{
  "version": 3,
  "sources": ["ssg:https://framerusercontent.com/modules/tFlLoI4CupY6ylWmrmD3/blTlIHgRWnq1gOEDAZX5/J2iOueWvI-10.js"],
  "sourcesContent": ["import{jsx as e,jsxs as t}from\"react/jsx-runtime\";import{ComponentPresetsConsumer as o,Link as n}from\"framer\";import{motion as i}from\"framer-motion\";import*as a from\"react\";import{Youtube as r}from\"https://framerusercontent.com/modules/NEd4VmDdsxM3StIUbddO/bZxrMUxBPAhoXlARkK9C/YouTube.js\";import s from\"https://framerusercontent.com/modules/pVk4QsoHxASnVtUBp6jr/TbhpORLndv1iOkZzyo83/CodeBlock.js\";export const richText=/*#__PURE__*/t(a.Fragment,{children:[/*#__PURE__*/e(\"h4\",{children:\"We used a new Appsec combo to get a few thousand dollars from exploiting Cross-Origin Resource Sharing (CORS) misconfigurations on internal networks in bug bounties. \"}),/*#__PURE__*/t(\"p\",{children:[\"Check out this example of \",/*#__PURE__*/e(n,{href:\"https://bugcrowd.com/disclosures/0e3f3821-1d26-466b-8599-7cc2f206f4d9/several-internal-applications-have-open-cors-allowing-external-folks-to-access-the-content\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"hacking Tesla\"})}),\". It was so much fun that we\u2019re here to share our tooling and techniques with everyone. Rest assured that this same approach will work for plenty of other bug bounty targets.\"]}),/*#__PURE__*/t(\"p\",{children:[\"Usually internal networks are out of scope for bug bounties due to the strict rules against lateral movement and social engineering but we devised a method to attack these internal apps directly without the use of either. Internal apps also often \",/*#__PURE__*/e(n,{href:\"https://trufflesecurity.com/blog/trufflehog-the-chrome-extension/\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"contain secrets in their javascript\"})}),\". 
We\u2019re aware we\u2019re walking very close to the line, but we don\u2019t believe it\u2019s been crossed.\"]}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"408\",src:\"https://framerusercontent.com/images/gYHG5d1YSkFAuc12d3wQaCRyw.png\",srcSet:\"https://framerusercontent.com/images/gYHG5d1YSkFAuc12d3wQaCRyw.png?scale-down-to=512 512w,https://framerusercontent.com/images/gYHG5d1YSkFAuc12d3wQaCRyw.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/gYHG5d1YSkFAuc12d3wQaCRyw.png 1094w\",style:{aspectRatio:\"1094 / 816\"},width:\"547\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/t(\"p\",{children:[\"Feeling antsy and just want to get your hands on some code?? Understandable. \",/*#__PURE__*/e(n,{href:\"https://github.com/trufflesecurity/of-cors\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"The code can be found under the Truffle Security GitHub organization\"})}),\". Happy hacking.\"]}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"481\",src:\"https://framerusercontent.com/images/1hyT3PwHoiDEg6RkAMyfNd3kWyQ.png\",srcSet:\"https://framerusercontent.com/images/1hyT3PwHoiDEg6RkAMyfNd3kWyQ.png?scale-down-to=512 512w,https://framerusercontent.com/images/1hyT3PwHoiDEg6RkAMyfNd3kWyQ.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/1hyT3PwHoiDEg6RkAMyfNd3kWyQ.png 1580w\",style:{aspectRatio:\"1580 / 962\"},width:\"790\"}),/*#__PURE__*/e(\"h5\",{children:\"A QUICK CORS PRIMER\"}),/*#__PURE__*/e(\"p\",{children:\"The same origin policy (SOP) is a foundational element of modern browser security. 
Without it all of the websites you visit in your browser could access data from one another (we\u2019d be pulling data from your beanie baby fan site page right now if we could).\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"135\",src:\"https://framerusercontent.com/images/ERYeHirPsfcyUyu4qOVyHH82zN8.png\",srcSet:\"https://framerusercontent.com/images/ERYeHirPsfcyUyu4qOVyHH82zN8.png?scale-down-to=512 512w,https://framerusercontent.com/images/ERYeHirPsfcyUyu4qOVyHH82zN8.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/ERYeHirPsfcyUyu4qOVyHH82zN8.png 1600w\",style:{aspectRatio:\"1600 / 270\"},width:\"800\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/t(\"p\",{children:[\"The SOP, while super important, is a bit more rigid than modern web developers might like. \",/*#__PURE__*/e(n,{href:\"https://dev.to/benregenspan/the-state-of-jsonp-and-jsonp-vulnerabilities-in-2021-52ep\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"Time\"})}),\" and \",/*#__PURE__*/e(n,{href:\"https://medium.com/@chiragrai3666/exploiting-postmessage-e2b01349c205\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"time again\"})}),\" there have been clever ways to try to get around the SOP, often to \",/*#__PURE__*/e(n,{href:\"https://blog.miki.it/2014/7/8/abusing-jsonp-with-rosetta-flash/\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"disastrous effect\"})}),\". 
CORS is an officially supported security standard that tries to address this demand, enabling developers to \u201Copt in\u201D to explicit SOP carve-outs on the web sites they create.\"]}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"232\",src:\"https://framerusercontent.com/images/yuNqB9N7MQ6AvjPNCmWgCLPoKI.png\",srcSet:\"https://framerusercontent.com/images/yuNqB9N7MQ6AvjPNCmWgCLPoKI.png?scale-down-to=512 512w,https://framerusercontent.com/images/yuNqB9N7MQ6AvjPNCmWgCLPoKI.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/yuNqB9N7MQ6AvjPNCmWgCLPoKI.png 1600w\",style:{aspectRatio:\"1600 / 465\"},width:\"800\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/t(\"p\",{children:[\"CORS can be configured in two different ways. The first is to specify an origin that can read responses. In this case, logged in users can have their user data accessed. The second is to use a \",/*#__PURE__*/e(\"strong\",{children:\"wildcard, \"}),\"which will not send login session information and is usually assumed to be safe for that reason. 
That\u2019s often true for externally facing websites but can go horrendously wrong for internal facing web apps that don\u2019t use authentication.\"]}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(o,{componentIdentifier:\"module:pVk4QsoHxASnVtUBp6jr/TbhpORLndv1iOkZzyo83/CodeBlock.js:default\",children:t=>/*#__PURE__*/e(s,{...t,code:\"GET /hello/world HTTP/1.1 \\nUser-Agent: Really Cool Browser .\\nOrigin: some.other.origin.com \\nAccept-Language: en-us \\nAccept-Encoding: gzip, deflate \\nConnection: Keep-Alive \\n\\nHTTP/1.1 200 OK \\nDate: Mon, 12 Dec 2022 00:00:00 GMT \\nServer: Some Cool Server \\nContent-Length: 230 \\nAccess-Control-Allow-Origin: * \\nContent-Type: text/html; charset=iso-8859-1 \\nConnection: Closed\",language:\"Go\"})})}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/t(\"p\",{children:[/*#__PURE__*/e(n,{href:\"https://portswigger.net/web-security/cors\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"PortSwigger has done an excellent job explaining this\"})}),\" and talks through these misconfigurations in much more detail. For this post we will just stay focused on the issue of using wildcards for internal apps.\"]}),/*#__PURE__*/t(\"p\",{children:[\"You\u2019ll find such an example of an incomplete view of wildcard CORS on websites like \",/*#__PURE__*/e(n,{href:\"https://enable-cors.org/\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"https://enable-cors.org/\"})}),\" which fails to mention one of the most dangerous aspects of enabling CORS; its use on internal networks. 
People\u2019s browsers straddle multiple networks so when a victim visits an evil website that evil website can hit all of the internal apps on internal networks.\"]}),/*#__PURE__*/e(\"p\",{children:\"Take a look at a couple Tweets we found that are born out of a lack of understanding of this threat. Note both posters have over 10,000 followers:\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"244\",src:\"https://framerusercontent.com/images/62Kgjyi8atQmwfjWKnZKnmiU8o.png\",srcSet:\"https://framerusercontent.com/images/62Kgjyi8atQmwfjWKnZKnmiU8o.png?scale-down-to=512 512w,https://framerusercontent.com/images/62Kgjyi8atQmwfjWKnZKnmiU8o.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/62Kgjyi8atQmwfjWKnZKnmiU8o.png 1238w\",style:{aspectRatio:\"1238 / 488\"},width:\"619\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"p\",{children:\"To this lack of clarity, we say \u201Cthank you\u201D for our recent bug bounty victory.\"}),/*#__PURE__*/e(\"h5\",{children:\"CAN YOU FIND CORS MISCONFIGURATIONS? OF-CORS YOU CAN!\"}),/*#__PURE__*/e(\"p\",{children:\"We\u2019d like to introduce you to our new CORS exploitation toolkit, affectionately known as of-CORS. of-CORS is a web application and set of scripts that, when spun up, can sneakily prod target corporate networks for CORS misconfigurations using typosquatting and phone home with data when found. 
With a modicum of configuration and setup you too can poke around in the networks of large bug bounty targets for that sweet, sweet bounty loot.\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"p\",{children:\"The core hypothesis of-CORS was built to test was \u201Clarge internal corporate networks are exceedingly likely to have impactful CORS misconfigurations.\u201D As such we wanted a toolkit that would do all the following:\"}),/*#__PURE__*/t(\"ul\",{children:[/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Enumerate likely internal subdomains for target organizations\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Launch a JavaScript payload to prod for CORS misconfigurations against configured domains\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Utilize a service worker to make requests long after the victim is redirected off the typosquatting domain\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Accept results from the victim\u2019s browser and provide some level of result queryability in a UI\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Make some level of attempt to hide itself\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Is likely to be visited by employees of target organizations\"})})]}),/*#__PURE__*/e(\"p\",{children:\"Achieving these goals took a bit of work in a handful of domains.\"}),/*#__PURE__*/e(\"h5\",{children:\"The Web Application\"}),/*#__PURE__*/t(\"p\",{children:[\"The of-CORS web application is a Python3 application built using Django and Django Rest Framework. When a victim visits the web application a lookup is done to determine what internal domains are configured to be probed. 
A browser service worker is then registered to do the probing and the user\u2019s browser is quickly redirected away to the \",/*#__PURE__*/e(\"em\",{children:\"assumed\"}),\" intended destination.\"]}),/*#__PURE__*/t(\"p\",{children:[\"For example, let\u2019s say that we have registered eslamotors.com and pointed it to our of-CORS instance. An internal Tesla employee then accidentally visits \",/*#__PURE__*/e(n,{href:\"https://foobar.eslamotors.com/bing/bang/bong.php\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"https://foobar.eslamotors.com/bing/bang/bong.php\"})}),\" (whoops, typo alert!). of-CORS then looks up the core domain of \u201Ceslamotors.com\u201D to determine the list of domains that a payload should be launched for. This JavaScript payload for running the probing is then registered as a service worker and the employee\u2019s browser is redirected to \",/*#__PURE__*/e(n,{href:\"https://foobar.teslamotors.com/bing/bang/bong.php\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"https://foobar.teslamotors.com/bing/bang/bong.php\"})}),\". The service worker continues to run in the background, issuing HTTPS requests to all of the configured domains and reporting back to of-CORS any identified CORS misconfigurations \",/*#__PURE__*/e(\"em\",{children:\"as well as\"}),\" the HTML content for the misconfigured domains.\"]}),/*#__PURE__*/e(\"p\",{children:\"Just like that, we have a setup for probing internal network CORS misconfigurations with minimal indication to the victim. Any internal apps that lack authentication and have permissive CORS will send all their data to your instance of of-CORS.\"}),/*#__PURE__*/e(\"h5\",{children:\"The Infrastructure\"}),/*#__PURE__*/e(\"p\",{children:\"We wanted a toolkit that enabled us to receive HTTPS requests for a myriad of different domains. 
We also wanted the ability to spin new domains and targets up and down with relative ease. Thus we needed someone else to handle the SSL/TLS certificate management.\"}),/*#__PURE__*/e(\"p\",{children:\"The deployment we landed on was using Cloudflare for SSL/TLS termination and DNS management and Heroku for application hosting. Cloudflare allows for wildcard CNAME routing and Heroku allows for configuring arbitrary domains to point to existing Heroku stacks. Together they achieve the infrastructure flexibility we needed for rapid iteration.\"}),/*#__PURE__*/e(\"p\",{children:\"Even with this relatively simple deployment, managing infrastructure can be a real pain. To address this we implemented Terraform configuration that wires up Cloudflare, Heroku, and of-CORS in the correct configuration based on a single YAML file.\"}),/*#__PURE__*/e(\"h5\",{children:\"Getting Victims to Visit Our Application\"}),/*#__PURE__*/e(\"p\",{children:\"Bug bounty rules can vary wildly from one organization to the next, but a common rule even across this variability is that researchers cannot engage in social engineering to aid in their attacks. Thus we were left with the problem of \u201Chow do we get victims to visit our malicious website.\u201D\"}),/*#__PURE__*/t(\"p\",{children:[\"Human error and bad typing to the rescue! We decided to go the route of purchasing \",/*#__PURE__*/e(n,{href:\"https://www.kaspersky.com/resource-center/definitions/what-is-typosquatting\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"typo-squat\"})}),\" domains that were very similar to the internal domains used by the organizations we targeted. You\u2019ll need to do a little reconnaissance to learn what internal second level domains your target company uses. You can often find this in old commits in Github repos, android builds, and sometimes even StackOverflow questions. 
An example of an internal Uber domain found via GitHub is shown below:\"]}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"321\",src:\"https://framerusercontent.com/images/jFNK3vhdAvfjyLcEPMNqSTtrk2Y.png\",srcSet:\"https://framerusercontent.com/images/jFNK3vhdAvfjyLcEPMNqSTtrk2Y.png?scale-down-to=512 512w,https://framerusercontent.com/images/jFNK3vhdAvfjyLcEPMNqSTtrk2Y.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/jFNK3vhdAvfjyLcEPMNqSTtrk2Y.png 1040w\",style:{aspectRatio:\"1040 / 642\"},width:\"520\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/t(\"p\",{children:[\"Next you\u2019ll need to purchase a common typo of this internal second level domain. We recommend the off-by-one copy paste error that occurs when you drop the first or last character (ex: \",/*#__PURE__*/e(\"em\",{children:\"orpinternal.com\"}),\" for a company that owns the domain \",/*#__PURE__*/e(\"em\",{children:\"corpinternal.com\"}),\").\"]}),/*#__PURE__*/e(\"p\",{children:\"You\u2019ll need to set up DNS for your purchased domain to route all subdomains to the of-CORS web server, and you\u2019ll also need to configure TLS for the subdomains in something like Cloudflare (we made this a little easier for you to configure as explained in the section below).\"}),/*#__PURE__*/e(\"h5\",{children:\"Configuring the Stack\"}),/*#__PURE__*/e(\"p\",{children:\"So we\u2019ve got the application, the sneaky domains to get victims to come say hi, and the infrastructure. Now we just need the data! The of-CORS configuration file not only specifies the infrastructure setup, but also which payloads should be generated for which domains. 
