 will avoid filling a password when the page loads, but the PM remains attached to password fields for filling passwords. Test Descriptions Action Authority Checked on Retrieval To pass this test, the PM must never deliver a password to a domain other than the one to which the password was delivered when it was saved. For example, if a password is saved on a self-referring form, and then automatically filled in another form that points to a different website, then the PM has failed this test. Action Authority Checked on Save To pass this test, the PM must never overwrite the destination domain name of a password without explicit user interaction. For example, if a password is first saved on a self-referring form, and then re-saved on a form that points to a different website, and the PM prevents the password from being filled on the original form, then the PM has failed this test. Note the implicit requirement that a PM must distinguish authorities on retrieval. Action Authority Raises Warnings To pass this test, the PM must warn the user if the action authority does not match the page authority. For example, if a login form at www.info-svc.com:80 points to google.com or to www.info-svc.com:81, and the PM allows a user to save or submit a password using this form without notice, then the PM has failed this test. Action Path Checked on Retrieval To pass this test, the PM must never deliver a password to a path other than the one to which the password was delivered when it was saved. For example, if a password is saved on a self-referring form, and then automatically filled in another form that points to a different parent directory, then the PM has failed this test. Action Path Checked on Save To pass this test, the PM must never overwrite the destination path of a password without explicit user interaction. For example, if a password is first saved on a self-referring form, and then re-saved on a form that points to a parent directory, and the PM prevents the password from being filled on the original form, then the PM has failed this test. Note the implicit requirement that a PM must distinguish paths on retrieval. www.info-svc.com/news/2008/12-12/ 2/4
19.12.2008 Chapin Information Services Note the implicit requirement that a PM must distinguish paths on retrieval. Action Scheme Checked on Retrieval To pass this test, the PM must never deliver a password using a protocol other than the one by which the password was delivered when it was saved. For example, if a password is saved on a self-referring web page, and then automatically filled in another form that uses e-mail to deliver the password, then the PM has failed this test. Action Scheme Checked on Save To pass this test, the PM must never overwrite the destination scheme of a password without explicit user interaction. For example, if a password is first saved on an http: form, and then re-saved on a form that uses https: or mailto: and the PM prevents the password from being filled on the original form, then the PM has failed this test. Note the implicit requirement that a PM must distinguish schemes on retrieval. Action Scheme Raises Warnings To pass this test, the PM must warn the user if the action scheme is potentially unsafe or does not match the page scheme. For example, if a login form uses an e-mail application that will display the password on screen, and the PM allows the user to save or submit a password using this form without notice, then the PM has failed this test. Action Scheme Prevented if Unsafe To pass this test, the PM must successfully abort a password delivery if requested by the user. Autocomplete=Off Prevents Form Fills To pass this test, the PM must never deliver a password when the autocomplete attribute is present and set to quot;offquot;. Invisiblility Prevents Form Fills To pass this test, the PM must never deliver a password using a form that is not visible. For example, if a login form is present on a web page but has its display property set to none, and the PM automatically fills the form allowing the password to be transmitted despite being invisible, then the PM has failed this test. Method Checked on Retrieval To pass this test, the PM must never deliver a password using an HTTP method other than the one by which the password was delivered when it was saved. For example, if a password is saved on a form that uses POST, and then automatically filled in another form that uses GET to deliver the password, then the PM has failed this test. Method Raises Warnings To pass this test, the PM must warn the user if the password submission method is potentially unsafe. For example, if a login form uses GET, which causes the password to be added to the address bar, and the PM allows the user to save or submit a password using this form without notice, then the PM has failed this test. Multiple Paths per User per Authority To pass this test, the PM must allow a user to save different passwords in different paths of a single domain using the same user name. Note the implicit requirement that a PM must distinguish paths in both the action URI and page URI. Multiple Ports per User per Authority www.info-svc.com/news/2008/12-12/ 3/4
19.12.2008 Chapin Information Services To pass this test, the PM must allow a user to save different passwords using different ports on a single domain using the same user name. Note the implicit requirement that a PM must distinguish ports in both the action URI and page URI. Multiple Schemes per User per Authority To pass this test, the PM must allow a user to save different passwords using different schemes on a single domain using the same user name. Note the implicit requirement that a PM must distinguish schemes in both the action URI and page URI. Page Path Checked on Retrieval To pass this test, the PM must never deliver a password to a path other than the one at which the password was requested when it was saved. For example, if a password is saved on a self-referring form, and then automatically filled in another form that points to the same path but is located in the parent directory, then the PM has failed this test. Random Name Attribute Prevents Form Fills To pass this test, the PM must never fill a password in a form field whose name attribute does not match the name of the field that was used to save the password. User Required for Password Retrieval To pass this test, the PM must never fill a password without explicit user interaction. User Required for Password Save To pass this test, the PM must never save or overwrite a password without explicit user interaction. For example, if a password is saved with a username, and then the same form is re-submitted with the same username and a different password, and the PM then fills the new password into forms instead of the original password, then the PM has failed this test. Valid URIs Don't Break Anything To pass this test, the PM must never submit a password to the wrong URI or fail to submit a password to a valid URI as a result of erroneous action attribute parsing. For example, if the action attribute value is quot;mailto:localpart@www.info-svc.comquot; and the PM delivers a password to quot;http://www.info- svc.com/mailto:localpart@www.info-svc.comquot; then the PM has failed this test. www.info-svc.com/news/2008/12-12/ 4/4

