update documentation

webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/2fa-bypass.adoc

@@ -1,15 +1,15 @@
 
 == 2FA Password Reset
 
-A recent (2016) example (https://henryhoggard.co.uk/blog/Paypal-2FA-Bypass) is a great example of authentication bypass. He was unable to receive an SMS with a code, so he opted for the provided
-alternative method, which involved security questions.  Using a proxy, removed the parameters entirely ... and won.
+An excellent example of authentication bypass is a recent (2016) example (https://henryhoggard.co.uk/blog/Paypal-2FA-Bypass). He could not receive an SMS with a code, so he opted for
+an alternative method, which involved security questions.  Using a proxy, removed the parameters entirely and won.
 
 image::images/paypal-2fa-bypass.png[Paypal 2FA bypass,1397,645,style="lesson-image"]
 
 
 === The Scenario
 
-You are resetting your password, but doing it from a location or device that your provider does not recognize. So you need to answer the security questions you set up.  The other issue is
-that those security questions are also stored on another device (not with you) and you don't remember them.
+You reset your password, but do it from a location or device that your provider does not recognize. So you need to answer the security questions you set up.  The other issue is
+Those security questions are also stored on another device (not with you), and you don't remember them.
 
-You have already provided your username/email and opted for the alternative verification method.
+You have already provided your username/email and opted for the alternative verification method.

webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/bypass-intro.adoc

@@ -1,15 +1,15 @@
 == Authentication Bypasses
 
-Authentication Bypasses happen in many ways, but usually take advantage of some flaw in the configuration or logic. Tampering to achieve the right conditions.
+Authentication Bypasses happen in many ways but usually take advantage of some flaw in the configuration or logic. Tampering to achieve the right conditions.
 
 === Hidden inputs
 
-The simplest form is a reliance on a hidden input that is in the web page/DOM.
+The simplest form is a reliance on a hidden input in the web page/DOM.
 
 === Removing Parameters
 
-Sometimes, if an attacker doesn't know the correct value of a parameter, they may remove the parameter from the submission altogether to see what happens.
+Sometimes, if an attacker doesn't know the correct value of a parameter, they may remove it from the submission altogether to see what happens.
 
 === Forced Browsing
 
-If an area of a site is not protected properly by configuration, that area of the site may be accessed by guessing/brute-forcing.
+If an area of a site is not appropriately protected by configuration, that area of the site may be accessed by guessing/brute-forcing.

webgoat-lessons/auth-bypass/src/main/resources/lessonPlans/en/lesson-template-video.adoc

@@ -1,7 +1,7 @@
 === More Content, Video too ...
 
-You can structure and format the content however you like. You can even include video if you like (but may be subject to browser support). You may want to make it more pertinent to web application security than this though.
+You can structure and format the content however you like. You can even include video if you like (but may be subject to browser support). You may want to make it more pertinent to web application security than this, though.
 
 video::video/sample-video.m4v[width=480,start=5]
 
-see http://asciidoctor.org/docs/asciidoc-syntax-quick-reference/#videos for more detail on video syntax
+see http://asciidoctor.org/docs/asciidoc-syntax-quick-reference/#videos for more detail on video syntax