Javascript to JavaScript

submissions/description/cross_site_scripting_xss/client_side_injection/template.md

@@ -2,7 +2,7 @@
 
 ## Overview of the Vulnerability
 
-Client-side injection is a vulnerability that results from untrusted client-side data being interpreted and executed by the system without any checks. Within the application an attacker is able to inject data in the form of Javascript, or a binary file on a local or remote file system, which is then loaded and executed by the application. As a result, the attacker is able to invoke code remotely on the machine.
+Client-side injection is a vulnerability that results from untrusted client-side data being interpreted and executed by the system without any checks. Within the application an attacker is able to inject data in the form of JavaScript, or a binary file on a local or remote file system, which is then loaded and executed by the application. As a result, the attacker is able to invoke code remotely on the machine.
 
 ## Business Impact
 

submissions/description/cross_site_scripting_xss/cookie_based/template.md

@@ -2,7 +2,7 @@
 
 ## Overview of the Vulnerability
 
-Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. Cookie-based XSS can be found on this domain which allows an attacker to control code that is executed within a user’s browser in the context of this domain. This is possible as an attacker could chain this vulnerability with a Carrige Return Line Feed (CRLF) injection attack and split the HTTP response, allowing the attacker to write data into the HTTP response body. Alternatively, an attacker could socially engineer the user to add the cookie containing malicious JavaScript into the user’s browser. If successful, the JavaScript will execute within that user’s browser in the context of this domain.
+Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the JavaScript executes within that user’s browser in the context of the domain. Cookie-based XSS can be found on this domain which allows an attacker to control code that is executed within a user’s browser in the context of this domain. This is possible as an attacker could chain this vulnerability with a Carrige Return Line Feed (CRLF) injection attack and split the HTTP response, allowing the attacker to write data into the HTTP response body. Alternatively, an attacker could socially engineer the user to add the cookie containing malicious JavaScript into the user’s browser. If successful, the JavaScript will execute within that user’s browser in the context of this domain.
 
 From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session.
 

submissions/description/cross_site_scripting_xss/flash_based/template.md

@@ -2,7 +2,7 @@
 
 ## Overview of the Vulnerability
 
-Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. Flash-based XSS can be found on this domain which allows an attacker to control code that is executed within a user’s browser.
+Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the JavaScript executes within that user’s browser in the context of the domain. Flash-based XSS can be found on this domain which allows an attacker to control code that is executed within a user’s browser.
 
 From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session.
 

submissions/description/cross_site_scripting_xss/ie_only/template.md

@@ -2,7 +2,7 @@
 
 ## Overview of the Vulnerability
 
-Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. This instance of XSS can be found on the domain which allows an attacker to control code that is executed within a user’s Internet Explorer browser. From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions.
+Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the JavaScript executes within that user’s browser in the context of the domain. This instance of XSS can be found on the domain which allows an attacker to control code that is executed within a user’s Internet Explorer browser. From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions.
 
 ## Business Impact
 

submissions/description/cross_site_scripting_xss/off_domain/data_uri/template.md

@@ -2,7 +2,7 @@
 
 ## Overview of the Vulnerability
 
-Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. XSS can be found in this application which allows an attacker to input data into the URL that can be interpreted as a JavaScript payload. The data is then executed in the context of a domain which is off the primary domain. 
+Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the JavaScript executes within that user’s browser in the context of the domain. XSS can be found in this application which allows an attacker to input data into the URL that can be interpreted as a JavaScript payload. The data is then executed in the context of a domain which is off the primary domain. 
 
 This carries the risk of an attacker being able to trigger an exploit on a seperate domain. By controlling code that is executed within a user’s browser, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions.
 

submissions/description/cross_site_scripting_xss/off_domain/template.md

@@ -2,7 +2,7 @@
 
 ## Overview of the Vulnerability
 
-Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. XSS can be found in this application which allows an attacker to control code that is executed within a user’s browser in the context of a domain which is off the primary domain.
+Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the JavaScript executes within that user’s browser in the context of the domain. XSS can be found in this application which allows an attacker to control code that is executed within a user’s browser in the context of a domain which is off the primary domain.
 
 This carries the risk of an attacker being able to trigger an exploit on a separate domain, where only cookies scoped for that domain are at risk. By controlling code that is executed within a user’s browser, an attacker could carry out any action that the user is able to perform. This could include accessing any of the user's data and modifying information within the user’s permissions, assuming that there is a misconfiguration of the scoping for cookies and Cross-Origin Resource Sharing (CORS).
 

submissions/description/cross_site_scripting_xss/referer/template.md

@@ -2,7 +2,7 @@
 
 ## Overview of the Vulnerability
 
-Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. Referer-based XSS can be found on this domain which allows an attacker to control code that is executed within a user’s browser. This occurs as the referer HTTP header is vulnerable to manipulation.
+Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the JavaScript executes within that user’s browser in the context of the domain. Referer-based XSS can be found on this domain which allows an attacker to control code that is executed within a user’s browser. This occurs as the referer HTTP header is vulnerable to manipulation.
 