Take a look at the following sample configuration file:\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(o,{componentIdentifier:\"module:pVk4QsoHxASnVtUBp6jr/TbhpORLndv1iOkZzyo83/CodeBlock.js:default\",children:t=>/*#__PURE__*/e(s,{...t,code:\"terraform: \\n# You must change this to a unique string that is a valid Heroku app name \\nheroku_app_name: best-cors-hunter \\n# Fill this out with your Cloudflare API token \\ncloudflare_api_token: this-is-my-api-token \\n\\nhosts: \\n  testing: \\n    host_domain: 127.0.0.1:8080 \\n    redirect_domain: google.com \\n    targets: \\n      - enable-cors.org \\n      - example.com\",language:\"Go\"})})}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"p\",{children:\"Under the hosts.testing configuration directive we see a host_domain value of 127.0.0.1:8080, a redirect_domain value of google.com, and two targets configured for enable-cors.org and example.com. In this configuration of-CORS will expect to receive requests at 127.0.0.1:8080, will subsequently launch a payload targeting subdomains of example.com and enable-cors.org when a request is received, and will redirect the victim\u2019s browser to google.com after the browser service worker is registered.\"}),/*#__PURE__*/t(\"p\",{children:[/*#__PURE__*/e(\"br\",{}),\"The last piece of the puzzle here is the identification of good candidate subdomains to target under example.com and enable-cors.org. 
We do this by relying on \",/*#__PURE__*/e(n,{href:\"https://github.com/OWASP/Amass\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"OWASP\u2019s amass tool\"})}),\" to perform subdomain enumeration and then we do our own light testing to determine which of the identified subdomains (if any) are likely internal domains. Funny enough, we throw out all domains that are external facing in this step, which is the opposite of what bountiers typically do with amass.\"]}),/*#__PURE__*/e(\"p\",{children:\"Note that detailed and explicit steps for configuring of-CORS can be found in its GitHub repository\u2019s README.md file.\"}),/*#__PURE__*/e(\"p\",{children:\"Now that we\u2019ve given you a quick tour let\u2019s see of-CORS in action!\"}),/*#__PURE__*/e(\"h5\",{children:\"of-CORS in Action, a Tesla Story\"}),/*#__PURE__*/e(\"p\",{children:\"While there were a handful of bug bounty targets that we went after, our engagement with Tesla was the most positive, and they allowed us to publicly disclose the bug! Check it out here:\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(n,{href:\"https://bugcrowd.com/disclosures/0e3f3821-1d26-466b-8599-7cc2f206f4d9/several-internal-applications-have-open-cors-allowing-external-folks-to-access-the-content\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"https://bugcrowd.com/disclosures/0e3f3821-1d26-466b-8599-7cc2f206f4d9/several-internal-applications-have-open-cors-allowing-external-folks-to-access-the-content\"})})}),/*#__PURE__*/t(\"p\",{children:[/*#__PURE__*/e(\"br\",{}),\"We set up of-CORS with the typo-squat domain of eslamotors.com and configured it to probe for CORS misconfigurations across approximately 150 subdomains of teslamotors.com. 
We only had to wait a few days before we got a hit:\"]}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"372\",src:\"https://framerusercontent.com/images/IGhwrdCH9NnwOS9G8Z4pB9sMk.png\",srcSet:\"https://framerusercontent.com/images/IGhwrdCH9NnwOS9G8Z4pB9sMk.png?scale-down-to=512 512w,https://framerusercontent.com/images/IGhwrdCH9NnwOS9G8Z4pB9sMk.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/IGhwrdCH9NnwOS9G8Z4pB9sMk.png 1600w\",style:{aspectRatio:\"1600 / 744\"},width:\"800\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/t(\"p\",{children:[\"Eureka! They found it. When this unfortunate victim requested the page from of-CORS we registered a service worker that probed all of the configured subdomains. Of those 150 domains that were tested \",/*#__PURE__*/e(\"em\",{children:\"12\"}),\" of them were configured to allow cross-origin access with CORS. The affected domains are shown below in the of-CORS UI:\"]}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"355\",src:\"https://framerusercontent.com/images/YQuxaVKB8ol5Hv8l9kjwypj80P4.png\",srcSet:\"https://framerusercontent.com/images/YQuxaVKB8ol5Hv8l9kjwypj80P4.png?scale-down-to=512 512w,https://framerusercontent.com/images/YQuxaVKB8ol5Hv8l9kjwypj80P4.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/YQuxaVKB8ol5Hv8l9kjwypj80P4.png 1600w\",style:{aspectRatio:\"1600 / 711\"},width:\"800\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"p\",{children:\"Because of-CORS saves the HTML content that is returned from sites with CORS misconfigurations we also had the ability to review the pages for all of the affected sites. 
The HTML content for location.teslamotors.com is shown below:\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"441\",src:\"https://framerusercontent.com/images/U0ubD8yj5Q8UMRkU1mfmafoK3I.png\",srcSet:\"https://framerusercontent.com/images/U0ubD8yj5Q8UMRkU1mfmafoK3I.png?scale-down-to=512 512w,https://framerusercontent.com/images/U0ubD8yj5Q8UMRkU1mfmafoK3I.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/U0ubD8yj5Q8UMRkU1mfmafoK3I.png 1260w\",style:{aspectRatio:\"1260 / 883\"},width:\"630\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/t(\"p\",{children:[\"We reported our findings through Tesla\u2019s bug bounty \",/*#__PURE__*/e(n,{href:\"https://bugcrowd.com/disclosures/0e3f3821-1d26-466b-8599-7cc2f206f4d9/several-internal-applications-have-open-cors-allowing-external-folks-to-access-the-content\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"program on BugCrowd\"})}),\" and the issue was quickly escalated, accepted, resolved, and paid out (a testament to the maturity of Tesla\u2019s bug bounty program generally and security teams specifically).\"]}),/*#__PURE__*/e(\"p\",{children:\"We demonstrated the ability to access and exfiltrate data from Tesla\u2019s internal network just by setting an innocuous trap and waiting for employees to wander into it. Delightful.\"}),/*#__PURE__*/e(\"h2\",{children:\"Conclusion\"}),/*#__PURE__*/t(\"p\",{children:[\"CORS may be an old topic at this point but it is still very relevant when it comes to properly securing your web applications, and this goes for external \",/*#__PURE__*/e(\"em\",{children:\"and\"}),\" internal services. 
With of-CORS you too can help bug bounty programs identify internal misconfigurations and enjoy some bounty loot.\"]}),/*#__PURE__*/t(\"p\",{children:[\"The of-CORS code and documentation can be found on our GitHub page.\",/*#__PURE__*/e(\"br\",{}),\"A cheekier version of this story is told in our \",/*#__PURE__*/e(n,{href:\"https://www.youtube.com/watch?v=wgHqfeNgt5s\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"recent video on the topic\"})}),\".\"]}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{\"--aspect-ratio\":\"560 / 315\",aspectRatio:\"560 / 315\",height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(o,{componentIdentifier:\"module:NEd4VmDdsxM3StIUbddO/bZxrMUxBPAhoXlARkK9C/YouTube.js:Youtube\",children:t=>/*#__PURE__*/e(r,{...t,play:\"Off\",shouldMute:!0,thumbnail:\"Medium Quality\",url:\"https://youtu.be/qIR0eKm1DK4\"})})}),/*#__PURE__*/t(\"p\",{children:[/*#__PURE__*/e(\"br\",{}),/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})]})]});export const richText1=/*#__PURE__*/t(a.Fragment,{children:[/*#__PURE__*/t(\"h4\",{children:[\"Not long ago, security researchers\",/*#__PURE__*/e(n,{href:\"https://www.theverge.com/2017/2/3/14495978/belgian-hacker-trump-twitter-links\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\" found they could take over old tweets\"})}),\" that linked to links that don\u2019t work anymore. Did you know you can do the same thing with email? To demonstrate this, we \u201CEmail Graffitied\u201D an email sent to all YouTube users in 2020. \"]}),/*#__PURE__*/e(\"p\",{children:\"Take a look for yourself! 
It has the title: \u201CChanges to YouTube\u2019s Terms of Service\u201D.\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"263\",src:\"https://framerusercontent.com/images/J317azaZwz5Nha0RmpPnRvbEpA.gif\",srcSet:\"https://framerusercontent.com/images/J317azaZwz5Nha0RmpPnRvbEpA.gif?scale-down-to=512 512w,https://framerusercontent.com/images/J317azaZwz5Nha0RmpPnRvbEpA.gif 1000w\",style:{aspectRatio:\"1000 / 526\"},width:\"500\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/t(\"p\",{children:[\"We\u2019re also open sourcing a small script that can help you find emails that you too can take over the images for: \",/*#__PURE__*/e(n,{href:\"https://github.com/trufflesecurity/EmailGraffiti\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"https://github.com/trufflesecurity/EmailGraffiti\"})})]}),/*#__PURE__*/e(\"p\",{children:\"People often assume Email is static and unchanging, but that\u2019s not true. Most major email providers will dynamically pull in fonts and images at the time of viewing the email from external locations. 
That means if you view an email today, it could look totally different looking at the same email tomorrow!\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"414\",src:\"https://framerusercontent.com/images/n7AHoc8GLZWwlvOL8fxc6midMI.png\",srcSet:\"https://framerusercontent.com/images/n7AHoc8GLZWwlvOL8fxc6midMI.png?scale-down-to=512 512w,https://framerusercontent.com/images/n7AHoc8GLZWwlvOL8fxc6midMI.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/n7AHoc8GLZWwlvOL8fxc6midMI.png 1200w\",style:{aspectRatio:\"1200 / 828\"},width:\"600\"}),/*#__PURE__*/e(\"p\",{children:\"                                            Email dynamically loading fonts and images\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"p\",{children:\"So how does this lead to vandalizing old Emails? Imagine a scenario where an image is loaded with the following HTML:\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(o,{componentIdentifier:\"module:pVk4QsoHxASnVtUBp6jr/TbhpORLndv1iOkZzyo83/CodeBlock.js:default\",children:t=>/*#__PURE__*/e(s,{...t,code:'<img src=\"https://storage.googleapis.com/ytm_images/yt_dm_logo_wide.png\">',language:\"HTML\"})})}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"p\",{children:\"Try visiting the URL in a browser, but replace the bolded text with just a random set of characters. 
You\u2019ll get the following error:\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"270\",src:\"https://framerusercontent.com/images/S4NUPilV6qiiKfpYxM2fWqNRwk.png\",srcSet:\"https://framerusercontent.com/images/S4NUPilV6qiiKfpYxM2fWqNRwk.png?scale-down-to=512 512w,https://framerusercontent.com/images/S4NUPilV6qiiKfpYxM2fWqNRwk.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/S4NUPilV6qiiKfpYxM2fWqNRwk.png 1536w\",style:{aspectRatio:\"1536 / 540\"},width:\"768\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/t(\"p\",{children:[\"In cloud computing (GCP or AWS) you can store images in \u201Cbuckets\u201D, and these buckets have names that are shared globally across all customers. That means two customers of AWS or GCP can\u2019t have the same bucket name. So what happens if you typo the name of the bucket you want to serve the image out of? \",/*#__PURE__*/e(\"strong\",{children:\"Someone else can take that bucket name and serve their image in your email!\"})]}),/*#__PURE__*/e(\"p\",{children:\"That\u2019s the basic idea behind Email Graffiti. Whether the company typo\u2019d the bucket and never owned it in the first place, or maybe they once owned it, but stopped paying for it at some point, in either case, anyone can just come in, register the bucket, and take over the email!\"}),/*#__PURE__*/e(\"p\",{children:\"You can also do the same thing with domains that aren\u2019t registered anymore, but we only explored buckets, we didn\u2019t look for domains that could be registered.\"}),/*#__PURE__*/e(\"p\",{children:\"Interestingly we found a lot of emails that were sent from businesses that don\u2019t exist anymore, that had 100% of their images that could be taken over. 
This is because they likely deleted their entire cloud account, and so the further back in email you go, the more rot and decay you might find.\"}),/*#__PURE__*/e(\"h2\",{children:\"Sticking GIFs where JPEGs go\"}),/*#__PURE__*/e(\"p\",{children:\"You might be wondering, how did we make our email image animated? It turns out that in Google Chrome, the .JPEG file extension in an image link doesn\u2019t actually matter: if the web server returns a GIF and sets the content type to GIF, Chrome will treat the image as a GIF!\"}),/*#__PURE__*/e(\"p\",{children:\"This means any static JPEG email image that\u2019s takeover-able can be replaced with an animated GIF! Cool, right?\"}),/*#__PURE__*/t(\"p\",{children:[\"Naturally we wanted to push this to its logical conclusion, so we found a full feature-length film that was in the public domain, and converted it into a GIF. Did you know \",/*#__PURE__*/e(n,{href:\"https://en.wikipedia.org/wiki/Night_of_the_Living_Dead#:~:text=Night%20of%20the%20Living%20Dead%20entered%20the%20public%20domain%20in,copyright%20notice%20to%20maintain%20a\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"Night of the Living Dead\"})}),\" is in the public domain? 
We didn\u2019t either, but were happy to see it was.\"]}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/t(\"p\",{children:[\"Here it is in GIF format:\",/*#__PURE__*/e(\"br\",{}),/*#__PURE__*/e(n,{href:\"https://storage.googleapis.com/nightofthelivingdeadgifbucket/notld.gif\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"https://storage.googleapis.com/nightofthelivingdeadgifbucket/notld.gif\"})})]}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"p\",{children:\"Unfortunately we ran into another problem, which is, Gmail specifically actually proxies all the images in your email through their mail client proxy, and will check ahead of time if images are more than 1000 frames. This limitation means we can\u2019t play the Night Of The Living Dead in Gmail, but it does work with other mail providers!\"}),/*#__PURE__*/e(\"h2\",{children:\"Can this be abused?\"}),/*#__PURE__*/t(\"p\",{children:[\"We partnered with \",/*#__PURE__*/e(n,{href:\"https://material.security/\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"Material Security\"})}),\" (they do a lot of email stuff) to look over a ton of email to identify when this problem occurs the most. They were able to identify a few instances of typos, but by far the more frequent scenario was resources that used to be owned that got given up in the past.\"]}),/*#__PURE__*/e(\"p\",{children:\"Because of this, the abuse use case is fairly limited (at least as far as we could think of potential abuse scenarios). 
