DEV Community: Sahil Sharma

Top 7 websites to learn secure code development faster

Sahil Sharma — Fri, 18 Nov 2022 13:35:34 +0000

In this fast-paced world of development where new "next generation" frameworks, Libraries and tools are built and used every day. People often forget about one critical issue which is security of the software.

Here are some highly recommended trainings and resources you can use to improve code security:

Application Security Training by Kontra
Best way Accelerate Application Security Training and Software Security Education to all developers through Interactive Learning platform.
OWASP Checklist and Exercises
When it comes to security it is not possible to complete without talking about the OWASProject contributions. Here are two resources for code security.
- Secure practices reference guide
- Secure Coding Dojo
Snyk Security Resources and Tools
Snyk is the one tool required to build securely. It provides many security resources including best practices, tools, cheat sheets & checklists.
Secure Code Warrior
An enterprise product to shape developers to be more security-driven by teaching all skills needed to produce secure code. It also offers some free exercises.
Avatao Interactive Secure Coding Training
Avatao’s secure coding training enables developers and managers to prevent vulnerabilities, saving your company time and reducing business risks.
Veracode Secure Code Training
A secure code program designed specifically for developers with hands-on training helps you fix and prevent new security flaws. You can choose between self-paced online or instructor-led training.
SANS Developer Security Awareness Training
Learn how to secure five modern programming languages, which are NodeJS, PHP, Java, Python and C#, from OWASP Top 10 vulnerabilities.

Bonus Resources

If you found this article helpful 👇🏻

Follow me @sam5epi0l. Check out other articles.
Buy Me a Coffee
Comment your queries and best resources.

5 pro tools which make you unstoppable on Linux command line

Sahil Sharma — Tue, 04 Oct 2022 11:50:51 +0000

For a Linux user of any experience level, I have 5 most useful commands/tools which makes it straightforward to start with the Linux command line and become a advanced user.

These commands will be most effective for newbie Linux users. Every Linux system includes similar command line interface , if anyone is good at command line then becoming a expert Linux user is no pain.

navi

It is an interactive cheatsheet tool. navi allows you to browse through cheatsheets (that you may write yourself or download from maintainers) and execute commands. It also comes with power of fzf tool.

Official demo

Github link — https://github.com/denisidoro/navi

fish

fish is a smart and user-friendly command line shell for macOS, Linux, and the rest of the family. fish includes features like syntax highlighting, autosuggest-as-you-type, and fancy tab completions that just work, with no configuration required.

Github link — https://github.com/fish-shell/fish-shell

which

which is a simple tool. It shows the full path of shell commands. It does this by searching for an executable or script in the directories listed in the environment variable PATH.

More info and installation commmands — https://command-not-found.com/which

cheat.sh

It is most powerful cheatsheet database with over 12k+ command available. With so many features which makes it the only cheatsheet you need.

Learn more about cheat.sh and usage here— https://github.com/chubin/cheat.sh#features

man-db

It consists of manual pages which provides full description of programs, utilities and functions. man-db package has to main command man (access manpages) and apropos (search manpages).

Read more about man-db here — https://www.man7.org/linux/man-pages/man1/man.1.html

Wrapping up

Thank you so much for reading this article. I hope these commands will help in your Linux journey and make you productive at Linux command line. Feel free to add some helpful resources in the comments.

Please leave some reactions if you found this article useful and don’t forget to follow me for more useful content related to Linux, Programming, Webapp hacking. Peace!

What is Cross-Site Scripting vulnerability? How to find it? How to prevent a XSS attack?

Sahil Sharma — Mon, 25 Jul 2022 13:36:14 +0000

In this article, I’ll explain a critical web security risk known as Cross-site scripting, indications, types and how to prevent an XSS attack.

What is cross-site scripting?

**Cross-Site Scripting **is a type of injection attack which allows an attacker to inject malicious client-side code (executed by victims) that leads to impersonating users to get privileged access to the web application, perform cross site request forgery attacks to other vulnerable website, redirect victims to an attackers site, download malicious files, etc. XSS can be chained to other vulnerabilities to get full access to the target system.

