{"id":2669,"date":"2013-12-15T21:26:25","date_gmt":"2013-12-15T13:26:25","guid":{"rendered":"http:\/\/rmohan.com\/?p=2669"},"modified":"2013-12-15T21:32:25","modified_gmt":"2013-12-15T13:32:25","slug":"the-web-security-glossary","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=2669","title":{"rendered":"The Web Security Glossary"},"content":{"rendered":"<p>Description<br \/>\nThe Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to clarify the language used within the community.<br \/>\nComplete Document<br \/>\n[PDF] size: 140 kilobytes<\/p>\n<p>Project leader: Robert Auger (contact @ webappsec org)<\/p>\n<p>Abuse of Functionality: An attack technique that uses the features and functionality of a web site to consume, defraud, or circumvent the site\u2019s access controls. See also \u201cDenial of Service\u201d.<\/p>\n<p>ActiveX controls: A program, called a \u201ccontrol\u201d, developed using ActiveX technologies. ActiveX controls can be downloaded and executed within technology-enabled Web browsers. ActiveX is a set of rules for how applications should share information. ActiveX controls can be developed in C, C++, Visual Basic, and Java. See also \u201cJava\u201d, \u201cJava Applets\u201d, \u201cJavaScript\u201d, \u201cWeb Browser\u201d.<\/p>\n<p>AJAX: AJAX stands for Asynchronous JavaScript and XML. This browser-based technology allows a website to perform additional resource requests without refreshing the user page by utilizing the XMLHttpRequest JavaScript object.<\/p>\n<p>Anti-Automation: Security measure that prevents automated programs from exercising web site functionality by administering the Turing Test to a user, which only a human could pass. See also \u201cVisual Verification\u201d.<\/p>\n<p>Application Server: A software server, normally using HTTP, which has the ability to execute dynamic web applications. 
Also known as middleware, this piece of software is normally installed on or near the web server where it can be called upon. See also \u201cWeb Application\u201d, \u201cWeb Server\u201d.<\/p>\n<p>Attack: A well-defined set of actions that, if successful, would result in either damage to an asset, or undesirable operation.<\/p>\n<p>Authentication: The process of verifying the identity or location of a user, service or application. Authentication is performed using at least one of three mechanisms: \u201csomething you have\u201d, \u201csomething you know\u201d or \u201csomething you are\u201d. The authenticating application may provide different services based on the location, access method, time of day, etc. See also \u201cInsufficient Authentication\u201d.<\/p>\n<p>Authorization: The determination of what resources a user, service or application has permission to access. Accessible resources can be URLs, files, directories, servlets, databases, execution paths, etc. See also \u201cInsufficient Authorization\u201d.<\/p>\n<p>Backup File Disclosure: (Obsolete) See \u201cPredictable File Location\u201d.<\/p>\n<p>Basic Authentication: A simple form of client-side authentication supported in HTTP. The HTTP client sends a request header to the web server containing a Base64-encoded username and password. If the username\/password combination is valid, the web server grants the client access to the requested resource. See also \u201cAuthentication\u201d, \u201cInsufficient Authentication\u201d.<\/p>\n<p>Brute Force: An automated process of trial and error used to guess the \u201csecret\u201d protecting a system. Examples of these secrets include usernames, passwords or cryptographic keys. See also \u201cAuthentication\u201d, \u201cInsufficient Authentication\u201d, \u201cPassword Recovery System\u201d, \u201cWeak Password Recovery Validation\u201d.<\/p>\n<p>Buffer Overflow: An exploitation technique that alters the flow of an application by overwriting parts of memory. 