Most emails get read in the first 12 hours of sending, so stomping over an old email, potentially years past, is unlikely to open up many avenues for abuse.\"}),/*#__PURE__*/e(\"h2\",{children:\"Conclusion\"}),/*#__PURE__*/e(\"p\",{children:\"Honestly there\u2019s not much to take away from this, other than the fact you can show your friends some cool graffiti art on some old emails. Because the emails are distributed so widely it\u2019s almost like an NFT, but one where it\u2019s actually easy to show ownership. So have fun collecting buckets, maybe ask permission or shoot the company a heads up first (we let Google know about the YouTube email). If you send email yourself, the flip side is to keep ownership of any bucket your already-sent emails still load images from.\"}),/*#__PURE__*/e(\"p\",{children:\"Are you curious how appsec research like this is done? Check out my hacking reenactment in the video below!\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{\"--aspect-ratio\":\"560 / 315\",aspectRatio:\"560 / 315\",height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(o,{componentIdentifier:\"module:NEd4VmDdsxM3StIUbddO/bZxrMUxBPAhoXlARkK9C/YouTube.js:Youtube\",children:t=>/*#__PURE__*/e(r,{...t,play:\"Off\",shouldMute:!0,thumbnail:\"Medium Quality\",url:\"https://youtu.be/5sn9zVdT-zM\"})})}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/t(\"p\",{children:[/*#__PURE__*/e(n,{href:\"https://trufflesecurity.com/blog/\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"Our blog\"})}),\" has more appsec content if you like this kind of stuff, take a look! 
You can \",/*#__PURE__*/e(n,{href:\"https://twitter.com/trufflesec\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"follow us on Twitter\"})}),\" for when we drop new content\"]})]});export const richText2=/*#__PURE__*/t(a.Fragment,{children:[/*#__PURE__*/e(\"h4\",{children:\"Security static analysis tools generally seem to throw a ton of false positives. Did you know there\u2019s a reason for that, one that\u2019s rooted in math?\"}),/*#__PURE__*/e(\"h2\",{children:\"The Halting Problem\"}),/*#__PURE__*/e(\"p\",{children:\"86 years ago Alan Turing proved it\u2019s impossible, in general, to look at an arbitrary program\u2019s source code and know for certain what it\u2019s going to do in runtime.\"}),/*#__PURE__*/t(\"p\",{children:[\"We now refer to this problem as \",/*#__PURE__*/e(n,{href:\"https://en.wikipedia.org/wiki/Halting_problem\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"the halting problem\"})}),\", but interestingly in Alan\u2019s original paper he didn\u2019t describe whether a program would halt or not; he described it as an uncertainty in what a program will print out:\"]}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/t(\"p\",{children:[/*#__PURE__*/t(\"em\",{children:[\"\u2026Similarly [if] there is a general process for determining whether U- prints 1 infinitely often. By a combination of these processes we have a process for determining whether. U prints an infinity of figures, i.e. we have a process for determining whether M is circle-free. There can therefore be no machine i . 
\",/*#__PURE__*/e(\"br\",{})]}),/*#__PURE__*/e(n,{href:\"https://www.cs.virginia.edu/~robins/Turing_Paper_1936.pdf\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:/*#__PURE__*/e(\"em\",{children:\"Source\"})})})]}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/t(\"p\",{children:[\"Interestingly, this proof is usually taught in a philosophical \",/*#__PURE__*/e(\"strong\",{children:\"computer science\"}),\" context, but I always found it interesting it\u2019s rarely applied to practical \",/*#__PURE__*/e(\"strong\",{children:\"computer security\"}),\" problem solving.\"]}),/*#__PURE__*/e(\"p\",{children:\"Determining the output of a computer program based on its source code is indeed at the heart of many security problems; unsafely outputting user input is the direct cause of XSS, SQLi, and many other security vulnerabilities.\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"459\",src:\"https://framerusercontent.com/images/W5ZJGzSTOdDmJ6uzA5PAH3tISVU.jpeg\",srcSet:\"https://framerusercontent.com/images/W5ZJGzSTOdDmJ6uzA5PAH3tISVU.jpeg 675w\",style:{aspectRatio:\"675 / 919\"},width:\"337\"}),/*#__PURE__*/e(\"p\",{children:\"In 1936 Alan Turing proved it\u2019s impossible to know how arbitrary programs will behave in runtime\"}),/*#__PURE__*/e(\"h2\",{children:\"The Problem With Security Static Analysis\"}),/*#__PURE__*/e(\"p\",{children:\"We now have an entire industry set out to do the impossible: find every security vulnerability in an application based on its source code. 
But if we already know this is impossible based on Alan\u2019s 1936 proof, how do these programs behave in the real world?\"}),/*#__PURE__*/e(\"p\",{children:\"Static analysis tools by definition must at times be uncertain about whether a security vulnerability is present. This leads the programs to make a best guess, and guessing wrong leads us to one of two possibilities: a false positive or a false negative.\"}),/*#__PURE__*/e(\"p\",{children:\"This outcome is mathematically, provably unpreventable.\"}),/*#__PURE__*/e(\"p\",{children:\"So what\u2019s a better outcome? A program that sometimes alerts on vulnerabilities that are not real (false positives) or a program that misses real vulnerabilities (false negatives)?\"}),/*#__PURE__*/e(\"p\",{children:\"Naively one may want to lean into false positives, and see all \u201Cpotential\u201D vulnerabilities. This is especially true with particular bug classes we want to squash, but trying to strike a balance between false positives and false negatives creates a scaling problem. A static analysis tool whose rules each throw a false positive 1% of the time will start to throw at least one false positive 90% of the time once it gets its 230th rule (assuming the rules err independently, 1 - 0.99^230 is roughly 0.90). 
This rapidly leads to alert fatigue and developers turning off or ignoring the output of the scanner.\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"450\",src:\"https://framerusercontent.com/images/cibliEguyfPuX0OWT0CLOxZAc.png\",srcSet:\"https://framerusercontent.com/images/cibliEguyfPuX0OWT0CLOxZAc.png?scale-down-to=512 512w,https://framerusercontent.com/images/cibliEguyfPuX0OWT0CLOxZAc.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/cibliEguyfPuX0OWT0CLOxZAc.png 1600w\",style:{aspectRatio:\"1600 / 900\"},width:\"800\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/t(\"p\",{children:[\"For the above reasons, we believe the best approach to static analysis is not to strike a balance between false positives and false negatives, but rather to \",/*#__PURE__*/e(\"strong\",{children:\"become intolerant to false positives in any form,\"}),\" and embrace false negatives as the mathematical certainty Alan Turing proved to be.\"]}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"450\",src:\"https://framerusercontent.com/images/hHQ9IZJnZ1SHRs8fG4w7hdt1xwI.png\",srcSet:\"https://framerusercontent.com/images/hHQ9IZJnZ1SHRs8fG4w7hdt1xwI.png?scale-down-to=512 512w,https://framerusercontent.com/images/hHQ9IZJnZ1SHRs8fG4w7hdt1xwI.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/hHQ9IZJnZ1SHRs8fG4w7hdt1xwI.png 1600w\",style:{aspectRatio:\"1600 / 900\"},width:\"800\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/t(\"p\",{children:[\"How do we eliminate false positives? 
Through automating the triage process with \",/*#__PURE__*/e(\"strong\",{children:\"dynamic testing.\"})]}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"450\",src:\"https://framerusercontent.com/images/U3J0AUEiVAD8g4GGdMnAHcjp74.png\",srcSet:\"https://framerusercontent.com/images/U3J0AUEiVAD8g4GGdMnAHcjp74.png?scale-down-to=512 512w,https://framerusercontent.com/images/U3J0AUEiVAD8g4GGdMnAHcjp74.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/U3J0AUEiVAD8g4GGdMnAHcjp74.png 1600w\",style:{aspectRatio:\"1600 / 900\"},width:\"800\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"p\",{children:\"Imagine a security engineer read a line of code they thought was vulnerable, the first thing they\u2019d do is test that code out to see if they can hit the vulnerability in runtime. Once they trigger the vulnerability, the tester becomes confident the issue is a true positive result.\"}),/*#__PURE__*/t(\"p\",{children:[\"Similarly, at Truffle Security when we find keys, we test them at runtime. 
For all \",/*#__PURE__*/e(n,{href:\"https://github.com/trufflesecurity/trufflehog/tree/main/pkg/detectors\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"currently supported >700 key detectors\"})}),\" we test to see if they can authenticate successfully.\"]}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"450\",src:\"https://framerusercontent.com/images/Acm8FHuCDBC5q9jbAkSxh3tVa4g.png\",srcSet:\"https://framerusercontent.com/images/Acm8FHuCDBC5q9jbAkSxh3tVa4g.png?scale-down-to=512 512w,https://framerusercontent.com/images/Acm8FHuCDBC5q9jbAkSxh3tVa4g.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/Acm8FHuCDBC5q9jbAkSxh3tVa4g.png 1600w\",style:{aspectRatio:\"1600 / 900\"},width:\"800\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"p\",{children:\"People often ask us if we support detecting things like PII or other types of data that can\u2019t be dynamically triaged and confirmed in runtime. 
Our answer is no, because the introduction of false positives to the engine, from not being able to auto-triage the results, is not worth the inevitable scaling issues and alert fatigue.\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{\"--aspect-ratio\":\"560 / 315\",aspectRatio:\"560 / 315\",height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(o,{componentIdentifier:\"module:NEd4VmDdsxM3StIUbddO/bZxrMUxBPAhoXlARkK9C/YouTube.js:Youtube\",children:t=>/*#__PURE__*/e(r,{...t,play:\"Off\",shouldMute:!0,thumbnail:\"Medium Quality\",url:\"https://youtu.be/npQMV55XNec\"})})}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"em\",{children:\"For a more detailed proof of the halting problem, as well as an interview with the author of Bandit, one of the most popular Python static analysis tools, check out the video above.\"})})]});export const richText3=/*#__PURE__*/t(a.Fragment,{children:[/*#__PURE__*/e(\"h4\",{children:\"5 years ago I wrote the original TruffleHog tool to detect API keys, passwords and secrets that were committed to Git. 
This was a great research tool, but fell short many ways.\"}),/*#__PURE__*/e(\"h2\",{children:\"Introducing TruffleHog v3\"}),/*#__PURE__*/e(\"p\",{children:\"We\u2019ve since raised millions of dollars to build open source security tooling, starting with the next generation of TruffleHog, which is faster, detects 10x more secrets, and automatically validates 100% of the secrets it supports with dynamic checks.\"}),/*#__PURE__*/t(\"p\",{children:[\"Check it out here: \",/*#__PURE__*/e(n,{href:\"https://github.com/trufflesecurity/trufflehog\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"https://github.com/trufflesecurity/trufflehog\"})})]}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{\"--aspect-ratio\":\"560 / 315\",aspectRatio:\"560 / 315\",height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(o,{componentIdentifier:\"module:NEd4VmDdsxM3StIUbddO/bZxrMUxBPAhoXlARkK9C/YouTube.js:Youtube\",children:t=>/*#__PURE__*/e(r,{...t,play:\"Off\",shouldMute:!0,thumbnail:\"Medium Quality\",url:\"https://youtu.be/AM3REzw1LDk\"})})}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"h5\",{children:\"KEY VERIFICATION\"}),/*#__PURE__*/t(\"p\",{children:[\"The most critical piece to our new detection engine is the verification step, which constitutes API calls to the providers for the keys identified. 
For example if we find an AWS key, we reach out to the GetCallerIdentity API endpoint to validate the AWS key found.\",/*#__PURE__*/e(\"br\",{}),/*#__PURE__*/e(\"br\",{}),\"You can see this in action here: \"]}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(n,{href:\"https://github.com/trufflesecurity/trufflehog/blob/main/pkg/detectors/aws/aws.go#L92\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!0,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"https://github.com/trufflesecurity/trufflehog/blob/main/pkg/detectors/aws/aws.go#L92\"})})}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/t(\"p\",{children:[\"We get creative with some of the checks we do, like with \",/*#__PURE__*/e(n,{href:\"https://trufflesecurity.com/blog/driftwood\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"Driftwood\"})}),\" for private encryption keys\"]}),/*#__PURE__*/e(\"h5\",{children:\"PERFORMANCE\"}),/*#__PURE__*/e(\"p\",{children:\"We also made some significant improvements to the scanner\u2019s runtime speed. Notably, all secret detectors are now preflighted with string comparisons which run quite a bit faster than regular expressions. 
You can see one example of the string comparisons here: \"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(n,{href:\"https://github.com/trufflesecurity/trufflehog/blob/main/pkg/detectors/aws/aws.go#L31\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!0,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"https://github.com/trufflesecurity/trufflehog/blob/main/pkg/detectors/aws/aws.go#L31\"})})}),/*#__PURE__*/e(\"p\",{children:\"We also made some git improvements that were heavily inspired by Gitleaks.\"}),/*#__PURE__*/e(\"h5\",{children:\"VOLUME OF KEYS\"}),/*#__PURE__*/e(\"p\",{children:\"You can browse the 639 key types we now support, and check out how we do verification for all of them here: \"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(n,{href:\"https://github.com/trufflesecurity/trufflehog/tree/main/pkg/detectors\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!0,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"https://github.com/trufflesecurity/trufflehog/tree/main/pkg/detectors\"})})}),/*#__PURE__*/e(\"p\",{children:\"We do not know of another secrets scanning engine that supports this many key types, let alone the verification, and the fact they\u2019re all now open source.\"}),/*#__PURE__*/e(\"h5\",{children:\"COLLABORATION\"}),/*#__PURE__*/e(\"p\",{children:\"If you see a detector we\u2019re missing, or see a way to improve an existing one, one of the most exciting things about open sourcing this engine is we can now all work on it together. 