Recommandé

php blunders
php blundersphp blunders
php blundersdecatv
 
PresentacióN1
PresentacióN1PresentacióN1
PresentacióN1aulavirtualpuno
 
Haiku 9 Por Jem Wong
Haiku 9 Por Jem WongHaiku 9 Por Jem Wong
Haiku 9 Por Jem WongFANNY JEM WONG MIÑÁN
 
Groot Onderhoud III, 25/10/2013 | Vincent Nijs, Kennisintro
Groot Onderhoud III, 25/10/2013 | Vincent Nijs, KennisintroGroot Onderhoud III, 25/10/2013 | Vincent Nijs, Kennisintro
Groot Onderhoud III, 25/10/2013 | Vincent Nijs, KennisintroFARO
 
Groot Onderhoud III, 25/10/2013 | Griet Kockelkoren, Collectierisicomanagemen...
Groot Onderhoud III, 25/10/2013 | Griet Kockelkoren, Collectierisicomanagemen...Groot Onderhoud III, 25/10/2013 | Griet Kockelkoren, Collectierisicomanagemen...
Groot Onderhoud III, 25/10/2013 | Griet Kockelkoren, Collectierisicomanagemen...FARO
 
Introduce+Odung+Elementary
Introduce+Odung+ElementaryIntroduce+Odung+Elementary
Introduce+Odung+Elementary光章 林
 
Pri
PriPri
Prijanainii
 
Overview Of Housing/Credit Crisis And Why There Is More Pain To Come
Overview Of Housing/Credit Crisis And Why There Is More Pain To ComeOverview Of Housing/Credit Crisis And Why There Is More Pain To Come
Overview Of Housing/Credit Crisis And Why There Is More Pain To ComeAndrew Coleman
 

Recommandé

php blunders
php blundersphp blunders
php blundersdecatv
 
PresentacióN1
PresentacióN1PresentacióN1
PresentacióN1aulavirtualpuno
 
Haiku 9 Por Jem Wong
Haiku 9 Por Jem WongHaiku 9 Por Jem Wong
Haiku 9 Por Jem WongFANNY JEM WONG MIÑÁN
 
Groot Onderhoud III, 25/10/2013 | Vincent Nijs, Kennisintro
Groot Onderhoud III, 25/10/2013 | Vincent Nijs, KennisintroGroot Onderhoud III, 25/10/2013 | Vincent Nijs, Kennisintro
Groot Onderhoud III, 25/10/2013 | Vincent Nijs, KennisintroFARO
 
Groot Onderhoud III, 25/10/2013 | Griet Kockelkoren, Collectierisicomanagemen...
Groot Onderhoud III, 25/10/2013 | Griet Kockelkoren, Collectierisicomanagemen...Groot Onderhoud III, 25/10/2013 | Griet Kockelkoren, Collectierisicomanagemen...
Groot Onderhoud III, 25/10/2013 | Griet Kockelkoren, Collectierisicomanagemen...FARO
 
Introduce+Odung+Elementary
Introduce+Odung+ElementaryIntroduce+Odung+Elementary
Introduce+Odung+Elementary光章 林
 
Pri
PriPri
Prijanainii
 
Overview Of Housing/Credit Crisis And Why There Is More Pain To Come
Overview Of Housing/Credit Crisis And Why There Is More Pain To ComeOverview Of Housing/Credit Crisis And Why There Is More Pain To Come
Overview Of Housing/Credit Crisis And Why There Is More Pain To ComeAndrew Coleman
 
Trabajo De Laboratorio
Trabajo De LaboratorioTrabajo De Laboratorio
Trabajo De Laboratorioalicia8
 
El Amargo Sabor
El Amargo SaborEl Amargo Sabor
El Amargo SaborZamari Manzserran
 
Una Navidad Diferente
Una Navidad DiferenteUna Navidad Diferente
Una Navidad DiferenteAlejandro Becherini
 
Educational Tear Sheets
Educational Tear SheetsEducational Tear Sheets
Educational Tear Sheetssararshea
 
Niet al goud wat blinkt, 28 september 2015 | Loes Nijsmans
Niet al goud wat blinkt, 28 september 2015 | Loes NijsmansNiet al goud wat blinkt, 28 september 2015 | Loes Nijsmans
Niet al goud wat blinkt, 28 september 2015 | Loes NijsmansFARO
 
Niet al goud wat blinkt, 28 september 2015 | Waarderen doe je samen, leren wa...
Niet al goud wat blinkt, 28 september 2015 | Waarderen doe je samen, leren wa...Niet al goud wat blinkt, 28 september 2015 | Waarderen doe je samen, leren wa...
Niet al goud wat blinkt, 28 september 2015 | Waarderen doe je samen, leren wa...FARO
 
Haikus 8 Por Jem Wong
Haikus 8 Por Jem WongHaikus 8 Por Jem Wong
Haikus 8 Por Jem WongFANNY JEM WONG MIÑÁN
 
Q Grad Party
Q Grad PartyQ Grad Party
Q Grad Partyguest85b68a
 
Groot Onderhoud III, 25/10/2013 | Jorijn Neyrinck, Naar een duurzaam stedelij...
Groot Onderhoud III, 25/10/2013 | Jorijn Neyrinck, Naar een duurzaam stedelij...Groot Onderhoud III, 25/10/2013 | Jorijn Neyrinck, Naar een duurzaam stedelij...
Groot Onderhoud III, 25/10/2013 | Jorijn Neyrinck, Naar een duurzaam stedelij...FARO
 
Tech writing
Tech writingTech writing
Tech writingVincent Chu
 
Skybox Creative Corporate Brochure
Skybox Creative Corporate BrochureSkybox Creative Corporate Brochure
Skybox Creative Corporate Brochureskybox_creative
 
concierto de Navidad 08
concierto de Navidad 08concierto de Navidad 08
concierto de Navidad 08sebas navarro
 
El Reto Del Agua
El Reto Del AguaEl Reto Del Agua
El Reto Del AguaRonny Parra
 
Toekomst verkennen
Toekomst verkennenToekomst verkennen
Toekomst verkennenFARO
 
Escape!
Escape!Escape!
Escape!Di Elle
 
Tu Popularidad En Internet
Tu Popularidad En InternetTu Popularidad En Internet
Tu Popularidad En Internetsuperbuzoneo
 
Groot Onderhoud IV, 14 oktober 2014 | Rachael Corver, First World War 100
Groot Onderhoud IV, 14 oktober 2014 | Rachael Corver, First World War 100Groot Onderhoud IV, 14 oktober 2014 | Rachael Corver, First World War 100
Groot Onderhoud IV, 14 oktober 2014 | Rachael Corver, First World War 100FARO
 
