diff --git a/README.md b/README.md
index cfd240d8..19e08f45 100644
--- a/README.md
+++ b/README.md
@@ -94,7 +94,7 @@ In the same place you will setup your domain and authorized redirect URIs. For e
# Local Authentication Setup Instructions
For small teams or pre-configured images Slack or Google authentication may not be an option. For this scenario you can configure authentication working with a local flat file.
-Check the wiki for more informations.
+Check the wiki for more information.
- Copy localUsers.json.sample to localUsers.json
- Add the line in config.json which specifies the localUsersPath
diff --git a/bluetesterapp/index.js b/bluetesterapp/index.js
index 6a1104b5..87b3f991 100644
--- a/bluetesterapp/index.js
+++ b/bluetesterapp/index.js
@@ -32,7 +32,7 @@ var masterSalt = "";
if(process.env.MASTER_SALT){
masterSalt=process.env.MASTER_SALT;
} else {
- console.log('Expected MASTER_SALT env varaible to be set');
+ console.log('Expected MASTER_SALT env variable to be set');
}
var dataCh1 = "form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]="
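Review bot: When MASTER_SALT is unset, the else branch on lines 19-22 only prints a message and execution continues with `masterSalt` still equal to the empty string initialised on line 16, so anything later derived from it is computed with an empty salt instead of failing. If the salt is required for the app to be meaningful, fail fast here rather than log: `console.error('Expected MASTER_SALT env variable to be set'); process.exit(1);`. Whether a later check guards the empty value is not visible in this hunk.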
@@ -100,7 +100,7 @@ app.post('/attack',async (req, res) => {
responseMessage = err.message;
}
else{
- responseMessage = "An unknown error occured";
+ responseMessage = "An unknown error occurred";
}
console.log(responseMessage);
diff --git a/codereview101/categoryInputValidation.md b/codereview101/categoryInputValidation.md
index 1ff1c7e2..77240995 100644
--- a/codereview101/categoryInputValidation.md
+++ b/codereview101/categoryInputValidation.md
@@ -1,4 +1,4 @@
**Input Validation** is one of the basic tenets of software security. Verifying that the values provided to the application match the expected type or format, goes a long way in reducing the attack surface. Validation is a simple countermeasure with super results.
-It is important to note that a common mistake is to use `block lists` for validation. For example an application will prevent symbols that are known to cause trouble. The weakness of this appproach is that some symbols may be overlooked.
+It is important to note that a common mistake is to use `block lists` for validation. For example an application will prevent symbols that are known to cause trouble. The weakness of this approach is that some symbols may be overlooked.
diff --git a/codereview101/codeReview101Ctrl.js b/codereview101/codeReview101Ctrl.js
index 3d09ac88..dd9ba6b5 100644
--- a/codereview101/codeReview101Ctrl.js
+++ b/codereview101/codeReview101Ctrl.js
@@ -56,7 +56,7 @@ app.controller("codeReview101Ctrl", function($scope, $http, $location) {
}
},function(errorMessage){
console.error(errorMessage);
- $scope.errorMessage = `An HTTP error has occured: '${errorMessage.statusText}'!`;
+ $scope.errorMessage = `An HTTP error has occurred: '${errorMessage.statusText}'!`;
});
diff --git a/contributing.md b/contributing.md
index f86a5fb2..159ca1ba 100644
--- a/contributing.md
+++ b/contributing.md
@@ -18,7 +18,7 @@ Happy Secure Coding!
#### Git Config
-If you use an enterprise or private GitHub account be careful with the global settings when pushing your code to GitHub.com as it might submit the username and email you had setup in organizatin when you commit your changes. Check your current settings via:
+If you use an enterprise or private GitHub account be careful with the global settings when pushing your code to GitHub.com as it might submit the username and email you had setup in organization when you commit your changes. Check your current settings via:
`git config --global user.email`
diff --git a/hackerden/jwtlambda/index.js b/hackerden/jwtlambda/index.js
index dbdeada9..4e1a1e37 100644
--- a/hackerden/jwtlambda/index.js
+++ b/hackerden/jwtlambda/index.js
@@ -46,7 +46,7 @@ exports.foobarAuth = function(event, context) {
https.get(process.env.CHAT_USERS_FILE, (resp) => {
let data = '';
- // A chunk of data has been recieved.
+ // A chunk of data has been received.
resp.on('data', (chunk) => {
data += chunk;
});
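Review bot: The `https.get(...)` call on line 65 has no visible `'error'` handler on the request it returns, so a DNS or connection failure would surface as an unhandled `'error'` event rather than a handled authorizer failure; the callback and the rest of `foobarAuth` continue past the hunk, so the handler may be registered there. If it is not, chain `.on('error', (err) => { ... })` after the `https.get(...)` call and finish the authorizer with a deny result from it. A second hedged point: `data += chunk` (line 70) grows the buffer for as long as the remote sends, with no size cap visible here.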
diff --git a/hackerden/pinglambda/index.js b/hackerden/pinglambda/index.js
index 30a2d8c1..fb8b54f7 100644
--- a/hackerden/pinglambda/index.js
+++ b/hackerden/pinglambda/index.js
@@ -62,7 +62,7 @@ exports.handler = (event, context, callback) => {
var token = jwt.sign({"sub": challengeId}, process.env.SIGNER_SECRET, {expiresIn:5*60});
var challengeCodeUrl=process.env.CHALLENGE_CODE_URL+"#"+token;
resp = resp.replace(secret,challengeCodeUrl);
- //remobve all secrets from response
+ //remove all secrets from response
resp = resp.replace(process.env.SECRET1,"");
resp = resp.replace(process.env.SECRET2,"");
resp = resp.replace(process.env.SECRET3,"");
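Review bot: The comment on line 81 says all secrets are removed, but `String.prototype.replace` with a string pattern (lines 82-84, and line 79) replaces only the first occurrence, so a secret that appears more than once in `resp` survives in the output. Use `resp = resp.replaceAll(process.env.SECRET1, "");` (Node 15+) or `resp = resp.split(process.env.SECRET1).join("");` for each of the three. Separately, if one of `SECRET1`..`SECRET3` is unset, `replace(undefined, "")` strips the literal text `undefined` rather than a secret; a guard such as `if (process.env.SECRET1) ...` makes that explicit. The enclosing `handler` continues outside the hunk.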
diff --git a/insecureinc/src/main/webapp/quiz.jsp b/insecureinc/src/main/webapp/quiz.jsp
index 1d1bbe82..1ef61d2e 100644
--- a/insecureinc/src/main/webapp/quiz.jsp
+++ b/insecureinc/src/main/webapp/quiz.jsp
@@ -152,7 +152,7 @@ What is the best method to avoid Authorization Bypass issues?
<%=getOption(answers,"q3","1","Conduct static analysis scans regularly.")%>
<%=getOption(answers,"q3","2","Refactor the code so resources are separated according to roles. Determine access to resources based on the user role.")%>
-<%=getOption(answers,"q3","3","Check the roles in each privileged section with if statements and perfom code reviews to ensure logical issues are avoided.")%>
+<%=getOption(answers,"q3","3","Check the roles in each privileged section with if statements and perform code reviews to ensure logical issues are avoided.")%>
<%=getOption(answers,"q3","4","Using platform authentication.")%>
@@ -162,7 +162,7 @@ What is the best method to avoid Authorization Bypass issues?
What is the best way to store user passwords in a database?
<%=getOption(answers,"q4","1","Use pbkdf2 with 10000 iterations and a salt.")%>
-<%=getOption(answers,"q4","2","Use asymetric encryption, RSA with 2048 key size.")%>
+<%=getOption(answers,"q4","2","Use asymmetric encryption, RSA with 2048 key size.")%>
<%=getOption(answers,"q4","3","Hash the passwords with a SHA-2 algorithm.")%>
<%=getOption(answers,"q4","4","Use MD5.")%>
diff --git a/trainingportal/challenges.js b/trainingportal/challenges.js
index 6f2a9c48..65b24fd7 100644
--- a/trainingportal/challenges.js
+++ b/trainingportal/challenges.js
@@ -56,7 +56,7 @@ function getModulePath(moduleId){
return path.join('static/lessons/', moduleId);
}
-function getDefinifionsForModule(moduleId){
+function getDefinitionsForModule(moduleId){
try {
var defs = Object.freeze(require(path.join(__dirname, getModulePath(moduleId), '/definitions.json')));
@@ -74,7 +74,7 @@ function getDefinifionsForModule(moduleId){
function init(){
modules = Object.freeze(loadModules());
for(let moduleId in modules){
- let moduleDefinitions = getDefinifionsForModule(moduleId);
+ let moduleDefinitions = getDefinitionsForModule(moduleId);
var modulePath = getModulePath(moduleId);
for(let level of moduleDefinitions){
challengeDefinitions.push(level);
@@ -129,10 +129,10 @@ exports.isPermittedModule = async (user, moduleId) => {
}
/**
- * Get the user level based on the ammount of passed challenges
+ * Get the user level based on the amount of passed challenges
*/
exports.getUserLevelForModule = async (user,moduleId) => {
- let moduleDefinitions = getDefinifionsForModule(moduleId);
+ let moduleDefinitions = getDefinitionsForModule(moduleId);
let passedChallenges = await db.getPromise(db.fetchChallengeEntriesForUser,user);
let userLevel=-1;
for(let level of moduleDefinitions){
@@ -163,7 +163,7 @@ exports.getPermittedChallengesForUser = async (user, moduleId) => {
var permittedLevel = await exports.getUserLevelForModule(user, moduleId) + 1;
- var moduleDefinitions = getDefinifionsForModule(moduleId);
+ var moduleDefinitions = getDefinitionsForModule(moduleId);
for(let level of moduleDefinitions){
if (permittedLevel === level.level) {
@@ -186,7 +186,7 @@ exports.getChallengeDefinitionsForUser = async (user, moduleId) => {
if(util.isNullOrUndefined(modules[moduleId])) return [];
var modulePath = getModulePath(moduleId);
- var moduleDefinitions = getDefinifionsForModule(moduleId);
+ var moduleDefinitions = getDefinitionsForModule(moduleId);
for(let level of moduleDefinitions){
for(let challenge of level.challenges) {
@@ -254,7 +254,7 @@ exports.getDescription = function (challengeId) {
*/
exports.verifyModuleCompletion = async (user, moduleId) => {
var userLevel = await exports.getUserLevelForModule(user, moduleId);
- let moduleDefinitions = getDefinifionsForModule(moduleId);
+ let moduleDefinitions = getDefinitionsForModule(moduleId);
var lastLevel = moduleDefinitions[moduleDefinitions.length-1];
if(lastLevel.level===userLevel){
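Review bot: `moduleDefinitions[moduleDefinitions.length-1]` on line 153 yields `undefined` for an empty array and throws outright if `getDefinitionsForModule` returns a non-array, so line 154 would raise a TypeError; what its catch branch (opened on line 111, body outside that hunk) returns for a missing or malformed definitions.json is not visible here. A guard before the access, `if (!Array.isArray(moduleDefinitions) || moduleDefinitions.length === 0) return false;` (substituting this function's actual failure value, which lies past the hunk), keeps a bad module id from crashing the request. The same assumption is made by the `for...of` loops in getUserLevelForModule (line 133), getPermittedChallengesForUser (line 138) and getChallengeDefinitionsForUser (line 145). The enclosing `verifyModuleCompletion` continues outside the hunk.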
diff --git a/trainingportal/db.js b/trainingportal/db.js
index 12da5218..64fdcef8 100644
--- a/trainingportal/db.js
+++ b/trainingportal/db.js
@@ -15,7 +15,7 @@ var liteDB = null;
if(util.isNullOrUndefined(config.dbHost)){
sqlite3 = require('sqlite3');
- //use sqlite insted of mysql
+ //use sqlite instead of mysql
var dbPath = "";
var dbFileName = "securecodingdojo.db";
var dataDir = util.getDataDir();
diff --git a/trainingportal/server.js b/trainingportal/server.js
index 107ca1e5..0b9699d3 100644
--- a/trainingportal/server.js
+++ b/trainingportal/server.js
@@ -503,7 +503,7 @@ app.post('/api/teams', auth.ensureApiAuth, (req, res) => {
//team was created get the newly created team by name and return it in the response also update the user
db.getTeamWithMembersByName(teamName,
function(){
- util.apiResponse(req, res, 500, "An error occured fetching the newly created team, Check the logs.");
+ util.apiResponse(req, res, 500, "An error occurred fetching the newly created team, Check the logs.");
},
function(team){
req.user.teamId = team.id;
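Review bot: The error callback passed to `db.getTeamWithMembersByName` on lines 174-177 takes no argument and logs nothing, yet the 500 response it sends tells the user to check the logs; the actual database error is discarded. If the callback receives the error (its signature is not visible here), capture and log it: `function(err){ console.error("getTeamWithMembersByName failed", err); util.apiResponse(req, res, 500, "An error occurred fetching the newly created team, Check the logs."); }`. The enclosing route handler continues outside the hunk.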
diff --git a/trainingportal/static/codeBlocks/authenticationByDefault.html b/trainingportal/static/codeBlocks/authenticationByDefault.html
index 1bd263a6..88e9330a 100644
--- a/trainingportal/static/codeBlocks/authenticationByDefault.html
+++ b/trainingportal/static/codeBlocks/authenticationByDefault.html
@@ -1,4 +1,4 @@
-In order to avoid mistakes the software should be designed in such a way that new fuctionality is
+
In order to avoid mistakes the software should be designed in such a way that new functionality is
automatically protected by authentication.
diff --git a/trainingportal/static/codeBlocks/checkBoundaries.html b/trainingportal/static/codeBlocks/checkBoundaries.html
index 251fd535..455d8abf 100644
--- a/trainingportal/static/codeBlocks/checkBoundaries.html
+++ b/trainingportal/static/codeBlocks/checkBoundaries.html
@@ -10,6 +10,6 @@
A simple comparison against a known limit constant can go a long way to prevent serious logical attacks.
Interesting fact, Boeing had to fix a Integer Overflow in the 787 Dreamliner which could cause it's electrical system to fail according to
- Engadget.
+ Engadget.
diff --git a/trainingportal/static/codeBlocks/integrityVerification.html b/trainingportal/static/codeBlocks/integrityVerification.html
index bf7540cd..d64a9d31 100644
--- a/trainingportal/static/codeBlocks/integrityVerification.html
+++ b/trainingportal/static/codeBlocks/integrityVerification.html
@@ -6,7 +6,7 @@
When security is involved developers should be concerned with attackers potentially intercepting update packages and replacing them with malware.
-This should be an expecially high concern for security software which are used to fight malware. The absence of integrity checks allows the manipulation of update packages.
+This should be an especially high concern for security software which are used to fight malware. The absence of integrity checks allows the manipulation of update packages.
Simple checksums and digests can be bypassed through collisions. MD5 collisions can be identified in 1 day while
diff --git a/trainingportal/static/codeBlocks/principleOfLeastPrivilege.html b/trainingportal/static/codeBlocks/principleOfLeastPrivilege.html
index db22ec17..2d515cb1 100644
--- a/trainingportal/static/codeBlocks/principleOfLeastPrivilege.html
+++ b/trainingportal/static/codeBlocks/principleOfLeastPrivilege.html
@@ -3,7 +3,7 @@
and Incorrect Authorization
-The principle of least privilege says that users in a system should only be given neccesary access or roles to complete their function.
+The principle of least privilege says that users in a system should only be given necessary access or roles to complete their function.
Giving the user higher privileges by default exposes the application to logical attacks where the application fails to reach the block of
diff --git a/trainingportal/static/codeBlocks/requestForgeryPrevention.html b/trainingportal/static/codeBlocks/requestForgeryPrevention.html
index 55995b8c..e66cc8f4 100644
--- a/trainingportal/static/codeBlocks/requestForgeryPrevention.html
+++ b/trainingportal/static/codeBlocks/requestForgeryPrevention.html
@@ -29,7 +29,7 @@
The xsrfToken will be different for each user and an attacker will not be able to store the request in an external site because they won't know it.
-Even if they knew the token they could only target a single user and the request would expire with the session limiting the ammount of time for the attack.
+Even if they knew the token they could only target a single user and the request would expire with the session limiting the amount of time for the attack.
diff --git a/trainingportal/static/codeBlocks/safeMemoryManagement.html b/trainingportal/static/codeBlocks/safeMemoryManagement.html
index d28f3ee3..02dd85d1 100644
--- a/trainingportal/static/codeBlocks/safeMemoryManagement.html
+++ b/trainingportal/static/codeBlocks/safeMemoryManagement.html
@@ -21,10 +21,10 @@ Safe releasing memory
Safe compiler flags
-Compiler flags enable operating system defences such as ASLR in Windows or PIE/SSP in Linux.
+
Compiler flags enable operating system defenses such as ASLR in Windows or PIE/SSP in Linux.
They tell the operating system to employ countermeasures such as randomizing memory, which is making it hard for attackers to insert arbitrary code.
Even with compiler flags in place attackers can still crash the program so the main effect of compiler flags is reducing the impact of the attack.
- The best defence is to prevent the flaws in the code, from the start, by employing the best practices discussed in this article.
+ The best defense is to prevent the flaws in the code, from the start, by employing the best practices discussed in this article.
diff --git a/trainingportal/static/codeBlocks/useStrongDataEncryption.html b/trainingportal/static/codeBlocks/useStrongDataEncryption.html
index a38750ee..e12bd35c 100644
--- a/trainingportal/static/codeBlocks/useStrongDataEncryption.html
+++ b/trainingportal/static/codeBlocks/useStrongDataEncryption.html
@@ -91,7 +91,7 @@ Encryption of data in transit
It is also a vulnerability to ignore invalid server certificates.
-Here is a list of the few notable vulnerablity disclosures in SSL/TLS protocols and ciphers over the past few years.
+Here is a list of the few notable vulnerability disclosures in SSL/TLS protocols and ciphers over the past few years.
diff --git a/trainingportal/static/lessons/blackBelt/cwe120.sol.md b/trainingportal/static/lessons/blackBelt/cwe120.sol.md
index 32bb9d54..9b27df85 100644
--- a/trainingportal/static/lessons/blackBelt/cwe120.sol.md
+++ b/trainingportal/static/lessons/blackBelt/cwe120.sol.md
@@ -1,6 +1,6 @@
### Solution for the "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') and related flaws" challenge
-This challenge demonstrates a buffer overflow where the application uses the `gets` function and allows the attacker to control the size of the input buffer. This leads to the neighbouring memory locations being overriden.
+This challenge demonstrates a buffer overflow where the application uses the `gets` function and allows the attacker to control the size of the input buffer. This leads to the neighboring memory locations being overridden.
To pass this challenge all you have to do is fill the buffer with zeros: `\0`.
diff --git a/trainingportal/static/lessons/blackBelt/cwe190.sol.md b/trainingportal/static/lessons/blackBelt/cwe190.sol.md
index 444f1662..4c13f2be 100644
--- a/trainingportal/static/lessons/blackBelt/cwe190.sol.md
+++ b/trainingportal/static/lessons/blackBelt/cwe190.sol.md
@@ -4,9 +4,9 @@ This challenge demonstrates the risk of not checking boundaries.
This time the application employs an account lockout mechanism, however the number of account attempts can increase until the `MAX_UINT` limit is reached and the counter becomes `-MAX_UINT` because the first byte turns to 1.
-The attacker ran a bruteforce attack until they discovered the password, but the account is now locked.
+The attacker ran a brute force attack until they discovered the password, but the account is now locked.
To solve the challenge do the following:
- Keep entering an invalid password until the counter becomes negative.
-- Enter the password you have discoved in the previous challenge to login.
\ No newline at end of file
+- Enter the password you have discovered in the previous challenge to login.
\ No newline at end of file
diff --git a/trainingportal/static/lessons/blackBelt/cwe327.sol.md b/trainingportal/static/lessons/blackBelt/cwe327.sol.md
index 295c9f70..25f7bc01 100644
--- a/trainingportal/static/lessons/blackBelt/cwe327.sol.md
+++ b/trainingportal/static/lessons/blackBelt/cwe327.sol.md
@@ -2,7 +2,7 @@
This challenge shows a case where security practices were employed, however they become outdated as computing power has increased, no longer matching cryptographic standards.
-Did you know collisions to the MD5 hashing algorithm can be calculated within 1 day at modern computing power? This means that if an attacker knows the hash they could generate a string that will result in the same hash within 1 day. The SHA-1 algorithm has also been proven be prone to collissions, although it requires more computing power.
+Did you know collisions to the MD5 hashing algorithm can be calculated within 1 day at modern computing power? This means that if an attacker knows the hash they could generate a string that will result in the same hash within 1 day. The SHA-1 algorithm has also been proven be prone to collisions, although it requires more computing power.
However there's an even easier way to exploit these algorithms. The site **CrackStation.net** has a large database of precalculated hashes (also known as rainbow tables). Because MD5 and SHA-1 require less computing power it is easier to pre-calculate hashes for such algorithms.
diff --git a/trainingportal/static/lessons/blackBelt/cwe502.html b/trainingportal/static/lessons/blackBelt/cwe502.html
index 9de2b9d4..c781d02b 100644
--- a/trainingportal/static/lessons/blackBelt/cwe502.html
+++ b/trainingportal/static/lessons/blackBelt/cwe502.html
@@ -13,7 +13,7 @@
In a deserialization vulnerability, the application accepts a serialized object as input, loads it into memory and operates on it. The potential damage depends entirely upon how the object is used. For example, if code
in your application were to call System.exec() on data stored in the object, then an attacker-controlled command
would execute on your host, under your application's privileges. As it turns out,
-some third party libraries automatically do this for you!
+some third party libraries automatically do this for you!
The combination of using unpatched 3rd party components and the unsafe use of deserialization can be fatal.
@@ -30,8 +30,8 @@
This vulnerability was originally reported against the Java-native deserialization vulnerability, but it
doesn't end there. Your application can have this vulnerability if it does any deserialization - even
custom deserialization of JSON objects. If your object allows input (user input, remote systems, files or
-database entries that anyone else may have written, etc) to arbirarially control which class your code will
-instantiate, then you probably have a desearialization vulnerability.
+database entries that anyone else may have written, etc) to arbitrarily control which class your code will
+instantiate, then you probably have a deserialization vulnerability.
diff --git a/trainingportal/static/lessons/blackBelt/cwe759.sol.md b/trainingportal/static/lessons/blackBelt/cwe759.sol.md
index 0d5aa0ce..6ce3880c 100644
--- a/trainingportal/static/lessons/blackBelt/cwe759.sol.md
+++ b/trainingportal/static/lessons/blackBelt/cwe759.sol.md
@@ -8,6 +8,6 @@ In order to prevent such attacks, passwords are salted with a random value which
To pass this challenge:
- List the user password by leveraging the Missing Authorization vulnerability just like in the previous case.
-- Search for the hash on **CrackStation.net**. Notice that the detected hashing algorithm is SHA256 but that the password was stil found.
+- Search for the hash on **CrackStation.net**. Notice that the detected hashing algorithm is SHA256 but that the password was still found.
- Logout and re-login as '**user**' with the cracked password to solve the challenge.
diff --git a/trainingportal/static/lessons/blackBelt/cwe863.sol.md b/trainingportal/static/lessons/blackBelt/cwe863.sol.md
index 66c71bb6..499940b3 100644
--- a/trainingportal/static/lessons/blackBelt/cwe863.sol.md
+++ b/trainingportal/static/lessons/blackBelt/cwe863.sol.md
@@ -1,14 +1,14 @@
### Solution for the "Incorrect Authorization" challenge
In this challenge the developer implement the same JSP page both on user and admin page.
-This is an architectural mistake that leads to `spagetti code` and allows for logical errors to be made since authorization decisions are done using `if else` statements.
+This is an architectural mistake that leads to `spaghetti code` and allows for logical errors to be made since authorization decisions are done using `if else` statements.
Focus on the `logoutParameter` condition in the provided sample code.
In order to pass this challenge try following steps.
1. Login as the demo user.
2. You can see the page is under **cwe863loggedin.jsp**
-3. Analize the logout link, and notice the parameter `?logout=true`
+3. Analyze the logout link, and notice the parameter `?logout=true`
4. Looking at the code you will notice that the situation where the **logout** parameter is present but **not equal** to `true` is **not** handled.
diff --git a/trainingportal/static/lessons/blueTeam/blue_ch2.md b/trainingportal/static/lessons/blueTeam/blue_ch2.md
index b7a4a918..e9922dc5 100644
--- a/trainingportal/static/lessons/blueTeam/blue_ch2.md
+++ b/trainingportal/static/lessons/blueTeam/blue_ch2.md
@@ -1,5 +1,5 @@
-The vulnerable image also contains a unkown vulnerability specific to the web application running on the second port.
-Configure your IPS policy include generic attacks suchs as the OWASP Top 10
+The vulnerable image also contains a unknown vulnerability specific to the web application running on the second port.
+Configure your IPS policy include generic attacks such as the OWASP Top 10
Identify the IPS rules that prevent the following:
diff --git a/trainingportal/static/lessons/blueTeam/blue_ch3.md b/trainingportal/static/lessons/blueTeam/blue_ch3.md
index 3cabcaa0..7392ee26 100644
--- a/trainingportal/static/lessons/blueTeam/blue_ch3.md
+++ b/trainingportal/static/lessons/blueTeam/blue_ch3.md
@@ -3,7 +3,7 @@ Review container scanner results for a different type of vulnerability that may
#### Instructions for Completing the Challenge
- Find the sensitive information
-- Use this information to authenticate to the Lambda funcion and sign your challenge salt
+- Use this information to authenticate to the Lambda function and sign your challenge salt
##### Tip
To view files in the docker container you can do the following:
diff --git a/trainingportal/static/lessons/redTeam/red_ch1.md b/trainingportal/static/lessons/redTeam/red_ch1.md
index 806bef21..9039b53f 100644
--- a/trainingportal/static/lessons/redTeam/red_ch1.md
+++ b/trainingportal/static/lessons/redTeam/red_ch1.md
@@ -1,4 +1,4 @@
-Use nmap to scan for open ports of the host provided at the play link below, identify applications running on each port, use Metaploit or a exploit script you find online to take advantage of the first vulnerability.
+Use nmap to scan for open ports of the host provided at the play link below, identify applications running on each port, use Metasploit or a exploit script you find online to take advantage of the first vulnerability.
#### Instructions for Completing the Challenge
@@ -46,8 +46,8 @@ If you have Docker installed you can simply run the metasploit container image.
##### Running Docker
* Start Docker with: `sudo service docker start`
-* Add permissions to your userto pull and run container images: `sudo usermod -a -G docker ec2-user`
-* Logout and relogin.
+* Add permissions to your user to pull and run container images: `sudo usermod -a -G docker ec2-user`
+* Logout and re-login.
##### Running the Metasploit Image
@@ -79,7 +79,7 @@ If your target is running on an encrypted port then you need to enable SSL
`set SSL true`
-Set the host IP and port for the machine running Metasploit. This machine should be publcly available and accessible over ports 4444-4450
+Set the host IP and port for the machine running Metasploit. This machine should be publicly available and accessible over ports 4444-4450
`set LHOST `
@@ -120,7 +120,7 @@ Go to the project folder and install the library dependencies:
`sudo gem install highline`
-You should be able to excute the exploit like so:
+You should be able to execute the exploit like so:
`./exploit.rb {VICTIM_IP_OR_URL:VICTIM_PORT}`
diff --git a/trainingportal/static/lessons/secondDegreeBlackBelt/owasp2017brokenauth.html b/trainingportal/static/lessons/secondDegreeBlackBelt/owasp2017brokenauth.html
index f8c48349..80d7d914 100644
--- a/trainingportal/static/lessons/secondDegreeBlackBelt/owasp2017brokenauth.html
+++ b/trainingportal/static/lessons/secondDegreeBlackBelt/owasp2017brokenauth.html
@@ -34,7 +34,7 @@ Challenge Tips and Tricks
broken authentication). The JWT token is stored in the browser session storage.
The application is using JWT for authentication. JWT contains a JSON object signed with a secret or RSA private key in the best cases.
- Getting a hold of the JWT secret can proove devastating because attackers can impersonate anyone and can generate 'eternal' session identifiers
+ Getting a hold of the JWT secret can prove devastating because attackers can impersonate anyone and can generate 'eternal' session identifiers
(which never expire).
The JWT secret in this case is very weak so you can easily crack it by writing a script that tries some of the most insecure passwords.
diff --git a/trainingportal/static/lessons/securityCodeReviewMaster/data.md b/trainingportal/static/lessons/securityCodeReviewMaster/data.md
index 373b319b..2f45dc8c 100644
--- a/trainingportal/static/lessons/securityCodeReviewMaster/data.md
+++ b/trainingportal/static/lessons/securityCodeReviewMaster/data.md
@@ -18,12 +18,12 @@ But what if you still need to work with the data? For example, what if you wante
You could transform the data in a non-reversible way. This can be done through a cryptographic operation known as hashing.
Hashing algorithms, such as the SHA-2 class of algorithms, convert data in a way that cannot be reversed. However this doesn’t prevent one from trying a large amount of possible values in order to reach the same outcome. This is known as cracking. Cracking takes a long time and requires a lot of computing resources. Hackers maintain lists of pre-computed hashes, known as rainbow tables, in order to avoid the computing cost.
-The defence employed against rainbow tables is to complicate the calculation by adding a salt. A salt is a random value that is added to the data being transformed in order to alter the resulting hash.
+The defense employed against rainbow tables is to complicate the calculation by adding a salt. A salt is a random value that is added to the data being transformed in order to alter the resulting hash.
"ABCDEFG" + "-32524..." -> sha256("ABCDEFG-32524...") -> 97AF3...
original salt
-Another defence against cracking is adaptive hashing. This involves re-hashing the data for a large amount of iterations, each iteration taking longer than the previous. This increases the computing time. For a single hash the time is negligible but for a cracking attack it results in millions of years. A largely adopted adaptive hashing algorithm is PBKDF2.
+Another defense against cracking is adaptive hashing. This involves re-hashing the data for a large amount of iterations, each iteration taking longer than the previous. This increases the computing time. For a single hash the time is negligible but for a cracking attack it results in millions of years. A largely adopted adaptive hashing algorithm is PBKDF2.
Secure hashing may be employed for various other types of data. For example if an application needs to uniquely identify users for analytics purposes, it could construct a unique, non-reversible hash from the user name and their IP address. This process is known as **Tokenization**.
@@ -37,7 +37,7 @@ When a website uses clear text to communicate with its users, _man-in-the-middle
Communication security protocols, indicated by `https://` URLs, prevent man-in-the-middle attacks by encrypting the transmission and verifying the identity of the two parties involved in the communication. There are many details to transmission security but one aspect that may come up during a code review is ensuring that `https://` URLs are used.
-Sometimes developers change the code to ignore invalid certificates because the test environment they are using does not have a valid web server certificate. This is a bad practice because it practically violates the server identity verification and allows man-in-the-middle attackers to pretend they are the target website. It is recommended to configure the development environment to trust the test certificate instead of altering the program behaviour.
+Sometimes developers change the code to ignore invalid certificates because the test environment they are using does not have a valid web server certificate. This is a bad practice because it practically violates the server identity verification and allows man-in-the-middle attackers to pretend they are the target website. It is recommended to configure the development environment to trust the test certificate instead of altering the program behavior.
#####Reversible Encryption
diff --git a/trainingportal/static/lessons/securityCodeReviewMaster/paramStatements.md b/trainingportal/static/lessons/securityCodeReviewMaster/paramStatements.md
index 62283943..9c5e49bb 100644
--- a/trainingportal/static/lessons/securityCodeReviewMaster/paramStatements.md
+++ b/trainingportal/static/lessons/securityCodeReviewMaster/paramStatements.md
@@ -14,7 +14,7 @@ Let’s take a look at the following code snippet.
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery(query);
-The variable lastName contains input coming from the user. It is `concatenated` to a constant SQL query string and the resulting command is passed to the database server. This means that a user entering O’Brien would cause an SQL syntax error, which is a bug. However a malicious user would take advantage of this behaviour. What would happen if the user entered something like the string below?
+The variable lastName contains input coming from the user. It is `concatenated` to a constant SQL query string and the resulting command is passed to the database server. This means that a user entering O’Brien would cause an SQL syntax error, which is a bug. However a malicious user would take advantage of this behavior. What would happen if the user entered something like the string below?
'; DROP TABLE users; --
diff --git a/trainingportal/static/lessons/securityCodeReviewMaster/xss.md b/trainingportal/static/lessons/securityCodeReviewMaster/xss.md
index f21ca246..20f71159 100644
--- a/trainingportal/static/lessons/securityCodeReviewMaster/xss.md
+++ b/trainingportal/static/lessons/securityCodeReviewMaster/xss.md
@@ -10,7 +10,7 @@ Example URL with XSS payload:
To prevent the attack the application must **neutralize the user input**. This means that the input will be inserted in the page without being rendered or executed. Most modern JavaScript frameworks such as **Angular** or **React** do this implicitly.
-In the Angular example below the `fullName` parameter is embeded in the link innerText, a safe context.
+In the Angular example below the `fullName` parameter is embedded in the link innerText, a safe context.
Logout {{fullName}}
diff --git a/trainingportal/static/main-app.js b/trainingportal/static/main-app.js
index 5f1788a9..c0708c73 100644
--- a/trainingportal/static/main-app.js
+++ b/trainingportal/static/main-app.js
@@ -157,7 +157,7 @@ app.controller('mainCtrl', ['$rootScope','$http','$location','dataSvc', function
}
},function(errorResponse){
$scope.isTeamSaveError = true;
- $scope.teamSaveErrorMessage = "A http error has occured.";
+ $scope.teamSaveErrorMessage = "A http error has occurred.";
});
}
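Review bot: The message on line 427 still reads "A http error" while the third copy of this handler (line 443) says "An http error" and codeReview101Ctrl.js in the same commit uses "An HTTP error has occurred"; since all three strings are being touched, making them identical, `$scope.teamSaveErrorMessage = "An HTTP error has occurred.";`, would be consistent. The same string appears in the hunks at lines 435 and 443. In all three handlers the `errorResponse` argument is unused, so the status that actually failed is never recorded; a `console.error(errorResponse);` before the assignment, as codeReview101Ctrl.js does, would aid diagnosis. The enclosing controller continues outside the hunk.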
@@ -239,7 +239,7 @@ app.controller('mainCtrl', ['$rootScope','$http','$location','dataSvc', function
}
},function(errorResponse){
$scope.isTeamSaveError = true;
- $scope.teamSaveErrorMessage = "A http error has occured.";
+ $scope.teamSaveErrorMessage = "A http error has occurred.";
});
}
@@ -270,7 +270,7 @@ app.controller('mainCtrl', ['$rootScope','$http','$location','dataSvc', function
}
},function(errorResponse){
$scope.isTeamSaveError = true;
- $scope.teamSaveErrorMessage = "An http error has occured.";
+ $scope.teamSaveErrorMessage = "An http error has occurred.";
});
}
diff --git a/trainingportal/util.js b/trainingportal/util.js
index 448a188d..78e28d8c 100644
--- a/trainingportal/util.js
+++ b/trainingportal/util.js
@@ -98,7 +98,7 @@ exports.isAlphanumericOrUnderscore = (string) => {
}
/**
- * Util function to conver markdown to html
+ * Util function to convert markdown to html
*/
exports.parseMarkdown = (text) => {
let html = markdown.toHTML(text);