Buffer Overflows are a common cause of malfunctioning software. If the data written into a buffer exceeds its size, adjacent memory space will be corrupted and normally produce a fault. An attacker may be able to utilize a buffer overflow situation to alter an application&#8217;s process flow. Overfilling the buffer and rewriting memory-stack pointers could be used to execute arbitrary operating-system commands.<\/p>\n<p>CGI Scanner: Automated security program that searches for well-known vulnerabilities in web servers and off-the-shelf web application software. Often CGI Scanners are not very \u201cstateful\u201d in their analysis and only test a series of HTTP requests against known CGI strings. See also \u201cWeb Application Vulnerability Scanner\u201d.<\/p>\n<p>CGI Security: (Obsolete) See \u201cWeb Application Security\u201d.<\/p>\n<p>Client-Side Scripting: Web browser feature that extends the functionality and interactivity of static HyperText Markup Language (HTML) web pages. Examples of Client-Side Scripting languages are JavaScript, JScript and VBScript. See also \u201cActiveX controls\u201d, \u201cJava Applets\u201d.<\/p>\n<p>Common Gateway Interface: (Acronym &#8211; CGI) Programming standard for software to interface with and execute applications residing on web servers. See also \u201cWeb Application\u201d, \u201cApplication Server\u201d, \u201cWeb Server\u201d.<\/p>\n<p>Configuration File Disclosure: (Obsolete) See \u201cPredictable File Location\u201d.<\/p>\n<p>Content Spoofing: An attack technique used to trick a user into thinking that fake web site content is legitimate data.<\/p>\n<p>Cookie: Small amount of data sent by the web server to a web client, which can be stored and retrieved at a later time. Typically cookies are used to keep track of a user\u2019s state as they traverse a web site. 
See also \u201cCookie Manipulation\u201d.<\/p>\n<p>Cookie Manipulation: Altering or modification of cookie values, on the client\u2019s web browser, to exploit security issues within a web application. Attackers will normally manipulate cookie values to fraudulently authenticate themselves to a web site. This is an example of the problem of trusting the user to provide reasonable input. See also \u201cCookie\u201d.<\/p>\n<p>Cookie Poisoning: (Obsolete) See \u201cCookie Manipulation\u201d.<\/p>\n<p>Cross-Site Scripting: (Acronym \u2013 XSS) An attack technique that forces a web site to echo client-supplied data, which executes in a user\u2019s web browser. When a user is Cross-Site Scripted, the attacker will have access to all web browser content (cookies, history, application version, etc). See also \u201cClient-Side Scripting\u201d.<\/p>\n<p>Debug Commands: Application debugging features or commands that assist in identifying programming errors during the software development process.<\/p>\n<p>Denial of Service: (Acronym \u2013 DoS) An attack technique that consumes all of a web site\u2019s available resources with the intent of rendering legitimate use impossible. Resources include CPU time, memory utilization, bandwidth, disk space, etc. When any of these resources reach full capacity, the system will normally be inaccessible to normal user activity. See also \u201cAbuse of Functionality\u201d.<\/p>\n<p>Directory Browsing: (Obsolete) See \u201cDirectory Indexing\u201d.<\/p>\n<p>Directory Enumeration: (Obsolete) See \u201cPredictable File Location\u201d.<\/p>\n<p>Directory Indexing: A feature common to most popular web servers that exposes the contents of a directory when no index page is present. See also \u201cPredictable File Location\u201d.<\/p>\n<p>Directory Traversal: A technique used to exploit web sites by accessing files and commands beyond the document root directory. 
Most web sites restrict user access to a specific portion of the file-system, typically called the document root directory or CGI root directory. These directories contain the files and executables intended for public use. In most cases, a user should not be able to access any files beyond this point.<\/p>\n<p>DOM Based Cross Site Scripting: DOM based cross-site scripting (or &#8220;DOM based XSS&#8221; in short) is a \u201ccross-site scripting\u201d attack that makes use of insecure JavaScript (or, in general, client-side) programming that takes place in response pages, to effectively incur an XSS condition. In DOM based XSS, the attacker affects the JavaScript execution in a target page (in the attacked domain) by providing it with data in the URL or the Referer, which the script insecurely uses. The script may apply the eval() function to the malicious data, or embed it in the DOM (thus making the browser potentially render it as JavaScript and run it). This is in contrast to &#8220;standard&#8221; XSS, where the malicious data is embedded in the page at the server side. In some cases, DOM based XSS can even be conducted in such a way that the malicious payload doesn&#8217;t even reach the server, which makes this attack more unobtrusive.<\/p>\n<p>Encoding Attacks: An exploitation technique that aids an attack by changing the format of user-supplied data to bypass sanity checking filters. See also \u201cNull Injection\u201d.<\/p>\n<p>Extension Manipulation: (Obsolete) See \u201cFilename Manipulation\u201d.<\/p>\n<p>File Enumeration: (Obsolete) See \u201cPredictable File Location\u201d.<\/p>\n<p>Filename Manipulation: An attack technique used to exploit web sites by manipulating URL filenames to cause application errors, discover hidden content, or display the source code of an application. 
