Fix spelling errors across the entire codebase #121

Merged: 2 commits, Aug 31, 2023
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -94,7 +94,7 @@ In the same place you will setup your domain and authorized redirect URIs. For e
# Local Authentication Setup Instructions
For small teams or pre-configured images Slack or Google authentication may not be an option. For this scenario you can configure authentication working with a local flat file.

Check the wiki for more informations.
Check the wiki for more information.

- Copy localUsers.json.sample to localUsers.json
- Add the line in config.json which specifies the localUsersPath
4 changes: 2 additions & 2 deletions bluetesterapp/index.js
Expand Up @@ -32,7 +32,7 @@ var masterSalt = "";
if(process.env.MASTER_SALT){
masterSalt=process.env.MASTER_SALT;
} else {
console.log('Expected MASTER_SALT env varaible to be set');
console.log('Expected MASTER_SALT env variable to be set');
}
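Review bot: Beyond the spelling fix on this line, the else branch only logs and execution continues with masterSalt left as the empty string from its initializer, so a deployment that forgets MASTER_SALT runs silently with an empty salt; consider failing fast here (for example, throw or process.exit(1) right after the log) so the misconfiguration is caught at startup rather than discovered later.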

var dataCh1 = "form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]="
Expand Down Expand Up @@ -100,7 +100,7 @@ app.post('/attack',async (req, res) => {
responseMessage = err.message;
}
else{
responseMessage = "An unknown error occured";
responseMessage = "An unknown error occurred";
}

console.log(responseMessage);
2 changes: 1 addition & 1 deletion codereview101/categoryInputValidation.md
@@ -1,4 +1,4 @@
**Input Validation** is one of the basic tenets of software security. Verifying that the values provided to the application match the expected type or format, goes a long way in reducing the attack surface. Validation is a simple countermeasure with super results.

It is important to note that a common mistake is to use `block lists` for validation. For example an application will prevent symbols that are known to cause trouble. The weakness of this appproach is that some symbols may be overlooked.
It is important to note that a common mistake is to use `block lists` for validation. For example an application will prevent symbols that are known to cause trouble. The weakness of this approach is that some symbols may be overlooked.
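Review bot: Since this paragraph is being edited anyway, the first line's "a simple countermeasure with super results" reads informally for a code-review guide; "a simple countermeasure with a large payoff" fits the register better, and the block-list paragraph would land more clearly if it named allow lists (accepting only known-good values) as the recommended alternative.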

2 changes: 1 addition & 1 deletion codereview101/codeReview101Ctrl.js
Expand Up @@ -56,7 +56,7 @@ app.controller("codeReview101Ctrl", function($scope, $http, $location) {
}
},function(errorMessage){
console.error(errorMessage);
$scope.errorMessage = `An HTTP error has occured: '${errorMessage.statusText}'!`;
$scope.errorMessage = `An HTTP error has occurred: '${errorMessage.statusText}'!`;
});


2 changes: 1 addition & 1 deletion contributing.md
Expand Up @@ -18,7 +18,7 @@ Happy Secure Coding!

#### Git Config

If you use an enterprise or private GitHub account be careful with the global settings when pushing your code to GitHub.com as it might submit the username and email you had setup in organizatin when you commit your changes. Check your current settings via:
If you use an enterprise or private GitHub account be careful with the global settings when pushing your code to GitHub.com as it might submit the username and email you had setup in organization when you commit your changes. Check your current settings via:

`git config --global user.email`

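Review bot: The corrected line still reads awkwardly after "organization": "the username and email you had setup in organization" should be "the username and email you set up in your organization"; "setup" is the noun, "set up" the verb.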
2 changes: 1 addition & 1 deletion hackerden/pinglambda/index.js
Expand Up @@ -62,7 +62,7 @@ exports.handler = (event, context, callback) => {
var token = jwt.sign({"sub": challengeId}, process.env.SIGNER_SECRET, {expiresIn:5*60});
var challengeCodeUrl=process.env.CHALLENGE_CODE_URL+"#"+token;
resp = resp.replace(secret,challengeCodeUrl);
//remobve all secrets from response
//remove all secrets from response
resp = resp.replace(process.env.SECRET1,"");
resp = resp.replace(process.env.SECRET2,"");
resp = resp.replace(process.env.SECRET3,"");
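Review bot: The comment fix is fine, but the three resp.replace(process.env.SECRETn, "") calls under it only remove the first occurrence of each secret, because String.prototype.replace with a string pattern is not global; a secret that appears twice in resp would still be sent back. Use replaceAll (or split/join), and skip the call when the environment variable is unset, since replace(undefined, "") would instead strip the literal text "undefined" from the response.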
4 changes: 2 additions & 2 deletions insecureinc/src/main/webapp/quiz.jsp
Expand Up @@ -152,7 +152,7 @@ What is the best method to avoid Authorization Bypass issues?
</blockquote>
<%=getOption(answers,"q3","1","Conduct static analysis scans regularly.")%>
<%=getOption(answers,"q3","2","Refactor the code so resources are separated according to roles. Determine access to resources based on the user role.")%>
<%=getOption(answers,"q3","3","Check the roles in each privileged section with if statements and perfom code reviews to ensure logical issues are avoided.")%>
<%=getOption(answers,"q3","3","Check the roles in each privileged section with if statements and perform code reviews to ensure logical issues are avoided.")%>
<%=getOption(answers,"q3","4","Using platform authentication.")%>
<hr>

Expand All @@ -162,7 +162,7 @@ What is the best method to avoid Authorization Bypass issues?
What is the best way to store user passwords in a database?
</blockquote>
<%=getOption(answers,"q4","1","Use pbkdf2 with 10000 iterations and a salt.")%>
<%=getOption(answers,"q4","2","Use asymetric encryption, RSA with 2048 key size.")%>
<%=getOption(answers,"q4","2","Use asymmetric encryption, RSA with 2048 key size.")%>
<%=getOption(answers,"q4","3","Hash the passwords with a SHA-2 algorithm.")%>
<%=getOption(answers,"q4","4","Use MD5.")%>
<hr>
14 changes: 7 additions & 7 deletions trainingportal/challenges.js
Expand Up @@ -56,7 +56,7 @@ function getModulePath(moduleId){
return path.join('static/lessons/', moduleId);
}

function getDefinifionsForModule(moduleId){
function getDefinitionsForModule(moduleId){

try {
var defs = Object.freeze(require(path.join(__dirname, getModulePath(moduleId), '/definitions.json')));
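Review bot: This rename of getDefinifionsForModule is a code change rather than a comment or string edit, so every caller has to move in the same commit; the hunks in this file cover the declaration and five call sites, and since the function is a plain local declaration (not exported) those should be all of them, but a quick grep for the old name across the repo before merging is cheap insurance, because a missed caller would only fail at runtime with a TypeError.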
Expand All @@ -74,7 +74,7 @@ function getDefinifionsForModule(moduleId){
function init(){
modules = Object.freeze(loadModules());
for(let moduleId in modules){
let moduleDefinitions = getDefinifionsForModule(moduleId);
let moduleDefinitions = getDefinitionsForModule(moduleId);
var modulePath = getModulePath(moduleId);
for(let level of moduleDefinitions){
challengeDefinitions.push(level);
Expand Down Expand Up @@ -129,10 +129,10 @@ exports.isPermittedModule = async (user, moduleId) => {
}

/**
* Get the user level based on the ammount of passed challenges
* Get the user level based on the amount of passed challenges
*/
exports.getUserLevelForModule = async (user,moduleId) => {
let moduleDefinitions = getDefinifionsForModule(moduleId);
let moduleDefinitions = getDefinitionsForModule(moduleId);
let passedChallenges = await db.getPromise(db.fetchChallengeEntriesForUser,user);
let userLevel=-1;
for(let level of moduleDefinitions){
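Review bot: "amount" is spelled correctly now but is the wrong word for a count: the comment should read "based on the number of passed challenges".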
Expand Down Expand Up @@ -163,7 +163,7 @@ exports.getPermittedChallengesForUser = async (user, moduleId) => {

var permittedLevel = await exports.getUserLevelForModule(user, moduleId) + 1;

var moduleDefinitions = getDefinifionsForModule(moduleId);
var moduleDefinitions = getDefinitionsForModule(moduleId);

for(let level of moduleDefinitions){
if (permittedLevel === level.level) {
Expand All @@ -186,7 +186,7 @@ exports.getChallengeDefinitionsForUser = async (user, moduleId) => {
if(util.isNullOrUndefined(modules[moduleId])) return [];

var modulePath = getModulePath(moduleId);
var moduleDefinitions = getDefinifionsForModule(moduleId);
var moduleDefinitions = getDefinitionsForModule(moduleId);

for(let level of moduleDefinitions){
for(let challenge of level.challenges) {
Expand Down Expand Up @@ -254,7 +254,7 @@ exports.getDescription = function (challengeId) {
*/
exports.verifyModuleCompletion = async (user, moduleId) => {
var userLevel = await exports.getUserLevelForModule(user, moduleId);
let moduleDefinitions = getDefinifionsForModule(moduleId);
let moduleDefinitions = getDefinitionsForModule(moduleId);
var lastLevel = moduleDefinitions[moduleDefinitions.length-1];

if(lastLevel.level===userLevel){
2 changes: 1 addition & 1 deletion trainingportal/db.js
Expand Up @@ -15,7 +15,7 @@ var liteDB = null;
if(util.isNullOrUndefined(config.dbHost)){
sqlite3 = require('sqlite3');

//use sqlite insted of mysql
//use sqlite instead of mysql
var dbPath = "";
var dbFileName = "securecodingdojo.db";
var dataDir = util.getDataDir();
2 changes: 1 addition & 1 deletion trainingportal/server.js
Expand Up @@ -503,7 +503,7 @@ app.post('/api/teams', auth.ensureApiAuth, (req, res) => {
//team was created get the newly created team by name and return it in the response also update the user
db.getTeamWithMembersByName(teamName,
function(){
util.apiResponse(req, res, 500, "An error occured fetching the newly created team, Check the logs.");
util.apiResponse(req, res, 500, "An error occurred fetching the newly created team, Check the logs.");
},
function(team){
req.user.teamId = team.id;
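Review bot: The fixed message still has a comma splice: "An error occurred fetching the newly created team, Check the logs." Either make it two sentences ("... team. Check the logs.") or use a semicolon with lowercase "check"; the string goes out in a 500 API response, so it is user-visible.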
@@ -1,4 +1,4 @@
<p>In order to avoid mistakes the software should be designed in such a way that new fuctionality is
<p>In order to avoid mistakes the software should be designed in such a way that new functionality is
automatically protected by authentication.
</p>
<p>
2 changes: 1 addition & 1 deletion trainingportal/static/codeBlocks/checkBoundaries.html
Expand Up @@ -10,6 +10,6 @@
</p>
<p>A simple comparison against a known limit constant can go a long way to prevent serious logical attacks.</p>
<p>Interesting fact, Boeing had to fix a Integer Overflow in the 787 Dreamliner which could cause it's electrical system to fail according to
<a taget="_blank" rel="noopener noreferrer" href="https://www.engadget.com/2015/05/01/boeing-787-dreamliner-software-bug/">Engadget</a>.</p>
<a target="_blank" rel="noopener noreferrer" href="https://www.engadget.com/2015/05/01/boeing-787-dreamliner-software-bug/">Engadget</a>.</p>


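Review bot: "target" is now right, but the same sentence has two more errors worth fixing in this pass: "a Integer Overflow" should be "an integer overflow", and "it's electrical system" should be "its electrical system" (possessive, no apostrophe).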
Expand Up @@ -6,7 +6,7 @@
</p>
<p>
When security is involved developers should be concerned with attackers potentially intercepting update packages and replacing them with malware.
This should be an expecially high concern for security software which are used to fight malware. The absence of integrity checks allows the manipulation of update packages.
This should be an especially high concern for security software which are used to fight malware. The absence of integrity checks allows the manipulation of update packages.
</p>
<p>
Simple checksums and digests can be bypassed through <mark>collisions</mark>. MD5 collisions can be identified in 1 day while
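Review bot: The corrected line still has a number disagreement: "security software which are used to fight malware" should be "security software, which is used to fight malware", since "software" is singular.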
Expand Up @@ -3,7 +3,7 @@
and <strong>Incorrect Authorization</strong></p>

<p>
The principle of least privilege says that users in a system should only be given neccesary access or roles to complete their function.
The principle of least privilege says that users in a system should only be given necessary access or roles to complete their function.
</p>
<p>
Giving the user higher privileges by default exposes the application to logical attacks where the application fails to reach the block of
Expand Up @@ -29,7 +29,7 @@

<p>
The xsrfToken will be different for each user and an attacker will not be able to store the request in an external site because they won't know it.
Even if they knew the token they could only target a single user and the request would expire with the session limiting the ammount of time for the attack.
Even if they knew the token they could only target a single user and the request would expire with the session limiting the amount of time for the attack.

</p>

4 changes: 2 additions & 2 deletions trainingportal/static/codeBlocks/safeMemoryManagement.html
Expand Up @@ -21,10 +21,10 @@ <h5>Safe releasing memory</h5>
<h5>
Safe compiler flags
</h5>
<p>Compiler flags enable operating system defences such as ASLR in Windows or PIE/SSP in Linux.
<p>Compiler flags enable operating system defenses such as ASLR in Windows or PIE/SSP in Linux.
They tell the operating system to employ countermeasures such as randomizing memory, which is making it hard for attackers to insert arbitrary code.
</p>
<p>
Even with compiler flags in place attackers can still crash the program so the main effect of compiler flags is reducing the impact of the attack.
The best defence is to prevent the flaws in the code, from the start, by employing the best practices discussed in this article.
The best defense is to prevent the flaws in the code, from the start, by employing the best practices discussed in this article.
</p>
Expand Up @@ -91,7 +91,7 @@ <h5>Encryption of data in transit</h5>

It is also a vulnerability to ignore invalid server certificates.

Here is a list of the few notable vulnerablity disclosures in SSL/TLS protocols and ciphers over the past few years.
Here is a list of the few notable vulnerability disclosures in SSL/TLS protocols and ciphers over the past few years.

<table class="table">
<thead>
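Review bot: With "vulnerability" fixed, the phrase "a list of the few notable vulnerability disclosures" still reads oddly; "a few notable vulnerability disclosures" (or "a list of a few notable ...") is what is meant.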
2 changes: 1 addition & 1 deletion trainingportal/static/lessons/blackBelt/cwe120.sol.md
@@ -1,6 +1,6 @@
### Solution for the "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') and related flaws" challenge

This challenge demonstrates a buffer overflow where the application uses the `gets` function and allows the attacker to control the size of the input buffer. This leads to the neighbouring memory locations being overriden.
This challenge demonstrates a buffer overflow where the application uses the `gets` function and allows the attacker to control the size of the input buffer. This leads to the neighboring memory locations being overridden.

To pass this challenge all you have to do is fill the buffer with zeros: `\0`.

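Review bot: "overridden" is spelled correctly now but is the wrong term for this sentence: memory adjacent to an overflowed buffer is "overwritten", not "overridden" (which refers to replacing a method or setting). Suggest "This leads to the neighboring memory locations being overwritten."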
4 changes: 2 additions & 2 deletions trainingportal/static/lessons/blackBelt/cwe190.sol.md
Expand Up @@ -4,9 +4,9 @@ This challenge demonstrates the risk of not checking boundaries.

This time the application employs an account lockout mechanism, however the number of account attempts can increase until the `MAX_UINT` limit is reached and the counter becomes `-MAX_UINT` because the first byte turns to 1.

The attacker ran a bruteforce attack until they discovered the password, but the account is now locked.
The attacker ran a brute force attack until they discovered the password, but the account is now locked.

To solve the challenge do the following:

- Keep entering an invalid password until the counter becomes negative.
- Enter the password you have discoved in the previous challenge to login.
- Enter the password you have discovered in the previous challenge to login.
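Review bot: "brute force attack" is better hyphenated as "brute-force attack" when used as a compound modifier, and on the last step "to login" should be "to log in" (verb), to match the "discovered" fix on the same line.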
2 changes: 1 addition & 1 deletion trainingportal/static/lessons/blackBelt/cwe327.sol.md
Expand Up @@ -2,7 +2,7 @@

This challenge shows a case where security practices were employed, however they become outdated as computing power has increased, no longer matching cryptographic standards.

Did you know collisions to the MD5 hashing algorithm can be calculated within 1 day at modern computing power? This means that if an attacker knows the hash they could generate a string that will result in the same hash within 1 day. The SHA-1 algorithm has also been proven be prone to collissions, although it requires more computing power.
Did you know collisions to the MD5 hashing algorithm can be calculated within 1 day at modern computing power? This means that if an attacker knows the hash they could generate a string that will result in the same hash within 1 day. The SHA-1 algorithm has also been proven be prone to collisions, although it requires more computing power.

However there's an even easier way to exploit these algorithms. The site **CrackStation.net** has a large database of precalculated hashes (also known as rainbow tables). Because MD5 and SHA-1 require less computing power it is easier to pre-calculate hashes for such algorithms.

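Review bot: The corrected line still drops a word: "has also been proven be prone to collisions" should be "has also been proven to be prone to collisions".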
6 changes: 3 additions & 3 deletions trainingportal/static/lessons/blackBelt/cwe502.html
Expand Up @@ -13,7 +13,7 @@
<p>In a deserialization vulnerability, the application accepts a serialized object as input, loads it into memory and operates on it. The potential damage depends entirely upon how the object is used. For example, if code
in your application were to call System.exec() on data stored in the object, then an attacker-controlled command
would execute on your host, under your application's privileges. As it turns out,
<a targer="_blank" rel="noopener noreferer" href="https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=deserialization&search_type=all">some third party libraries automatically do this for you!</a>
<a target="_blank" rel="noopener noreferer" href="https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=deserialization&search_type=all">some third party libraries automatically do this for you!</a>

<p>
The combination of using unpatched 3rd party components and the unsafe use of deserialization can be fatal.
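Review bot: "target" is fixed, but the rel attribute on the same line keeps the misspelling "noreferer"; browsers ignore unrecognized rel tokens, so the intended noreferrer behavior (not sending the Referer header on this outbound link) is silently not applied. Change it to rel="noopener noreferrer", matching the Engadget link in checkBoundaries.html elsewhere in this PR.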
Expand All @@ -30,8 +30,8 @@
<p>This vulnerability was originally reported against the Java-native deserialization vulnerability, but it
doesn't end there. Your application can have this vulnerability if it does <em>any</em> deserialization - even
custom deserialization of JSON objects. If your object allows input (user input, remote systems, files or
database entries that anyone else may have written, etc) to arbirarially control which class your code will
instantiate, then you probably have a desearialization vulnerability.
database entries that anyone else may have written, etc) to arbitrarily control which class your code will
instantiate, then you probably have a deserialization vulnerability.
</p>

<ul>
2 changes: 1 addition & 1 deletion trainingportal/static/lessons/blackBelt/cwe759.sol.md
Expand Up @@ -8,6 +8,6 @@ In order to prevent such attacks, passwords are salted with a random value which
To pass this challenge:

- List the user password by leveraging the Missing Authorization vulnerability just like in the previous case.
- Search for the hash on **CrackStation.net**. Notice that the detected hashing algorithm is SHA256 but that the password was stil found.
- Search for the hash on **CrackStation.net**. Notice that the detected hashing algorithm is SHA256 but that the password was still found.
- Logout and re-login as '**user**' with the cracked password to solve the challenge.

4 changes: 2 additions & 2 deletions trainingportal/static/lessons/blackBelt/cwe863.sol.md
@@ -1,14 +1,14 @@
### Solution for the "Incorrect Authorization" challenge

In this challenge the developer implement the same JSP page both on user and admin page.
This is an architectural mistake that leads to `spagetti code` and allows for logical errors to be made since authorization decisions are done using `if else` statements.
This is an architectural mistake that leads to `spaghetti code` and allows for logical errors to be made since authorization decisions are done using `if else` statements.
Focus on the `logoutParameter` condition in the provided sample code.

In order to pass this challenge try following steps.

1. Login as the demo user.
2. You can see the page is under **cwe863loggedin.jsp**
3. Analize the logout link, and notice the parameter `?logout=true`
3. Analyze the logout link, and notice the parameter `?logout=true`
4. Looking at the code you will notice that the situation where the **logout** parameter is present but **not equal** to `true` is **not** handled.


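Review bot: Two grammar issues remain on unchanged lines of this hunk: "the developer implement the same JSP page both on user and admin page" should be "the developer implemented the same JSP page for both the user and admin pages", and "try following steps" should be "try the following steps".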
4 changes: 2 additions & 2 deletions trainingportal/static/lessons/blueTeam/blue_ch2.md
@@ -1,5 +1,5 @@
The vulnerable image also contains a unkown vulnerability specific to the web application running on the second port.
Configure your IPS policy include generic attacks suchs as the OWASP Top 10
The vulnerable image also contains a unknown vulnerability specific to the web application running on the second port.
Configure your IPS policy include generic attacks such as the OWASP Top 10

Identify the IPS rules that prevent the following:

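Review bot: The corrected first line is still wrong: "a unknown vulnerability" needs "an unknown vulnerability" (the article changes with the spelling fix). The second line is also missing a word: "Configure your IPS policy to include generic attacks such as the OWASP Top 10."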
2 changes: 1 addition & 1 deletion trainingportal/static/lessons/blueTeam/blue_ch3.md
Expand Up @@ -3,7 +3,7 @@ Review container scanner results for a different type of vulnerability that may
#### Instructions for Completing the Challenge

- Find the sensitive information
- Use this information to authenticate to the Lambda funcion and sign your challenge salt
- Use this information to authenticate to the Lambda function and sign your challenge salt

##### Tip
To view files in the docker container you can do the following: