Investigation Report Regarding Security Issues of Web Applications Using HTML5

Total Page:16

File Type:pdf, Size:1020Kb

Investigation Report Regarding Security Issues of Web Applications Using HTML5 Investigation Report Regarding Security Issues of Web Applications Using HTML5 JPCERT Coordination Center October 30, 2013 Contents 1. Introduction ...................................................................................................................... 2 2. Purpose and Method of This Investigation ...................................................................... 4 2.1. Purpose .................................................................................................................... 4 2.2. Method ..................................................................................................................... 4 3. Vulnerabilities that need to be noted especially in HTML5 .............................................. 5 3.1. Cross Site Scripting ............................................................................................... 5 3.2. Cross Site Request Forgery ................................................................................ 10 3.3. Open Redirect ....................................................................................................... 12 3.4. Defect in Access or Authorization Control ........................................................ 15 4. HTML5 features that should be noted ........................................................................... 16 4.1. Newly Added HTML Elements ............................................................................. 16 4.2. JavaScript API ....................................................................................................... 23 4.3. XMLHttpRequest ................................................................................................... 30 5. Security features in HTML5 ........................................................................................... 39 5.1. X-XSS-Protection .................................................................................................. 39 5.2. X-Content-Type-Options ...................................................................................... 40 5.3. X-Frame-Options ................................................................................................... 42 5.4. Content-Security-Policy ....................................................................................... 43 5.5. Content-Disposition ............................................................................................. 45 5.6. Strict-Transport-Security ..................................................................................... 47 6. Conclusion...................................................................................................................... 49 References ............................................................................................................................ 50 Appendix ................................................................................................................................ 52 Browsers Used in this Report ........................................................................................ 52 1 1. Introduction In a narrow sense, HTML5 is a specification of a markup language for structuring and presenting contents on the World Wide Web, and it is in the process of formulation by WHATWG and W3C as the next generation of HTML standard which will take over HTML4, the current standard. In a broad sense, HTML5 is a framework for describing web application, including not only the mark-up language but also WebSocket protocol and other related Internet standards. HTML5 is rapidly gathering population according to the inquiry held by Evans Data, an investigation company, in January 2012, in which 58 percent of engineers answered to adopt HTML5 when developing a new web site. A large number of vendors and entities including web browser developers have been working closely on the implementation of HTML5 in order to respond to such strong market needs, however, they sometimes implement incompatible details in their products such as browser because of the insufficient draft-specification still reviewed by the standardization entity. While HTML5 and its peripheral technologies enable more flexible and convenient web sites to be developed, such as Web Storage storing data in the browser of the web site viewer (herein, “user”), WebSocket for a server and a client to communicate in full-duplex, and Geolocation acquiring geographical location information, , considerations and notifications regarding how attackers may exploit these new features have yet to be properly performed and thus there are concerns that HTML5 may become more and more prevalent without proper security measures being put in place. This investigation was performed to provide web security researchers and web application developers with the basic information about how HTML5 migration may affect web application security by organizing currently known issues. We delegated this research project to web security experts who mainly focused on vulnerabilities that may be built in as a result of using newly added features in HTML5, and methods on utilizing newly added features when building secure web applications as well as considerations upon using such features. As mentioned above, there are discrepancies in the implementation of HTML5 specifications. The results in this report are based on browser implementations from August, 2012 to February, 2013. The list of browsers used in this investigation is listed in the Appendix. This report is composed of 6 sections. Section 1 provides the overview of this investigation and Section 2 will continue to describe the purpose and methods for this investigation. Section 3 gives an overview of long-lasting web application vulnerabilities and respective countermeasures that must be carefully considered in the development phase of the web applications. This section also describes the new attack vectors introduced by the HTML5 as well as 2 web application development considerations that were not necessary in the past but have become necessary due to HTML5. Section 4 contains a description of pitfalls leading to the vulnerabilities in web applications and corresponding mitigations from the point of view of the newly added features in the HTML5 and widely used functions in web application development using the HTML5. Section 5 contains information on browser security features that are particularly effective for secure operations