See also \u201cPredictable File Location\u201d.<\/p>\n<p>Filter-Bypass Manipulation: See \u201cEncoding Attacks\u201d.<\/p>\n<p>Forced Browsing: See \u201cPredictable File Location\u201d.<\/p>\n<p>Form Field Manipulation: Altering or modification of HTML Form-Field input values or HTTP post-data to exploit security issues within a web application. See also \u201cParameter Tampering\u201d, \u201cCookie Manipulation\u201d.<\/p>\n<p>Format String Attack: An exploit technique that alters the flow of an application by using string formatting library features to access other memory space.<\/p>\n<p>Frame Spoofing: (Obsolete) See \u201cContent Spoofing\u201d.<\/p>\n<p>HyperText Transfer Protocol: (Acronym \u2013 HTTP) A protocol scheme used on the World Wide Web. HTTP describes the way a web-client requests data and how a web server responds to those requests. See also \u201cWeb Server\u201d, \u201cWeb Browser\u201d.<\/p>\n<p>HTTP Request Smuggling: HTTP Request Smuggling works by taking advantage of the discrepancies in parsing when one or more HTTP devices\/entities (e.g. cache server, proxy server, web application firewall, etc.) are in the data flow between the user and the web server. HTTP Request Smuggling enables various attacks \u2013 \u201cweb cache poisoning\u201d, \u201csession hijacking\u201d, \u201ccross-site scripting\u201d as well as the ability to bypass web application firewall protection. The attacker sends multiple specially-crafted HTTP requests that cause the two attacked entities (e.g. a proxy server and a web server, or a firewall and a web server) to see two different sets of requests, allowing the attacker to smuggle a request to one device without the other device being aware of it.<\/p>\n<p>HTTP Response Smuggling: HTTP response smuggling is an enhancement of the basic \u201cHTTP response splitting\u201d technique, which can evade anti-HTTP response splitting measures. 
HTTP response smuggling makes use of \u201cHTTP request smuggling\u201d-like techniques to exploit the discrepancies between what an anti-HTTP Response Splitting mechanism would consider to be the HTTP response stream, and the response stream as parsed by a proxy server (or a browser). So, while an anti-HTTP response splitting mechanism may consider a particular response stream harmless (single HTTP response), a proxy\/browser may still parse it as two HTTP responses, and hence be susceptible to all the outcomes of the original HTTP response splitting technique. For example, some anti-HTTP response splitting mechanisms in use by some application engines forbid the application from inserting a header containing CR+LF into the response. Yet an attacker can force the application to insert a header containing CRs, thereby circumventing the defense mechanism. Some proxy servers may still treat CR (only) as a header (and response) separator, and as such the combination of web server and proxy server will still be vulnerable to an attack that may poison the proxy&#8217;s cache.<\/p>\n<p>HTTP Response Splitting: An HTTP response splitting attack causes the web server to send out two HTTP responses, where it typically only sends out one HTTP response (hence the name &#8211; &#8220;response splitting&#8221;). This can be described as HTTP response injection, and is typically conducted by injecting malicious data into an HTTP response header, using CR+LF characters to shape and terminate the first response, and then completely shape and control the additional response. Having this second, &#8220;unexpected&#8221; response enables the attacker to fool a client that receives this extra response by forcing this client to first emit a second request. The client then matches the second, attacker-controlled response to the second, attacker-controlled request. 