Proof of concept (PoC)

XSS just simply adds arbitrary html and javascript code in response if developers do not sanitize users input properly and encode html characters in the response. You can start by injecting some innocent HTML playloads like <u>,** <br>, <p>. And then use a javascript function inside HTML tags to confirm a XSS bug. **alert() **was used as a proof of concept of an XSS bug for decades but now it’s replaced by **print(), alert(document.domain) and alert(window.origin).

Type of cross-site scripting vulnerability

Reflected XSS - When the XSS payload in request gets reflected immediately in the response. It’s not permanently saved on the server. Example - Let’s say the request link is sent to the victim by phishing or embedded in any other website.
```
// REQUEST URL
https://website.com/profile.php?show=<script>print()</script> 
// RESPONSE
<script>print()</script>
```
Stored XSS - When the XSS payload is saved to the server and executed for every other user accessing the vulnerable web page. The code is saved permanently in the website's database and could be used to create a worm. Example - Victim uses the website and gets malicious code executed.
```
<p><script>print()</script></p>
```
DOM-based XSS - When the bug is found in the source code of the vulnerable web page and the files attached to it. The Document Object Model is a convention used to represent and work with objects in an HTML document as well as in other document types.
```
<script>
 var pos=document.URL.indexOf("context=")+8;
 document.write(document.URL.substring(pos,document.URL.length));
</script>
```

How to prevent XSS attacks? 🛡️

Cross-site scripting has been among OWASP top 10 security risk list since 2010 so it is important for developers to write secure code and prevent XSS attacks. As XSS is an injection vulnerability the key to prevent these attacks is to never trust user input. Also a non-practical answer would be never let user provided data rendered into a webpage.

XSS prevention methods 📃

Use a Web Application Firewall
1. Firewall immediately blocks certain malicious payloads and tags in HTTP requests.
2. Firewall can be bypassed in some cases but it could get very frustrating for the attacker.
DevSecOps
1. Snyk.io
  1. Find and automatically fix vulnerabilities in your code, open source dependencies, containers, and infrastructure as code.
  2. Use snyk’s extensions for your IDE.
  3. Scan for vulnerable docker containers.
Validate and sanitize user-provided data
1. User data should be validated on the front end of sites for correctness (e.g. username, email, domain and phone number formatting), but it should also always be validated and sanitized on the backend for security.
2. Depending on the application, you may be able to whitelist alphanumeric characters and blacklist all other characters. However, this solution is not foolproof.
HTML Encoding
1. Any time that you are rendering user-provided data into the body of the document (e.g. with the innerHTML attribute in JavaScript), you should HTML encode the data.
2. Some examples of HTML encoding are:
  1. & &
  2. < <
  3. > >
  4. " "
  5. ' '
Use a security encoding library
1. For many languages and frameworks, there are security encoding libraries that can help prevent XSS.
2. Use updated frameworks.
Use iframe tags
1. You can use an iframe tag to prevent stealing cookies/sessions, privileged access.
2. Google blogger platform uses iframe tags to render code on different subdomains and prevent XSS on the main webapp.

Wrapping Up

Key takeaways:

XSS is a critical injection vulnerability by which an attacker manipulates server response and executes arbitrary javascript code in the user's web browser.
There are 3 types of XSS: Reflected, DOM-based, and stored.
XSS attacks can be used to download malicious files, do cross site requests, steal authentication information, hijack sessions, steal sensitive data, and deface websites.
Prevent XSS by sanitizing user data on the backend, HTML-encode user-provided data that’s rendered into the template, and use a security encoding library or WAF.

Related Links:

OWASP top 10 - https://owasp.org/www-project-top-ten/
OWASP cheatsheet - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
Portswigger prevention - https://portswigger.net/web-security/cross-site-scripting/preventing
Article on Reviewing Code for Cross-site scripting Vulnerabilities - https://wiki.owasp.org/index.php/Reviewing_Code_for_Cross-site_scripting
Portswigger research - https://portswigger.net/research/alert-is-dead-long-live-print

I hope this article is helpful for you. Thank you for reading.

Everything you need to know about Creating files in LINUX-Based Operating Systems

Sahil Sharma — Mon, 25 Jul 2022 08:12:10 +0000

The Linux file-system considers everything as a file. From text/media/binary files and directories to hardware devices connected physically, everything is a file in linux. If it is not a file then it must be a process. In Linux, files form a tree-structure to manage the data. There are so many ways to create a file in linux, so let's look at some conventional ways to do that.

