Update 09-Test_File_Permission.md (#1092)
jinsonvarghese authored Sep 8, 2023
1 parent a48807d commit a86f350
Showing 2 changed files with 9 additions and 9 deletions.
@@ -8,7 +8,7 @@

When a resource is given a permissions setting that provides access to a wider range of actors than required, it could lead to the exposure of sensitive information, or the modification of that resource by unintended parties. This is especially dangerous when the resource is related to program configuration, execution, or sensitive user data.

A clear example is an execution file that is executable by unauthorized users. For another example, account information or a token value to access an API - increasingly seen in modern web services or microservices - may be stored in a configuration file whose permissions are set to world-readable from the installation by default. Such sensitive data can be exposed by internal malicious actors of the host or by a remote attacker who compromised the service with other vulnerabilities but obtained only a normal user privilege.
A clear example would be an executable file that can be run by unauthorized users. For another example, consider account information or a token value used to access an API. These are increasingly seen in modern web services and microservices, and may be stored in a configuration file that has world-readable permissions by default upon installation. Such sensitive data could be exposed either by malicious internal actors within the host system or by remote attackers. The latter may have compromised the service through other vulnerabilities, while gaining only normal user privileges.

## Test Objectives

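Review bot: The final sentence of the rewritten paragraph weakens the point of the example. "The latter may have compromised the service through other vulnerabilities, while gaining only normal user privileges" reads as a side remark, whereas the original "but obtained only a normal user privilege" is the crux: a world-readable configuration file lets even an unprivileged foothold read the API token, so no privilege escalation is needed. Suggest "...through other vulnerabilities but obtained only normal user privileges." Also, "These are increasingly seen in modern web services and microservices" now has an ambiguous antecedent (account information, or the API token pattern); consider "Such credentials are increasingly ..." to keep the referent clear.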
@@ -20,20 +20,20 @@ In Linux, use `ls` command to check the file permissions. Alternatively, `namei`

`$ namei -l /PathToCheck/`

The files and directories that require file permission testing include but are not limited to:
The files and directories that require file permission testing can include, but are not limited to, the following:

- Web files/directory
- Configuration files/directory
- Sensitive files (encrypted data, password, key)/directory
- Log files (security logs, operation logs, admin logs)/directory
- Executables (scripts, EXE, JAR, class, PHP, ASP)/directory
- Sensitive files(encrypted data, password, key)/directory
- Log files(security logs, operation logs, admin logs)/directory
- Executables(scripts, EXE, JAR, class, PHP, ASP)/directory
- Database files/directory
- Temp files /directory
- Temp files/directory
- Upload files/directory

## Remediation

Set the permissions of the files and directories properly so that unauthorized users cannot access critical resources unnecessarily.
Set the permissions of the files and directories properly so that unauthorized users cannot access critical resources.

## Tools

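Review bot: The list edits drop the space before the parenthetical in three items ("Sensitive files(encrypted data, password, key)/directory", "Log files(security logs, ...)", "Executables(scripts, ...)"), which is a regression in readability and is inconsistent with the surrounding prose; keep the original form "Sensitive files (encrypted data, password, key)/directory" and likewise for the other two. The "Temp files /directory" fix and the removal of the redundant "unnecessarily" in the Remediation sentence are good. Since the hunk header context already touches the `ls` sentence, it would also be worth changing "use `ls` command" to "use the `ls -l` command", because plain `ls` does not display permission bits.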
4 changes: 2 additions & 2 deletions document/5-Reporting/02-Naming_Schemes.md
@@ -86,7 +86,7 @@ Defined as a Dictionary of registered values provided by `NVD`. Each `CPE` code
### Examples

- Microsoft Internet Explorer 8.0.6001 Beta (any edition): `wfn:[part="a",vendor="microsoft",product="internet_explorer", version="8\.0\.6001",update="beta",edition=ANY]` which binds to the following URL: `cpe:/a:microsoft:internet_explorer:8.0.6001:beta`.
- Foo\Bar Big$Money Manager 2010 Special Edition for iPod Touch 80GB: `wfn:[part="a",vendor="foo\\bar",product="big\$money_manager_2010", sw_edition="special",target_sw="ipod_touch",target_hw="80gb"]`, which binds to the following URL: `cpe:/a:foo%5cbar:big%24money_manager_2010:::~~special~ipod_touch~80gb~`.
- Foo\Bar Big$Money Manager 2010 Special Edition for iPod Touch 80GB: `wfn:[part="a",vendor="foo\\bar",product="big\$money_manager_2010", sw_edition="special",target_sw="ipod_touch",target_hw="80gb"]`, which binds to the following URL:`cpe:/a:foo%5cbar:big%24money_manager_2010:::~~special~ipod_touch~80gb~`.

## Package URL

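Review bot: The only change in this hunk removes the space between "following URL:" and the inline code span, producing "following URL:`cpe:/a:foo%5cbar:...`"; that is a regression, since the preceding bullet keeps "following URL: `cpe:/a:microsoft:...`". Restore the space so both examples are formatted the same way.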
@@ -127,7 +127,7 @@ The definition for each component is:
## References

- [NISTIR 8060 - Guidelines for the Creation of Interoperable Software Identification (SWID) Tags (pdf)](https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8060.pdf)
- [NISTIR 8060 - Guidelines for the Creation of Interoperable Software Identification (SWID) Tags (PDF)](https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8060.pdf)
- [NISTIR 8085 - Forming Common Platform Enumeration (CPE) Names from Software Identification (SWID) Tags](https://csrc.nist.gov/CSRC/media/Publications/nistir/8085/draft/documents/nistir_8085_draft.pdf)
- [ISO/IEC 19770-2:2015 - Information technology— Software asset management—Part2:Software identification tag](https://www.iso.org/standard/65666.html)
- [Official Common Platform Enumeration (CPE) Dictionary](https://nvd.nist.gov/products/cpe)
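Review bot: Capitalising "(pdf)" to "(PDF)" on the NISTIR 8060 entry is fine, but it leaves the list inconsistent: the NISTIR 8085 entry directly below also links to a .pdf file yet carries no "(PDF)" marker. Apply the same suffix there, and while in this list, fix the spacing in the ISO entry, "Information technology— Software asset management—Part2:Software identification tag", to "Information technology - Software asset management - Part 2: Software identification tag".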