Please check out our collaboration docs to see how you can contribute to detectors: \"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(n,{href:\"https://github.com/trufflesecurity/trufflehog/blob/main/hack/docs/Adding_Detectors_external.md\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!0,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"https://github.com/trufflesecurity/trufflehog/blob/main/hack/docs/Adding_Detectors_external.md\"})})}),/*#__PURE__*/e(\"h5\",{children:\"TRY IT OUT\"}),/*#__PURE__*/e(\"p\",{children:\"Try the new engine out yourself with the following docker command:\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(o,{componentIdentifier:\"module:pVk4QsoHxASnVtUBp6jr/TbhpORLndv1iOkZzyo83/CodeBlock.js:default\",children:t=>/*#__PURE__*/e(s,{...t,code:'docker run --rm -it -v \"/tmp:/tmp\" -v \"$PWD:/pwd\" trufflesecurity/trufflehog git https://github.com/trufflesecurity/test_keys.git',language:\"Shell\"})})}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"p\",{children:\"And check it out on GitHub for more details about how to run it and how to contribute \"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(n,{href:\"https://github.com/trufflesecurity/trufflehog\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!0,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"https://github.com/trufflesecurity/trufflehog\"})})}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"162\",src:\"https://framerusercontent.com/images/kXm3FoOI8yyoQ0QAlGdnPKin35E.jpg\",srcSet:\"https://framerusercontent.com/images/kXm3FoOI8yyoQ0QAlGdnPKin35E.jpg?scale-down-to=512 
512w,https://framerusercontent.com/images/kXm3FoOI8yyoQ0QAlGdnPKin35E.jpg 840w\",style:{aspectRatio:\"840 / 324\"},width:\"420\"})]});export const richText4=/*#__PURE__*/t(a.Fragment,{children:[/*#__PURE__*/e(\"h4\",{children:\"Asymmetric private keys are among the most frequently leaked secrets, so we\u2019re open sourcing a tool that immediately tells you if one is sensitive.\"}),/*#__PURE__*/t(\"p\",{children:[\"Check it out here: \",/*#__PURE__*/e(n,{href:\"https://github.com/trufflesecurity/driftwood\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"https://github.com/trufflesecurity/driftwood\"})})]}),/*#__PURE__*/e(\"p\",{children:\"With this tool we found the private keys for hundreds of TLS certificates, and SSH keys that would have allowed an attacker to compromise millions of endpoints/devices.\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{\"--aspect-ratio\":\"560 / 315\",aspectRatio:\"560 / 315\",height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(o,{componentIdentifier:\"module:NEd4VmDdsxM3StIUbddO/bZxrMUxBPAhoXlARkK9C/YouTube.js:Youtube\",children:t=>/*#__PURE__*/e(r,{...t,play:\"Off\",shouldMute:!0,thumbnail:\"Medium Quality\",url:\"https://youtu.be/C5lErTIWKCc\"})})}),/*#__PURE__*/e(\"p\",{children:\"Asymmetric private keys have a number of different use cases, but two of the most common use cases are TLS and SSH.\"}),/*#__PURE__*/e(\"p\",{children:\"Today the status quo for triaging a private key at best involves a cursory check of the surrounding context to see if there are any clues that could help us figure out if it\u2019s a sensitive key.\"}),/*#__PURE__*/t(\"p\",{children:[\"Running 
\",/*#__PURE__*/e(n,{href:\"https://github.com/trufflesecurity/truffleHog\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"TruffleHog\"})}),\" on the Twitter GitHub organization returns about 25 Private Keys, and the Netflix Organization returns about 4811 Private Keys. Not only is this a tremendous amount of code to review, the surrounding context doesn\u2019t always give us the answer. This is the status quo for most organizations, these keys were not unique or exceptional to Twitter and Netflix.\"]}),/*#__PURE__*/t(\"p\",{children:[\"We compiled a database of billions of TLS and SSH public keys that we know pair with sensitive private keys. \",/*#__PURE__*/e(n,{href:\"https://github.com/trufflesecurity/driftwood\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"Driftwood\"})}),\" will take a given Private Key, extract its public key component, and then post the public key to our database to see whether it pairs with a known sensitive key.\"]}),/*#__PURE__*/e(\"p\",{children:\"Of the thousands of keys from Twitter and Netflix, none of them matched TLS and SSH keys that we had in our database.\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"219\",src:\"https://framerusercontent.com/images/r1jeWZG2PMmUjlMiWyXd3Az0NhU.png\",srcSet:\"https://framerusercontent.com/images/r1jeWZG2PMmUjlMiWyXd3Az0NhU.png?scale-down-to=512 512w,https://framerusercontent.com/images/r1jeWZG2PMmUjlMiWyXd3Az0NhU.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/r1jeWZG2PMmUjlMiWyXd3Az0NhU.png 1363w\",style:{aspectRatio:\"1363 / 439\"},width:\"681\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"em\",{children:\"                                  Driftwood showing a leaked Private Key 
matches 2 TLS certificates\"})}),/*#__PURE__*/e(\"p\",{children:\"We obtained these billions of keys from 2 main sources (though we will be adding new sources in the future)\"}),/*#__PURE__*/t(\"p\",{children:[\"The first source is through \",/*#__PURE__*/e(n,{href:\"https://certificate.transparency.dev/\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"Certificate Transparency\"})}),\". Certificate Transparency is a public log containing all TLS certificates created after 2018. TLS Certificates include a public key, allowing us to index every single public key used for TLS today.\"]}),/*#__PURE__*/e(\"p\",{children:\"We sampled about 50,000 private keys we were able to find on the internet, and found hundreds of certificates that matched with these keys, many of which had not expired and needed to be revoked.\"}),/*#__PURE__*/e(\"p\",{children:\"In the example screenshot above a single Private Key was connected to multiple certificates. This means even though in this case one of these certificates was in the surrounding context, the traditional way of triaging this key would not have sufficed in finding all the affected certificates.\"}),/*#__PURE__*/e(\"p\",{children:\"It\u2019s worth noting it\u2019s best practice to not re-use Private Keys, but we found this practice to be quite common. 
Even though Certificates expire, the underlying private key never expires and nothing prevents the key owner from using it again and again in future certificates.\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"188\",src:\"https://framerusercontent.com/images/kCdl3XIIx4HiQv7ZacL2bJSuc.png\",srcSet:\"https://framerusercontent.com/images/kCdl3XIIx4HiQv7ZacL2bJSuc.png?scale-down-to=512 512w,https://framerusercontent.com/images/kCdl3XIIx4HiQv7ZacL2bJSuc.png 772w\",style:{aspectRatio:\"772 / 376\"},width:\"386\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"em\",{children:\"                                  SSH Key from Github\"})}),/*#__PURE__*/e(\"p\",{children:\"The second main source for keys was GitHub SSH keys. Developers often have a single SSH key they use from their workstation, and they add the public key for this key to the machines they want to SSH into.\"}),/*#__PURE__*/e(\"p\",{children:\"Among those is often GitHub, which allows you to authenticate yourself with SSH. 
Because GitHub lets you query these SSH keys for other users, we are able to use Driftwood to quickly figure out if a private key happens to pair with a GitHub user.\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"236\",src:\"https://framerusercontent.com/images/QMQeBhSX7VkVESIHu3eXUgoHEU.png\",srcSet:\"https://framerusercontent.com/images/QMQeBhSX7VkVESIHu3eXUgoHEU.png?scale-down-to=512 512w,https://framerusercontent.com/images/QMQeBhSX7VkVESIHu3eXUgoHEU.png 714w\",style:{aspectRatio:\"714 / 472\"},width:\"357\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"em\",{children:\"                         Driftwood Finds an SSH key\"})}),/*#__PURE__*/e(\"p\",{children:\"When this happens, typically the same SSH key can be used to SSH into many other servers that the developer has access to.\"}),/*#__PURE__*/e(\"p\",{children:\"We were able to find dozens of GitHub users\u2019 SSH private keys in our 50,000 sample. These dozens of keys had push rights to hundreds of GitHub code repositories, including repositories owned by IBM, Arm, and Oracle. These keys likely could SSH into many servers other than GitHub as well.\"}),/*#__PURE__*/e(\"p\",{children:\"This presents itself as a cascading supply chain issue, because some of the repositories these keys could push to are quite large, with many downstream dependencies and users who would be impacted by a malicious push. We estimate the total number of devices that were consuming the hundreds of impacted repositories to be in the millions.\"}),/*#__PURE__*/e(\"p\",{children:\"Another way of putting this: these keys could have put malicious code on millions of devices. 
Fortunately we got them rotated.\"}),/*#__PURE__*/e(\"p\",{children:\"What was really interesting to see was that in many examples the keys found were in repositories seemingly totally unrelated to the impacted user, and in some cases were in directories marked as \u201Ctest\u201D or \u201Ctutorial\u201D. These keys very likely would have been ignored in a code review. One example was a key in a directory labeled \u201Ctools/lab_key\u201D and another in a directory labeled \u201Ctests/test_jssign/id_rsa\u201D (paths slightly modified to protect anonymity). In both cases the repositories were not owned by the impacted users.\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"148\",src:\"https://framerusercontent.com/images/I5mntKtLwcDVBE68qVC0S8c9VAc.png\",srcSet:\"https://framerusercontent.com/images/I5mntKtLwcDVBE68qVC0S8c9VAc.png?scale-down-to=512 512w,https://framerusercontent.com/images/I5mntKtLwcDVBE68qVC0S8c9VAc.png 964w\",style:{aspectRatio:\"964 / 296\"},width:\"482\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"em\",{children:\"                                        Cracking Encrypted Private Key\"})}),/*#__PURE__*/e(\"p\",{children:\"In our 50,000 sample we also found about 2500 Private Keys encrypted with symmetric encryption keys. We were able to almost immediately guess the passwords for over 70% of these keys. 
For this reason we are also including a very basic word list in Driftwood that can guess the top 250 most common passwords.\"}),/*#__PURE__*/t(\"p\",{children:[\"Here\u2019s again a link to the repo \",/*#__PURE__*/e(n,{href:\"https://github.com/trufflesecurity/driftwood\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"https://github.com/trufflesecurity/driftwood\"})})]}),/*#__PURE__*/e(\"p\",{children:\"Happy hacking!\"})]});export const richText5=/*#__PURE__*/t(a.Fragment,{children:[/*#__PURE__*/e(\"h4\",{children:\"In 2014, while working at a social media company, Andy discovered something that would lead him on a multiple month forensic investigation \u2014 leading him to conclude his company had been thoroughly breached. \"}),/*#__PURE__*/e(\"p\",{children:\"This video details my interview with him for what happened next.\"}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{\"--aspect-ratio\":\"560 / 315\",aspectRatio:\"560 / 315\",height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(o,{componentIdentifier:\"module:NEd4VmDdsxM3StIUbddO/bZxrMUxBPAhoXlARkK9C/YouTube.js:Youtube\",children:t=>/*#__PURE__*/e(r,{...t,play:\"Off\",shouldMute:!0,thumbnail:\"Medium Quality\",url:\"https://youtu.be/JYRKR41BoNg\"})})}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})})]});export const richText6=/*#__PURE__*/t(a.Fragment,{children:[/*#__PURE__*/t(\"h4\",{children:[\"In 2017, unemployed and sitting on the couch of my future co-founder Dustin Decker, I wrote and open sourced a tool called \",/*#__PURE__*/e(n,{href:\"https://github.com/trufflesecurity/truffleHog\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"TruffleHog\"})}),\", which was originally intended to find API keys in Git source code that would help me more easily submit bug 
bounties.\"]}),/*#__PURE__*/e(\"p\",{children:\"Below is a real key that I found and reported on one of Netflix\u2019s public repositories (Netflix later hired me to do security work for them)\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"287\",src:\"https://framerusercontent.com/images/TFKyfGewQBVkBNkPJb3Jh18Lbbo.png\",srcSet:\"https://framerusercontent.com/images/TFKyfGewQBVkBNkPJb3Jh18Lbbo.png?scale-down-to=512 512w,https://framerusercontent.com/images/TFKyfGewQBVkBNkPJb3Jh18Lbbo.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/TFKyfGewQBVkBNkPJb3Jh18Lbbo.png 1708w\",style:{aspectRatio:\"1708 / 574\"},width:\"854\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"p\",{children:\"Giving back to the community, and helping everyone raise the security bar through open source technology has always been at the heart of TruffleHog. 
In the beginning of 2021, my co-founders, Dustin Decker and Julian Dunning, and I decided to leave our full time jobs and focus 100% of our time on giving back to the community that helped make our career, specifically focus on continuing to build out TruffleHog to prevent credential leakage.\"}),/*#__PURE__*/t(\"p\",{children:[\"Fast forward to today, having recently been honored on Forbes\u2019\",/*#__PURE__*/e(n,{href:\"https://www.forbes.com/30-under-30/2022/enterprise-technology?profile=truffle-security\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"\\xa0annual 30 Under 30 list\"})}),\" and having recently pushed out\",/*#__PURE__*/e(n,{href:\"https://trufflesecurity.com/blog/trufflehog-the-chrome-extension\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"\\xa0two\"})}),\" awesome\",/*#__PURE__*/e(n,{href:\"https://trufflesecurity.com/blog/driftwood-know-if-private-keys-are-sensitive/\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"\\xa0new\"})}),\" releases to the open source community, we are so happy to have found venture partners who understand our mission and enable us to continue on this journey.\\xa0\"]}),/*#__PURE__*/t(\"p\",{children:[\"We\u2019re thrilled to be able to work full time on open source technology that improves the state of security. We\u2019re even happier to have found amazing VC partners that believe in this mission and have empowered us to empower developers everywhere with open source, easy-to-use, security tooling. 
\",/*#__PURE__*/e(n,{href:\"https://a16z.com/\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"Andreessen Horowitz\"})}),\" led our Series A this year, followed by \",/*#__PURE__*/e(n,{href:\"https://www.expa.com/\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"Expa\"})}),\",\",/*#__PURE__*/e(n,{href:\"https://lyticalventures.com/\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"\\xa0Lytical\"})}),\",\",/*#__PURE__*/e(n,{href:\"https://harpoon.vc/\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"\\xa0Harpoon\"})}),\",\",/*#__PURE__*/e(n,{href:\"https://hnvr.com/\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"\\xa0HNVR\"})}),\",\",/*#__PURE__*/e(n,{href:\"https://www.essencevc.fund/\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"\\xa0Essence\"})}),\",\",/*#__PURE__*/e(n,{href:\"https://www.abstractvc.com/\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"\\xa0Abstract\"})}),\", and many amazing, helpful angel investors.\"]}),/*#__PURE__*/t(\"p\",{children:[\"Secrets are leaking out\",/*#__PURE__*/e(n,{href:\"https://trufflesecurity.com/blog/an-api-worm-in-the-making-thousands-of-secrets-found-in-open-s3-buckets\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"\\xa0more places than ever\"})}),\" and we are assembling a team to tackle the problem 
through the power of community and open source.\"]}),/*#__PURE__*/t(\"p\",{children:[\"Look out for additional new and exciting tools we plan to release in the coming months and check out our\",/*#__PURE__*/e(n,{href:{webPageId:\"DYec0XrTO\"},motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"\\xa0careers page\"})}),\" to learn about opportunities to help us on our mission to open source security tooling.\"]}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"335\",src:\"https://framerusercontent.com/images/fvpOx9woMtxmPS7QfqnEkCvIE.png\",srcSet:\"https://framerusercontent.com/images/fvpOx9woMtxmPS7QfqnEkCvIE.png?scale-down-to=512 512w,https://framerusercontent.com/images/fvpOx9woMtxmPS7QfqnEkCvIE.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/fvpOx9woMtxmPS7QfqnEkCvIE.png 1559w\",style:{aspectRatio:\"1559 / 671\"},width:\"779\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"em\",{children:\"Truffle Security Co-founders Julian, Dustin and Dylan\"})})]});export const richText7=/*#__PURE__*/t(a.Fragment,{children:[/*#__PURE__*/e(\"h4\",{children:\"API Keys for SaaS and cloud providers are more often making their way into Javascript. That\u2019s why we\u2019re proud to open source a tool that helps find them.\"}),/*#__PURE__*/t(\"p\",{children:[\"Check it out here! 
