[DOCS] Fix typo in A4 app
marcelomagina committed Jun 6, 2019
1 parent 1bf8006 commit ae0d0ee
Showing 1 changed file with 5 additions and 5 deletions.
10 changes: 5 additions & 5 deletions owasp-top10-2017-apps/a4/vinijr-blog/README.md
Expand Up @@ -39,18 +39,18 @@ Then simply visit [localhost:10080][App] ! 😆

To properly understand how this application works, you can follow these simple steps:

- Visit it's homepage!
- Visit its homepage!
- Try sending ViniJR a message.

## Attack narrative

Now that you know the purpose of this app, what could possibly go wrong? The following section describes how an attacker could identify and eventually find sensitive information about the app or it's users. We encourage you to follow these steps and try to reproduce them on your own to better understand the attack vector! 😜
Now that you know the purpose of this app, what could go wrong? The following section describes how an attacker could identify and eventually find sensitive information about the app or its users. We encourage you to follow these steps and try to reproduce them on your own to better understand the attack vector! 😜

### 👀

#### Non sanitized input field allows for an attacker to retrieve sensitive information

After reviewing the inputs from the app, it is possible to identify that the section "GET IN TOUCH" allows users send messages to the server, as shown in the following picture:
After reviewing the inputs from the app, it is possible to identify that the section "GET IN TOUCH" allows users to send messages to the server, as shown in the following picture:

<img src="images/attack-1.png" align="center"/>

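Review bot: while touching the wording in this hunk, the nearby context line "Non sanitized input field allows for an attacker to retrieve sensitive information" has the same kind of problem this commit is fixing; "Unsanitized input field allows an attacker to retrieve sensitive information" reads correctly. The "### 👀" heading just above it also carries no text, so readers and screen readers get an empty section title; giving it a short label such as "### Reconnaissance" would fit the surrounding heading style. The two "it's" to "its" corrections and "allows users to send" are correct.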
Expand Down Expand Up @@ -112,7 +112,7 @@ curl -d @evilxml.xml localhost:10080/contact.php ; echo

How would you mitigate this vulnerability? After your changes, an attacker should not be able to:

* Extract data from the server through the method shown above.
* Extract data from the server through the method showed above.

## PR solutions

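Review bot: the replacement bullet in this hunk introduces a grammar error rather than fixing one. Following the order used in the earlier hunk (original line first, replacement second), "Extract data from the server through the method shown above." becomes "Extract data from the server through the method showed above.", but the past participle after "the method" is "shown"; keep the original line as it was.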
Expand All @@ -124,4 +124,4 @@ We encourage you to contribute to SecDevLabs! Please check out the [Contributing

[Docker Install]: https://docs.docker.com/install/
[Docker Compose Install]: https://docs.docker.com/compose/install/
[App]: http://localhost:10080
[App]: http://localhost:10080
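Review bot: the two `[App]: http://localhost:10080` lines are identical as rendered, so this hunk can only be changing the trailing newline at the end of the file. A whitespace-only change is fine, but it is not a typo fix, so either mention it in the commit message or leave it out of this commit to keep the diff focused.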