Workshop CollectiveAccess: Pilootproject CollectiveAccess & cloud hosting
Workshop CollectiveAccess: Pilootproject CollectiveAccess & cloud hostingWorkshop CollectiveAccess: Pilootproject CollectiveAccess & cloud hosting
Workshop CollectiveAccess: Pilootproject CollectiveAccess & cloud hostingFARO
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuRob Ragan
 
Bank One App Sec Training
Bank One App Sec TrainingBank One App Sec Training
Bank One App Sec TrainingMike Spaulding
 
Web Security - Introduction
Web Security - IntroductionWeb Security - Introduction
Web Security - IntroductionSQALab
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Oles Seheda
 

Contenu connexe

En vedette

Trabajo De Laboratorio
Trabajo De LaboratorioTrabajo De Laboratorio
Trabajo De Laboratorioalicia8
 
Educational Tear Sheets
Educational Tear SheetsEducational Tear Sheets
Educational Tear Sheetssararshea
 
Niet al goud wat blinkt, 28 september 2015 | Loes Nijsmans
Niet al goud wat blinkt, 28 september 2015 | Loes NijsmansNiet al goud wat blinkt, 28 september 2015 | Loes Nijsmans
Niet al goud wat blinkt, 28 september 2015 | Loes NijsmansFARO
 
Niet al goud wat blinkt, 28 september 2015 | Waarderen doe je samen, leren wa...
Niet al goud wat blinkt, 28 september 2015 | Waarderen doe je samen, leren wa...Niet al goud wat blinkt, 28 september 2015 | Waarderen doe je samen, leren wa...
Niet al goud wat blinkt, 28 september 2015 | Waarderen doe je samen, leren wa...FARO
 
Groot Onderhoud III, 25/10/2013 | Jorijn Neyrinck, Naar een duurzaam stedelij...
Groot Onderhoud III, 25/10/2013 | Jorijn Neyrinck, Naar een duurzaam stedelij...Groot Onderhoud III, 25/10/2013 | Jorijn Neyrinck, Naar een duurzaam stedelij...
Groot Onderhoud III, 25/10/2013 | Jorijn Neyrinck, Naar een duurzaam stedelij...FARO
 
Skybox Creative Corporate Brochure
Skybox Creative Corporate BrochureSkybox Creative Corporate Brochure
Skybox Creative Corporate Brochureskybox_creative
 
concierto de Navidad 08
concierto de Navidad 08concierto de Navidad 08
concierto de Navidad 08sebas navarro
 
El Reto Del Agua
El Reto Del AguaEl Reto Del Agua
El Reto Del AguaRonny Parra
 
Toekomst verkennen
Toekomst verkennenToekomst verkennen
Toekomst verkennenFARO
 
Tu Popularidad En Internet
Tu Popularidad En InternetTu Popularidad En Internet
Tu Popularidad En Internetsuperbuzoneo
 
Groot Onderhoud IV, 14 oktober 2014 | Rachael Corver, First World War 100
Groot Onderhoud IV, 14 oktober 2014 | Rachael Corver, First World War 100Groot Onderhoud IV, 14 oktober 2014 | Rachael Corver, First World War 100
Groot Onderhoud IV, 14 oktober 2014 | Rachael Corver, First World War 100FARO
 
Workshop CollectiveAccess: Pilootproject CollectiveAccess & cloud hosting
Workshop CollectiveAccess: Pilootproject CollectiveAccess & cloud hostingWorkshop CollectiveAccess: Pilootproject CollectiveAccess & cloud hosting
Workshop CollectiveAccess: Pilootproject CollectiveAccess & cloud hostingFARO
 

En vedette (18)

Trabajo De Laboratorio
Trabajo De LaboratorioTrabajo De Laboratorio
Trabajo De Laboratorio
 
El Amargo Sabor
El Amargo SaborEl Amargo Sabor
El Amargo Sabor
 
Una Navidad Diferente
Una Navidad DiferenteUna Navidad Diferente
Una Navidad Diferente
 
Educational Tear Sheets
Educational Tear SheetsEducational Tear Sheets
Educational Tear Sheets
 
Niet al goud wat blinkt, 28 september 2015 | Loes Nijsmans
Niet al goud wat blinkt, 28 september 2015 | Loes NijsmansNiet al goud wat blinkt, 28 september 2015 | Loes Nijsmans
Niet al goud wat blinkt, 28 september 2015 | Loes Nijsmans
 
Niet al goud wat blinkt, 28 september 2015 | Waarderen doe je samen, leren wa...
Niet al goud wat blinkt, 28 september 2015 | Waarderen doe je samen, leren wa...Niet al goud wat blinkt, 28 september 2015 | Waarderen doe je samen, leren wa...
Niet al goud wat blinkt, 28 september 2015 | Waarderen doe je samen, leren wa...
 