 From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session.
 

submissions/description/cross_site_scripting_xss/reflected/non_self/recommendations.md

@@ -4,7 +4,7 @@ There is no single technique to stop XSS from occurring. However, implementing t
 
 Where sources of information (input) are available, input should be sanitised to ensure only the desired information (and no special characters, or HTML) are being stored.  All user input fields should be sanitized based on what the field is likely to contain. For example, a date field `(01/01/2001)` should be stored using the appropriate data type, and not in a string based format.
 
-Additionally, where sinks of information (output) are being presented in the application, the output should be appropriately encoded to ensure that HTML or Javascript isn't able to be rendered, should it have been stored via an input source.
+Additionally, where sinks of information (output) are being presented in the application, the output should be appropriately encoded to ensure that HTML or JavaScript isn't able to be rendered, should it have been stored via an input source.
 
 It is also best practice to use appropriate HTTP response headers to ensure the browser correctly interprets responses. These should be customized specific to the application, and its environment. For example:
 

submissions/description/cross_site_scripting_xss/reflected/non_self/template.md

@@ -2,7 +2,7 @@
 
 ## Overview of the Vulnerability
 
-Reflected Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript code is injected into a website. When a user visits the affected web page, the JavaScript code executes and its input is reflected in the user's browser. Reflected XSS can be found on this domain which allows an attacker to create a crafted URL which when opened by a user will execute arbitrary Javascript within that user's browser in the context of this domain.
+Reflected Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript code is injected into a website. When a user visits the affected web page, the JavaScript code executes and its input is reflected in the user's browser. Reflected XSS can be found on this domain which allows an attacker to create a crafted URL which when opened by a user will execute arbitrary JavaScript within that user's browser in the context of this domain.
 
 When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session.
 

submissions/description/cross_site_scripting_xss/reflected/template.md

@@ -2,7 +2,7 @@
 
 ## Overview of the Vulnerability
 
-Reflected Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript code is injected into a website. When a user visits the affected web page, the JavaScript code executes and its input is reflected in the user’s browser. Reflected XSS can be found on this domain which allows an attacker to create a crafted URL. When opened by a user,  this URL will execute arbitrary Javascript within that user’s browser in the context of the domain.
+Reflected Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript code is injected into a website. When a user visits the affected web page, the JavaScript code executes and its input is reflected in the user’s browser. Reflected XSS can be found on this domain which allows an attacker to create a crafted URL. When opened by a user,  this URL will execute arbitrary JavaScript within that user’s browser in the context of the domain.
 
 When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session.
 

submissions/description/cross_site_scripting_xss/stored/non_admin_to_anyone/template.md

@@ -2,11 +2,11 @@
 
 ## Overview of the Vulnerability
 
-Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of this domain. Stored XSS can be found on this domain which allows an attacker to submit data to a form and escalate from no privileges to any user type, which could include an Administrator level user.
+Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the JavaScript executes within that user’s browser in the context of this domain. Stored XSS can be found on this domain which allows an attacker to submit data to a form and escalate from no privileges to any user type, which could include an Administrator level user.
 
 When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session.
 
-to create a crafted JavaScript payload. When a user navigates to the page,  the arbitrary Javascript executes within that user’s browser in the context of this domain.
+to create a crafted JavaScript payload. When a user navigates to the page,  the arbitrary JavaScript executes within that user’s browser in the context of this domain.
 
 ## Business Impact
 

submissions/description/cross_site_scripting_xss/stored/privileged_user_to_no_privilege_elevation/template.md

@@ -2,7 +2,7 @@
 
 ## Overview of the Vulnerability
 
-Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of this domain. Stored XSS can be found on this domain which allows an attacker to submit data to a form and gain access to an account of a user with the same privilege level.
+Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the JavaScript executes within that user’s browser in the context of this domain. Stored XSS can be found on this domain which allows an attacker to submit data to a form and gain access to an account of a user with the same privilege level.
 
 When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session.
 

submissions/description/cross_site_scripting_xss/stored/privileged_user_to_privilege_elevation/template.md

@@ -2,7 +2,7 @@
 
 ## Overview of the Vulnerability
 
-Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of this domain. Stored XSS can be found on this domain which allows an attacker to submit data to a form and escalate from a privileged user to a higher privileged user, which could include an Administrator level user. 
+Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the JavaScript executes within that user’s browser in the context of this domain. Stored XSS can be found on this domain which allows an attacker to submit data to a form and escalate from a privileged user to a higher privileged user, which could include an Administrator level user. 
 
 When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session.
 

submissions/description/cross_site_scripting_xss/stored/self/template.md

@@ -2,7 +2,7 @@
 
 ## Overview of the Vulnerability
 
-Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of this domain. Self-stored XSS can be found on this domain which allows an attacker to create crafted JavaScript payload. Additionally, the attacker needs to socially engineer the user to paste the JavaScript payload into the user’s browser. If successful, the JavaScript will execute within that user’s browser in the context of this domain.
+Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the JavaScript executes within that user’s browser in the context of this domain. Self-stored XSS can be found on this domain which allows an attacker to create crafted JavaScript payload. Additionally, the attacker needs to socially engineer the user to paste the JavaScript payload into the user’s browser. If successful, the JavaScript will execute within that user’s browser in the context of this domain.
 
 When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session.