From cd2e1c1c09d47a504707484bdaad0fcc664da202 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Tue, 2 Nov 2021 11:16:05 +0100 Subject: [PATCH] Fix spelling issues --- .../en/missing-function-ac-01-intro.adoc | 8 ++++---- .../en/missing-function-ac-02-client-controls.adoc | 8 ++++---- .../en/missing-function-ac-03-users.adoc | 14 ++++++++++---- 3 files changed, 18 insertions(+), 12 deletions(-) diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-01-intro.adoc b/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-01-intro.adoc index 3fa401c79..4616d8bbe 100644 --- a/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-01-intro.adoc +++ b/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-01-intro.adoc 
@@ -1,9 +1,9 @@ == Missing Function Level Access Control -Access control, like preventing XSS with output encoding can be tricky to maintain. One needs to ensure it is enforced properly throughout the entire application, thus in every method/function. +Access control, like preventing XSS with output encoding, can be tricky to maintain. One must ensure it is adequately enforced throughout the entire application, thus in every method/function. === IDOR vs Missing Function Level Access Control -The fact is many people (including the author of this lesson) would combine function level access control and IDOR into 'Access Control'. For sake of OWASP Top 10 and these lessons, we will make a -distinction. The distinction most made is that IDOR is more of a 'horizontal' or 'lateral' access control issue, and missing function level access control 'exposes functionality'. Even though, -the IDOR lesson here demonstrates how functionality may also be exposed, (at least to another user in the same role), we will look at other ways functionality might be exposed. +The fact is many people (including the author of this lesson) would combine function level access control and IDOR into 'Access Control.' For the sake of OWASP Top 10 and these lessons, we will make a +distinction. The distinction most made is that IDOR is more of a 'horizontal' or 'lateral' access control issue, and missing function level access control 'exposes functionality.' Even though +the IDOR lesson here demonstrates how functionality may also be exposed (at least to another user in the same role), we will look at other ways functionality might be exposed. diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-02-client-controls.adoc b/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-02-client-controls.adoc index 114ca7825..6c8441bcb 100644 
--- a/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-02-client-controls.adoc +++ b/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-02-client-controls.adoc @@ -1,11 +1,11 @@ == Relying on Obscurity -One could rely on HTML, CSS or javascript to hide links that users don't normally access. -In the past there has been a case where a network router tried to protect (hide) admin functionality with javascript in the UI: https://www.wired.com/2009/10/routers-still-vulnerable. +One could rely on HTML, CSS, or javascript to hide links that users don't normally access. +In the past, a network router tried to protect (hide) admin functionality with javascript in the UI: https://www.wired.com/2009/10/routers-still-vulnerable. === Finding Hidden Items -There are usually hints to finding functionality the UI does not openly expose in ... +There are usually hints to finding functionality the UI does not openly expose in: * HTML or javascript comments * Commented out elements @@ -13,4 +13,4 @@ There are usually hints to finding functionality the UI does not openly expose i === Your Mission -Find two invisible menu items in the menu below that are, or would be, of interest to an attacker/malicious user and submit the labels for those menu items (there are no links right now in the menus). +Find two invisible menu items in the menu below that are or would be of interest to an attacker/malicious user and submit the labels for those menu items (there are no links right now in the menus). \ No newline at end of file diff --git a/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-03-users.adoc b/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-03-users.adoc index 9a7dfd52b..739f15dbf 100644 --- a/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-03-users.adoc 
+++ b/webgoat-lessons/missing-function-ac/src/main/resources/lessonPlans/en/missing-function-ac-03-users.adoc @@ -1,9 +1,15 @@ -== Just Try It +== Try it -As the previous page described, sometimes applications rely on client-side controls to control access (obscurity). If you can find items which are invisible, just try them and see what happens. Yes, it can be that simple! +As the previous page described, sometimes applications rely on client-side controls to control access (obscurity). If you can find invisible items, try them and see what happens. Yes, it can be that simple! === Gathering User Info -Often data dumps originate from vulnerabilities such as sql injection, but they can also come from poor or lacking access control. +Often data dumps originate from vulnerabilities such as SQL injection, but they can also come from poor or lacking access control. -It will likely take multiple steps and multiple attempts to get this one. Pay attention to the comments and leaked info. And you'll need to do some guessing too. You may need to use another browser/account along the way. Start with the info you already gathered (hidden menu items) to see if you can pull the list of users and then provide the 'Hash' for your own user account. +It will likely take multiple steps and multiple attempts to get this one: + +- Pay attention to the comments and leaked info. +- You'll need to do some guessing too. +- You may need to use another browser/account along the way. + +Start with the information you already gathered (hidden menu items) to see if you can pull the list of users and then provide the 'Hash' for your user account. \ No newline at end of file
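Review bot: In the missing-function-ac-01-intro.adoc hunk, "adequately enforced" weakens the original "properly": the lesson's point is that access control has to be enforced consistently in every method/function, not merely well enough, so "consistently enforced" (or the original "properly") fits better. In the same sentence "thus in every method/function" reads oddly; "that is, in every method/function" says what is meant. The second paragraph still opens with the filler "The fact is many people ... would combine"; "Many people (including the author of this lesson) lump function level access control and IDOR together under 'Access Control'" is tighter. Moving the full stops inside the single quotes ('Access Control.' and 'exposes functionality.') is a punctuation-style change rather than a spelling fix and should at least be applied the same way across all three lesson files.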
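Review bot: In the first missing-function-ac-02-client-controls.adoc hunk, dropping "there has been a case where" turns the Wired example into "a network router tried to protect (hide) admin functionality", which makes the device the actor; "a network router vendor tried to hide admin functionality with JavaScript in the UI" keeps the meaning. Since this commit capitalizes "SQL injection" in the users lesson, "javascript" on both changed lines here (and "javascript comments" in the unchanged list below) should become "JavaScript" for consistency. "hints to finding functionality" should be "hints for finding functionality". Worth stating the security point explicitly in the opening sentence, e.g. "Hiding a link with HTML, CSS, or JavaScript is not access control; the server still serves the hidden function to anyone who requests it," since that is what the mission below relies on.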
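Review bot: In the second missing-function-ac-02-client-controls.adoc hunk ("=== Your Mission"), removing the commas around "or would be" makes "menu items ... that are or would be of interest to an attacker" harder to parse; either keep the commas or simplify to "menu items in the menu below that would be of interest to an attacker". "attacker/malicious user" says the same thing twice; "attacker" is enough. The hunk also leaves the file with "\ No newline at end of file"; since the line is being touched anyway, add the trailing newline.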
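Review bot: In the missing-function-ac-03-users.adoc hunk, the new heading "== Try it" breaks the title case used by every other heading in these lessons ("Gathering User Info", "Finding Hidden Items", "Your Mission"); use "== Try It". The new bullet list uses "- " markers while the client-controls lesson uses "* "; both render in AsciiDoc, but pick one across the lesson files. Changing "your own user account" to "your user account" drops the emphasis that the target is the hash of the account you are logged in as, which is what the lesson checks; keep "your own". As in the previous file, the edited last line is still missing its trailing newline.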