Haikus 8 Por Jem Wong
Haikus 8 Por Jem WongHaikus 8 Por Jem Wong
Haikus 8 Por Jem Wong
 
Q Grad Party
Q Grad PartyQ Grad Party
Q Grad Party
 
Groot Onderhoud III, 25/10/2013 | Jorijn Neyrinck, Naar een duurzaam stedelij...
Groot Onderhoud III, 25/10/2013 | Jorijn Neyrinck, Naar een duurzaam stedelij...Groot Onderhoud III, 25/10/2013 | Jorijn Neyrinck, Naar een duurzaam stedelij...
Groot Onderhoud III, 25/10/2013 | Jorijn Neyrinck, Naar een duurzaam stedelij...
 
Tech writing
Tech writingTech writing
Tech writing
 
Skybox Creative Corporate Brochure
Skybox Creative Corporate BrochureSkybox Creative Corporate Brochure
Skybox Creative Corporate Brochure
 
concierto de Navidad 08
concierto de Navidad 08concierto de Navidad 08
concierto de Navidad 08
 
El Reto Del Agua
El Reto Del AguaEl Reto Del Agua
El Reto Del Agua
 
Toekomst verkennen
Toekomst verkennenToekomst verkennen
Toekomst verkennen
 
Escape!
Escape!Escape!
Escape!
 
Tu Popularidad En Internet
Tu Popularidad En InternetTu Popularidad En Internet
Tu Popularidad En Internet
 
Groot Onderhoud IV, 14 oktober 2014 | Rachael Corver, First World War 100
Groot Onderhoud IV, 14 oktober 2014 | Rachael Corver, First World War 100Groot Onderhoud IV, 14 oktober 2014 | Rachael Corver, First World War 100
Groot Onderhoud IV, 14 oktober 2014 | Rachael Corver, First World War 100
 
Workshop CollectiveAccess: Pilootproject CollectiveAccess & cloud hosting
Workshop CollectiveAccess: Pilootproject CollectiveAccess & cloud hostingWorkshop CollectiveAccess: Pilootproject CollectiveAccess & cloud hosting
Workshop CollectiveAccess: Pilootproject CollectiveAccess & cloud hosting
 

Similaire à Cis

Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuRob Ragan
 
Bank One App Sec Training
Bank One App Sec TrainingBank One App Sec Training
Bank One App Sec TrainingMike Spaulding
 
Web Security - Introduction
Web Security - IntroductionWeb Security - Introduction
Web Security - IntroductionSQALab
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Oles Seheda
 
Open Source Security
Open Source SecurityOpen Source Security
Open Source SecuritySander Temme
 
Let's pwn a chinese web browser!
Let's pwn a chinese web browser!Let's pwn a chinese web browser!
Let's pwn a chinese web browser!Juho Nurminen
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application SecurityNicholas Davis
 
XSS Without Browser
XSS Without BrowserXSS Without Browser
XSS Without Browserkosborn
 
API Security Webinar - Credential Stuffing
API Security Webinar - Credential StuffingAPI Security Webinar - Credential Stuffing
API Security Webinar - Credential StuffingDevOps Indonesia
 
API Security Webinar : Credential Stuffing
API Security Webinar : Credential StuffingAPI Security Webinar : Credential Stuffing
API Security Webinar : Credential StuffingDevOps Indonesia
 
Ubuntu And Parental Controls
Ubuntu And Parental ControlsUbuntu And Parental Controls
Ubuntu And Parental Controlsjasonholtzapple
 