of HTML5 web applications by focusing on how to configure and implement these features. Section 6 gives a conclusion of this report. The contents of this report were created so that it can act as a starting point for discussions on how to develop secure web applications using HTML5. Since this report focuses on HTML5 features used in web applications, basic technologies related to conventional web application security may not be mentioned here. Please refer to the "How to Secure Your Website" document provided by the Information-technology Promotion Agency (herein, IPA) for such information. Also, not a few specifications of HTML5 still remain undetermined, and for this reason, it is necessary to continuously pay attention to the standardizing processes and their impacts on security. In addition, it cannot be denied that new attack methods specific to HTML5 may be discovered in the future. Therefore, we believe that this report needs to be updated periodically by adding new findings and feedbacks from readers of this report, since this report lists security issues on HTML5 that were discovered at the time of the investigation and the basic mitigations against such issues. 3 2. Purpose and Method of This Investigation 2.1. Purpose The purpose of this investigation was to examine the mechanism of the vulnerabilities themselves and basic mitigations to avoid from such vulnerabilities. It was additionally to provide materials that can serve as a basis for technical documentations and guidelines for secure web application development, regarding major vulnerabilities that tend to be accidentally implemented into the HTML5 web applications and frequently utilized in the HTML5 web applications. 2.2. Method In this investigation, we made the following list of newly introduced features in the HTML5, and offered web application security experts to investigate security risks and mitigations. HTML elements that have been newly added or functionally expanded: meta a iframe video audio source canvas input button Newly defined JavaScript API WebSocket Web Storage Offline Web Application Web Workers Cross Document Messaging In this investigation, we first listed up security risks of each feature and studied them, then inspected them as much as possible, and finally compiled this report. In addition, we also investigated other security issues and included them into this report. 4 3. Vulnerabilities that need to be noted especially in HTML5 In HTML5, new elements and attributes were added in order to expand features to present contents in web browsers. Misuse of such elements and attributes may cause vulnerabilities to be built into web sites. In addition, web applications that had been secure in the past may became vulnerable since features newly enhanced to the HTML5 may become available for attackers to attack. Of those vulnerabilities, we focused and deeply analyzed the following 4 vulnerabilities that web application developers should especially keep in mind: Cross Site Scripting (XSS) Cross Site Request Forgery (CSRF) Open Redirect Lack of Access and Authorization Control
Recommended publications
  • How to Secure Your Web Site Picked up SQL Injection and Cross-Site Scripting As Sample Cases of Failure Because These Two Are the Two Most Reported Vulnerabilities
    How to Secure your Website rd 3 Edition Approaches to Improve Web Application and Web Site Security June 2008 IT SECURITY CENTER (ISEC) INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN This document is a translation of the original Japanese edition. Please be advises that most of the references referred in this book are offered in Japanese only. Both English and Japanese edition are available for download at: http://www.ipa.go.jp/security/english/third.html (English web page) http://www.ipa.go.jp/security/vuln/websecurity.html (Japanese web page) Translated by Hiroko Okashita (IPA), June 11 2008 Contents Contents ......................................................................................................................................... 1 Preface ........................................................................................................................................... 2 Organization of This Book ........................................................................................................... 3 Intended Reader ......................................................................................................................... 3 Fixing Vulnerabilities – Fundamental Solution and Mitigation Measure - .................................... 3 1. Web Application Security Implementation ............................................................................... 5 1.1 SQL Injection .................................................................................................................... 6 1.2
    [Show full text]
  • The Web Never Forgets: Persistent Tracking Mechanisms in the Wild
    The Web Never Forgets: Persistent Tracking Mechanisms in the Wild Gunes Acar1, Christian Eubank2, Steven Englehardt2, Marc Juarez1 Arvind Narayanan2, Claudia Diaz1 1KU Leuven, ESAT/COSIC and iMinds, Leuven, Belgium {name.surname}@esat.kuleuven.be 2Princeton University {cge,ste,arvindn}@cs.princeton.edu ABSTRACT 1. INTRODUCTION We present the first large-scale studies of three advanced web tracking mechanisms — canvas fingerprinting, evercookies A 1999 New York Times article called cookies compre­ and use of “cookie syncing” in conjunction with evercookies. hensive privacy invaders and described them as “surveillance Canvas fingerprinting, a recently developed form of browser files that many marketers implant in the personal computers fingerprinting, has not previously been reported in the wild; of people.” Ten years later, the stealth and sophistication of our results show that over 5% of the top 100,000 websites tracking techniques had advanced to the point that Edward employ it. We then present the first automated study of Felten wrote “If You’re Going to Track Me, Please Use Cook­ evercookies and respawning and the discovery of a new ev­ ies” [18]. Indeed, online tracking has often been described ercookie vector, IndexedDB. Turning to cookie syncing, we as an “arms race” [47], and in this work we study the latest present novel techniques for detection and analysing ID flows advances in that race. and we quantify the amplification of privacy-intrusive track­ The tracking mechanisms we study are advanced in that ing practices due to cookie syncing. they are hard to control, hard to detect and resilient Our evaluation of the defensive techniques used by to blocking or removing.
