dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fixed typos

Browse Source
This commit is contained in:
xanderhades 2018-01-29 17:25:19 -05:00 committed by Nanne Baars
parent 3cd349bb4b
commit f21fe7f2c3
7 changed files with 10 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8.adoc
View File

@ -2,10 +2,10 @@
=== Why? === Why?
Hopefully we've covered that by now. Bottom line, you don't want someone else's code running in the context of your users and their logged-in seession Hopefully we've covered that by now. Bottom line, you don't want someone else's code running in the context of your users and their logged-in session
=== What to encode? === What to encode?
The basic premise of defending against XSS is *output endoding* any untrusted input that goes to the screen. The basic premise of defending against XSS is *output encoding* any untrusted input that goes to the screen.
That may be changing with more sophisticated attacks, but is still the best defense we currently have. *AND* ... *context matters* That may be changing with more sophisticated attacks, but is still the best defense we currently have. *AND* ... *context matters*
Another word on 'untrusted input'. If in doubt, treat everything (even data you populated in your DB as untrusted). Another word on 'untrusted input'. If in doubt, treat everything (even data you populated in your DB as untrusted).

2
webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_editOtherProfile.adoc
View File

@ -4,5 +4,5 @@ Older apps may follow different patterns, but RESTful apps (which is what's goin
to perform different functions. to perform different functions.
Use that knowledge to take the same base request, change its method, path and body (payload) to modify another user's (Buffalo Bill's) profile. Use that knowledge to take the same base request, change its method, path and body (payload) to modify another user's (Buffalo Bill's) profile.
Change the role to something lower (since higher privilege roles and users are ususally lower numbers). Also change modify the Change the role to something lower (since higher privilege roles and users are ususally lower numbers). Also change the
user's color to 'red'. user's color to 'red'.

2
webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_inputAltPath.adoc
View File

@ -1 +1 @@
Please input the alternate path to the Url to view your own profile. Please start witih 'WebGoat' (i.e. disregard 'http://localhost:8080/') Please input the alternate path to the Url to view your own profile. Please start with 'WebGoat' (i.e. disregard 'http://localhost:8080/')

4
webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_intro.adoc
View File

@ -15,12 +15,12 @@ Examples of Direct Object References using the GET method may look something lik
=== Other Methods === Other Methods
POST, PUT, DELETE or other methods are also potentially succeptible and mainly only differ in the method and the potential payload. POST, PUT, DELETE or other methods are also potentially susceptible and mainly only differ in the method and the potential payload.
== *Insecure* Direct Object References == *Insecure* Direct Object References
These are considered insecure when the reference is not properly handled and allows for authorization bypasses or disclose private data that could be used to These are considered insecure when the reference is not properly handled and allows for authorization bypasses or disclose private data that could be used to
perform opreations or access data that the user should not be able to perform or access. perform operations or access data that the user should not be able to perform or access.
Let's say that as a user, you go to view your profile and the URL looks something like: Let's say that as a user, you go to view your profile and the URL looks something like:
`https://some.company.tld/app/user/23398` `https://some.company.tld/app/user/23398`

2
webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_login.adoc
View File

@ -1,6 +1,6 @@
=== Authenticate First, Abuse Authorization Later === Authenticate First, Abuse Authorization Later
Many access control issues are succeptible to attack from an authenticated-but-unauthorized user. So, let's start by legitimately authenticating. Then, we will look for ways to bypass or abuse Authorization. Many access control issues are susceptible to attack from an authenticated-but-unauthorized user. So, let's start by legitimately authenticating. Then, we will look for ways to bypass or abuse Authorization.
The id and password for the account in this case are 'tom' and 'cat' (It is an insecure app, right?). The id and password for the account in this case are 'tom' and 'cat' (It is an insecure app, right?).

2
webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_mitigation.adoc
View File

@ -38,7 +38,7 @@ For example, if a super-user or admin can edit other's profiles ... That is some
examples would include detected violations or attempts to violate access control mechanisms. examples would include detected violations or attempts to violate access control mechanisms.
=== Using Indrect References === Using Indrect References
Not many applications employ it, but you can use *indirect* refrences. In this case you can run your references across a hahsing, Not many applications employ it, but you can use *indirect* references. In this case you can run your references across a hashing,
encoding or other function on the server so that the id that the client sees is not the actual reference encoding or other function on the server so that the id that the client sees is not the actual reference
which the server handles. This will reduce efficiency some (a common trade-off for security) and is still subject to being which the server handles. This will reduce efficiency some (a common trade-off for security) and is still subject to being
guessed, brute-forced or reverse engineered. guessed, brute-forced or reverse engineered.

4
webgoat-lessons/webgoat-introduction/src/main/resources/lessonPlans/en/Introduction.adoc
View File

@ -10,8 +10,8 @@ unintended code gets into your applications.
What better way to do that than with your very own scapegoat? What better way to do that than with your very own scapegoat?
Feel free to do what you will with Hack. Poke, prod and if it makes you feel better, scare him until your hearts content. Feel free to do what you will with him. Hack, poke, prod and if it makes you feel better, scare him until your hearts content.
Go ahead, and Hack the goat. We promise he likes it. Go ahead, and hack the goat. We promise he likes it.
Thanks for your interest! Thanks for your interest!