diff --git a/src/main/resources/lessons/cryptography/documentation/encoding_plan.adoc b/src/main/resources/lessons/cryptography/documentation/encoding_plan.adoc index a67953041..a606f3853 100644 --- a/src/main/resources/lessons/cryptography/documentation/encoding_plan.adoc +++ b/src/main/resources/lessons/cryptography/documentation/encoding_plan.adoc @@ -2,7 +2,7 @@ == Base64 Encoding -Encoding is not realy cryptography, but it is used a lot in all kinds of standards around cryptographic functions. Especially Base64 encoding. +Encoding is not really cryptography, but it is used a lot in all kinds of standards around cryptographic functions. Especially Base64 encoding. Base64 encoding is a technique used to transform all kinds of bytes to a specific range of bytes. This specific range is the ASCII readable bytes. This way you can transfer binary data such as secret or private keys more easily. You could even print these out or write them down. diff --git a/src/main/resources/lessons/cryptography/documentation/keystores.adoc b/src/main/resources/lessons/cryptography/documentation/keystores.adoc index 2f057b36f..6ce4a79e1 100644 --- a/src/main/resources/lessons/cryptography/documentation/keystores.adoc +++ b/src/main/resources/lessons/cryptography/documentation/keystores.adoc 
@@ -21,8 +21,8 @@ Some certificate authorities that are used to provide you with a server certific == Managed keystores in operating system, browser and other applications -When you visit a website and your browser says that the certificates are fine, it means that the certificate used for the website is issued by a trusted certificate authority. But this list of trusted certificate authorites is managed. Some CA's might be revoked or removed. These updates happen in the background when browser updates are installed. -Not only the browser maitains a list of trusted certificate authorities, the operation system does so as well. And the Java runtime also has its own list which is kept in the cacerts file. Updates of the OS and Java JRE keep this list up to date. In coporate environments, these are usually maintained by the company and also contain company root certificates. +When you visit a website and your browser says that the certificates are fine, it means that the certificate used for the website is issued by a trusted certificate authority. But this list of trusted certificate authorities is managed. Some CA's might be revoked or removed. These updates happen in the background when browser updates are installed. +Not only the browser maintains a list of trusted certificate authorities, the operation system does so as well. And the Java runtime also has its own list which is kept in the cacerts file. Updates of the OS and Java JRE keep this list up to date. In corporate environments, these are usually maintained by the company and also contain company root certificates. == Extra check for website certificates using DNS CAA records diff --git a/src/main/resources/lessons/cryptography/documentation/postquantum.adoc b/src/main/resources/lessons/cryptography/documentation/postquantum.adoc index 7294575cb..3b8666c30 100644 --- a/src/main/resources/lessons/cryptography/documentation/postquantum.adoc 
+++ b/src/main/resources/lessons/cryptography/documentation/postquantum.adoc @@ -2,6 +2,6 @@ == Post quantum cryptography -Quantum computers are here and getting more power in available qubits each year. Quantum computers are and will be capable of decrypting information that was encrypted with algorithms that were thought to be safe. For some years now, a lot of encrypted communicatation using quantum vulnerable cryptoraphy is being recorded. This information will be decrypted when the quantum computers are powerful enough. Even though the information may be old, it still could contain valuable information that can be misused. Besides the fact that some private information will be known to parties it was not intended for. +Quantum computers are here and getting more power in available qubits each year. Quantum computers are and will be capable of decrypting information that was encrypted with algorithms that were thought to be safe. For some years now, a lot of encrypted communication using quantum vulnerable cryptography is being recorded. This information will be decrypted when the quantum computers are powerful enough. Even though the information may be old, it still could contain valuable information that can be misused. Besides the fact that some private information will be known to parties it was not intended for. Mathematics has answers for the post quantum era. New cryptography is already available and should be used NOW in order to minimize threats. You can read more on this on Wikipedia: https://en.wikipedia.org/wiki/Post-quantum_cryptography[Post quatum on Wikipedia,window=_blank] diff --git a/src/main/resources/lessons/csrf/documentation/CSRF_Frameworks.adoc b/src/main/resources/lessons/csrf/documentation/CSRF_Frameworks.adoc index 10424aa89..0a2b95255 100644 --- a/src/main/resources/lessons/csrf/documentation/CSRF_Frameworks.adoc +++ b/src/main/resources/lessons/csrf/documentation/CSRF_Frameworks.adoc 
@@ -18,7 +18,7 @@ Remember the session cookie should always be defined with http-only flag. Another defense can be to add a custom request header to each call. This will work if all the interactions with the server are performed with JavaScript. On the server side you only need to check the presence of this header if this header is not present deny the request. -Some frameworks offer this implementation by default however researcer Alex Infuhr found out that this can be bypassed +Some frameworks offer this implementation by default however researcher Alex Infuhr found out that this can be bypassed as well. You can read about: https://insert-script.blogspot.com/2018/05/adobe-reader-pdf-client-side-request.html[Adobe Reader PDF - Client Side Request Injection] diff --git a/src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_GadgetChain.adoc b/src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_GadgetChain.adoc index f5c5363d3..438961c11 100644 --- a/src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_GadgetChain.adoc +++ b/src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_GadgetChain.adoc 
@@ -1,5 +1,5 @@ == What is a Gadgets Chain -It is weird (but it could happen) to find a gadget that runs dangerous actions itself when is deserialized. However, it is much easier to find a gadget that runs action on other gadget when it is deserializaded, and that second gadget runs more actions on a third gadget, and so on until a real dangerous action is triggered. That set of gadgets that can be used in a deserialization process to achieve dangerous actions is called "Gadget Chain". +It is weird (but it could happen) to find a gadget that runs dangerous actions itself when is deserialized. However, it is much easier to find a gadget that runs action on other gadget when it is deserialized, and that second gadget runs more actions on a third gadget, and so on until a real dangerous action is triggered. That set of gadgets that can be used in a deserialization process to achieve dangerous actions is called "Gadget Chain". Finding gadgets to build gadget chains is an active topic for security researchers. This kind of research usually requires to spend a big amount of time reading code. \ No newline at end of file diff --git a/src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_SimpleExploit.adoc b/src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_SimpleExploit.adoc index 45aa89939..744d61872 100644 --- a/src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_SimpleExploit.adoc +++ b/src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_SimpleExploit.adoc 
@@ -11,7 +11,7 @@ ObjectInputStream ois = new ObjectInputStream(is); AcmeObject acme = (AcmeObject)ois.readObject(); ---- -It is expecting an `AcmeObject` object, but it will execute `readObject()` before the casting ocurs. +It is expecting an `AcmeObject` object, but it will execute `readObject()` before the casting occurs. If an attacker finds the proper class implementing dangerous operations in `readObject()`, he could serialize that object and force the vulnerable application to perform those actions. === Class included in ClassPath diff --git a/src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_Task.adoc b/src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_Task.adoc index 6e65617a7..2f96bde14 100755 --- a/src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_Task.adoc +++ b/src/main/resources/lessons/deserialization/documentation/InsecureDeserialization_Task.adoc @@ -1,5 +1,5 @@ === Let's try -The following input box receives a serialized object (a string) and it deserialzes it. +The following input box receives a serialized object (a string) and it deserializes it. ``` rO0ABXQAVklmIHlvdSBkZXNlcmlhbGl6ZSBtZSBkb3duLCBJIHNoYWxsIGJlY29tZSBtb3JlIHBvd2VyZnVsIHRoYW4geW91IGNhbiBwb3NzaWJseSBpbWFnaW5l diff --git a/src/main/resources/lessons/idor/documentation/IDOR_editOtherProfile.adoc b/src/main/resources/lessons/idor/documentation/IDOR_editOtherProfile.adoc index aa9ae94ba..2029e888d 100644 --- a/src/main/resources/lessons/idor/documentation/IDOR_editOtherProfile.adoc +++ b/src/main/resources/lessons/idor/documentation/IDOR_editOtherProfile.adoc 
@@ -4,5 +4,5 @@ Older apps may follow different patterns, but RESTful apps (which is what's goin to perform different functions. Use that knowledge to take the same base request, change its method, path and body (payload) to modify another user's (Buffalo Bill's) profile. -Change the role to something lower (since higher privilege roles and users are ususally lower numbers). Also change the +Change the role to something lower (since higher privilege roles and users are usually lower numbers). Also change the user's color to 'red'. \ No newline at end of file diff --git a/src/main/resources/lessons/idor/documentation/temp.txt b/src/main/resources/lessons/idor/documentation/temp.txt index 3b4a38c86..f31bdbb50 100644 --- a/src/main/resources/lessons/idor/documentation/temp.txt +++ b/src/main/resources/lessons/idor/documentation/temp.txt @@ -1,6 +1,6 @@ -- Describe how the attack works / should be some outpu +- Describe how the attack works / should be some output
Concept / Topic To Teach:
This lesson teaches how to perform XML External Entity Attacks. diff --git a/src/main/resources/lessons/jwt/documentation/JWT_structure.adoc b/src/main/resources/lessons/jwt/documentation/JWT_structure.adoc index 9cb187f48..a2951f6a6 100644 --- a/src/main/resources/lessons/jwt/documentation/JWT_structure.adoc +++ b/src/main/resources/lessons/jwt/documentation/JWT_structure.adoc @@ -11,7 +11,7 @@ The token is base64 encoded and consists of three parts: - claims - signature -Both header and claims consist are respresented by a JSON object. The header describes the cryptographic operations applied to the JWT and optionally, additional properties of the JWT. +Both header and claims consist are represented by a JSON object. The header describes the cryptographic operations applied to the JWT and optionally, additional properties of the JWT. The claims represent a JSON object whose members are the claims conveyed by the JWT. diff --git a/src/main/resources/lessons/lessontemplate/documentation/lesson-template-attack.adoc b/src/main/resources/lessons/lessontemplate/documentation/lesson-template-attack.adoc index a1244d4f8..2be501c4f 100644 --- a/src/main/resources/lessons/lessontemplate/documentation/lesson-template-attack.adoc +++ b/src/main/resources/lessons/lessontemplate/documentation/lesson-template-attack.adoc @@ -22,7 +22,7 @@ public class SampleAttack extends AssignmentEndpoint { // <3> //return failed(this).feedback("lesson-template.sample-attack.failure-2").build(); } - //overly simple example for success. See other existing lesssons for ways to detect 'success' or 'failure' + //overly simple example for success. See other existing lessons for ways to detect 'success' or 'failure' if (secretValue.equals(param1)) { return success(this) // <7> .output("Custom Output ...if you want, for success") 
diff --git a/src/main/resources/lessons/passwordreset/documentation/PasswordReset_mitigation.adoc b/src/main/resources/lessons/passwordreset/documentation/PasswordReset_mitigation.adoc index 0fd73abab..9dc4fcbb2 100644 --- a/src/main/resources/lessons/passwordreset/documentation/PasswordReset_mitigation.adoc +++ b/src/main/resources/lessons/passwordreset/documentation/PasswordReset_mitigation.adoc 
@@ -18,7 +18,7 @@ For example: If you send a password reset link to a user via e-mail, do not incl Password reset tokens allow a user to reset a password without inherently safe information about the verification of the user. Hence they should be safe. It should be hard to guess such a token. The token should also be only valid for a short amount of time and should be invalid after the user successfully reset their password. === Logging user actions -Logging alone can't prevent any attacks but it can make it easier to determine that an attack happened and how the attacker tried to bypass security. You can also use logs to determine if an account really got hijacked and if it has to be returned the the rightful user. Actions you can log are: How did the security questions get answered? When did the access to the password reset link happen in comparison to the time the e-amil got sent? Were there failed attempts? +Logging alone can't prevent any attacks but it can make it easier to determine that an attack happened and how the attacker tried to bypass security. You can also use logs to determine if an account really got hijacked and if it has to be returned the the rightful user. Actions you can log are: How did the security questions get answered? When did the access to the password reset link happen in comparison to the time the e-mail got sent? Were there failed attempts? === Two factor authentication It is always safer to do an authentication process via two or more separate ways on two or more separate devices. If a user wants to reset their password you can ask them to enter verification codes sent to them via SMS, Messenger, or similar. This makes it hard for an attacker to bypass the verification process, because they need physical access to another device. 
diff --git a/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content10.adoc b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content10.adoc index ccab84775..7f16d952d 100644 --- a/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content10.adoc +++ b/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_introduction_content10.adoc @@ -4,7 +4,7 @@ After successfully compromising confidentiality and integrity in the previous le There are many different ways to violate availability. If an account is deleted or its password gets changed, the actual owner cannot access this account anymore. Attackers could also try to delete parts of the database, or even drop the whole database, in order to make the data inaccessible. -Revoking the access rights of admins or other users is yet another way to compromise availability; this would prevent these users from accessing either specific parts of the database or even the entire database as a whdle. +Revoking the access rights of admins or other users is yet another way to compromise availability; this would prevent these users from accessing either specific parts of the database or even the entire database as a whole. === It is your turn! Now you are the top earner in your company.
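Review bot: in the keystores.adoc hunk, the line that fixes "maitains" still carries "the operation system does so as well" in both the removed and added versions; it should read "operating system". The same hunk also keeps the apostrophe in "Some CA's might be revoked" (plural, so "CAs"), and "Java JRE" is redundant since the "RE" already stands for runtime environment. Suggested: "Updates of the OS and the JRE keep this list up to date."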
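Review bot: the postquantum.adoc hunk fixes "communicatation" and "cryptoraphy" but leaves "Post quatum on Wikipedia" in the link text on the unchanged context line directly below the edited paragraph; since the commit is a spelling pass, that one should be picked up too ("Post quantum on Wikipedia"). The opening claim "Quantum computers are and will be capable of decrypting information" is stronger than the paragraph supports; the record-now, decrypt-later scenario it goes on to describe only needs "will be".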
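Review bot: in the CSRF_Frameworks.adoc hunk, the unchanged context line above the fixed "researcher" is a run-on: "On the server side you only need to check the presence of this header if this header is not present deny the request." Suggested split: "On the server side you only need to check for the presence of this header; if it is not present, deny the request." The sentence after the fix, "You can read about:", is also missing its object ("You can read about it here:").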
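Review bot: the InsecureDeserialization_GadgetChain.adoc hunk only corrects "deserializaded" and leaves several grammar problems on the same line: "when is deserialized" is missing "it", "runs action on other gadget" should be "runs an action on another gadget", and "It is weird (but it could happen)" reads better as "It is rare (but it does happen)". The following context line, "This kind of research usually requires to spend a big amount of time reading code", should be "usually requires spending a large amount of time reading code". The file also still ends without a trailing newline.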
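Review bot: in the InsecureDeserialization_Task.adoc hunk, "receives a serialized object (a string)" is imprecise: the sample input shown in the context lines starts with "rO0AB", which is the Base64 encoding of the Java serialization stream magic (0xACED0005), so the box receives a Base64-encoded serialized Java object, not the object itself. Suggested: "receives a Base64-encoded serialized Java object and deserializes it."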
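Review bot: the temp.txt hunk corrects "outpu" in a file whose context lines say "This lesson teaches how to perform XML External Entity Attacks" while it sits under lessons/idor/documentation; a scratch file named temp.txt with XXE notes in the IDOR lesson looks like a leftover rather than documentation. Consider deleting it in this PR instead of fixing its spelling, or at least confirming it is meant to ship.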
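Review bot: the JWT_structure.adoc hunk fixes "respresented" but keeps "Both header and claims consist are represented by a JSON object" on the added line; "consist are" is a leftover from two phrasings. Suggested: "Both header and claims are represented by a JSON object." and, for the line below it, "The claims part is a JSON object whose members are the claims conveyed by the JWT."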
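Review bot: in the PasswordReset_mitigation.adoc hunk, the added line that fixes "e-amil" still contains "returned the the rightful user" (doubled "the"); since the whole line is being replaced anyway, fix both in the same change. In the context line above, "without inherently safe information about the verification of the user. Hence they should be safe." is hard to follow; something like "Password reset tokens let a user reset a password without any other proof of identity, so the token itself must be hard to guess" says what the following sentences then elaborate.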