    [Show full text]
  • Do Not Track a Nokia Browser Look
    Do Not Track Nokia Browser Position - Vikram Malaiya Copyright: Nokia Corporation, 2011 Our understanding of Do Not Track (DNT) • DNT is a technology to enables users to opt out of third-party web tracking • No agreed upon definition of DNT. There are currently 3 major technology proposals for responding to third-party privacy concern. 1. Stanford University and Mozilla’s DNT HTTP Header technique. 2. Blacklist based technique such as Microsoft’s ‘Tracking Protection’ which is part of IE9 3. Network Advertising Initiative’s model of a per company opt-out cookie. Opt-out cookie approach is being promoted by Google. DNT as HTTP Header The Browser adds ‘DNT’/ ‘X-Do-Not-Track’ to its http header. The header is sent out to the server with every web request. This header acts as a signal to the server suggesting that the user wishes to opt out of tracking. Adoption: Firefox 4, IE9 DNT as HTTP Header • Pros: – Scope: Server could apply restrictions to all third party entities and tracking mechanisms – Persistent: No reconfiguration needed once set – Simple: Easy to implement on the browser side • Cons: – Only work as long as the server honors users preferences – No way to enforce national regulations/legislations to servers located beyond country boundaries Block(Black) List / Tracking Protection This is a consumer opt-in mechanism which blocks web connections from known tracking domains that are compiled on a list. First party Third party Adoption: ‘Tracking Protection’ in Internet Explorer 9 cy.analytix.com The downloadable Tracking allow Protection Lists enable IE9 xy.ads.com consumers to control what deny third-party site content can deny track them when they’re ads.tracker.com Tracking Protection online.
    [Show full text]
  • In-Depth Evaluation of Redirect Tracking and Link Usage
    Proceedings on Privacy Enhancing Technologies ; 2020 (4):394–413 Martin Koop*, Erik Tews, and Stefan Katzenbeisser In-Depth Evaluation of Redirect Tracking and Link Usage Abstract: In today’s web, information gathering on 1 Introduction users’ online behavior takes a major role. Advertisers use different tracking techniques that invade users’ privacy It is common practice to use different tracking tech- by collecting data on their browsing activities and inter- niques on websites. This covers the web advertisement ests. To preventing this threat, various privacy tools are infrastructure like banners, so-called web beacons1 or available that try to block third-party elements. How- social media buttons to gather data on the users’ on- ever, there exist various tracking techniques that are line behavior as well as privacy sensible information not covered by those tools, such as redirect link track- [52, 69, 73]. Among others, those include information on ing. Here, tracking is hidden in ordinary website links the user’s real name, address, gender, shopping-behavior pointing to further content. By clicking those links, or or location [4, 19]. Connecting this data with informa- by automatic URL redirects, the user is being redirected tion gathered from search queries, mobile devices [17] through a chain of potential tracking servers not visible or content published in online social networks [5, 79] al- to the user. In this scenario, the tracker collects valuable lows revealing further privacy sensitive information [62]. data about the content, topic, or user interests of the This includes personal interests, problems or desires of website. Additionally, the tracker sets not only third- users, political or religious views, as well as the finan- party but also first-party tracking cookies which are far cial status.