Leveraging the Cloud - Getting the Most Bang for your Buck ( presentation by ...
Leveraging the Cloud - Getting the Most Bang for your Buck ( presentation by ...Leveraging the Cloud - Getting the Most Bang for your Buck ( presentation by ...
Leveraging the Cloud - Getting the Most Bang for your Buck ( presentation by ...Cloudyn
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesMohammed A. Imran
 
Capture-HPC talk@ OSDC.tw 2009
Capture-HPC talk@ OSDC.tw 2009Capture-HPC talk@ OSDC.tw 2009
Capture-HPC talk@ OSDC.tw 2009Da-Chang Guan
 
Android Hacking
Android HackingAndroid Hacking
Android Hackingantitree
 
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...MindShare_kk
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava
 

Similaire à Cis (20)

Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack Fu
 
Bank One App Sec Training
Bank One App Sec TrainingBank One App Sec Training
Bank One App Sec Training
 
Web Security - Introduction
Web Security - IntroductionWeb Security - Introduction
Web Security - Introduction
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3
 
Advanced Java
Advanced JavaAdvanced Java
Advanced Java
 
Open Source Security
Open Source SecurityOpen Source Security
Open Source Security
 
Let's pwn a chinese web browser!
Let's pwn a chinese web browser!Let's pwn a chinese web browser!
Let's pwn a chinese web browser!
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
 
XSS Without Browser
XSS Without BrowserXSS Without Browser
XSS Without Browser
 
API Security Webinar - Credential Stuffing
API Security Webinar - Credential StuffingAPI Security Webinar - Credential Stuffing
API Security Webinar - Credential Stuffing
 
API Security Webinar : Credential Stuffing
API Security Webinar : Credential StuffingAPI Security Webinar : Credential Stuffing
API Security Webinar : Credential Stuffing
 
Ubuntu And Parental Controls
Ubuntu And Parental ControlsUbuntu And Parental Controls
Ubuntu And Parental Controls
 
Leveraging the Cloud - Getting the Most Bang for your Buck ( presentation by ...
Leveraging the Cloud - Getting the Most Bang for your Buck ( presentation by ...Leveraging the Cloud - Getting the Most Bang for your Buck ( presentation by ...
Leveraging the Cloud - Getting the Most Bang for your Buck ( presentation by ...
 
Spiffy Spyware Stuff
Spiffy Spyware StuffSpiffy Spyware Stuff
Spiffy Spyware Stuff
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilities
 
Capture-HPC talk@ OSDC.tw 2009
Capture-HPC talk@ OSDC.tw 2009Capture-HPC talk@ OSDC.tw 2009
Capture-HPC talk@ OSDC.tw 2009
 
Macdoored
MacdooredMacdoored
Macdoored
 
Android Hacking
Android HackingAndroid Hacking
Android Hacking
 
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web Application
 

Dernier

Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 

Dernier (20)

Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 

Cis

  • 1. 19.12.2008 Chapin Information Services Chapin Information Services Home Google Chrome Receives Lowest Password Security Score News Safari Ties for Last Place Software Translations Security Experience 12/12/2008 — Google's new web Currently, the password manager that browser may be fast and slim, but the is closest to solving the first three My password management features it offers problems is built into Opera 9.62. With Bookmarks are full of bugs. Chapin Information invisble form elements deactivated, Contact Us Services (CIS) reported critical options to limit saved passwords to a vulnerabilities in this software during its single page, and partial destination beta period, all of which were unfixed at checking, this is certainly one of the release time. more worry-free products. © 2003-2008 by Chapin Among the problems are three in Also new to this round of testing is Information particular that, when combined, allow Safari 3.2 for Windows. Safari and Services, Inc. password thieves to take passwords Chrome are essentially tied for the without the user's knowledge. worst password manager built into a major web browser. 3rd-party 1. The destination where passwords applications and plugins that were are sent is not checked. tested in July also tended to score very 2. The location where passwords are low overall, but still offered more requested is not checked. inherent security than either Safari or 3. Invisible form elements can trigger Chrome. password management. For example, RoboForm, which scores A technique described and demonstrated much lower than Opera and Firefox, at by CIS two years ago leveraged such least gives its user the comfort of vulnerabilities without using client-side knowing passwords wont be saved or scripting. The implication was that an transmitted without their personal attacker need not have full control over a attention. Used in combination with a target server or a victim's computer to more reliable browser, it would also be obtain a password from their web free of the broken URI parsing CIS browser. found in both Safari and Chrome. These three problems, combined with Take your browser for a test drive in seventeen others so far identified in version 2.0 of our interactive password Chrome's password manager, form a management demonstration at the CIS toxic soup of potential vulnerabilities that website. can coalesce into broad insecurity. CIS Testing Results Internet Google Test Performed Opera 9.62 Firefox 3.0.4 Safari 3.2 Explorer 7.0 Chrome 1.0 Action Authority Checked on Retrieval PASSED PASSED FAILED FAILED FAILED Action Authority Checked on Save FAILED PASSED FAILED FAILED FAILED www.info-svc.com/news/2008/12-12/ 1/4
  • 2. 19.12.2008 Chapin Information Services Action Authority Raises Warnings FAILED FAILED FAILED FAILED FAILED Action Path Checked on Retrieval FAILED FAILED FAILED FAILED FAILED Action Path Checked on Save FAILED FAILED FAILED FAILED FAILED Action Scheme Checked on Retrieval PASSED PASSED FAILED FAILED FAILED Action Scheme Checked on Save FAILED PASSED FAILED FAILED FAILED Action Scheme Raises Warnings FAILED FAILED FAILED FAILED FAILED Action Scheme Prevented if Unsafe FAILED FAILED FAILED FAILED FAILED Autocomplete=Off Prevents Form Fills FAILED ? FAILED FAILED PASSED Invisiblility Prevents Form Fills PASSED FAILED PASSED PASSED FAILED Method Checked on Retrieval FAILED FAILED FAILED FAILED PASSED Method Raises Warnings FAILED FAILED FAILED FAILED FAILED Multiple Paths Per User Per Authority FAILED FAILED FAILED FAILED FAILED Multiple Ports Per User Per Host FAILED PASSED FAILED FAILED FAILED Multi. Schemes Per User Per Authority FAILED PASSED FAILED FAILED FAILED Page Path Checked on Retrieval PASSED FAILED PASSED FAILED FAILED Random Name Attr. Prevents Form Fills PASSED FAILED FAILED FAILED FAILED User Required for PW Retrieval PASSED FAILED PASSED FAILED FAILED User Required for PW Save FAILED FAILED PASSED PASSED FAILED Valid URIs Don't Break Anything PASSED PASSED PASSED FAILED FAILED Totals 7 7 5 2 2 * Google Chrome is the only PM that strictly adheres to the criteria for autocomplete by disabling itself. Firefox 3.0.4 will avoid filling a password when the page loads, but the PM remains attached to password fields for filling passwords. Test Descriptions Action Authority Checked on Retrieval To pass this test, the PM must never deliver a password to a domain other than the one to which the password was delivered when it was saved. For example, if a password is saved on a self-referring form, and then automatically filled in another form that points to a different website, then the PM has failed this test. Action Authority Checked on Save To pass this test, the PM must never overwrite the destination domain name of a password without explicit user interaction. For example, if a password is first saved on a self-referring form, and then re-saved on a form that points to a different website, and the PM prevents the password from being filled on the original form, then the PM has failed this test. Note the implicit requirement that a PM must distinguish authorities on retrieval. Action Authority Raises Warnings To pass this test, the PM must warn the user if the action authority does not match the page authority. For example, if a login form at www.info-svc.com:80 points to google.com or to www.info-svc.com:81, and the PM allows a user to save or submit a password using this form without notice, then the PM has failed this test. Action Path Checked on Retrieval To pass this test, the PM must never deliver a password to a path other than the one to which the password was delivered when it was saved. For example, if a password is saved on a self-referring form, and then automatically filled in another form that points to a different parent directory, then the PM has failed this test. Action Path Checked on Save To pass this test, the PM must never overwrite the destination path of a password without explicit user interaction. For example, if a password is first saved on a self-referring form, and then re-saved on a form that points to a parent directory, and the PM prevents the password from being filled on the original form, then the PM has failed this test. Note the implicit requirement that a PM must distinguish paths on retrieval. www.info-svc.com/news/2008/12-12/ 2/4
