diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-01-intro.adoc b/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-01-intro.adoc index 921fe7126..3fa401c79 100644 --- a/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-01-intro.adoc +++ b/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-01-intro.adoc @@ -1,9 +1,9 @@ == Missing Function Level Access Control -Access control, like output encoding XSS can be tricky to maintain and ensure it is enforced properly throughout an application, including at each method/function. +Access control, like preventing XSS with output encoding can be tricky to maintain. One needs to ensure it is enforced properly throughout the entire application, thus in every method/function. === IDOR vs Missing Function Level Access Control -The fact is many people (including the author of this lesson) would lump function level access control and IDOR into 'Access Control'. For sake of OWASP, Top 10 and these lessons, we will make a -distinction. The distinction most make is that IDOR is more of a 'horizontal' or 'lateral' access control issue, and missing function level access control 'exposes functionality'. Even though, -the IDOR lesson here demonstrates how functionality may also be exposed, (at least to another user in the same role), we will look at other ways functionality might be exposed. \ No newline at end of file +The fact is many people (including the author of this lesson) would combine function level access control and IDOR into 'Access Control'. For sake of OWASP Top 10 and these lessons, we will make a +distinction. The distinction most made is that IDOR is more of a 'horizontal' or 'lateral' access control issue, and missing function level access control 'exposes functionality'. Even though, +the IDOR lesson here demonstrates how functionality may also be exposed, (at least to another user in the same role), we will look at other ways functionality might be exposed.