    [Show full text]
  • IYIR for HTML
    INFOSEC UPDATE 2006 Student Workbook Norwich University June 19-20, 2006 M. E. Kabay, PhD, CISSP-ISSMP Assoc. Prof. Information Assurance Program Director, MSIA BSIA Division of Business Management Norwich University [email protected] Copyright © 2006 M. E. Kabay. All rights reserved. Page 1 INFOSEC UPDATE 2006 -- June 19-20, 2006 01 Introduction Category 01 Introduction 2006-06-12 Introduction M. E. Kabay, PhD, CISSP WELCOME Welcome to the 2005 edition of the Information Security Year in Review (IYIR) project. In 1993 and 1994, I was an adjunct professor in the Institute for Government Informatics Professionals in Ottawa, Canada under the aegis of the University of Ottawa. I taught a one-semester course introducting information security to government personnel and enjoyed the experience immensely. Many of the chapters of my 1996 textbook, _The NCSA Guide to Enterprise Security_ published by McGraw-Hill were field-tested by my students. In 1995, I was asked if I could run a seminar for graduates of my courses to bring them up to date on developments across the entire field of information security. Our course had twenty students and I so enjoyed it that I continued to develop the material and teach the course with the NCSA (National Computer Security Association; later called ICSA and then eventually renamed TruSecure Corporation and finally CyberTrust, its current name) all over the United States, Canada, Europe, Asia and the Caribbean. After a few years of working on this project, it became obvious that saving abstracts in a WordPerfect file was not going to cut it as an orderly method for organizing the increasing mass of information that I was encountering in my research.
    [Show full text]
  • IBM Cognos Analytics - Reporting Version 11.1
    IBM Cognos Analytics - Reporting Version 11.1 User Guide IBM © Product Information This document applies to IBM Cognos Analytics version 11.1.0 and may also apply to subsequent releases. Copyright Licensed Materials - Property of IBM © Copyright IBM Corp. 2005, 2021. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. IBM, the IBM logo and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at " Copyright and trademark information " at www.ibm.com/legal/copytrade.shtml. The following terms are trademarks or registered trademarks of other companies: • Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries. • Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. • Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. • Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. • UNIX is a registered trademark of The Open Group in the United States and other countries. • Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
    [Show full text]
  • HTTP Cookie - Wikipedia, the Free Encyclopedia 14/05/2014
    HTTP cookie - Wikipedia, the free encyclopedia 14/05/2014 Create account Log in Article Talk Read Edit View history Search HTTP cookie From Wikipedia, the free encyclopedia Navigation A cookie, also known as an HTTP cookie, web cookie, or browser HTTP Main page cookie, is a small piece of data sent from a website and stored in a Persistence · Compression · HTTPS · Contents user's web browser while the user is browsing that website. Every time Request methods Featured content the user loads the website, the browser sends the cookie back to the OPTIONS · GET · HEAD · POST · PUT · Current events server to notify the website of the user's previous activity.[1] Cookies DELETE · TRACE · CONNECT · PATCH · Random article Donate to Wikipedia were designed to be a reliable mechanism for websites to remember Header fields Wikimedia Shop stateful information (such as items in a shopping cart) or to record the Cookie · ETag · Location · HTTP referer · DNT user's browsing activity (including clicking particular buttons, logging in, · X-Forwarded-For · Interaction or recording which pages were visited by the user as far back as months Status codes or years ago). 301 Moved Permanently · 302 Found · Help 303 See Other · 403 Forbidden · About Wikipedia Although cookies cannot carry viruses, and cannot install malware on 404 Not Found · [2] Community portal the host computer, tracking cookies and especially third-party v · t · e · Recent changes tracking cookies are commonly used as ways to compile long-term Contact page records of individuals' browsing histories—a potential privacy concern that prompted European[3] and U.S.