  • 3. 19.12.2008 Chapin Information Services Note the implicit requirement that a PM must distinguish paths on retrieval. Action Scheme Checked on Retrieval To pass this test, the PM must never deliver a password using a protocol other than the one by which the password was delivered when it was saved. For example, if a password is saved on a self-referring web page, and then automatically filled in another form that uses e-mail to deliver the password, then the PM has failed this test. Action Scheme Checked on Save To pass this test, the PM must never overwrite the destination scheme of a password without explicit user interaction. For example, if a password is first saved on an http: form, and then re-saved on a form that uses https: or mailto: and the PM prevents the password from being filled on the original form, then the PM has failed this test. Note the implicit requirement that a PM must distinguish schemes on retrieval. Action Scheme Raises Warnings To pass this test, the PM must warn the user if the action scheme is potentially unsafe or does not match the page scheme. For example, if a login form uses an e-mail application that will display the password on screen, and the PM allows the user to save or submit a password using this form without notice, then the PM has failed this test. Action Scheme Prevented if Unsafe To pass this test, the PM must successfully abort a password delivery if requested by the user. Autocomplete=Off Prevents Form Fills To pass this test, the PM must never deliver a password when the autocomplete attribute is present and set to quot;offquot;. Invisiblility Prevents Form Fills To pass this test, the PM must never deliver a password using a form that is not visible. For example, if a login form is present on a web page but has its display property set to none, and the PM automatically fills the form allowing the password to be transmitted despite being invisible, then the PM has failed this test. Method Checked on Retrieval To pass this test, the PM must never deliver a password using an HTTP method other than the one by which the password was delivered when it was saved. For example, if a password is saved on a form that uses POST, and then automatically filled in another form that uses GET to deliver the password, then the PM has failed this test. Method Raises Warnings To pass this test, the PM must warn the user if the password submission method is potentially unsafe. For example, if a login form uses GET, which causes the password to be added to the address bar, and the PM allows the user to save or submit a password using this form without notice, then the PM has failed this test. Multiple Paths per User per Authority To pass this test, the PM must allow a user to save different passwords in different paths of a single domain using the same user name. Note the implicit requirement that a PM must distinguish paths in both the action URI and page URI. Multiple Ports per User per Authority www.info-svc.com/news/2008/12-12/ 3/4
  • 4. 19.12.2008 Chapin Information Services To pass this test, the PM must allow a user to save different passwords using different ports on a single domain using the same user name. Note the implicit requirement that a PM must distinguish ports in both the action URI and page URI. Multiple Schemes per User per Authority To pass this test, the PM must allow a user to save different passwords using different schemes on a single domain using the same user name. Note the implicit requirement that a PM must distinguish schemes in both the action URI and page URI. Page Path Checked on Retrieval To pass this test, the PM must never deliver a password to a path other than the one at which the password was requested when it was saved. For example, if a password is saved on a self-referring form, and then automatically filled in another form that points to the same path but is located in the parent directory, then the PM has failed this test. Random Name Attribute Prevents Form Fills To pass this test, the PM must never fill a password in a form field whose name attribute does not match the name of the field that was used to save the password. User Required for Password Retrieval To pass this test, the PM must never fill a password without explicit user interaction. User Required for Password Save To pass this test, the PM must never save or overwrite a password without explicit user interaction. For example, if a password is saved with a username, and then the same form is re-submitted with the same username and a different password, and the PM then fills the new password into forms instead of the original password, then the PM has failed this test. Valid URIs Don't Break Anything To pass this test, the PM must never submit a password to the wrong URI or fail to submit a password to a valid URI as a result of erroneous action attribute parsing. For example, if the action attribute value is quot;mailto:localpart@www.info-svc.comquot; and the PM delivers a password to quot;http://www.info- svc.com/mailto:localpart@www.info-svc.comquot; then the PM has failed this test. www.info-svc.com/news/2008/12-12/ 4/4