The net result (looking at the second request-response pair) is that the client is forced to send an arbitrary request to the vulnerable server, and in response, the client receives an arbitrary response crafted by the attacker. This condition enables \u201ccross-site scripting\u201d and \u201ccache poisoning\u201d.<\/p>\n<p>Impact: Consequences for an organization or environment when an attack is realized, or a weakness is present.<\/p>\n<p>Information Leakage: When a web site reveals sensitive data, such as developer comments or error messages, which aids an attacker in exploiting the system. See also \u201cVerbose Messages\u201d.<\/p>\n<p>Insufficient Authentication: When a web site permits an attacker to access sensitive content or functionality without verifying their identity. See also \u201cAuthentication\u201d.<\/p>\n<p>Insufficient Authorization: When a web site permits an attacker to access sensitive content or functionality that should require increased access control restrictions. See also \u201cAuthorization\u201d.<\/p>\n<p>Insufficient Session Expiration: When a web site permits an attacker to reuse old session credentials or session IDs for authorization. See also \u201cSession Replay\u201d, \u201cSession Credential\u201d, \u201cSession ID\u201d, \u201cSession Manipulation\u201d.<\/p>\n<p>Insufficient Process Validation: When a web site permits an attacker to bypass or circumvent the intended flow control of an application.<\/p>\n<p>Java: A popular programming language developed by Sun Microsystems(tm). See also \u201cActiveX controls\u201d, \u201cWeb Browser\u201d, \u201cJavaScript\u201d, \u201cClient-Side Scripting\u201d.<\/p>\n<p>Java Applets: An applet is a program written in the Java programming language that can be included in a web page. When a Java-enabled web browser views a page containing an applet, the code is executed by the Java Virtual Machine (JVM). 
See also \u201cWeb Browser\u201d, \u201cJava\u201d, \u201cActiveX controls\u201d, \u201cJavaScript\u201d, \u201cClient-Side Scripting\u201d.<\/p>\n<p>JavaScript: A popular web browser client-side scripting language used to create dynamic web page content. See also \u201cActiveX controls\u201d, \u201cJava Applets\u201d, \u201cClient-Side Scripting\u201d.<\/p>\n<p>Known CGI file: See \u201cPredictable File Location\u201d.<\/p>\n<p>Known Directory: See \u201cPredictable File Location\u201d.<\/p>\n<p>LDAP Injection: A technique for exploiting a web site by altering backend LDAP statements through manipulating application input. The methodology is similar to that of SQL Injection. See also \u201cParameter Tampering\u201d, \u201cForm Field Manipulation\u201d.<\/p>\n<p>Meta-Character Injection: An attack technique used to exploit web sites by sending in meta-characters, which have special meaning to a web application, as data input. Meta-characters are characters that have special meaning to programming languages, operating system commands, individual program procedures, database queries, etc. These special characters can adversely alter the behavior of a web application. See also \u201cNull Injection\u201d, \u201cParameter Tampering\u201d, \u201cSQL Injection\u201d, \u201cLDAP Injection\u201d, \u201cCross-Site Scripting\u201d.<\/p>\n<p>Null Injection: An exploitation technique used to bypass sanity checking filters by adding URL-encoded null-byte characters to user-supplied data. When developers create web applications in a variety of programming languages, these web applications often pass data to underlying lower-level C functions for further processing and functionality. If a user-supplied string contains a null character (\\0), the web application may stop processing the string at the point of the null. Null Injection is a form of meta-character injection attack. 
See also \u201cEncoding Attacks\u201d, \u201cParameter Tampering\u201d, \u201cMeta-Character Injection\u201d.<\/p>\n<p>OS Command Injection: See \u201cOS Commanding\u201d.<\/p>\n<p>OS Commanding: An attack technique used to exploit web sites by executing operating-system commands through manipulating application input. See also \u201cParameter Tampering\u201d, \u201cForm Field Manipulation\u201d.<\/p>\n<p>Page Sequencing: (Obsolete) See \u201cInsufficient Process Validation\u201d.<\/p>\n<p>Parameter Tampering: Altering or modification of the parameter name and value pairs in a URL. Also known as \u201cURL Manipulation\u201d. See also \u201cUniform Resource Locator\u201d.<\/p>\n<p>Password Recovery System: An automated process that allows a user to recover or reset his password in the event that it has been lost or forgotten. See also \u201cWeak Password Recovery Validation\u201d.<\/p>\n<p>Predictable File Location: A technique used to access hidden web site content or functionality by making educated guesses, manually or automatically, of the names and locations of files. Predictable file locations may include directories, CGIs, configuration files, backup files, temporary files, etc.<\/p>\n<p>Secure Sockets Layer: (Acronym \u2013 SSL) An industry standard public-key protocol used to create encrypted tunnels between two network-connected devices. See also \u201cTransport Layer Security\u201d.<\/p>\n<p>Session Credential: A string of data provided by the web server, normally stored within a cookie or URL, which identifies a user and authorizes them to perform various actions. See also \u201cSession ID\u201d.<\/p>\n<p>Session Fixation: An attack technique that forces a user\u2019s session credential or session ID to an explicit value. See also \u201cSession Credential\u201d, \u201cSession ID\u201d.<\/p>\n<p>Session Forging: See \u201cSession Prediction\u201d.<\/p>\n<p>Session Hi-Jacking: The result of a user\u2019s session being compromised by an attacker. 