Rules for files to exist in a Linux file-system

Files are *case sensitive *(unlike Windows). So, temp.txt, Temp.txt and TEMP.txt all are different files.
Users should have permissions to create a file on the parent folder.
1. Check permission with ls -al command.
2. Make sure you are the user or from the group.
You can use other special characters such as blank space, but they are hard to use and it is better to avoid them.
filenames may contain any character except / , which is reserved as the separator between files and directories in a pathname. You cannot use the null character.
use a dot based filename extension to identify files. For example:
1. .sh = Shell file
2. .tar.gz = Compressed archive
Most modern Linux and UNIX limit filenames to 255 characters (255 bytes). However, some older versions of the UNIX system limit filenames to 14 characters only.
A filename must be unique inside its directory. For example, inside /root directory you cannot create a file.txt file and file.txt directory name
Avoid these characters from including in file names /><|:&
Enclose the file name with single-quote 'file.txt'.

Little snippet of experiment with creating files in Linux:

root@aaf52077a089:/# cd /root
root@aaf52077a089:~# touch '!@#$%^&*(()_+-{}[]":></?><'
touch: cannot touch '!@#$%^&*(()_+-{}[]":></?><': No such file or directory
root@aaf52077a089:~# touch '!@#$%^&*(()_+-'
root@aaf52077a089:~# touch file.txt
root@aaf52077a089:~# touch  File.txt
root@aaf52077a089:~# mkdir file.txt
mkdir: cannot create directory 'file.txt': File exists
root@aaf52077a089:~# ls -al
total 16
-rw-r--r-- 1 root root    0 Jul 16 11:19 '!@#$%^&*(()_+-'
drwx------ 1 root root 4096 Jul 16 11:20  .
drwxr-xr-x 1 root root 4096 Jul 16 11:17  ..
-rw-r--r-- 1 root root 3106 Oct 15  2021  .bashrc
-rw-r--r-- 1 root root  161 Jul  9  2019  .profile
-rw-r--r-- 1 root root    0 Jul 16 11:20  File.txt
-rw-r--r-- 1 root root    0 Jul 16 11:20  file.txt

Conventional ways to create files in Linux

We can easily create files with the default file manager (GUI). But there is no fun in it. Let’s dive into some interesting command-line ways to create files.