\",/*#__PURE__*/e(n,{href:\"https://github.com/trufflesecurity/Trufflehog-Chrome-Extension\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"https://github.com/trufflesecurity/Trufflehog-Chrome-Extension\"})})]}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{\"--aspect-ratio\":\"560 / 315\",aspectRatio:\"560 / 315\",height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(o,{componentIdentifier:\"module:NEd4VmDdsxM3StIUbddO/bZxrMUxBPAhoXlARkK9C/YouTube.js:Youtube\",children:t=>/*#__PURE__*/e(r,{...t,play:\"Off\",shouldMute:!0,thumbnail:\"Medium Quality\",url:\"https://youtu.be/i9b5Yij_HV4\"})})}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"p\",{children:\"Below is a real example of an AWS key from weather.com making its way onto the front page, identified with the extension\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"306\",src:\"https://framerusercontent.com/images/VtSlKXjvDNXqcj0hZLgaX2AYw8.png\",srcSet:\"https://framerusercontent.com/images/VtSlKXjvDNXqcj0hZLgaX2AYw8.png?scale-down-to=512 512w,https://framerusercontent.com/images/VtSlKXjvDNXqcj0hZLgaX2AYw8.png 1013w\",style:{aspectRatio:\"1013 / 612\"},width:\"506\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"em\",{children:\"                                               AWS key on weather.com\"})}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"p\",{children:\"You can still view this key today by visiting archive.org and going back to 2020. 
The chrome extension should alert you that there\u2019s a key there.\"}),/*#__PURE__*/t(\"p\",{children:[\"To understand why keys like this are making their way into Javascript we first need to understand \",/*#__PURE__*/e(n,{href:\"https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"CORS\"})}),\".\"]}),/*#__PURE__*/e(\"p\",{children:\"By default, websites can\u2019t make cross-origin requests to other APIs and read the responses unless the foreign API invites them to do so with a permissive CORS header.\"}),/*#__PURE__*/t(\"p\",{children:[\"Amazon AWS API\u2019s as well as many other SaaS and Cloud provider API\u2019s have extremely permissive CORS settings, as seen below with the \",/*#__PURE__*/e(\"strong\",{children:\"Access-Control-Allow-Origin: *\"}),\" header\"]}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"98\",src:\"https://framerusercontent.com/images/8mQ3COFM86Nl2l8HJRKuqNJ3UoI.png\",srcSet:\"https://framerusercontent.com/images/8mQ3COFM86Nl2l8HJRKuqNJ3UoI.png?scale-down-to=512 512w,https://framerusercontent.com/images/8mQ3COFM86Nl2l8HJRKuqNJ3UoI.png 670w\",style:{aspectRatio:\"670 / 196\"},width:\"335\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"em\",{children:\"                     Permissive CORS on AWS\"})}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"p\",{children:\"This header not only encourages websites to make requests to AWS, but because AWS\u2019s API\u2019s are credentialed, this encourages Javascript to contain AWS credentials as seen 
below:\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"222\",src:\"https://framerusercontent.com/images/7DIFBqaofTnSE7yaCPvkcnhKno.png\",srcSet:\"https://framerusercontent.com/images/7DIFBqaofTnSE7yaCPvkcnhKno.png?scale-down-to=512 512w,https://framerusercontent.com/images/7DIFBqaofTnSE7yaCPvkcnhKno.png 601w\",style:{aspectRatio:\"601 / 445\"},width:\"300\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"em\",{children:\"            Cross Origin Requests to AWS\"})}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"p\",{children:\"We\u2019ve observed this pattern on the open internet, but it also seems more common in internal applications at companies. Unfortunately CORS issues can often cascade and lead to multiple points of failure compromising the integrity of the keys on internal apps.\"}),/*#__PURE__*/e(\"p\",{children:\"Specifically common apps often have permissive CORS settings. This is a growing trend with API first application development. 
Because multiple frontend applications often consume the same backend API, many internal apps unfortunately get scopes with permissive CORS settings.\"}),/*#__PURE__*/e(\"p\",{children:\"If we combine the above two concepts, we end up with a foreign origin from the open internet with the ability to make requests to internal apps and API\u2019s, view the responses, and steal API keys hardcoded client side in the internal applications:\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"575\",src:\"https://framerusercontent.com/images/cxQ8RilTtdcy2hHULziA7WViPQ.png\",srcSet:\"https://framerusercontent.com/images/cxQ8RilTtdcy2hHULziA7WViPQ.png?scale-down-to=512 512w,https://framerusercontent.com/images/cxQ8RilTtdcy2hHULziA7WViPQ.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/cxQ8RilTtdcy2hHULziA7WViPQ.png 1178w\",style:{aspectRatio:\"1178 / 1150\"},width:\"589\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/t(\"p\",{children:[\"The chrome extension has a few other nice features as well, such as the ability to detect \",/*#__PURE__*/e(n,{href:\"https://medium.com/swlh/hacking-git-directories-e0e60fa79a36\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\".git directories\"})}),\" and .env files, both of which can also contain credentials in them.\"]}),/*#__PURE__*/t(\"p\",{children:[\"Here\u2019s again a link to the repo \",/*#__PURE__*/e(n,{href:\"https://github.com/trufflesecurity/Trufflehog-Chrome-Extension\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"https://github.com/trufflesecurity/Trufflehog-Chrome-Extension\"})})]}),/*#__PURE__*/e(\"p\",{children:\"The extension is currently pending security review 
on the google extension store, but in the meantime it can be sideloaded.\"}),/*#__PURE__*/e(\"p\",{children:\"Happy hacking!\"})]});export const richText8=/*#__PURE__*/t(a.Fragment,{children:[/*#__PURE__*/e(\"h4\",{children:\"In August 2021 an attacker used XSS to attack users. XSS is one of the most common web vulnerabilities. Why don\u2019t we see more of this?\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{\"--aspect-ratio\":\"560 / 315\",aspectRatio:\"560 / 315\",height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(o,{componentIdentifier:\"module:NEd4VmDdsxM3StIUbddO/bZxrMUxBPAhoXlARkK9C/YouTube.js:Youtube\",children:t=>/*#__PURE__*/e(r,{...t,play:\"Off\",shouldMute:!0,thumbnail:\"Medium Quality\",url:\"https://youtu.be/llTfexvH4pQ\"})})}),/*#__PURE__*/t(\"p\",{children:[/*#__PURE__*/e(\"br\",{}),/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})]})]});export const richText9=/*#__PURE__*/t(a.Fragment,{children:[/*#__PURE__*/e(\"h4\",{children:\"In 2017 DJI created a bug bounty program that led to a series of interactions with the drone hacking community.\"}),/*#__PURE__*/e(\"p\",{children:\"This video details what happened next.\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{\"--aspect-ratio\":\"560 / 315\",aspectRatio:\"560 / 315\",height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(o,{componentIdentifier:\"module:NEd4VmDdsxM3StIUbddO/bZxrMUxBPAhoXlARkK9C/YouTube.js:Youtube\",children:t=>/*#__PURE__*/e(r,{...t,play:\"Off\",shouldMute:!0,thumbnail:\"Medium Quality\",url:\"https://youtu.be/VqyzTv-2h9k\"})})})]});export const richText10=/*#__PURE__*/t(a.Fragment,{children:[/*#__PURE__*/e(\"h4\",{children:\"In 2014 Uber first experienced a data breach stemming from posting keys to a Git Gist. 
\"}),/*#__PURE__*/e(\"p\",{children:\"The story below chronicles the years that followed; it\u2019s a wild story that spans multiple breaches, multiple court cases, and led to people getting fired, and indicted by the FBI\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{\"--aspect-ratio\":\"560 / 315\",aspectRatio:\"560 / 315\",height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(o,{componentIdentifier:\"module:NEd4VmDdsxM3StIUbddO/bZxrMUxBPAhoXlARkK9C/YouTube.js:Youtube\",children:t=>/*#__PURE__*/e(r,{...t,play:\"Off\",shouldMute:!0,thumbnail:\"Medium Quality\",url:\"https://youtu.be/fGY-v-eYwOY\"})})})]});export const richText11=/*#__PURE__*/t(a.Fragment,{children:[/*#__PURE__*/t(\"h4\",{children:[\"A hacker \",/*#__PURE__*/e(n,{href:\"https://www.bleepingcomputer.com/news/security/source-code-from-dozens-of-companies-leaked-online/\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"found\"})}),\" a common misconfiguration in Gitlab servers and used it to download source code.\"]}),/*#__PURE__*/e(\"p\",{children:\"I used TruffleHog to help, as seen in the short video below\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{\"--aspect-ratio\":\"560 / 315\",aspectRatio:\"560 / 315\",height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(o,{componentIdentifier:\"module:NEd4VmDdsxM3StIUbddO/bZxrMUxBPAhoXlARkK9C/YouTube.js:Youtube\",children:t=>/*#__PURE__*/e(r,{...t,play:\"Off\",shouldMute:!0,thumbnail:\"Medium 
Quality\",url:\"https://youtu.be/1mZzMzdE2-4\"})})}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(n,{href:\"https://trufflesecurity.com/blog?author=5e9cf68199ac757991813e9b\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!0,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"Dylan Ayrey\"})})})]});export const richText12=/*#__PURE__*/t(a.Fragment,{children:[/*#__PURE__*/t(\"h4\",{children:[\"It\u2019s been a little over 4 years since I originally open sourced \",/*#__PURE__*/e(n,{href:\"https://github.com/trufflesecurity/truffleHog\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"TruffleHog\"})}),\". \"]}),/*#__PURE__*/t(\"p\",{children:[\"At the time the tool was meant to be a tool to help me with Bug Bounties. It\u2019s been inspiring to watch so many members of the community use the tool over the years to help clean up GitHub, and in many cases, provide some income for hackers all over the world on platforms like \",/*#__PURE__*/e(n,{href:\"https://hackerone.com/\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"Hackerone\"})}),\" through responsible disclosure.\"]}),/*#__PURE__*/t(\"p\",{children:[\"Secrets leakage today is still a growing and evolving issue as we\u2019ve pointed out recently in a \",/*#__PURE__*/e(n,{href:\"https://trufflesecurity.com/blog/an-api-worm-in-the-making-thousands-of-secrets-found-in-open-s3-buckets\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"blog post\"})}),\" or you can see for yourself with simple 
\",/*#__PURE__*/e(n,{href:\"https://www.google.com/search?q=filetype:env+localhost\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"Google dorking\"})})]}),/*#__PURE__*/t(\"p\",{children:[\"The impact of leaky credentials is also evolving, as I pointed out in my \",/*#__PURE__*/e(n,{href:\"https://www.youtube.com/watch?v=Ml09R38jpok\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"2020 Blackhat talk\"})}),\" centered around GCP credentials.\"]}),/*#__PURE__*/e(\"p\",{children:\"In 2017, I was never prescriptive about what one SHOULD do with their secrets. I wrote a tool that told people what they shouldn\u2019t do, but in the world of infosec that\u2019s not particularly useful if it\u2019s not accompanied with a usable solution to complement the problem.\"}),/*#__PURE__*/e(\"p\",{children:\"Today Truffle Security helps customers scan all kinds of things for leaky credentials, as seen below:\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"618\",src:\"https://framerusercontent.com/images/HQBvdsfFx7SuFa3IkL9nQ7zWlO0.png\",srcSet:\"https://framerusercontent.com/images/HQBvdsfFx7SuFa3IkL9nQ7zWlO0.png?scale-down-to=512 512w,https://framerusercontent.com/images/HQBvdsfFx7SuFa3IkL9nQ7zWlO0.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/HQBvdsfFx7SuFa3IkL9nQ7zWlO0.png?scale-down-to=2048 2048w,https://framerusercontent.com/images/HQBvdsfFx7SuFa3IkL9nQ7zWlO0.png 2500w\",style:{aspectRatio:\"2500 / 1237\"},width:\"1250\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"p\",{children:\"But that\u2019s only half the story. 
What if you\u2019re in a situation where you\u2019ve determined you don\u2019t want your keys in Slack, and Jira, but you don\u2019t have a mature strategy towards secrets management?\"}),/*#__PURE__*/t(\"p\",{children:[\"There\u2019s a lot of different secrets management solutions out there, but many of them aren\u2019t very user friendly, and can be difficult to set up. One we\u2019ve had our eye on recently is \",/*#__PURE__*/e(n,{href:\"https://www.doppler.com/\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"Doppler\"})}),\".\"]}),/*#__PURE__*/e(\"p\",{children:\"They\u2019ve really taken a user friendly approach to managing sensitive environment variables, and are very quick to set up.\\xa0\"}),/*#__PURE__*/e(\"p\",{children:\"This helps with one of the most important things Truffle Security helps customers with: remediation and rotation. Of course we prefer to catch keys before they leak out, in pre-commit hooks or an IDE plugin, but leaks still happen. The more approachable and usable your secrets management solution is, the quicker leaked keys can be rotated out, and the less exposure time they have to bad actors.\"}),/*#__PURE__*/e(\"p\",{children:\"Another difficult thing is you usually need a secret solution that can inject secrets across many different providers. This is because companies typically operate in a multi-cloud, on-prem, docker, Kubernetes hodgepodge, and all of those places typically have secrets needs. 
A good example is if you\u2019re using docker locally, building in GitLab, and are deploying to Kubernetes, you need secrets potentially injected into all those places, and Doppler supports this.\"}),/*#__PURE__*/e(\"p\",{children:\"Here\u2019s a video demo of Truffle Security finding a key, moving the key into free community version of Doppler, and rotating the key:\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{\"--aspect-ratio\":\"560 / 315\",aspectRatio:\"560 / 315\",height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(o,{componentIdentifier:\"module:NEd4VmDdsxM3StIUbddO/bZxrMUxBPAhoXlARkK9C/YouTube.js:Youtube\",children:t=>/*#__PURE__*/e(r,{...t,play:\"Off\",shouldMute:!0,thumbnail:\"Medium Quality\",url:\"https://youtu.be/K2PBUynC6jA\"})})}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"p\",{children:\"\\xa0I\u2019m happy to tell a more complete story now, not just highlighting problems, but also providing solutions that are easy to use, and developer friendly.\"})]});export const richText13=/*#__PURE__*/t(a.Fragment,{children:[/*#__PURE__*/e(\"h2\",{children:\"Background\"}),/*#__PURE__*/e(\"p\",{children:\"S3 buckets are a common place to store files in AWS. These buckets have a feature that allows you to make your files readable by anyone on the internet without authentication. If the content is meant for public consumption, like storing HTML, CSS, and JS assets for a website, this feature can be really useful, but it\u2019s a double edged sword. 
