Securing Web Applications using OWASP ZAP in passive mode

The OWASP Zed Attack Proxy is a powerful open source web application security assessment tool. Even in passive mode, where it just inspects the traffic generated by your browser, it can give valuable pointers for securing your web application against abuse.

In this blog post I will explain how to configure your browser to use the OWASP ZAP proxy while clicking through a web application running on localhost. I will also explain its various findings and how to solve them.

Configuring OWASP ZAP



I will be using OWASP ZAP version 2.2.2, which can be downloaded here. As it's a proxy, it will sit between your browser and the web application, allowing it to inspect all traffic. Think of it as a man-in-the-middle :-). The first thing that needs to be done is making sure that your browser is using ZAP as a proxy. If you're using Firefox 24 or better you're in luck, as version 2.2.2 contains a 'Plug and Hack' feature which allows automatic configuration of Firefox and includes a command line interface in the browser. The button is on the Quick Start page in ZAP.

For all other browsers, you will need to open your connection settings and configure a proxy.

  • Chrome : 'settings' -> 'show advanced settings' -> 'network' -> 'Change proxy settings'

  • Internet Explorer : 'tools' -> 'internet options' -> 'connections' -> 'LAN settings'


Make sure you set the host to localhost and the port to 8080; these are the ZAP proxy defaults. Make sure to use these settings for all protocols.

Now when you surf to a website the ZAP proxy will log all HTTP requests and responses and tell you if something is wrong with them.

Starting your web application



Most of the time when I develop a web application I let it run on port 8080. In this case that is not possible, as the ZAP proxy is using that port. It's also using port 8081 for its AJAX proxy. So the web application needs to be reconfigured to run on a different port. If you're using the tomcat7-maven-plugin it's easy, as you can just change the port in the configuration tag to another value, like 8082. Alternatively you can reconfigure ZAP to use a different port in 'tools' -> 'options' -> 'Local proxy'. Remember to also reconfigure your browser to use the changed proxy port.

Now with your web application and ZAP running, point your browser to the URL of the application and hit enter and see what happens!

OWASP ZAP PROXY

You will notice that the URLs you navigate to and all the resources required to render the page are displayed in the Sites tab on the left of the screen (you can expand the nodes to see a directory-like view of all URLs accessed). In the middle section of the screen there are the request and response tabs. Here you can examine all the details, headers and content of the requests and responses. At the bottom of the screen there are the History tab, logging all requests sequentially, and the Alerts tab. When there is something potentially wrong with a request or response, a warning will appear here. In the right part of this tab there is an explanation of the issue. Clicking on the URL with the alert will display the offending part in the response tab.

Also notice the top left drop-down box; it allows you to set the mode ZAP is working in. Safe mode is sufficient for now; the other options, protected and standard mode, also allow offensive tests to be performed.

While navigating through your web application, more and more warnings will appear (at least they did with mine :-)). Below I have compiled a list of the alerts I was able to create and what can be done about them in terms of Java software development.

Common Alerts and their Solutions



Session ID in URL rewrite (Medium Risk)



The container or web application is using URL rewriting to put the Session ID in the URL. This is typically used as a fallback if the browser doesn't support cookies as a session mechanism. When the Session ID is in the request it may be bookmarked, cached or disclosed in the referer header. This is bad as it allows session hijacking.

Solving this alert is easy if you have a Servlet 3.0 web container: just put the following snippet in the web.xml. It will instruct the container to use cookies only.


<session-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>


If you use a container supporting an older Servlet specification, there are container-specific ways to do this. For example, in Tomcat 6 you can put the disableURLRewriting="true" attribute in the context.xml.

Referer expose session ID (Medium Risk)



This is actually the same as the above alert only this time it warns about a link to an external host which may allow the Session ID to be exposed using the HTTP referer header. The referer header tells the website receiving the request who referred to them (and yes, referer is a typo which got into the HTTP specification ;-)

Secure pages including mixed content (Medium Risk)



This alert is given when the page itself is delivered through HTTPS but some of its resources (such as images and scripts) are not. This lowers the trustworthiness of the page as the unsecured parts of the page may be sniffed or fall victim to a man in the middle attack. The solution? Make sure all your resources are delivered over HTTPS. Yes, blog.42.nl is an excellent example of this warning :-)

Application Error disclosure (Medium Risk)



This alert is triggered when ZAP thinks an error message containing implementation details (such as a stacktrace or a file path) is present in the response. This is bad as this information can be used to launch further attacks against the web application. The solution? Have a generic error page and log the stacktrace. In the Servlet API 3.0 this can be done in a one-liner in the web.xml. For older Servlet versions a little more work is needed.

<!-- Servlet API 3.0 -->
<error-page><location>/oops.html</location></error-page>
<!-- Older Servlet API versions (more HTTP error codes may be required) -->
<error-page><error-code>500</error-code><location>/oops.html</location></error-page>
<error-page><error-code>503</error-code><location>/oops.html</location></error-page>


Content-Type header missing (Low Risk)



If the Content-Type header is missing in the response, the browser must guess the content type.

Cookie no http-only flag (Low Risk)



If a cookie has no http-only flag it's accessible from JavaScript. When the page has a cross site scripting (XSS) vulnerability, the value of the cookie may be stolen and used to hijack the session if it's a session cookie. Make sure that the http-only modifier is set on the cookie. There are various ways to do it. The easiest is when you have a Servlet API 3.0 container; there you can just declare it in the web.xml:

<session-config>
<cookie-config>
<http-only>true</http-only>
</cookie-config>
</session-config>


Cookie without secure flag (Low Risk)



The secure flag of a cookie makes sure that the cookie is only used over HTTPS connections. If it is not set, the cookie may also be sent over non-HTTPS connections, allowing for session hijacking. In a Servlet API 3.0 container you can set the secure tag to true in the web.xml to make the cookie HTTPS only.

Cross-domain JavaScript source file inclusion (Low Risk)



The page includes one or more script files from a third-party which is outside the control of this web application and as such may contain 'unexpected' functionality.

Incomplete or no cache-control and pragma HTTP header set (Low Risk)



Part of the browser's functionality is to cache downloaded pages and resources. This speeds up browsing. However, in most web applications a page is different on each request, so caching must be disabled. In most cases the no-cache and must-revalidate options are sufficient; however, if your page holds data of a personal nature, additional options are required. no-store disallows storing the page and private disallows caching by a shared cache such as a proxy. Not setting these options may cause the personal data to be stored somewhere and, worst case, delivered to some other user. Cache settings must be applied for both versions of HTTP because you never know what version a proxy supports. You will need to add the following headers:



Version    Header          Value
HTTP/1.1   Cache-Control   no-cache, no-store, must-revalidate, private
HTTP/1.0   Pragma          no-cache


For more information see RFC2616.

Password Autocomplete in browser (Low Risk)



Most users find remembering a password hard, so they are quite happy with the browser remembering it for them. However, this also poses a security risk: anyone using that browser can now access the application protected by the password. If you want to disable the password auto-complete feature you can add the autocomplete="off" attribute to the input tag that will hold the password.

Private IP disclosure (Low Risk)



A private IP address such as 10.x.x.x, 172.x.x.x or 192.168.x.x has been found in the HTTP response body. This may be helpful for further attacks targeting internal systems.

X-Content-Type-Options header missing (Low Risk)



Besides the Content-Type header, it's also possible to serve some options with it using the X-Content-Type-Options header. One of them is the nosniff option, which prevents browsers from guessing the right content type if for some reason the wrong one was specified. Such guessing is risky as it may trick your browser into loading a page disguised as something else (an image for example). Read this for more details. Adding a header is easy using, for example, a Servlet filter. The upcoming Spring-Security 3.2 has built-in support for this and other headers.

httpServletResponse.addHeader("X-Content-Type-Options", "nosniff");


IE8's XSS protection filter not disabled (Info)



The XSS protection filter in IE8+ protects against reflected cross site scripting (this is the kind of cross site scripting where the evil script is in the request URL or parameters). Sometimes this filter breaks existing functionality, so it can be turned off or on by the server using a proprietary header. Read this stackoverflow entry for more details. Turning the filter on or off (for Internet Explorer only) works like this:

httpServletResponse.addHeader("X-XSS-Protection", "1; mode=block"); // on
httpServletResponse.addHeader("X-XSS-Protection", "0"); // off


X-Frame-Options header not set (Info)


Without this header present, your web application may be put into an IFRAME on any other page, perhaps as part of a clickjacking scheme. The X-Frame-Options header allows you to specify which domains may put your web application into an IFRAME. See RFC7034 for more details.

httpServletResponse.setHeader("X-Frame-Options", "DENY"); // DENY, SAMEORIGIN, or ALLOW-FROM
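
After applying the fixes above, the header, cookie and body alerts can be re-checked with a small script. This is an added example, not code from the original post or from ZAP: it approximates a subset of the alerts, the function names and both sample responses are constructed, and the private-address test assumes the RFC 1918 ranges.

```python
import re
from ipaddress import ip_address, ip_network

# Directive set taken from the post's Cache-Control table row.
REQUIRED_CACHE_CONTROL = {"no-cache", "no-store", "must-revalidate", "private"}
# Assumption: "private IP" means the RFC 1918 ranges.
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Servlet containers rewrite URLs by appending a ";jsessionid=" path parameter.
SESSION_ID_RE = re.compile(r";jsessionid=", re.IGNORECASE)
PASSWORD_INPUT_RE = re.compile(r"<input\b[^>]*\btype=[\"']?password[^>]*>", re.IGNORECASE)


def cookie_flags(set_cookie_value):
    """Return (cookie name, lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def has_private_ip(text):
    """True if the text contains a syntactically valid RFC 1918 IPv4 address."""
    for candidate in IPV4_RE.findall(text):
        try:
            addr = ip_address(candidate)
        except ValueError:  # e.g. 999.1.1.1, not a real address
            continue
        if any(addr in net for net in PRIVATE_NETS):
            return True
    return False


def passive_check(url, headers, body=""):
    """Return alert names for one response.

    headers is a list of (name, value) pairs because Set-Cookie may repeat.
    """
    def values(name):
        return [v for k, v in headers if k.lower() == name]

    def joined(name):
        return ",".join(values(name)).strip().lower()

    alerts = []
    if SESSION_ID_RE.search(url) or SESSION_ID_RE.search(body):
        alerts.append("Session ID in URL rewrite")
    if not joined("content-type"):
        alerts.append("Content-Type header missing")
    for raw in values("set-cookie"):
        name, attrs = cookie_flags(raw)
        if "httponly" not in attrs:
            alerts.append(f"Cookie no http-only flag: {name}")
        if "secure" not in attrs:
            alerts.append(f"Cookie without secure flag: {name}")
    directives = {d.strip() for d in joined("cache-control").split(",") if d.strip()}
    if not REQUIRED_CACHE_CONTROL <= directives or joined("pragma") != "no-cache":
        alerts.append("Incomplete or no cache-control and pragma HTTP header set")
    if joined("x-content-type-options") != "nosniff":
        alerts.append("X-Content-Type-Options header missing")
    if not joined("x-frame-options"):
        alerts.append("X-Frame-Options header not set")
    if has_private_ip(body):
        alerts.append("Private IP disclosure")
    for tag in PASSWORD_INPUT_RE.findall(body):
        if not re.search(r"autocomplete=[\"']?off", tag, re.IGNORECASE):
            alerts.append("Password Autocomplete in browser")
            break
    return alerts


# Constructed sample responses (not captured traffic): (url, headers, body).
BEFORE = (
    "http://localhost:8082/app/login;jsessionid=0123456789ABCDEF",
    [("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/app"),
     ("Cache-Control", "no-cache")],
    '<form><input type="password" name="pw"></form><!-- db at 192.168.1.20 -->',
)
AFTER = (
    "https://localhost:8443/app/login",
    [("Content-Type", "text/html;charset=UTF-8"),
     ("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/app; Secure; HttpOnly"),
     ("Cache-Control", "no-cache, no-store, must-revalidate, private"),
     ("Pragma", "no-cache"),
     ("X-Content-Type-Options", "nosniff"),
     ("X-Frame-Options", "DENY")],
    '<form><input type="password" name="pw" autocomplete="off"></form>',
)

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, passive_check(*sample))
```
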


Conclusion



There is a lot to learn by just clicking through a web application and examining the alerts ZAP gives you. Fixing most of the issues found requires a little configuration or a few lines of code but can have great impact on the security of your web application. Of course finding big flaws like injection, cross site scripting and id guessing requires a more active approach. ZAP also supports this and it may be the subject of another blog post in the near future :)

 
 