The attacker could reuse this stolen session to masquerade as the user. See also \u201cSession Prediction\u201d, \u201cSession Credential\u201d, \u201cSession ID\u201d.<\/p>\n<p>Session ID: A string of data provided by the web server, normally stored within a cookie or URL. A Session ID tracks a user\u2019s session, or perhaps just his current session, as he traverses the web site.<\/p>\n<p>Session Manipulation: An attack technique used to hi-jack another user\u2019s session by altering a session ID or session credential value. See also \u201cSession Prediction\u201d, \u201cSession Hi-Jacking\u201d, \u201cSession Credential\u201d, \u201cSession ID\u201d.<\/p>\n<p>Session Prediction: An attack technique used to create fraudulent session credentials or guess other users\u2019 current session IDs. If successful, an attacker could reuse this stolen session to masquerade as another user. See also \u201cSession Credential\u201d, \u201cSession ID\u201d, \u201cSession Hi-Jacking\u201d.<\/p>\n<p>Session Replay: When a web site permits an attacker to reuse old session credentials or session IDs for authorization. See also \u201cSession ID\u201d, \u201cSession Credential\u201d, \u201cInsufficient Session Expiration\u201d.<\/p>\n<p>Session Tampering: See \u201cSession Manipulation\u201d.<\/p>\n<p>SQL Injection: An attack technique used to exploit web sites by altering backend SQL statements through manipulating application input. See also \u201cParameter Tampering\u201d, \u201cForm Field Manipulation\u201d.<\/p>\n<p>SSI Injection: A server-side exploit technique that allows an attacker to send code into a web application, which will be executed by the web server. See also &#8220;Meta-Character Injection&#8221;, \u201cParameter Tampering\u201d, \u201cForm Field Manipulation\u201d.<\/p>\n<p>Transport Layer Security: (Acronym \u2013 TLS) The more secure successor to SSL. The TLS protocol provides communications privacy over the Internet. 
The protocol allows client\/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. TLS is based on the SSL protocol, but the two systems are not interoperable. See also \u201cSecure Sockets Layer\u201d.<\/p>\n<p>Uniform Resource Locator: (Acronym \u2013 URL) A standard way of specifying the location of an object, normally a web page, on the Internet. See also \u201cParameter Tampering\u201d.<\/p>\n<p>Unvalidated Input: When a web application does not properly sanity-check user-supplied data input.<\/p>\n<p>URL Manipulation: Altering or modification of a web application\u2019s parameter name and value pairs. Also known as \u201cParameter Tampering\u201d.<\/p>\n<p>User-Agent Manipulation: A technique used to bypass web site browser requirement restrictions by altering the value sent within an HTTP User-Agent header. See also \u201cCookie Manipulation\u201d.<\/p>\n<p>Verbose Messages: Detailed pieces of information revealed by a web site, which could aid an attacker in exploiting the system.<\/p>\n<p>Visual Verification: Visually oriented method of anti-automation that prevents automated programs from exercising web site functionality by determining if there is presence of mind. See also \u201cAnti-Automation\u201d.<\/p>\n<p>Vulnerability: &#8220;An occurrence of a weakness (or multiple weaknesses) within software, in which the weakness can be used by a party to cause the software to modify or access unintended data, interrupt proper execution, or perform incorrect actions that were not specifically granted to the party who uses the weakness.&#8221; &#8211; CWE (http:\/\/cwe.mitre.org\/documents\/glossary\/index.html#Vulnerability)<\/p>\n<p>Weakness: &#8220;A type of mistake in software that, in proper conditions, could contribute to the introduction of vulnerabilities within that software. 
