From 7b5bb6d6f19b475b5474aacd1a050ba1db240bf3 Mon Sep 17 00:00:00 2001 From: xanderhades Date: Mon, 29 Jan 2018 17:25:19 -0500 Subject: [PATCH] Fixed typos --- .../resources/lessonPlans/en/CrossSiteScripting_content8.adoc | 4 ++-- .../main/resources/lessonPlans/en/IDOR_editOtherProfile.adoc | 2 +- .../src/main/resources/lessonPlans/en/IDOR_inputAltPath.adoc | 2 +- .../idor/src/main/resources/lessonPlans/en/IDOR_intro.adoc | 4 ++-- .../idor/src/main/resources/lessonPlans/en/IDOR_login.adoc | 2 +- .../src/main/resources/lessonPlans/en/IDOR_mitigation.adoc | 2 +- .../src/main/resources/lessonPlans/en/Introduction.adoc | 4 ++-- 7 files changed, 10 insertions(+), 10 deletions(-) diff --git a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8.adoc b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8.adoc index 80a3c7a25..a39af74c3 100644 --- a/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8.adoc +++ b/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8.adoc @@ -2,10 +2,10 @@ === Why? -Hopefully we've covered that by now. Bottom line, you don't want someone else's code running in the context of your users and their logged-in seession +Hopefully we've covered that by now. Bottom line, you don't want someone else's code running in the context of your users and their logged-in session === What to encode? -The basic premise of defending against XSS is *output endoding* any untrusted input that goes to the screen. +The basic premise of defending against XSS is *output encoding* any untrusted input that goes to the screen. That may be changing with more sophisticated attacks, but is still the best defense we currently have. *AND* ... *context matters* Another word on 'untrusted input'. If in doubt, treat everything (even data you populated in your DB as untrusted). 
diff --git a/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_editOtherProfile.adoc b/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_editOtherProfile.adoc index 5cfa0c262..aa9ae94ba 100644 --- a/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_editOtherProfile.adoc +++ b/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_editOtherProfile.adoc @@ -4,5 +4,5 @@ Older apps may follow different patterns, but RESTful apps (which is what's goin to perform different functions. Use that knowledge to take the same base request, change its method, path and body (payload) to modify another user's (Buffalo Bill's) profile. -Change the role to something lower (since higher privilege roles and users are ususally lower numbers). Also change modify the +Change the role to something lower (since higher privilege roles and users are ususally lower numbers). Also change the user's color to 'red'. \ No newline at end of file diff --git a/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_inputAltPath.adoc b/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_inputAltPath.adoc index 1de5253e6..43b472529 100644 --- a/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_inputAltPath.adoc +++ b/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_inputAltPath.adoc @@ -1 +1 @@ -Please input the alternate path to the Url to view your own profile. Please start witih 'WebGoat' (i.e. disregard 'http://localhost:8080/') \ No newline at end of file +Please input the alternate path to the Url to view your own profile. Please start with 'WebGoat' (i.e. disregard 'http://localhost:8080/') \ No newline at end of file diff --git a/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_intro.adoc b/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_intro.adoc index ecf28b0b0..5e48954b1 100644 --- a/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_intro.adoc 
+++ b/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_intro.adoc @@ -15,12 +15,12 @@ Examples of Direct Object References using the GET method may look something lik === Other Methods -POST, PUT, DELETE or other methods are also potentially succeptible and mainly only differ in the method and the potential payload. +POST, PUT, DELETE or other methods are also potentially susceptible and mainly only differ in the method and the potential payload. == *Insecure* Direct Object References These are considered insecure when the reference is not properly handled and allows for authorization bypasses or disclose private data that could be used to -perform opreations or access data that the user should not be able to perform or access. +perform operations or access data that the user should not be able to perform or access. Let's say that as a user, you go to view your profile and the URL looks something like: `https://some.company.tld/app/user/23398` diff --git a/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_login.adoc b/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_login.adoc index df1cfdd09..f9eb76f7e 100644 --- a/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_login.adoc +++ b/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_login.adoc @@ -1,6 +1,6 @@ === Authenticate First, Abuse Authorization Later -Many access control issues are succeptible to attack from an authenticated-but-unauthorized user. So, let's start by legitimately authenticating. Then, we will look for ways to bypass or abuse Authorization. +Many access control issues are susceptible to attack from an authenticated-but-unauthorized user. So, let's start by legitimately authenticating. Then, we will look for ways to bypass or abuse Authorization. The id and password for the account in this case are 'tom' and 'cat' (It is an insecure app, right?). 
diff --git a/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_mitigation.adoc b/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_mitigation.adoc index 8614f16e0..7c76de365 100644 --- a/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_mitigation.adoc +++ b/webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_mitigation.adoc @@ -38,7 +38,7 @@ For example, if a super-user or admin can edit other's profiles ... That is some examples would include detected violations or attempts to violate access control mechanisms. === Using Indrect References -Not many applications employ it, but you can use *indirect* refrences. In this case you can run your references across a hahsing, +Not many applications employ it, but you can use *indirect* references. In this case you can run your references across a hashing, encoding or other function on the server so that the id that the client sees is not the actual reference which the server handles. This will reduce efficiency some (a common trade-off for security) and is still subject to being guessed, brute-forced or reverse engineered. diff --git a/webgoat-lessons/webgoat-introduction/src/main/resources/lessonPlans/en/Introduction.adoc b/webgoat-lessons/webgoat-introduction/src/main/resources/lessonPlans/en/Introduction.adoc index f1ac477d3..6660ab169 100644 --- a/webgoat-lessons/webgoat-introduction/src/main/resources/lessonPlans/en/Introduction.adoc +++ b/webgoat-lessons/webgoat-introduction/src/main/resources/lessonPlans/en/Introduction.adoc 
@@ -10,8 +10,8 @@ unintended code gets into your applications. What better way to do that than with your very own scapegoat? -Feel free to do what you will with Hack. Poke, prod and if it makes you feel better, scare him until your heart’s content. -Go ahead, and Hack the goat. We promise he likes it. +Feel free to do what you will with him. Hack, poke, prod and if it makes you feel better, scare him until your heart’s content. +Go ahead, and hack the goat. We promise he likes it. Thanks for your interest!
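Review bot: in the CrossSiteScripting_content8.adoc hunk, the trailing context line still has a misplaced closing parenthesis: "treat everything (even data you populated in your DB as untrusted)." should read "treat everything (even data you populated in your DB) as untrusted." Since this commit is a typo sweep over the lesson plans, it is worth extending the hunk one line to include that fix.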
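Review bot: in the IDOR_editOtherProfile.adoc hunk, the rewritten line still carries "ususally" ("since higher privilege roles and users are ususally lower numbers"); it should be "usually". The line is already being modified, so the correction belongs in the same hunk rather than a follow-up commit.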
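Review bot: in the IDOR_inputAltPath.adoc hunk, "the Url" on the changed line should be "the URL" for consistency with the rest of the lesson text, which spells the acronym in capitals. Minor style point, but cheap to fold in while the line is being touched.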
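Review bot: in the IDOR_intro.adoc hunk, the context line directly above the second change has a verb-agreement error: "allows for authorization bypasses or disclose private data" should be "allows for authorization bypasses or discloses private data" (or "or disclosure of private data"). Suggest widening the hunk by one line to cover it.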
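Review bot: in the IDOR_mitigation.adoc hunk, the heading in the context line immediately above the change, "=== Using Indrect References", still misspells "Indirect". Since the hunk fixes "refrences" and "hahsing" on the very next line, the heading fix should go in the same hunk so the section title is not left with the only remaining typo.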
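Review bot: in the Introduction.adoc hunk, "scare him until your heart’s content" on the changed line uses the wrong idiom; it should be "to your heart’s content". The stray comma in "Go ahead, and hack the goat" could also be dropped while the line is being rewritten.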