    [Show full text]
  • Statement of Justin Brookman Director, Consumer Privacy Center for Democracy & Technology Before the U.S. Senate Committee O
    Statement of Justin Brookman Director, Consumer Privacy Center for Democracy & Technology Before the U.S. Senate Committee on Commerce, Science, and Transportation Hearing on “A Status Update on the Development of Voluntary Do-Not-Track Standards” April 24, 2013 Chairman Rockefeller, Ranking Member Thune, and Members of the Committee: On behalf of the Center for Democracy & Technology (CDT), I thank you for the opportunity to testify today. We applaud the leadership the Chairman has demonstrated in examining the challenges in developing a consensus Do Not Track standard and appreciate the opportunity to address the continued insufficiency of self-regulatory consumer privacy protections. CDT is a non-profit, public interest organization dedicated to preserving and promoting openness, innovation, and freedom on the decentralized Internet. I currently serve as the Director of CDT’s Consumer Privacy Project. I am also an active participant in the Worldwide Web Consortium’s Tracking Protection Working Group, where I serve as editor of the “Tracking Compliance and Scope” specification — the document that purports to define what Do Not Track should mean. My testimony today will briefly describe the history of online behavioral advertising and the genesis of the Do Not Track initiative. I will then describe the current state of the World Wide Web Consortium’s efforts to create Do Not Track standards and the challenges going forward to implement Do Not Track tools successfully. I will conclude with my thoughts on the future of Do Not Track. and why I believe that this protracted struggle demonstrates the need for the fundamental reform of our nation’s privacy protection framework for commercial and government collection and use of personal information.
    [Show full text]
  • Amazon Silk Developer Guide Amazon Silk Developer Guide
    Amazon Silk Developer Guide Amazon Silk Developer Guide Amazon Silk: Developer Guide Copyright © 2015 Amazon Web Services, Inc. and/or its affiliates. All rights reserved. The following are trademarks of Amazon Web Services, Inc.: Amazon, Amazon Web Services Design, AWS, Amazon CloudFront, AWS CloudTrail, AWS CodeDeploy, Amazon Cognito, Amazon DevPay, DynamoDB, ElastiCache, Amazon EC2, Amazon Elastic Compute Cloud, Amazon Glacier, Amazon Kinesis, Kindle, Kindle Fire, AWS Marketplace Design, Mechanical Turk, Amazon Redshift, Amazon Route 53, Amazon S3, Amazon VPC, and Amazon WorkDocs. In addition, Amazon.com graphics, logos, page headers, button icons, scripts, and service names are trademarks, or trade dress of Amazon in the U.S. and/or other countries. Amazon©s trademarks and trade dress may not be used in connection with any product or service that is not Amazon©s, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon. AWS documentation posted on the Alpha server is for internal testing and review purposes only. It is not intended for external customers. Amazon Silk Developer Guide Table of Contents What Is Amazon Silk? .................................................................................................................... 1 Split Browser Architecture ......................................................................................................
    [Show full text]
  • I Can't Generalize a Whole Lot About the Maxthon Cloud Browser, Which Got
    I can’t generalize a whole lot about the Maxthon Cloud Browser, which got a major upgrade to Version 4.x in a December preview and was officially released on February 25. Maxthon Cloud Browser versions are available for Windows, OS X, iOS and Android, and it’s designed to provide users with a seamless and unified user experience across multiple devices and platforms. I can’t speak to the Windows and Android versions, but I’m unevenly impressed with the OS X and iOS variants. I found myself quickly becoming a fan of the OS X version; it’s a lot like Google’s Chrome browser—very fast and slick with super-smooth performance—but more so. It incorporates pretty much everything I like about Chrome, such as an automatic Google Translate machine translation option. The iOS version isn’t bad, just not nearly as outstanding as the OS X version. Interestingly, that would be my assessment of Google Chrome for iOS compared with Chrome for OS X, as well, and I think the reason in both instances is Apple’s imposition on its own WebKit technology on iOS browsers. Using Maxthon Cloud Browser for iOS is not terribly different from the standard iOS Safari experience in terms of speed, but the iOS version of Maxthon has an absolutely maddening bug that sporadically turns the screen brightness on my iPad 2 down to minimum, obliging a trip to the iOS Settings to restore it. I suspect that Maxthon for iOS’s Brightness Control feature that purportedly lets you adjust screen brightness from within the browser, and/or Night Mode that adjusts screen brightness in low light situations are responsible for this behavior.