This term applies to mistakes regardless of whether they occur in implementation, design, or other phases of the SDLC.&#8221; &#8211; CWE (http:\/\/cwe.mitre.org\/documents\/glossary\/index.html#Weakness)<\/p>\n<p>Weak Password Recovery Validation: When a web site permits an attacker to illegally obtain, change or recover another user\u2019s password. See also \u201cPassword Recovery System\u201d.<\/p>\n<p>Web Application: A software application, executed by a web server, which responds to dynamic web page requests over HTTP. See also \u201cWeb Server\u201d, \u201cWeb Service\u201d.<\/p>\n<p>Web Application Scanner: See \u201cWeb Application Vulnerability Scanner\u201d.<\/p>\n<p>Web Application Security: Science of information security relating to the World Wide Web, HTTP and web application software. Also known as \u201cWeb Security\u201d.<\/p>\n<p>Web Application Firewall: An intermediary device, sitting between a web-client and a web server, analyzing OSI Layer-7 messages for violations of the programmed security policy. A web application firewall is used as a security device protecting the web server from attack. See also \u201cWeb Application Security\u201d, \u201cWeb Server\u201d.<\/p>\n<p>Web Application Vulnerability Scanner: An automated security program that searches for software vulnerabilities within web applications. See also \u201cWeb Application Security\u201d.<\/p>\n<p>Web Browser: A program used to display HyperText Markup Language (HTML) web pages sent by a web server. See also \u201cActiveX controls\u201d, \u201cCookie\u201d, \u201cJava Applets\u201d, \u201cJavaScript\u201d, \u201cClient-Side Scripting\u201d.<\/p>\n<p>Web (or browser) cache poisoning: The act of adding\/overwriting a cache entry (of a caching proxy server, or a browser) with forged and possibly malicious data is called cache poisoning. 
In its most potent form, an attacker can force an arbitrary entry (URL of choice, page contents of choice) into the cache. In HTTP response splitting, the attacker can choose the URL&#8217;s path and query (the host, port and scheme must be the vulnerable host&#8217;s), and the entire page contents. In HTTP request smuggling, the attacker can choose the URL as in HTTP response splitting, but the page contents must be obtained from a URL on the site. At any rate, cache poisoning can be considered a form of defacement, whose scope is determined by the coverage of the cache (i.e. browser &#8211; 1 user, forward proxy &#8211; 1 ISP\/organization, reverse proxy &#8211; all users), and the strength of the attack (full page control over \/index.html vs. partial control).<\/p>\n<p>Web Security: See \u201cWeb Application Security\u201d.<\/p>\n<p>Web Security Assessment: A process of performing a security review of a web application by searching for design flaws, vulnerabilities and inherent weaknesses. See also \u201cWeb Application Security\u201d.<\/p>\n<p>Web Security Scanner: See \u201cWeb Application Vulnerability Scanner\u201d.<\/p>\n<p>Web Server: A general-purpose software application that handles and responds to HTTP requests. A web server may utilize a web application for dynamic web page content. See also \u201cWeb Application\u201d, \u201cApplication Server\u201d, \u201cHyperText Transfer Protocol\u201d.<\/p>\n<p>Web Service: A software application that uses Extensible Markup Language (XML) formatted messages to communicate over HTTP. Typically, software applications interact with web services rather than normal users. See also \u201cWeb Server\u201d, \u201cWeb Application\u201d, \u201cApplication Server\u201d, \u201cHyperText Transfer Protocol\u201d.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. 
The purpose of the Glossary is to clarify the language used within the community. Complete Document [PDF] size: 140 kilobytes<\/p>\n<p>Project leader: Robert Auger (contact @ webappsec org)<\/p>\n<p>Abuse of Functionality: An attack technique that uses the [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/2669"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2669"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/2669\/revisions"}],"predecessor-version":[{"id":2670,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/2669\/revisions\/2670"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2669"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2669"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2669"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}