OWASP AntiSamy | OWASP Foundation (2023)

OWASP AntiSamy

AntiSamy was originally authored by Arshan Dabirsiaghi (arshan.dabirsiaghi [at] gmail.com) of Contrast Security with help from Jason Li (jason.li [at] owasp.org) and is currently maintained by Dave Wichers (dave.wichers [at] owasp.org) and Sebastian Passaro (sebastian.passaro [at] owasp.org).

Description

The OWASP AntiSamy project is a few things. Technically, it is an API for ensuring user-supplied HTML/CSS is in compliance with an application’s rules. Another way of saying that could be: It’s an API that helps you make sure that clients don’t supply malicious cargo code in the HTML they supply for their profile, comments, etc., that get persisted on the server. The term “malicious code” with regard to web applications usually means “JavaScript.” Cascading Stylesheets are only considered malicious when they invoke the JavaScript engine. However, there are many situations where “normal” HTML and CSS can be used in a malicious manner. So we take care of that too.

Philosophically, AntiSamy is a departure from contemporary security mechanisms. Generally, the security mechanism and user have a communication that is virtually one way, for good reason. Letting the potential attacker know details about the validation is considered unwise as it allows the attacker to “learn” and “recon” the mechanism for weaknesses. These types of information leaks can also hurt in ways you don’t expect. A login mechanism that tells the user, “Username invalid” leaks the fact that a user by that name does not exist. A user could use a dictionary or phone book or both to remotely come up with a list of valid usernames. Using this information, an attacker could launch a brute force attack or massive account lock denial-of-service. We get that.

Unfortunately, that’s just not very usable in this situation. Typical Internet users are largely pretty bad when it comes to writing HTML/CSS, so where do they get their HTML from? Usually they copy it from somewhere out on the web. Simply rejecting their input without any clue as to why is jolting and annoying. Annoyed users go somewhere else to do their social networking.

The OWASP licensing policy allows OWASP projects to be released under any approved open source license. Under these guidelines, AntiSamy is distributed under a BSD license.

What is AntiSamy?

OWASP AntiSamy provides:

This page shows a big-picture comparison between the versions. Since it’s an unfunded open source project, the ports can’t be expected to mirror functionality exactly. If there’s something a port is missing – let us know, and we’ll try to accommodate, or write a patch!

Presentations

From OWASP & WASC AppSec U.S. 2007 Conference (San Jose, CA): AntiSamy: Picking a Fight with XSS (ppt) - by Arshan Dabirsiaghi - AntiSamy project lead

From OWASP AppSec Europe 2008 (Ghent, Belgium): The OWASP AntiSamy project (ppt) - by Jason Li - AntiSamy project contributor

From OWASP AppSec India 2008 (Delhi, India): Validating Rich User Content (ppt) - by Jason Li - AntiSamy project contributor

From Shmoocon 2009 (Washington, DC): AntiSamy - Picking a Fight with XSS (pptx) - by Arshan Dabirsiaghi - AntiSamy project lead

News and Events

[3 July 2021] Please update AntiSamy to 1.6.4 or later to avoid CVE-2021-35043, CVE-2017-14735, and CVE-2016-10006.

[10 Apr 2022] Please update AntiSamy to 1.6.7 or later to additionally avoid CVE-2022-28367 and CVE-2022-29577.

We always recommend using the latest available release to not only eliminate direct vulnerabilities, but any vulnerabilities in dependencies that have been upgraded.

There are 4 steps in the process of integrating AntiSamy. Each step is detailed in the next section, but the high level overview follows:

  1. Download AntiSamy from Maven
  2. Choose the standard policy file that most closely matches the functionality you need:
    • antisamy-tinymce-X.X.X.xml
    • antisamy-slashdot-X.X.X.xml
    • antisamy-ebay-X.X.X.xml
    • antisamy-myspace-X.X.X.xml
    • antisamy-anythinggoes-X.X.X.xml
  3. Tailor the policy file according to your site’s rules
  4. Call the API from the code

Stage 1 - Downloading AntiSamy

First, add the dependency from Maven:

    <dependency>
        <groupId>org.owasp.antisamy</groupId>
        <artifactId>antisamy</artifactId>
        <!-- add a <version> element here: 1.6.7 or later, see News and Events -->
    </dependency>

Stage 2 - Choosing a base policy file

Chances are that your site’s use case for AntiSamy is at least roughly comparable to one of the predefined policy files. They each represent a “typical” scenario for allowing users to provide HTML (and possibly CSS) formatting information. Let’s look into the different policy files:

1) antisamy-slashdot.xml

Slashdot is a techie news site that allows users to respond anonymously to news posts with very limited HTML markup. Now, Slashdot is not only one of the coolest sites around, it’s also one that’s been subject to many different successful attacks. Even more unfortunate is the fact that most of the attacks led users to the infamous goatse.cx picture (please don’t go look it up). The rules for Slashdot are fairly strict: users can only submit the following HTML tags and no CSS: <b>, <u>, <i>, <a>, <blockquote>.

Accordingly, we’ve built a policy file that allows fairly similar functionality. All text-formatting tags that operate directly on the font, color or emphasis have been allowed.

2) antisamy-ebay.xml

eBay is the most popular online auction site in the universe, as far as I can tell. It is a public site so anyone is allowed to post listings with rich HTML content. It’s not surprising that, given the attractiveness of eBay as a target, it has been subject to a few complex XSS attacks. Listings are allowed to contain much richer content than, say, Slashdot, so its attack surface is considerably larger. The following tags appear to be accepted by eBay (they don’t publish rules): <a>, ...

3) antisamy-myspace.xml

MySpace was, at the time this project was born, arguably the most popular social networking site. Users were allowed to submit pretty much all HTML and CSS they want - as long as it doesn’t contain JavaScript. MySpace was using a word blacklist to validate users’ HTML, which is why they were subject to the infamous Samy worm: Article: The MySpace Worm that Changed the Internet Forever, and another: In Samy’s own words. The Samy worm, which used fragmentation attacks combined with a word that should have been blacklisted (eval) - was the inspiration for the project.

4) antisamy-anythinggoes.xml

I don’t know of a possible use case for this policy file. If you wanted to allow every single valid HTML and CSS element (but without JavaScript or blatant CSS-related phishing attacks), you can use this policy file. Not even MySpace was this crazy. However, it does serve as a good reference because it contains base rules for every element, so you can use it as a knowledge base when tailoring the other policy files.

Stage 3 - Tailoring the policy file

Smaller organizations may want to deploy AntiSamy in a default configuration, but it’s equally likely that a site may want to have strict, business-driven rules for what users can allow. The discussion that decides the tailoring should also consider attack surface - which grows in relative proportion to the policy file.

You may also want to enable/modify some “directives”, which are basically advanced user options. This page tells you what the directives are and which versions support them.

Stage 4 - Calling the AntiSamy API

Using AntiSamy is easy. Here is an example of invoking AntiSamy with a policy file:

    import org.owasp.validator.html.*;

    Policy policy = Policy.getInstance(POLICY_FILE_LOCATION);
    AntiSamy as = new AntiSamy();
    CleanResults cr = as.scan(dirtyInput, policy);
    MyUserDAO.storeUserProfile(cr.getCleanHTML()); // some custom function

There are a few ways to create a Policy object. The getInstance() method can take any of the following:

  • a String filename
  • a File object
  • an InputStream

Policy files can also be referenced by filename by passing a second argument to the AntiSamy:scan() method as the following examples show:

    AntiSamy as = new AntiSamy();
    CleanResults cr = as.scan(dirtyInput, policyFilePath);

Finally, policy files can also be referenced by File objects directly in the second parameter:

    AntiSamy as = new AntiSamy();
    CleanResults cr = as.scan(dirtyInput, new File(policyFilePath));

Stage 5 - Analyzing CleanResults

The CleanResults object provides a lot of useful stuff.

  • getErrorMessages() - a list of String error messages
  • getCleanHTML() - the clean, safe HTML output
  • getCleanXMLDocumentFragment() - the clean, safe XMLDocumentFragment which is reflected in getCleanHTML()
  • getScanTime() - returns the scan time in seconds
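
The calls from Stages 4 and 5 combined into one runnable class, as an added example that is not part of the AntiSamy documentation: it parses the policy once, keeps only getCleanHTML() for storage, passes getErrorMessages() back to the user, and stores nothing if the scan throws. The names ProfileSanitizer and Outcome and the sample input are assumptions made up for illustration; the policy file path is given on the command line.

```java
import java.util.Collections;
import java.util.List;

import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

// Added example (not from the AntiSamy documentation). ProfileSanitizer and
// Outcome are hypothetical names; the sample input below is constructed.
public class ProfileSanitizer {

    /** What the application stores and what it reports back to the user. */
    public static final class Outcome {
        public final boolean accepted;
        public final String cleanHtml;       // null when the input was rejected
        public final List<String> feedback;  // messages reported to the user

        Outcome(boolean accepted, String cleanHtml, List<String> feedback) {
            this.accepted = accepted;
            this.cleanHtml = cleanHtml;
            this.feedback = feedback;
        }
    }

    private final Policy policy;             // parsed once, reused for every scan
    private final AntiSamy antiSamy = new AntiSamy();

    public ProfileSanitizer(String policyFileLocation) throws PolicyException {
        this.policy = Policy.getInstance(policyFileLocation);
    }

    public Outcome sanitize(String dirtyInput) {
        try {
            CleanResults cr = antiSamy.scan(dirtyInput, policy);
            // Persist only the cleaned markup, never the original input.
            return new Outcome(true, cr.getCleanHTML(), cr.getErrorMessages());
        } catch (ScanException | PolicyException e) {
            // Fail closed: if the scan cannot complete, store nothing.
            return new Outcome(false, null, Collections.singletonList(
                    "Your HTML could not be processed and was not saved."));
        }
    }

    public static void main(String[] args) throws PolicyException {
        if (args.length != 1) {
            System.err.println("usage: java ProfileSanitizer <policy-file.xml>");
            System.exit(2);
        }
        ProfileSanitizer sanitizer = new ProfileSanitizer(args[0]);

        // Constructed sample: allowed formatting mixed with script content.
        String dirtyInput = "<b>About me</b> <script>alert(1)</script>"
                + "<a href=\"javascript:alert(1)\">my site</a>";

        Outcome out = sanitizer.sanitize(dirtyInput);
        if (out.accepted) {
            // A real application would call its own storage layer here.
            System.out.println("Stored HTML: " + out.cleanHtml);
        }
        // Reporting what was changed is the usability point made in the
        // Description section: users learn why their markup was altered.
        for (String message : out.feedback) {
            System.out.println("Note to user: " + message);
        }
    }
}
```

Compile and run it with the AntiSamy jar and its dependencies on the classpath, passing the tailored policy file from Stage 3 as the only argument.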

The following ports of AntiSamy are known to exist:

Grails

Daniel Bower created a Grails plugin for AntiSamy. No updates since 2015 however.

2 related projects built on top of the OWASP ESAPI for Java library (which uses AntiSamy for Java under the hood) are:

.NET

A new (2020+) .NET port of AntiSamy is available at the OWASP AntiSamy .NET project. This version of AntiSamy is looking for a few good developers to help make it feature-synchronized with the Java version.

If it doesn’t suit your needs, consider Microsoft’s AntiXSS library. However, this library is now end of life too. Microsoft states: “In .NET 4.0 a version of AntiXSS was included in the framework and could be enabled via configuration. In ASP.NET v5 a white list based encoder will be the only encoder.”

Python

A port of AntiSamy to Python was attempted, but has been abandoned since 2010. Michael Coates suggests you check out project Bleach instead.

PHP

Although a PHP version was initially planned, we now suggest HTMLPurifier for safe rich input validation for PHP applications.

FAQs

Which OWASP Top 10 item is considered the most severe? ›

OWASP Top 10 Vulnerabilities
  • Sensitive Data Exposure. ...
  • XML External Entities. ...
  • Broken Access Control. ...
  • Security Misconfiguration. ...
  • Cross-Site Scripting. ...
  • Insecure Deserialization. ...
  • Using Components with Known Vulnerabilities. ...
  • Insufficient Logging and Monitoring.

What are top 10 OWASP attacks? ›

OWASP Top Vulnerabilities
  • Injection.
  • Insecure Design.
  • Security Misconfiguration.
  • Vulnerable and Outdated Components.
  • Identification and Authentication Failures.
  • Software and Data Integrity Failures.
  • Security Logging and Monitoring Failures.
  • Server-Side Request Forgery.

What is OWASP cheat sheet? ›

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics. These cheat sheets were created by various application security professionals who have expertise in specific topics.

What does the OWASP Top 10 list name the classification for this vulnerability hack the box? ›

The OWASP top 10 vulnerabilities are listed below in order of severeness:
  • 1 – Injection. ...
  • 2 – Broken Authentication. ...
  • 3 – Sensitive Data Exposure. ...
  • 4 – XML External Entities. ...
  • 5 – Broken Access Control. ...
  • 6 – Security Misconfiguration. ...
  • 7 – Cross-site Scripting (XSS) ...
  • 8 – Insecure Deserialization.

What are the top 10 vulnerabilities that we should patch why? ›

Top 10 Vulnerabilities for 2022
  • Broken Access Control. ...
  • Cryptographic Failures. ...
  • Injection. ...
  • Insecure Design. ...
  • Security Misconfiguration. ...
  • Vulnerable and Outdated Components. ...
  • Identification and Authentication Failures. ...
  • Software and Data Integrity Failures.

What is the most critical vulnerability? ›

The most dangerous vulnerabilities exploited in 2022
  • ProxyLogon (CVE-2021-26855)
  • ZeroLogon (CVE-2020-1472)
  • Log4Shell (CVE-2021-44228)
  • VMware vSphere client (CVE-2021-21972)
  • PetitPotam (CVE-2021-36942)

How do you test against OWASP Top 10 vulnerabilities? ›

Using Burp to Test for the OWASP Top Ten
  • Injection. Using Burp to Test For Injection Flaws. ...
  • Broken Authentication and Session Management. ...
  • Cross-Site Scripting (XSS) ...
  • Insecure Direct Object References. ...
  • Security Misconfiguration. ...
  • Sensitive Data Exposure. ...
  • Missing Function Level Access Control. ...
  • Cross-Site Request Forgery (CSRF)

What does OWASP stand for? ›

OWASP Foundation, the Open Source Foundation for Application Security. OWASP Foundation. Mobile Application Security.

What vulnerability ranked #1 on the OWASP Top 10? ›

OWASP Top 10 Security Vulnerabilities – How To Mitigate Them
  • #1) Injection.
  • #2) Broken Authentication.
  • #3) Sensitive Data Exposure.
  • #4) XXE Injection.
  • #5) Broken Access Control.
  • #6) Security Misconfiguration.
  • #7) Cross-Site Scripting.
  • #8) Insecure Deserialization.

What are the top 3 items in the OWASP Top 10? ›

OWASP Top 10 Vulnerabilities
  • Broken Access Controls. Website security access controls should limit visitor access to only those pages or sections needed by that type of user. ...
  • Cryptographic Failures. ...
  • Injection. ...
  • Insecure Design. ...
  • Security Misconfiguration. ...
  • Vulnerable and Outdated Components.

What is the OWASP Top 10 list and why is it important? ›

The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. Globally recognized by developers as the first step towards more secure coding.

Is OWASP still relevant? ›

There is merit to these arguments, but the OWASP Top 10 is still the leading forum for addressing security-aware coding and testing. It's easy to understand, it helps users prioritise risk, and it's actionable. And for the most part, it focuses on the most critical threats, rather than specific vulnerabilities.

What are the 4 main types of vulnerability in cyber security? ›

Security Vulnerability Types
  • Network Vulnerabilities. These are issues with a network's hardware or software that expose it to possible intrusion by an outside party. ...
  • Operating System Vulnerabilities. ...
  • Human Vulnerabilities. ...
  • Process Vulnerabilities.

What is the name of the biggest risk identified by the OWASP Top 10 2017? ›

Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information.

How many security risks does OWASP Top 10? ›

The OWASP Top 10 is a regularly-updated report outlining security concerns for web application security, focusing on the 10 most critical risks. The report is put together by a team of security experts from all over the world.

What is the #1 most commonly reported web vulnerability? ›

1. SQL Injection. SQL injection is a widely known web security vulnerability, in which threat actors target the application's back-end. The attackers attempt to manipulate the SQL statements through user-supplied data.

What are the 4 stages of identifying vulnerabilities? ›

The vulnerability management process can be broken down into the following four steps:
  • Identifying Vulnerabilities.
  • Evaluating Vulnerabilities.
  • Treating Vulnerabilities.
  • Reporting Vulnerabilities.

Which security vulnerability is hardest to discover? ›

Buffer Overflow. Sometimes difficult to discover and often difficult to exploit, buffer overflow vulnerabilities are still common due to the variety of ways these vulnerabilities can occur and the error-prone approaches used to prevent them.

Which vulnerability is most frequently exploited by hackers? ›

Top 6 Vulnerabilities Most Exploited by Hackers
  • Cyber Security Vulnerability 1: Exposed External Websites or APIs.
  • Cyber Security Vulnerability 2: Misconfigured DNS.
  • Cyber Security Vulnerability 3: Splatting / Social Engineering.
  • Cyber Security Vulnerability 4: Insecure Security Frameworks.

What is the biggest vulnerability in cybersecurity? ›

5 Most Common Cybersecurity Vulnerabilities
  • Misconfiguration of Firewalls / OS. ...
  • Old Malware. ...
  • Lack of Cybersecurity Awareness. ...
  • Absence of Data Sanitization or Encryption Measures. ...
  • Legacy or Unpatched Software.

What are the 3 criteria for assessing vulnerability? ›

The assessment framework involves three dimensions: engagement, intent and capability, which are considered separately.

What is the best method to verify that the access controls are not broken OWASP? ›

Access control issues are typically not detectable by dynamic vulnerability scanning and static source-code review tools as they require an understanding of how certain pieces of data are used within the web app. Manual testing is the best way to detect missing or broken access controls.

How do you test and fix vulnerabilities in security flaws? ›

Following is the step by step process on How to do Vulnerability Assessment:
  1. Step 1) Setup: Begin Documentation. ...
  2. Step 2) Test Execution: Run the Tools. ...
  3. Step 3) Vulnerability Analysis: Defining and classifying network or System resources. ...
  4. Step 4) Reporting.
  5. Step 5) Remediation: The process of fixing the vulnerabilities.

What is used to protect your application from OWASP Top 10 exploits? ›

Zero-Trust approach must be adopted whether it is users, employees, vendors, or third-party service providers. This helps in protecting against a majority of OWASP Top 10 vulnerabilities including brute force attacks, XSS attacks, injections, and so on.

What is the main objective of OWASP? ›

The Open Web Application Security Project (OWASP) is a non-profit organization founded in 2001, with the goal of helping website owners and security experts protect web applications from cyber attacks. OWASP has 32,000 volunteers around the world who perform security assessments and research.

Why is OWASP important? ›

OWASP is a free and open security community project that provides an absolute wealth of knowledge, tools to help anyone involved in the creation, development, testing, implementation and support of a web application to ensure that security is built from the start and that the end product is as secure as possible.

Who owns OWASP? ›

Mark Curphey started OWASP on September 9, 2001. Jeff Williams served as the volunteer Chair of OWASP from late 2003 until September 2011. As of 2015, Matt Konda chaired the Board. The OWASP Foundation, a 501(c)(3) non-profit organization in the US established in 2004, supports the OWASP infrastructure and projects.

What is top 1 vulnerability type according to OWASP in 2022? ›

1. Broken access control. Access control implements strategies to prevent users from operating beyond the scope of their specified permissions. Due to access vulnerabilities, unauthenticated or unwanted users may access classified data and processes and user privilege settings.

What are OWASP standards? ›

The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.

What is the OWASP #1 IoT threat? ›

Weak, guessable, or hardcoded passwords

One of the most common security risks that can affect IoT devices is weak or easily guessed passwords. Many IoT devices come with factory-default passwords that are either easy-to-guess, publicly available, or unchangeable.

What are the two new OWASP components? ›

With these two new requirements (RASP and IAST) for application security being added to the NIST framework, it's really time to rethink how your organization is doing application security.

What are the top 10 security threats? ›

The Top Security Threats Of 2022
  • Man-in-the-middle attack. ...
  • Phishing. ...
  • Ransomware. ...
  • Watering hole attack. ...
  • Spyware. ...
  • Social engineering attack. ...
  • DDoS attack. ...
  • Cloud cryptomining.

What are the vulnerabilities in OWASP? ›

A vulnerability is a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application. Stakeholders include the application owner, application users, and other entities that rely on the application.

Which OWASP Top 10 weakness can be prevented using role based access control? ›

Role-Based Access control helps prevent this OWASP Top 10 weakness.
  • Failure to restrict URL Access.
  • Unvalidated Redirect or Forward.
  • Security Misconfiguration.
  • Insufficient Transport Layer Protection.

What is the seventh vulnerability of the OWASP Top 10? ›

In addition, Cross-Site Scripting, which was seventh on the previous list, has been rolled into the Injection Flaws category. A number of categories have been renamed to more accurately reflect the type of vulnerability encountered in today's application.

Is OWASP credible? ›

Since OWASP is a non-profit foundation, most of the tools are free and open, not to mention reliable, sources. In addition, it's reliable. That is probably one of the main reasons that OWASP has reached its mass usage size, reputation, and importance today. As a non-profit foundation, OWASP accepts donations.

Are people the weakest link in security? ›

So, it is common for employees to increase their digital footprint without being aware of the risks involved. We hear this repeatedly: “Humans are the weakest link in cybersecurity.” This negative characterization of human nature is deeply ingrained in the cybersecurity industry.

Which is most insecure protocol? ›

Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP v1 and v2.

What are the 5 C's of cyber security? ›

The five C's of cyber security are five areas that are of significant importance to all organizations. They are change, compliance, cost, continuity, and coverage. The top priority of organizations all over is having security protective of their digital and physical assets.

What are the 5 pillars of security? ›

The five pillars of security for evaluating a corporation's security are Physical, People, Data, and Infrastructure Security, and Crisis Management.

What are the 3 pillars of cybersecurity? ›

Some organizations build their cyber defenses by acquiring best-in-class technology, but their security team lacks the staffing or knowledge to fully implement it.

Who are the top 5 targets of ransomware? ›

Here are the most targeted industries.
  • Banking and Financial Services. The reasons for targeting banking and financial services companies are fairly clear. ...
  • Education. ...
  • Energy and Utilities. ...
  • Government. ...
  • Manufacturing. ...
  • Valuable Data. ...
  • Lack of Security Infrastructure. ...
  • Money for a Ransom.

Which vulnerability was removed from OWASP 2013? ›

Removal of unvalidated redirects and forwards category

The category “A-10 Unvalidated Redirects and Forwards” in the OWASP Top 10 2013 has been removed from the Top 10 2017 because the statistical data of OWASP indicated that the vulnerability is not highly prevalent anymore.

Can you explain OWASP Top 10? ›

The OWASP Top 10 provides rankings of—and remediation guidance for—the top 10 most critical web application security risks. Leveraging the extensive knowledge and experience of the OWASP's open community contributors, the report is based on a consensus among security experts from around the world.

What are high severity vulnerabilities? ›

Severity Level: High

Vulnerabilities that score in the high range usually have some of the following characteristics: The vulnerability is difficult to exploit. Exploitation could result in elevated privileges. Exploitation could result in a significant data loss or downtime.

What is the biggest vulnerability to security data? ›

The biggest security vulnerability in any organization is its own employees. Whether it's the result of intentional malfeasance or an accident, most data breaches can be traced back to a person within the organization that was breached. For example, employees may abuse their access privileges for personal gain.

What are the 4 main types of security vulnerability? ›

Security Vulnerability Types
  • Network Vulnerabilities. These are issues with a network's hardware or software that expose it to possible intrusion by an outside party. ...
  • Operating System Vulnerabilities. ...
  • Human Vulnerabilities. ...
  • Process Vulnerabilities.

What are the 6 types of vulnerability? ›

In a list that is intended to be exhaustively applicable to research subjects, six discrete types of vulnerability will be distinguished—cognitive, juridic, deferential, medical, allocational, and infrastructural.

What are the three main areas of vulnerabilities for security? ›

In that list, they categorize three main types of security vulnerabilities based on their more extrinsic weaknesses:
  • Porous defenses.
  • Risky resource management.
  • Insecure interaction between components.

What are the three biggest data breaches of all time? ›

Top 23 Biggest Data Breaches in US History
  • 1. Yahoo! Date: 2013-2016. ...
  • Microsoft. Date: January 2021. ...
  • First American Financial Corp. Date: May 2019. ...
  • 4. Facebook. Date: April 2021. ...
  • LinkedIn. Date: April 2021. ...
  • JPMorgan Chase. Date: June 2014. ...
  • Home Depot. Date: April 2014. ...
  • MySpace. Date: June 2013.

What is the #1 threat to information security? ›

1. Insider threats. An insider threat occurs when individuals close to an organization who have authorized access to its network intentionally or unintentionally misuse that access to negatively affect the organization's critical data or systems.

Article information

Author: Laurine Ryan

Last Updated: 02/12/2023