touch - Use the dedicated command to create files.
1. Everyone's method - touch file.txt.
2. Advance usage.

```# Create a new empty file(s) or

change the times for existing file(s) to the current time:

touch path/to/file

Set the times on a file to a specific date and time:

touch -t YYYYMMDDHHMM.SS path/to/file

Set the time on a file to one hour in the past:

touch -d "-1 hour" path/to/file

Use the times from a file to set the times on a second file:

touch -r path/to/file1 path/to/file2

Create multiple files:

touch path/to/file{1,2,3}.txt

Credit: cheat.sh```

Text editors - nano, vim, vi, neovim.
1. These will create files at current timestamps.
2. Syntax: text_editor path/to/file.txt.
Using the cat , echo or any other command with the > or >> operator. We can use STDOUT to create/append file.
1. You can use simple bash tricks to use cat/bat to create files.
2. Syntax: cat > file.txt , cat >> file.txt.

root@aaf52077a089:~/dir_test# cat file.txt
cat: file.txt: No such file or directory
root@aaf52077a089:~/dir_test# cat > file.txt
Creating and writing a file with cat command is so cool.
Writing on 2nd line    
^C
root@aaf52077a089:~/dir_test# cat file.txt
Creating and writing a file with cat command is so cool.
Writing on 2nd line
root@aaf52077a089:~/dir_test# cat >> file.txt
Writing on 3rd line
^C
root@aaf52077a089:~/dir_test# cat file.txt
Creating and writing a file with cat command is so cool.
Writing on 2nd line
Writing on 3rd line
root@aaf52077a089:~/dir_test# ls -al
total 12
drwxr-xr-x 2 root root 4096 Jul 16 11:55 .
drwx------ 1 root root 4096 Jul 16 11:55 ..
-rw-r--r-- 1 root root   97 Jul 16 11:57 file.txt

Cool non practical methods

Insert a hardware device into a Linux device. It will create a file.
Create files of fixed size. (10MB)

fallocate -l $((10*1024*1024)) file.txt
# This option doesn't use input/output overhead, the space will be allocated immediately.

truncate -s 10M file.txt
# This creates a file full of null bytes.

dd if=/dev/urandom of=ostechnix.txt bs=10MB count=1
# This command will create a non-sparse file full of null bytes.

head -c 10MB /dev/urandom > file.txt
# This command will create a non-sparse file full of null bytes.

Thank you so much for reading this article. Follow me for more!

Intercept android app traffic in Burp Suite: From root to hack [ULTIMATE GUIDE for bug hunters]

Sahil Sharma — Sun, 17 Jul 2022 01:43:04 +0000

In this article, You’ll learn how to root an android device, configure burp proxy, install ca certificate to intercept https traffic, bypass SSL pinning and root detection. You can also use android emulators like genimotion.

Why bother learning this stuff? Simple reason is to compete with less number of hackers than webapps. Also, there no easy guide for all devices.

Disclaimer:- This whole process could take 15 minutes to whole day depending upon the device (android sdk) and the app. So, please be patient and read everything carefully. Also, this whole thing is for educational purposes only.

The dumb part which is similar as webapps

Let’s start with easiest and basic part to capture http, https traffic of web browser and the apps which don’t have SSL Pinning enabled.

Follow these steps

Connect your PC (with Burp Suite installed) and Android to the same network. > Note — Here my PC’s IP is 192.168.43.20 and Android’s IP is 192.168.43.180
Start Burp Suite and set proxy to listen on all interfaces.
Set manual proxy in Android’s WIFI settings.
In web browser, go to http://burp/ and download the ca certificate. Rename the der extension to cer.
Go to settings and search for certificate and install the certificate.

Now you’ll be able to intercept HTTP/HTTPS traffic from web browsers and a very few apps which do not have SSL Pinning enabled.

Advanced — bypassing SSL pinning

If the app has SSL Pinning enabled we have to root the android device to bypass it (root detection also). Follow these steps-

Root Android Device

It is basically unlocking the bootloader. You need to search specifically for your device to do that because it is different for every Android phone companies. Use google, youtube, xda forums (king) to get navigation.

Install custom recovery

There are two main Android recovery projects — TWRP and OrangeFox. It would be great if they provide official recovery for your device. Otherwise you can use XDA forums to get unofficial but working recoveru image. Now, follow these steps-

Boot your Android device into fastboot/download/flash mode.
Connect your android device with a USB cable to your PC. (also install required drivers)
Install fastboot in your PC
Use android platform tools in Windows. Extract the zip file. and place recovery .img files downloaded earlier in same folder.
For Linux run these commands — apt install adb fastboot -y
open powershell/terminal and go to that same folder used above. and run this command. fastboot boot recovery.img

Install Magisk Manager

It is an open source tool to manager root access for apps, install modules, flash images, etc. Follow these steps-