Frequently, these files contain sensitive information, which has caused several high profile security incidents, including:\"}),/*#__PURE__*/t(\"ul\",{children:[/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(n,{href:\"https://www.darkreading.com/cloud/twilio-security-incident-shows-danger-of-misconfigured-s3-buckets/d/d-id/1338447\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"A recent incident with Twilio\"})})})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(n,{href:\"https://www.darkreading.com/cloud/dow-jones-data-leak-results-from-amazon-aws-configuration-error/d/d-id/1329382?\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"The Dow Jones data breach\"})})})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(n,{href:\"https://www.theverge.com/2017/7/12/15962520/verizon-nice-systems-data-breach-exposes-millions-customer-records\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"A Verizon Wireless data breach\"})})})})]}),/*#__PURE__*/e(\"p\",{children:\"Typically the data exposed is the end of the reported story, but we\u2019ve found it\u2019s often not the end of the security story. Since we recently added S3 support to TruffleHog, we thought scanning the set of publicly exposed buckets for credentials would be a great way to get ahead of potential security incidents, and we ended up finding thousands of distinct secrets spanning hundreds of customers.\"}),/*#__PURE__*/e(\"h2\",{children:\"Methodology\"}),/*#__PURE__*/t(\"p\",{children:[\"The first thing we needed to do is compile a list of open S3 buckets. 
Luckily, the bucket names are globally unique and can be specified by subdomain. For example, if a bucket was named \u201Ctrufflehogbucket\u201D, the files could be accessed at: \",/*#__PURE__*/e(n,{href:\"https://trufflehogbucket.s3.amazonaws.com/\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"https://trufflehogbucket.s3.amazonaws.com/filename\"})}),\". Because DNS traffic is typically unencrypted, many bucket names are collected by DNS taps. Some vendors like RiskIQ expose this data via their PassiveTotal API.\"]}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"149\",src:\"https://framerusercontent.com/images/xfZi133mhf85wVJ82ro7VaYowVQ.png\",srcSet:\"https://framerusercontent.com/images/xfZi133mhf85wVJ82ro7VaYowVQ.png?scale-down-to=512 512w,https://framerusercontent.com/images/xfZi133mhf85wVJ82ro7VaYowVQ.png 998w\",style:{aspectRatio:\"998 / 298\"},width:\"499\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/t(\"p\",{children:[\"Other tools like \",/*#__PURE__*/e(n,{href:\"https://buckets.grayhatwarfare.com/\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"grayhatwarfare\"})}),\" take a different approach and generate large lists of likely bucket names and make requests to the S3 API to determine if the bucket exists and contains publicly exposed files.\\xa0 Using these, and other techniques, we built our initial list of buckets. Scanning all of the exposed data quickly grew impractical, so we needed a way to narrow the list to buckets and files likely to contain secrets. 
Fortunately, grayhatwarfare\u2019s API also allows you to search the names of files, so we searched for common names like \u2018.credentials\u2019, \u2018.env\u2019, etc. and only scanned buckets containing matching files.\"]}),/*#__PURE__*/e(\"h2\",{children:\"Results\"}),/*#__PURE__*/t(\"p\",{children:[\"After scanning approximately \",/*#__PURE__*/e(\"strong\",{children:\"4000\"}),\" buckets containing .env files and .credentials files, we found a file containing secrets had an average of \",/*#__PURE__*/e(\"strong\",{children:\"2.5\"}),\" secrets in it, with some as high as \",/*#__PURE__*/e(\"strong\",{children:\"10+\"}),\" secrets in a file.\"]}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"696\",src:\"https://framerusercontent.com/images/UzgSfsVnUhbmqnBjGecpD7GsHTU.png\",srcSet:\"https://framerusercontent.com/images/UzgSfsVnUhbmqnBjGecpD7GsHTU.png?scale-down-to=512 512w,https://framerusercontent.com/images/UzgSfsVnUhbmqnBjGecpD7GsHTU.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/UzgSfsVnUhbmqnBjGecpD7GsHTU.png 1999w\",style:{aspectRatio:\"1999 / 1392\"},width:\"999\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"em\",{children:\"                                                                                                   Secret results\"})}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"p\",{children:\"We also found a wide variety of credential types, including:\"}),/*#__PURE__*/t(\"ul\",{children:[/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"AWS Keys\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"GCP service accounts\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Azure Blob Storage connection 
strings\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Coinbase API keys\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Twilio\\xa0 API keys\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Mailgun API keys\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"RDS passwords\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Sendgrid credentials\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Pusher credentials\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"MSSQL passwords\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Mailtrap credentials\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Google OAuth credentials\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Twitter OAuth credentials\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Linked in OAuth credentials\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Google Maps API keys\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Segment API keys\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Sauce API keys\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Hosted MongoDB credentials\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Firebase credentials\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Stripe 
credentials\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Rollbar credentials\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Twilio credentials\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Amplitude credentials\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Mailjet credentials\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"SMS partner credentials\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Dropbox credentials\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Yousign credentials\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"PayPal credentials\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Mandrill credentials\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Zendesk credentials\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Hosted message queue connection strings\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Razor pay credentials\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Text local credentials\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Application signing secrets\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"JWT signing secrets\"})})]}),/*#__PURE__*/e(\"h2\",{children:\"Impact Magnifier: Wormability\"}),/*#__PURE__*/e(\"p\",{children:\"It\u2019s clear from the surrounding context, many of these credentials unlock more 
buckets that are otherwise authenticated. Here are two examples\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"106\",src:\"https://framerusercontent.com/images/QkUP6EXA9LYXwTORY9GA62vgvU.png\",srcSet:\"https://framerusercontent.com/images/QkUP6EXA9LYXwTORY9GA62vgvU.png?scale-down-to=512 512w,https://framerusercontent.com/images/QkUP6EXA9LYXwTORY9GA62vgvU.png 652w\",style:{aspectRatio:\"652 / 212\"},width:\"326\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"em\",{children:\"     Leaked credentials leading to more buckets\"})}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"349\",src:\"https://framerusercontent.com/images/hQoe8A5N7oeObDNQ8m9L00lLMuI.png\",srcSet:\"https://framerusercontent.com/images/hQoe8A5N7oeObDNQ8m9L00lLMuI.png?scale-down-to=512 512w,https://framerusercontent.com/images/hQoe8A5N7oeObDNQ8m9L00lLMuI.png 1017w\",style:{aspectRatio:\"1017 / 698\"},width:\"508\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"em\",{children:\"                               Leaked credentials leading to more buckets\"})}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"p\",{children:\"It\u2019s probably fair to assume authenticated buckets contain more secrets than unauthenticated ones, due to the implied higher security bar authentication provides. This means attackers can likely use the first round of buckets to find keys that unlock an additional round of buckets and expose more keys, which could expose more buckets, etc. 
We did not use any of these keys or explore this possibility for obvious reasons, but this makes this type of attack \u201Cwormable\u201D, ie, one bucket can lead to another bucket, and so on, magnifying the impact of the leak.\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"484\",src:\"https://framerusercontent.com/images/YDoBGRlTsmh4BtcigRUF3ICVvi8.png\",srcSet:\"https://framerusercontent.com/images/YDoBGRlTsmh4BtcigRUF3ICVvi8.png?scale-down-to=512 512w,https://framerusercontent.com/images/YDoBGRlTsmh4BtcigRUF3ICVvi8.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/YDoBGRlTsmh4BtcigRUF3ICVvi8.png 1552w\",style:{aspectRatio:\"1552 / 968\"},width:\"776\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"em\",{children:\"                                                                                   Worming through S3 buckets\"})}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"p\",{children:\"What\u2019s worse is some of these keys led to other large data stores that may have access to keys, such as Github API keys, and GCP Storage API keys.\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"435\",src:\"https://framerusercontent.com/images/1KxalcvbJqhibYQZROkufYGzFU.png\",srcSet:\"https://framerusercontent.com/images/1KxalcvbJqhibYQZROkufYGzFU.png 811w\",style:{aspectRatio:\"811 / 870\"},width:\"405\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"em\",{children:\"                       Worming through multiple providers\"})}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"br\",{className:\"trailing-break\"})}),/*#__PURE__*/e(\"h2\",{children:\"Next Steps\"}),/*#__PURE__*/e(\"p\",{children:\"Naturally at this point we needed to disclose what we found to the affected 
companies. This proved challenging at times because often buckets don\u2019t have a lot of information connecting them with the bucket creator. We did hundreds of disclosures, and partnered with providers in some cases to get keys revoked for buckets where we couldn\u2019t identify owners.\\xa0 Disclosures ranged from dozens of Fortune 500 companies to NGOs and small startups.\\xa0\"}),/*#__PURE__*/e(\"p\",{children:\"At any scale, it\u2019s a good idea to have all of your buckets scanned routinely for exposed credentials to prevent catastrophe.\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(n,{href:\"https://trufflesecurity.com/blog?author=6124090bed6e337e8096c7c7\",motionChild:!0,nodeId:\"J2iOueWvI\",openInNewTab:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(i.a,{children:\"Guest User\"})})})]});\nexport const __FramerMetadata__ = {\"exports\":{\"richText2\":{\"type\":\"variable\",\"annotations\":{\"framerContractVersion\":\"1\"}},\"richText1\":{\"type\":\"variable\",\"annotations\":{\"framerContractVersion\":\"1\"}},\"richText3\":{\"type\":\"variable\",\"annotations\":{\"framerContractVersion\":\"1\"}},\"richText4\":{\"type\":\"variable\",\"annotations\":{\"framerContractVersion\":\"1\"}},\"richText8\":{\"type\":\"variable\",\"annotations\":{\"framerContractVersion\":\"1\"}},\"richText7\":{\"type\":\"variable\",\"annotations\":{\"framerContractVersion\":\"1\"}},\"richText5\":{\"type\":\"variable\",\"annotations\":{\"framerContractVersion\":\"1\"}},\"richText11\":{\"type\":\"variable\",\"annotations\":{\"framerContractVersion\":\"1\"}},\"richText10\":{\"type\":\"variable\",\"annotations\":{\"framerContractVersion\":\"1\"}},\"richText13\":{\"type\":\"variable\",\"annotations\":{\"framerContractVersion\":\"1\"}},\"richText6\":{\"type\":\"variable\",\"annotations\":{\"framerContractVersion\":\"1\"}},\"richText12\":{\"type\":\"variable\",\"annotations\":{\"framerContractVersion\":\"1\"}},\"richText9\":{\"type\":\"variable\",\"annotations\":{\"framerContractVers
ion\":\"1\"}},\"richText\":{\"type\":\"variable\",\"annotations\":{\"framerContractVersion\":\"1\"}},\"__FramerMetadata__\":{\"type\":\"variable\"}}}"],
  "mappings": "wYAAqZ,IAAMA,EAAsBC,EAAIC,EAAS,CAAC,SAAS,CAAcC,EAAE,KAAK,CAAC,SAAS,wKAAwK,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,6BAA0CE,EAAEC,EAAE,CAAC,KAAK,mKAAmK,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,eAAe,CAAC,CAAC,CAAC,EAAE,qLAAgL,CAAC,CAAC,EAAeJ,EAAE,IAAI,CAAC,SAAS,CAAC,0PAAuQE,EAAEC,EAAE,CAAC,KAAK,oEAAoE,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,qCAAqC,CAAC,CAAC,CAAC,EAAE,iHAA6F,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,qEAAqE,OAAO,iQAAiQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,gFAA6FE,EAAEC,EAAE,CAAC,KAAK,6CAA6C,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,sEAAsE,CAAC,CAAC,CAAC,EAAE,kBAAkB,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,uEAAuE,OAAO,uQAAuQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,KAAK,CAAC,SAAS,qBAAqB,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,uQAAkQ,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,uEAAuE,OAAO,uQAAuQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,8FAA2GE,EAAEC,EAAE,CAAC,KAAK,wFAAwF,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,MAAM,CAAC,CAAC,CAAC,EAAE,QAAqBF,EAAEC,EAAE,CAAC,KAAK,wEAAwE,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,YAAY,CAAC,CAAC,CAAC,EAAE,uEAAoFF,EAAEC,EAAE,CAAC,KAAK,kEAAkE,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,mBAAmB,CAAC,CAAC,CAAC,EAAE,2LAAiL,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CA
AC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,sEAAsE,OAAO,oQAAoQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,oMAAiNE,EAAE,SAAS,CAAC,SAAS,YAAY,CAAC,EAAE,uPAA6O,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,UAAU,qBAAqB,MAAM,CAAC,OAAO,OAAO,MAAM,MAAM,EAAE,SAAsBA,EAAEG,EAAE,CAAC,oBAAoB,wEAAwE,SAASC,GAAgBJ,EAAEK,EAAE,CAAC,GAAGD,EAAE,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,oBAAiY,SAAS,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeJ,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAcE,EAAEC,EAAE,CAAC,KAAK,4CAA4C,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,uDAAuD,CAAC,CAAC,CAAC,EAAE,4JAA4J,CAAC,CAAC,EAAeJ,EAAE,IAAI,CAAC,SAAS,CAAC,4FAAoGE,EAAEC,EAAE,CAAC,KAAK,2BAA2B,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,0BAA0B,CAAC,CAAC,CAAC,EAAE,8QAAyQ,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,oJAAoJ,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,sEAAsE,OAAO,oQAAoQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,0FAAgF,CAAC,EAAeA,EAAE,KAAK,CAAC,SAAS,uDAAuD,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,6bAAwb,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,+NAAqN,CAAC,EAAeF,EAAE,KAAK,CAAC,SAAS,CAAcE,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,+DAA+D,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,2FAA2F,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,4GAA4G,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,qGAAgG,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,2CAA2