    [Show full text]
  • Mozilla, the European Perspective
    Mozilla, the European perspective Pascal Chevrel Mozilla Europe October 09 TheThe MozillaMozilla structurestructure Project led by a non-profit: Mozilla Foundation 2 direct subsidiaries: Mozilla Corporation (Web and labs) Mozilla Messaging (Thunderbird) 3 regional affiliates Mozilla Europe Mozilla Japan Mozilla China AA fewfew factsfacts aboutabout MozillaMozilla inin EuropeEurope 45% of Firefox users are in Europe (~150 million) ~32% market share in Europe (vs 23% world) Regional affiliate to Mozilla (Mozilla Europe) Firefox in 41 European languages Dynamic professional market based on the Mozilla platform or using pieces of it (Mozdev Group, Zoomorama, Briks, Glaxstar, Disruptive Innovations, TomTom, 3Liz, Nokia...) France:France: aa fertilefertile fieldfield forfor MozillaMozilla Strong and organized community of developers building applications with the Mozilla platform Organized community with several not for profit organizations (frenchmozilla, geckozone, xulfr) Mozilla Europe is based in Paris Professional market for Xul outside of Firefox add- ons (intranet applications, large scale deployments of Firefox/Thunderbird, industry applications...) TheThe EuropeanEuropean MozillaMozilla CommunityCommunity EuropeanEuropean eventsevents onon MozillaMozilla TechnologiesTechnologies Two annual European-wide meetings for Mozilla 1. FOSDEM, in Université Libre de Bruxelles 2. MozCamp Europe + Direct education outreach with Mozilla Add-ons Workshops across Europe WhyWhy MozillaMozilla EducationEducation inin Europe?Europe? The Mozilla project values are based on sharing of knowledge and meritocracy, values shared with Education Open Source is quickly gaining acceptance both in the industry and the public sector in Europe, making Mozilla technologies an asset on the job market The Web was invented in Europe in CERN ! MMTCMMTC coursecourse inin Madrid,Madrid, 20092009 CollaborationCollaboration withwith URJCURJC A 3 months course online, started with a one week live session of teaching in Madrid.
    [Show full text]
  • Download Forecheck Guide
    Forecheck Content 1 Welcome & Introduction 5 2 Overview: What Forecheck Can Do 6 3 First Steps 7 4 Projects and Analyses 9 5 Scheduler and Queue 12 6 Important Details 13 6.1 La..n..g..u..a..g..e..s.,. .C...h..a..r.a..c..t.e..r. .S..e..t.s.. .a..n..d.. .U..n..i.c..o..d..e....................................................................... 13 6.2 Ch..o..o..s..i.n..g.. .t.h..e.. .c.o..r..r.e..c..t. .F..o..n..t............................................................................................. 14 6.3 St.o..r.a..g..e.. .L..o..c..a..t.i.o..n.. .o..f. .D..a..t.a................................................................................................ 15 6.4 Fo..r.e..c..h..e..c..k. .U...s.e..r.-.A...g..e..n..t. .a..n..d.. .W...e..b.. .A..n..a..l.y..s.i.s.. .T..o..o..l.s............................................................. 15 6.5 Er.r.o..r.. .H..a..n..d..l.i.n..g................................................................................................................ 17 6.6 Ro..b..o..t.s...t.x..t.,. .n..o..i.n..d..e..x..,. .n..o..f.o..l.l.o..w......................................................................................... 18 6.7 Co..m...p..l.e..t.e.. .A..n..a..l.y..s..i.s. .o..f. .l.a..r.g..e.. .W....e..b..s.i.t.e..s............................................................................. 20 6.8 Fi.n..d..i.n..g.. .a..l.l. .p..a..g..e..s. .o..f. .a.. .W....e..b..s.i.t.e....................................................................................... 21 6.9 Go..o..g..l.e.. .A...n..a..l.y.t.i.c..s.
    [Show full text]