Get the official apk file of magisk manager from Github.
Change the extension from .apk to .zip.
Got to custom recovery by following above steps.
Tap install and go to magisk file location and flash it. Reboot device.
Change magisk extension back to .apk. Install the app.

Install Xposed installer (and edXposed manager)

At last our main goal to bypass SSL Pinning is to install Xposed installer.

method 1 — Simple installation

Follow these steps-

Download Xposed installer from official website for your android version.
Click install and wait for download to complete, then install it.
If you see the green banner, then you can skip next methods.

method 2 — using Magisk module (Android oreo & newer 8.0+)
Follow these steps-

Download two magisk modules from here1 and here2. One extra module if you like here3.
Install module from storage and reboot the device. > Note: If failed download Xposed Get the zip files for your sdk from the redirected website.

method 3 — flash using custom recovery (TWRP/OrangeFox)

Follow these steps-

Download the zip files from the redirected links for your android SDK version. also download this extra zip file from here.
Boot to recovery with steps mentioned above.
Click install and reboot to the system.
Check Xposed installer status again. Click activate slide if not already.

Now you should have Xposed installed on your system.

Install Xposed modules.

Go to downloads with menu button on top left corner.
Download and install three modules. — RootCloak, SSL Pinning Bypass and Trust Me.
Activate these modules and Soft reboot the device.
go to SSL Pinning Bypass app. Click on the app to bypass SSL pinning on it.

Wrapping Up

I hope you find a bug after successfully bypassing SSL pinning. If you found this article useful, don’t forget to clap (≤50). For more hacking related articles follow me here.

You can also follow me on twitter to get useful resources to learn ethical hacking. that’s all i have got for today. I will see you in the next one.

Thank you for reading, Have a creative day!

Host TOR Hidden service (DARK WEB website) on a smartphone !!

Sahil Sharma — Thu, 26 May 2022 03:47:40 +0000

DARK WEB websites — TOR hidden services or the .onion sites which can only be accessed by connecting to TOR relay.

In this blog, We will host a TOR hidden service using termux in Android. This is incredibly cool, takes only a few minutes to setup…you’ve gotta try this!!

If you prefer a video tutorial, click here

If you don’t want to learn the process, I have my script to do the work for you. Check it here — https://github.com/sam5epi0l/onionX/

Follow these steps -

Get official termux app from F-DROID — https://f-droid.org/en/packages/com.termux/
update packages

pkg update -y
Install dependencies

pkg i termux-api tor git -y
create torrc configuration

cp /data/data/com.termux/files/usr/etc/tor/torrc . echo "HiddenServiceDir /data/data/com.termux/files/home/hidden_service/" >> torrc echo "HiddenServicePort 80 127.0.0.1:1337" >> torrc

Start TOR hidden service

tor -f torrc
Check URL in hostname file

cat /data/data/com.termux/files/home/hidden_service/hostname
(OPTIONAL) Start your Apache/nginx web server at port 1337

I’m using python http server at 127.0.0.1:1337

python3 -m http.server 1337

Hurray! you finished all steps and the host is up and running DARK WEB website. Thank you so much for reading.

Fall in Love with TERMUX

Sahil Sharma — Tue, 26 Apr 2022 16:48:49 +0000

Make your Termux look better within 5 minutes

About — We’re going to install awesome tools like ohmyzsh, neovim, dotfiles, etc.with just one script

If you prefer video tutorial click here

Installation Dependencies

Termux must be F-Droid Version because Termux from Playstore no longer maintained because there are some problems with the Playstore publishing

Update Repository & Upgrade Package
pkg update && pkg upgrade

git & bc

Package git for cloning or downloading repository
Package bc for calculate repository size which will be cloning or downloading

  pkg i -y git bc

Installation myTermux

Clone or Download This Repository

  git clone --depth=1 https://github.com/mayTermux/myTermux.git

Run Script Installer

Move to Folder

  cd myTermux

export variable COLUMNS and LINES

This variable function so that the installer script can read the
column and row widths of Termux Application so that later it
matches the output during the installation process.

  export COLUMNS LINES

Execute Installer

  ./install.sh

If you get error message Please Zoom Out.
Zoom Out on Termux Application then run again the script

If the row and column widths of the application are correct,
the script will automatically run, like this:

Then follow the installation until it's finished

📸 Screenshots

This screenshot take by Awesomeshot and system fetch by rxfetch-termux

System Fetch

rxfetch

neofetch

Colorscheme (Theme)

Change colorscheme or theme with command:

  chcolor

Show Preview

Fonts

Change font used with command:

  chfont

ZSH Theme