C,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,8DAA8D,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,mEAAmE,CAAC,EAAeA,EAAE,KAAK,CAAC,SAAS,qBAAqB,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,4VAAoWE,EAAE,KAAK,CAAC,SAAS,SAAS,CAAC,EAAE,wBAAwB,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,kKAA0KE,EAAEC,EAAE,CAAC,KAAK,mDAAmD,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,kDAAkD,CAAC,CAAC,CAAC,EAAE,+SAA6SF,EAAEC,EAAE,CAAC,KAAK,oDAAoD,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,mDAAmD,CAAC,CAAC,CAAC,EAAE,wLAAqMF,EAAE,KAAK,CAAC,SAAS,YAAY,CAAC,EAAE,kDAAkD,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,+OAA+O,CAAC,EAAeA,EAAE,KAAK,CAAC,SAAS,oBAAoB,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,uQAAuQ,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,0VAA0V,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,yPAAyP,CAAC,EAAeA,EAAE,KAAK,CAAC,SAAS,0CAA0C,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,6SAAmS,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,sFAAmGE,EAAEC,EAAE,CAAC,KAAK,8EAA8E,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,YAAY,CAAC,CAAC,CAAC,EAAE,gZAA2Y,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,uEAAuE,OAAO,uQAAuQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,iMAAyME,EAAE,KAAK,CAAC,SAAS,iBAAiB,CAAC,EAAE,uCAAoDA,EAAE,KAAK,CAAC,SAAS,kBAAkB,CAAC,EAAE,IAAI,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,8RAAoR,CAAC,EAAeA,EAAE,KAAK,CAAC,SAAS,uBAAuB,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,4UAAuU,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,UAAU,qBAAqB,MAAM,CAAC,OAAO,OAAO,MAAM,MAAM,EAAE,SAAsBA,EAAEG,EAAE,CAAC,oBAAoB,wEAAwE,SAASC,GAAgBJ,EAAEK,EAAE,CAAC,GAAGD,EAAE,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,qBAAsX,SAAS,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeJ,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UA
AU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,wfAAmf,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAcE,EAAE,KAAK,CAAC,CAAC,EAAE,iKAA8KA,EAAEC,EAAE,CAAC,KAAK,iCAAiC,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,yBAAoB,CAAC,CAAC,CAAC,EAAE,6SAA6S,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,4HAAuH,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,8EAAoE,CAAC,EAAeA,EAAE,KAAK,CAAC,SAAS,kCAAkC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,4LAA4L,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAEC,EAAE,CAAC,KAAK,mKAAmK,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,kKAAkK,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeJ,EAAE,IAAI,CAAC,SAAS,CAAcE,EAAE,KAAK,CAAC,CAAC,EAAE,kOAAkO,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,qEAAqE,OAAO,iQAAiQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,0MAAuNE,EAAE,KAAK,CAAC,SAAS,IAAI,CAAC,EAAE,0HAA0H,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,uEAAuE,OAAO,uQAAuQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,yOAAyO,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,sEAAsE,OAAO,oQAAoQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,4DAAoEE,EAAEC,EAAE,CAAC,KAAK,mKAAmK,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,qBAAqB,CAAC,CAAC,CAAC,EAAE,oLAA+K,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,yLAAoL,CAAC,EAAeA,EAAE,KAAK,CAAC,SAAS,YAAY,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,6JAA0KE,EAAE,KAAK,CAAC,SAAS,KAAK,CAAC,EAAE,uIAAuI,C
AAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,sEAAmFE,EAAE,KAAK,CAAC,CAAC,EAAE,mDAAgEA,EAAEC,EAAE,CAAC,KAAK,8CAA8C,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,2BAA2B,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,UAAU,qBAAqB,MAAM,CAAC,iBAAiB,YAAY,YAAY,YAAY,OAAO,OAAO,MAAM,MAAM,EAAE,SAAsBA,EAAEG,EAAE,CAAC,oBAAoB,sEAAsE,SAASC,GAAgBJ,EAAEM,EAAE,CAAC,GAAGF,EAAE,KAAK,MAAM,WAAW,GAAG,UAAU,iBAAiB,IAAI,8BAA8B,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeN,EAAE,IAAI,CAAC,SAAS,CAAcE,EAAE,KAAK,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeO,EAAuBT,EAAIC,EAAS,CAAC,SAAS,CAAcD,EAAE,KAAK,CAAC,SAAS,CAAC,qCAAkDE,EAAEC,EAAE,CAAC,KAAK,gFAAgF,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,wCAAwC,CAAC,CAAC,CAAC,EAAE,0MAA2L,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,qGAAsF,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,sEAAsE,OAAO,uKAAuK,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,yHAAiIE,EAAEC,EAAE,CAAC,KAAK,mDAAmD,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,kDAAkD,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,yTAAoT,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,sEAAsE,OAAO,oQAAoQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,wFAAwF,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,uHAAuH,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,UAAU,qBAAqB,MAAM,CAAC,OAAO,OAAO,MAAM,MAAM,EAAE,SAAsBA,EAAEG,EAAE,CAAC,oBAAoB,wEAAwE,SAASC,GAAgBJ,EAAEK,EAAE,CAAC,GAAGD,EAAE,KAAK,4EAA4E,SAAS,MAAM,CAAC,CAAC,CAAC,CAAC,
CAAC,EAAeJ,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,2IAAsI,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,sEAAsE,OAAO,oQAAoQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,gUAA8TE,EAAE,SAAS,CAAC,SAAS,6EAA6E,CAAC,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,kSAAwR,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,0KAAgK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,+SAA0S,CAAC,EAAeA,EAAE,KAAK,CAAC,SAAS,0CAAgC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,+RAA0R,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,qHAAgH,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,qLAA6LE,EAAEC,EAAE,CAAC,KAAK,gLAAgL,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,+BAA+B,CAAC,CAAC,CAAC,EAAE,4EAAuE,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,4BAAyCE,EAAE,KAAK,CAAC,CAAC,EAAeA,EAAEC,EAAE,CAAC,KAAK,yEAAyE,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,wEAAwE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,sVAAiV,CAAC,EAAeA,EAAE,KAAK,CAAC,SAAS,qBAAqB,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,qBAAkCE,EAAEC,EAAE,CAAC,KAAK,6BAA6B,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,mBAAmB,CAAC,CAAC,CAAC,EAAE,0QAA0Q,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,6RAA6R,CAAC,EAAeA,EAAE,KAAK,CAAC,SAAS,YAAY,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,+ZAA2Y,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,4GAA4G,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,UAAU,qBAAqB,MAAM,CAAC,iBAAiB,YAAY,YAAY,YAAY,OAAO,OAAO,MAAM,MAAM,EAAE,SAAsBA,EAAEG,EAAE,CAAC,oBAAoB,sEAAsE,SAASC,GAAgBJ,EAAEM,EAAE,CAAC,GAAGF,EAAE,KAAK,MAAM,WAAW,GAAG,UAAU,iBAAiB,IAAI,8BAA8B,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeJ,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,C
AAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAcE,EAAEC,EAAE,CAAC,KAAK,oCAAoC,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,UAAU,CAAC,CAAC,CAAC,EAAE,iFAA8FF,EAAEC,EAAE,CAAC,KAAK,iCAAiC,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,sBAAsB,CAAC,CAAC,CAAC,EAAE,+BAA+B,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeM,EAAuBV,EAAIC,EAAS,CAAC,SAAS,CAAcC,EAAE,KAAK,CAAC,SAAS,2JAAiJ,CAAC,EAAeA,EAAE,KAAK,CAAC,SAAS,qBAAqB,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,0JAA2I,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,mCAAgDE,EAAEC,EAAE,CAAC,KAAK,gDAAgD,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,qBAAqB,CAAC,CAAC,CAAC,EAAE,iLAAuK,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAcA,EAAE,KAAK,CAAC,SAAS,CAAC,gUAAwUE,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeA,EAAEC,EAAE,CAAC,KAAK,4DAA4D,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAsBF,EAAE,KAAK,CAAC,SAAS,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,kEAA+EE,EAAE,SAAS,CAAC,SAAS,kBAAkB,CAAC,EAAE,qFAA6FA,EAAE,SAAS,CAAC,SAAS,mBAAmB,CAAC,EAAE,mBAAmB,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,mOAAmO,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,wEAAwE,OAAO,6EAA6E,MAAM,CAAC,YAAY,WAAW,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,uGAAkG,CAAC,EAAeA,EAAE,KAAK,CAAC,SAAS,2CAA2C,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,uQAAkQ,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,gQAAgQ,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,6DAA6D,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,gLAA2K,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,yhBAA+gB,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,qEAAqE,OAAO,iQAAiQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KA
AK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,gKAA6KE,EAAE,SAAS,CAAC,SAAS,mDAAmD,CAAC,EAAE,sFAAsF,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,uEAAuE,OAAO,uQAAuQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,mFAAgGE,EAAE,SAAS,CAAC,SAAS,kBAAkB,CAAC,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,sEAAsE,OAAO,oQAAoQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,+RAA0R,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,sFAAmGE,EAAEC,EAAE,CAAC,KAAK,wEAAwE,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,wCAAwC,CAAC,CAAC,CAAC,EAAE,wDAAwD,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,uEAAuE,OAAO,uQAAuQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,gVAA2U,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,UAAU,qBAAqB,MAAM,CAAC,iBAAiB,YAAY,YAAY,YAAY,OAAO,OAAO,MAAM,MAAM,EAAE,SAAsBA,EAAEG,EAAE,CAAC,oBAAoB,sEAAsE,SAASC,GAAgBJ,EAAEM,EAAE,CAAC,GAAGF,EAAE,KAAK,MAAM,WAAW,GAAG,UAAU,iBAAiB,IAAI,8BAA8B,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeJ,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,SAAS,uLAAuL,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeS,EAAuBX,EAAIC,EAAS,CAAC,SAAS,CAAcC,EAAE,KAAK,CAAC,SAAS,kLAAkL,CAAC,EAAeA,EAAE,KAAK,CAAC,SAAS,2BAA2B,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,iQAA4P,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,sBAAmCE,EAAEC,EAAE,CAAC,KAAK,gDAAgD,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,+CAA+C,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,
SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,UAAU,qBAAqB,MAAM,CAAC,iBAAiB,YAAY,YAAY,YAAY,OAAO,OAAO,MAAM,MAAM,EAAE,SAAsBA,EAAEG,EAAE,CAAC,oBAAoB,sEAAsE,SAASC,GAAgBJ,EAAEM,EAAE,CAAC,GAAGF,EAAE,KAAK,MAAM,WAAW,GAAG,UAAU,iBAAiB,IAAI,8BAA8B,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeJ,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,SAAS,kBAAkB,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,2QAAwRE,EAAE,KAAK,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,CAAC,EAAE,mCAAmC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAEC,EAAE,CAAC,KAAK,uFAAuF,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,sFAAsF,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,4DAAyEE,EAAEC,EAAE,CAAC,KAAK,6CAA6C,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,WAAW,CAAC,CAAC,CAAC,EAAE,8BAA8B,CAAC,CAAC,EAAeF,EAAE,KAAK,CAAC,SAAS,aAAa,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,2QAAsQ,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAEC,EAAE,CAAC,KAAK,uFAAuF,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,sFAAsF,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,4EAA4E,CAAC,EAAeA,EAAE,KAAK,CAAC,SAAS,gBAAgB,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,8GAA8G,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAEC,EAAE,CAAC,KAAK,wEAAwE,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,uEAAuE,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,iKAA4J,CAAC,EAAeA,EAAE,KAAK,CAAC,SAAS,eAAe,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,gRAA2Q,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAEC,EAAE,CAAC,KAAK,iGAAiG,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,gGAAgG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeF,EAAE,KAAK,CAAC,SAAS,YAAY,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,oEAAoE,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,UAAU,qBAAqB,MAAM,CAAC,OAAO,OAAO,MAAM,MAAM,EAAE,SAAsBA,EAAEG,EAAE,CAAC,oBAAoB,wE
AAwE,SAASC,GAAgBJ,EAAEK,EAAE,CAAC,GAAGD,EAAE,KAAK,oIAAoI,SAAS,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeJ,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,wFAAwF,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAEC,EAAE,CAAC,KAAK,gDAAgD,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,+CAA+C,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,uEAAuE,OAAO,wKAAwK,MAAM,CAAC,YAAY,WAAW,EAAE,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAeU,EAAuBZ,EAAIC,EAAS,CAAC,SAAS,CAAcC,EAAE,KAAK,CAAC,SAAS,iJAA4I,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,sBAAmCE,EAAEC,EAAE,CAAC,KAAK,+CAA+C,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,8CAA8C,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,0KAA0K,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,UAAU,qBAAqB,MAAM,CAAC,iBAAiB,YAAY,YAAY,YAAY,OAAO,OAAO,MAAM,MAAM,EAAE,SAAsBA,EAAEG,EAAE,CAAC,oBAAoB,sEAAsE,SAASC,GAAgBJ,EAAEM,EAAE,CAAC,GAAGF,EAAE,KAAK,MAAM,WAAW,GAAG,UAAU,iBAAiB,IAAI,8BAA8B,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeJ,EAAE,IAAI,CAAC,SAAS,qHAAqH,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,2MAAiM,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,WAAwBE,EAAEC,EAAE,CAAC,KAAK,gDAAgD,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,YAAY,CAAC,CAAC,CAAC,EAAE,2WAAsW,CAAC,CAAC,EAAeJ,EAAE,IAAI,CAAC,SAAS,CAAC,gHAA6HE,EAAEC,EAAE,CAAC,KAAK,+CAA+C,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,WAAW,CAAC,CAAC,CAAC,EAAE,oKAAoK,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,uHAAuH,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,uEAAuE,OAAO,uQAAuQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,SAAS,qGAAqG,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,6GAA6G,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CA
AC,+BAA4CE,EAAEC,EAAE,CAAC,KAAK,wCAAwC,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,0BAA0B,CAAC,CAAC,CAAC,EAAE,wMAAwM,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,qMAAqM,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,uSAAuS,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,8RAAoR,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,qEAAqE,OAAO,oKAAoK,MAAM,CAAC,YAAY,WAAW,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,SAAS,uDAAuD,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,8MAA8M,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,uPAAuP,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,sEAAsE,OAAO,sKAAsK,MAAM,CAAC,YAAY,WAAW,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,SAAS,qDAAqD,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,4HAA4H,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,4SAAuS,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,+UAA+U,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,gIAAgI,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,+iBAAugB,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,uEAAuE,OAAO,wKAAwK,MAAM,CAAC,YAAY,WAAW,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,SAAS,wEAAwE,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,qTAAqT,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,wCAAgDE,EAAEC,EAAE,CAAC,KAAK,+CAA+C,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,8CAA8C,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,gBAAgB,CAAC,CAAC,CAAC,CAAC,EAAeW,EAAuBb,EAAIC,EAAS,CAAC,SAAS,CAAcC,EAAE,KAAK,CAAC,SAAS,sNAAiN,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,kEAAkE,CAAC,EAAeA,EAAE,MAAM,CAAC,UAAU,qBAAqB,MAAM,CAAC,iBAAiB,YAAY,YAAY,YAAY,OAAO,OAAO,MAAM,MAAM,EAAE,SAAsBA,EAAEG,EAAE,CAAC,oBAAoB,sEAAsE,SAASC,GAAgBJ,EAAEM,EAAE,CAAC,GAAGF,EAAE,KAAK,MAAM,WAAW,GAAG,UAAU,iBAAiB,IAAI,8BAA8B,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeJ,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC
,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeY,EAAuBd,EAAIC,EAAS,CAAC,SAAS,CAAcD,EAAE,KAAK,CAAC,SAAS,CAAC,8HAA2IE,EAAEC,EAAE,CAAC,KAAK,gDAAgD,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,YAAY,CAAC,CAAC,CAAC,EAAE,yHAAyH,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,kJAA6I,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,uEAAuE,OAAO,uQAAuQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,4bAA4b,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,sEAA8EE,EAAEC,EAAE,CAAC,KAAK,yFAAyF,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,6BAA6B,CAAC,CAAC,CAAC,EAAE,kCAA+CF,EAAEC,EAAE,CAAC,KAAK,mEAAmE,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,SAAS,CAAC,CAAC,CAAC,EAAE,WAAwBF,EAAEC,EAAE,CAAC,KAAK,iFAAiF,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,SAAS,CAAC,CAAC,CAAC,EAAE,kKAAkK,CAAC,CAAC,EAAeJ,EAAE,IAAI,CAAC,SAAS,CAAC,kTAAqTE,EAAEC,EAAE,CAAC,KAAK,oBAAoB,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,qBAAqB,CAAC,CAAC,CAAC,EAAE,4CAAyDF,EAAEC,EAAE,CAAC,KAAK,wBAAwB,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,MAAM,CAAC,CAAC,CAAC,EAAE,IAAiBF,EAAEC,EAAE,CAAC,KAAK,+BAA+B,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,aAAa,CAAC,CAAC,CAAC,EAAE,IAAiBF,EAAEC,EAAE,CAAC,KAAK,sBAAsB,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,aAAa,CAAC,CAAC,CAAC,EAAE,IAAiBF,EAAEC,EAAE,CAAC,KAAK,oBAAoB,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,UAAU,CAAC,CAAC,CAAC,EAAE,IAAiBF,EAAEC,EAAE,CAAC,KAAK,8BAA8B,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,aAAa,CAAC,CAAC,CAAC,EAAE,IAAiBF,EAAEC,EAAE,CAAC,
KAAK,8BAA8B,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,cAAc,CAAC,CAAC,CAAC,EAAE,8CAA8C,CAAC,CAAC,EAAeJ,EAAE,IAAI,CAAC,SAAS,CAAC,0BAAuCE,EAAEC,EAAE,CAAC,KAAK,2GAA2G,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,2BAA2B,CAAC,CAAC,CAAC,EAAE,qGAAqG,CAAC,CAAC,EAAeJ,EAAE,IAAI,CAAC,SAAS,CAAC,2GAAwHE,EAAEC,EAAE,CAAC,KAAK,CAAC,UAAU,WAAW,EAAE,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,kBAAkB,CAAC,CAAC,CAAC,EAAE,0FAA0F,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,qEAAqE,OAAO,iQAAiQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,SAAS,uDAAuD,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAea,EAAuBf,EAAIC,EAAS,CAAC,SAAS,CAAcC,EAAE,KAAK,CAAC,SAAS,qKAA2J,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,sBAAmCE,EAAEC,EAAE,CAAC,KAAK,iEAAiE,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,gEAAgE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,UAAU,qBAAqB,MAAM,CAAC,iBAAiB,YAAY,YAAY,YAAY,OAAO,OAAO,MAAM,MAAM,EAAE,SAAsBA,EAAEG,EAAE,CAAC,oBAAoB,sEAAsE,SAASC,GAAgBJ,EAAEM,EAAE,CAAC,GAAGF,EAAE,KAAK,MAAM,WAAW,GAAG,UAAU,iBAAiB,IAAI,8BAA8B,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeJ,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,0HAA0H,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,sEAAsE,OAAO,uKAAuK,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,SAAS,uEAAuE,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,mJAA8I,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,qGAAkHE,EAAEC,EAAE,CAAC,KAAK,yDAAyD,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,S
AAS,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,0KAAgK,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,kJAAqJE,EAAE,SAAS,CAAC,SAAS,gCAAgC,CAAC,EAAE,SAAS,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,KAAK,IAAI,uEAAuE,OAAO,wKAAwK,MAAM,CAAC,YAAY,WAAW,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,SAAS,6CAA6C,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,4LAAkL,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,sEAAsE,OAAO,sKAAsK,MAAM,CAAC,YAAY,WAAW,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,SAAS,0CAA0C,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,yQAAoQ,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,qRAAqR,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,4PAAuP,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,sEAAsE,OAAO,oQAAoQ,MAAM,CAAC,YAAY,aAAa,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,6FAA0GE,EAAEC,EAAE,CAAC,KAAK,+DAA+D,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,kBAAkB,CAAC,CAAC,CAAC,EAAE,sEAAsE,CAAC,CAAC,EAAeJ,EAAE,IAAI,CAAC,SAAS,CAAC,wCAAgDE,EAAEC,EAAE,CAAC,KAAK,iEAAiE,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,gEAAgE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,+HAA+H,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,gBAAgB,CAAC,CAAC,CAAC,CAAC,EAAec,EAAuBhB,EAAIC,EAAS,CAAC,SAAS,CAAcC,EAAE,KAAK,CAAC,SAAS,6IAAwI,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,UAAU,qBAAqB,MAAM,CAAC,iBAAiB,YAAY,YAAY,YAAY,OAAO,OAAO,MAAM,MAAM,EAAE,SAAsBA,EAAEG,EAAE,CAAC,oBAAoB,sEAAsE,SAASC,GAAgBJ,EAAEM,EAAE,
CAAC,GAAGF,EAAE,KAAK,MAAM,WAAW,GAAG,UAAU,iBAAiB,IAAI,8BAA8B,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeN,EAAE,IAAI,CAAC,SAAS,CAAcE,EAAE,KAAK,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAee,EAAuBjB,EAAIC,EAAS,CAAC,SAAS,CAAcC,EAAE,KAAK,CAAC,SAAS,kHAAkH,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,wCAAwC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,UAAU,qBAAqB,MAAM,CAAC,iBAAiB,YAAY,YAAY,YAAY,OAAO,OAAO,MAAM,MAAM,EAAE,SAAsBA,EAAEG,EAAE,CAAC,oBAAoB,sEAAsE,SAASC,GAAgBJ,EAAEM,EAAE,CAAC,GAAGF,EAAE,KAAK,MAAM,WAAW,GAAG,UAAU,iBAAiB,IAAI,8BAA8B,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeY,EAAwBlB,EAAIC,EAAS,CAAC,SAAS,CAAcC,EAAE,KAAK,CAAC,SAAS,yFAAyF,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,wLAAmL,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,UAAU,qBAAqB,MAAM,CAAC,iBAAiB,YAAY,YAAY,YAAY,OAAO,OAAO,MAAM,MAAM,EAAE,SAAsBA,EAAEG,EAAE,CAAC,oBAAoB,sEAAsE,SAASC,GAAgBJ,EAAEM,EAAE,CAAC,GAAGF,EAAE,KAAK,MAAM,WAAW,GAAG,UAAU,iBAAiB,IAAI,8BAA8B,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAea,EAAwBnB,EAAIC,EAAS,CAAC,SAAS,CAAcD,EAAE,KAAK,CAAC,SAAS,CAAC,YAAyBE,EAAEC,EAAE,CAAC,KAAK,qGAAqG,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,OAAO,CAAC,CAAC,CAAC,EAAE,mFAAmF,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,6DAA6D,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,UAAU,qBAAqB,MAAM,CAAC,iBAAiB,YAAY,YAAY,YAAY,OAAO,OAAO,MAAM,MAAM,EAAE,SAAsBA,EAAEG,EAAE,CAAC,oBAAoB,sEAAsE,SAASC,GAAgBJ,EAAEM,EAAE,CAAC,GAAGF,EAAE,KAAK,MAAM,WAAW,GAAG,UAAU,iBAAiB,IAAI,8BAA8B,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeJ,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAEC,EAAE,CAAC,KAAK,mEAAmE,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAegB,EAAwBpB,EAAIC,EAAS,CAAC,SAAS,CAAcD,EAAE,KAAK,CAAC,SAAS,CAAC,wEAAgFE,EAAEC,EAAE,CAAC,KAAK,gDAAgD,
YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,YAAY,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,EAAeJ,EAAE,IAAI,CAAC,SAAS,CAAC,6RAAqSE,EAAEC,EAAE,CAAC,KAAK,yBAAyB,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,WAAW,CAAC,CAAC,CAAC,EAAE,kCAAkC,CAAC,CAAC,EAAeJ,EAAE,IAAI,CAAC,SAAS,CAAC,uGAA+GE,EAAEC,EAAE,CAAC,KAAK,2GAA2G,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,WAAW,CAAC,CAAC,CAAC,EAAE,4CAAyDF,EAAEC,EAAE,CAAC,KAAK,yDAAyD,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeJ,EAAE,IAAI,CAAC,SAAS,CAAC,4EAAyFE,EAAEC,EAAE,CAAC,KAAK,8CAA8C,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,oBAAoB,CAAC,CAAC,CAAC,EAAE,mCAAmC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,4RAA6Q,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,uGAAuG,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,uEAAuE,OAAO,qWAAqW,MAAM,CAAC,YAAY,aAAa,EAAE,MAAM,MAAM,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,8NAAqM,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,sMAAoME,EAAEC,EAAE,CAAC,KAAK,2BAA2B,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,SAAS,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,mIAA8H,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,4YAA4Y,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,wdAAmd,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,0IAAqI,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,UAAU,qBAAqB,MAAM,CAAC,iBAAiB,YAAY,YAAY,YAAY,OAAO,OAAO,MAAM,MAAM,EAAE,SAAsBA,EAAEG,EAAE,CAAC,oBAAoB,sEAAsE,SAASC,GAAgBJ,EAAEM,EAAE,CAAC,GAAGF,EAAE,KAAK,MAAM,WAAW,GAAG,UAAU,iBAAiB,IAAI,8BAA8B,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeJ,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,kKAA6J,CAAC,CAAC,CAAC,CAAC,EAAemB,E
AAwBrB,EAAIC,EAAS,CAAC,SAAS,CAAcC,EAAE,KAAK,CAAC,SAAS,YAAY,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,ydAAod,CAAC,EAAeF,EAAE,KAAK,CAAC,SAAS,CAAcE,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAsBA,EAAEC,EAAE,CAAC,KAAK,qHAAqH,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,+BAA+B,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeF,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAsBA,EAAEC,EAAE,CAAC,KAAK,oHAAoH,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,2BAA2B,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeF,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAsBA,EAAEC,EAAE,CAAC,KAAK,iHAAiH,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,gCAAgC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,yZAA+Y,CAAC,EAAeA,EAAE,KAAK,CAAC,SAAS,aAAa,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,2PAA8PE,EAAEC,EAAE,CAAC,KAAK,6CAA6C,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,oDAAoD,CAAC,CAAC,CAAC,EAAE,oKAAoK,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,uEAAuE,OAAO,wKAAwK,MAAM,CAAC,YAAY,WAAW,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,oBAAiCE,EAAEC,EAAE,CAAC,KAAK,sCAAsC,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,gBAAgB,CAAC,CAAC,CAAC,EAAE,gnBAAulB,CAAC,CAAC,EAAeF,EAAE,KAAK,CAAC,SAAS,SAAS,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,gCAA6CE,EAAE,SAAS,CAAC,SAAS,MAAM,CAAC,EAAE,+GAA4HA,EAAE,SAAS,CAAC,SAAS,KAAK,CAAC,EAAE,wCAAqDA,EAAE,SAAS,CAAC,SAAS,KAAK,CAAC,EAAE,qBAAqB,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,uEAAuE,OAAO,uQAAuQ,MAAM,CAAC,YAAY,aAAa,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,SAAS,mHAAmH,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI
,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,8DAA8D,CAAC,EAAeF,EAAE,KAAK,CAAC,SAAS,CAAcE,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,UAAU,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,sBAAsB,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,uCAAuC,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,mBAAmB,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,qBAAqB,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,kBAAkB,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,eAAe,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,sBAAsB,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,oBAAoB,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,iBAAiB,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,sBAAsB,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,0BAA0B,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,2BAA2B,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,6BAA6B,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,sBAAsB,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,kBAAkB,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,4BAA4B,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,sBAAsB,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,oBAAoB,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,qBAAqB,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,oBAAoB,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,uBAAuB,CAAC,CAAC,CAAC
,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,qBAAqB,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,yBAAyB,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,qBAAqB,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,qBAAqB,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,oBAAoB,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,sBAAsB,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,qBAAqB,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,yCAAyC,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,uBAAuB,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,wBAAwB,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,6BAA6B,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,qBAAqB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,SAAS,+BAA+B,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,qJAAgJ,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,sEAAsE,OAAO,sKAAsK,MAAM,CAAC,YAAY,WAAW,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,SAAS,iDAAiD,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,uEAAuE,OAAO,yKAAyK,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,SAAS,2EAA2E,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,gkBAAijB,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,uEAAuE,OAAO,uQAAuQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,SAAS,+GAA+G,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,g
BAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,yJAAoJ,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,sEAAsE,OAAO,2EAA2E,MAAM,CAAC,YAAY,WAAW,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,SAAS,2DAA2D,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,KAAK,CAAC,UAAU,gBAAgB,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,SAAS,YAAY,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,6cAAmc,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,2GAAsG,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAEC,EAAE,CAAC,KAAK,mEAAmE,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAC10gGkB,EAAqB,CAAC,QAAU,CAAC,UAAY,CAAC,KAAO,WAAW,YAAc,CAAC,sBAAwB,GAAG,CAAC,EAAE,UAAY,CAAC,KAAO,WAAW,YAAc,CAAC,sBAAwB,GAAG,CAAC,EAAE,UAAY,CAAC,KAAO,WAAW,YAAc,CAAC,sBAAwB,GAAG,CAAC,EAAE,UAAY,CAAC,KAAO,WAAW,YAAc,CAAC,sBAAwB,GAAG,CAAC,EAAE,UAAY,CAAC,KAAO,WAAW,YAAc,CAAC,sBAAwB,GAAG,CAAC,EAAE,UAAY,CAAC,KAAO,WAAW,YAAc,CAAC,sBAAwB,GAAG,CAAC,EAAE,UAAY,CAAC,KAAO,WAAW,YAAc,CAAC,sBAAwB,GAAG,CAAC,EAAE,WAAa,CAAC,KAAO,WAAW,YAAc,CAAC,sBAAwB,GAAG,CAAC,EAAE,WAAa,CAAC,KAAO,WAAW,YAAc,CAAC,sBAAwB,GAAG,CAAC,EAAE,WAAa,CAAC,KAAO,WAAW,YAAc,CAAC,sBAAwB,GAAG,CAAC,EAAE,UAAY,CAAC,KAAO,WAAW,YAAc,CAAC,sBAAwB,GAAG,CAAC,EAAE,WAAa,CAAC,KAAO,WAAW,YAAc,CAAC,sBAAwB,GAAG,CAAC,EAAE,UAAY,CAAC,KAAO,WAAW,YAAc,CAAC,sBAAwB,GAAG,CAAC,EAAE,SAAW,CAAC,KAAO,WAAW,YAAc,CAAC,sBAAwB,GAAG,CAAC,EAAE,mBAAqB,CAAC,KAAO,UAAU,CAAC,CAAC",
  "names": ["richText", "u", "x", "p", "Link", "motion", "ComponentPresetsConsumer", "t", "CodeBlock_default", "Youtube", "richText1", "richText2", "richText3", "richText4", "richText5", "richText6", "richText7", "richText8", "richText9", "richText10", "richText11", "richText12", "richText13", "__FramerMetadata__"]
}