Change ZSH Theme with command:

  chzsh

[NVIM] - Text Editor

Show Theme

SuiteCRM installation in Ubuntu Server 20.04.4 LTS VPS [2022 Guide]

Sahil Sharma — Thu, 10 Mar 2022 01:32:32 +0000

SuiteCRM is an open-source Customer Relationship Management (CRM) software solution. An application which loads the sales, markets, and services administration of a company. It also helps to organize all the processes concerning these activities translating this into process improvements and time-saving. Learn how to install SuiteCRM on Ubuntu 20.04 here

Note: If can't follow along this process, feel free to reach out to me! (Social media links are attached Below)

Prerequisites

SSH root access or a regular system user (use sudo) with sudo privileges
Fully-updated system.

Install Apache Webserver

Install Apache server using this command
apt install apache2

Use These command with SUID permissions to start, enable and restart the apache2 server
systemctl start apache2 systemctl enable apache2 systemctl restart apache2

Go to browser and type server IP or LocalHost, you should be able to view Apache2 Ubuntu Default Page

Install PHP, Composer & extenstions

To install PHP, composer(package manager for PHP) and the required PHP extensions, run the following command:
sudo apt install php composer php-cli php-imagick php-fpm php-mysql php-common php-gd php-imap php-json php-curl php-zip php-xml php-mbstring php-bz2 php-intl php-gmp php-curl php-gd php-zip php-imap php-dom php-intl php-opache php-soap

Install and create database on MySQL server

Install MySQL server
apt install mysql-server

Create a Database for suitecrm using these commands
CREATE DATABASE suitecrm; CREATE USER 'suitecrm'@'localhost' IDENTIFIED BY 'password'; GRANT ALL PRIVILEGES ON suitecrm.* TO 'suitecrm'@'localhost'; FLUSH PRIVILEGES; EXIT;

Download SuiteCRM on Ubuntu 20.04 and Configure it

Download the latest stable version by executing the following command on your server.
wget https://github.com/salesagility/SuiteCRM/archive/refs/tags/v7.12.5.zip

Unzip to default directory or subdomain directory
unzip SuiteCRM-8.0.3.zip -d /var/www/html/suitecrm

CD to suitecrm directory Add sub tree to folder
cd /var/www/suitecrm mkdir cache mkdir vendor touch config_override.php

Set correct permissions to Files and Folders:
chown -R www-data:www-data /var/www/suitecrm/ chmod -R 755 . chmod -R 775 cache custom modules themes data upload

Install composer packages with this command:
composer install

Add sites-available in apache configurations

Open nano editor using this command:
nano /etc/apache2/sites-available/suitecrm.conf

Add this text into config file

<VirtualHost *:80>
  ServerName suitecrm.example.com
  DocumentRoot /var/www/suitecrm/

  ErrorLog ${APACHE_LOG_DIR}/suitecrm_error.log
  CustomLog ${APACHE_LOG_DIR}/suitecrm_access.log combined

  <Directory />
    Options FollowSymLinks
    AllowOverride All
  </Directory>

  <Directory /var/www/suitecrm/>
    Options FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    allow from all
  </Directory>

Include /etc/apache2/conf-available/php7.4-fpm.conf

</VirtualHost>

Increase Upload Limit in php configurations

sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 20M/g' /etc/php/7.4/fpm/php.ini systemctl restart php7.4-fpm

Now enable suitecrm site:
a2ensite suitecrm.conf

Restart apache server and you are done with CLI
systemctl restart apache2

Fire up your web browser to localhost

You should add subdomain to /etc/hosts if any.

Accept terms and continue to installation
Login with database user and pass suitecrm:password
Create admin user for suitecrm login page.

As you can see suitecrm is successfully installed in our Ubuntu Server or VPS

Wrapping Up

I hope this tutorial helped you install SuiteCRM on Ubuntu 20.04. You can also check out SuiteCRM user manual to learn how to use it. If you found this post useful, then you can follow me on other social media platform to get more tips and tricks. Take care 🙂

BotTuber, automates compilation videos YouTube Channel Completely. Check it out on GitHub.🔽(Video Tutorial Included)

Sahil Sharma — Sun, 23 Jan 2022 01:21:19 +0000

Features😶‍🌫️ -

Interactive Auto/Manual mode

Makes Compilation (Intro & Outro)

Auto Title, Description & Tags

Auto TimeStamps & Credits (Username & Caption from Video)

Edit description.txt when in manual mode

GitHub👩‍🚀 - https://github.com/sam5epi0l/BotTuber.git
Releases👨‍💻 - https://github.com/sam5epi0l/BotTuber/releases/tag/v1.21.0
by sam5epi0l - https://twitter.com/sam5epi0l

Please Comment Below if You found Bugs

📄Quick Start

git clone https://github.com/sam5epi0l/BotTuber.git cd BotTuber (add instagram credentials in config.py) (add YouTube API v3 credentials to googleAPI.json (check instructions)) pip3 install -r requirements.txt python3 botTuber.py

Usage✅

python3 botTuber.py -i # interactive mode python3 botTuber.py -a # Full automation python3 botTuber.py -m # manual mode python3 botTuber.py -h # help menu

Video Installation Tutorial - https://youtu.be/BbPErvcqXyw