Update first instances of SSL
Updated all first instances of SSL to read as Secure Sockets Layer (SSL)
RRudder committed Nov 27, 2023
1 parent c573b05 commit a50272f
Showing 18 changed files with 29 additions and 29 deletions.
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# Recommendation(s)

It is recommended to implement SSL certificate pinning for the application.
It is recommended to implement Sockets Layer (SSL) certificate pinning for the application.

It is also recommended that the mobile application’s security is managed through a repeatable configuration process which covers application hardening, updates, and patches. There should be a verification process through the development and delivery cycles which tests the effectiveness of the configurations and settings.
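
Review bot: The new first sentence expands the acronym as "Sockets Layer (SSL)", dropping "Secure". The commit message states the intended form is "Secure Sockets Layer (SSL)", so this line should read "It is recommended to implement Secure Sockets Layer (SSL) certificate pinning for the application."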

Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
# Mobile Security Misconfiguration (SSL Certificate Pinning Absent)
# Absent Sockets Layer (SSL) Certificate Pinning

## Overview of the Vulnerability

Mobile security misconfigurations can occur at any level of the application stack and can involve unpatched software, unprotected files or pages, or unauthorized access to the application. SSL pinning adds an extra layer of security for an application as it forces the application to validate the server’s CA certificate against a known copy.
Mobile security misconfigurations can occur at any level of the application stack and can involve unpatched software, unprotected files or pages, or unauthorized access to the application. Sockets Layer (SSL) pinning adds an extra layer of security for an application as it forces the application to validate the server’s CA certificate against a known copy.

Without SSL certificate pinning, an attacker could perform a Person-in-the-Middle (PitM) attack on the user. With access to sensitive data through a PitM attack they could perform further attacks on the application, the business, or its users.
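
Review bot: Both changed lines in this file expand the acronym without "Secure": the new heading "# Absent Sockets Layer (SSL) Certificate Pinning" and the overview sentence beginning "Sockets Layer (SSL) pinning adds". Suggest "Absent Secure Sockets Layer (SSL) Certificate Pinning" and "Secure Sockets Layer (SSL) pinning adds ...". The heading also loses its "Mobile Security Misconfiguration" prefix, which the commit message does not mention; confirm the rename is intended and that nothing depends on the old title.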

Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# Recommendation(s)

It is recommended to securely implement SSL certificate pinning for the application.
It is recommended to securely implement Sockets Layer (SSL) certificate pinning for the application.

It is also recommended that the mobile application’s security is managed through a repeatable configuration process which covers application hardening, updates, and patches. There should be a verification process through the development and delivery cycles which tests the effectiveness of the configurations and settings.
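
Review bot: The replacement sentence reads "securely implement Sockets Layer (SSL) certificate pinning", missing "Secure" from the expansion. The equivalent recommendation file later in this commit has the correct "Secure Sockets Layer (SSL)", so this one should match it.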

Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
# Mobile Security Misconfiguration (SSL Certificate Pinning Defeatable)
# Defeatable Secure Sockets Layer (SSL) Certificate Pinning

## Overview of the Vulnerability

Mobile security misconfigurations can occur at any level of the application stack and can involve unpatched software, unprotected files or pages, or unauthorized access to the application. SSL pinning adds an extra layer of security for an application as it forces the application to validate the server’s CA certificate against a known copy.
Mobile security misconfigurations can occur at any level of the application stack and can involve unpatched software, unprotected files or pages, or unauthorized access to the application. Sockets Layer (SSL) pinning adds an extra layer of security for an application as it forces the application to validate the server’s CA certificate against a known copy.

When SSL certificate pinning is defeatable, an attacker could perform a Person-in-the-Middle (PitM) attack on the user. With access to sensitive data through a PitM attack they could perform further attacks on the application, the business, or its users.
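
Review bot: The overview sentence still reads "Sockets Layer (SSL) pinning adds an extra layer of security", while the new heading in the same file has the full "Secure Sockets Layer (SSL)". Add the missing "Secure" in the body so the heading and the first paragraph agree.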

Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# Recommendation(s)

It is recommended to securely implement SSL certificate pinning for the application.
It is recommended to securely implement Secure Sockets Layer (SSL) certificate pinning for the application.

It is also recommended that the mobile application’s security is managed through a repeatable configuration process which covers application hardening, updates, and patches. There should be a verification process through the development and delivery cycles which tests the effectiveness of the configurations and settings.

Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
# Mobile Security Misconfiguration (SSL Certificate Pinning)
# Secure Sockets Layer (SSL) Certificate Pinning

## Overview of the Vulnerability

Mobile security misconfigurations can occur at any level of the application stack and can involve unpatched software, unprotected files or pages, or unauthorized access to the application. SSL pinning adds an extra layer of security for an application as it forces the application to validate the server’s CA certificate against a known copy.
Mobile security misconfigurations can occur at any level of the application stack and can involve unpatched software, unprotected files or pages, or unauthorized access to the application. Secure Sockets Layer (SSL) pinning adds an extra layer of security for an application as it forces the application to validate the server’s CA certificate against a known copy.

When SSL certificate pinning is misconfigured, an attacker could perform a Person-in-the-Middle (PitM) attack on the user. With access to sensitive data through a PitM attack they could perform further attacks on the application, the business, or its users.

Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

## Overview of the Vulnerability

Personally Identifiable Information (PII) exposure can occur when sensitive data is not encrypted, or behind an authorization barrier. When PII is exposed it can place sensitive data, such as secrets, at risk. This can occur due to a variety of scenarios such as not encrypting data, SSL not being used for authenticated pages, or passwords being stored using unsalted hashes. Examples of such data include, but are not limited to: Social Security Numbers (SSN), medical data, banking information, and login credentials.
Personally Identifiable Information (PII) exposure can occur when sensitive data is not encrypted, or behind an authorization barrier. When PII is exposed it can place sensitive data, such as secrets, at risk. This can occur due to a variety of scenarios such as not encrypting data, Secure Sockets Layer (SSL) not being used for authenticated pages, or passwords being stored using unsalted hashes. Examples of such data include, but are not limited to: Social Security Numbers (SSN), medical data, banking information, and login credentials.

Sensitive data relating to the business was exposed. This data could be exfiltrated and used by an attacker to sell access to databases and database content, or use credentials identified to take over accounts, amongst other attack vectors.

Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

## Overview of the Vulnerability

Sensitive data exposure can occur when sensitive data is not encrypted, or behind an authorization barrier. When this information is exposed it can place sensitive data, such as secrets, at risk. This can occur due to a variety of scenarios such as not encrypting data, SSL not being used for authenticated pages, or passwords being stored using unsalted hashes. Examples of such data include, but are not limited to: personally identifiable information (PII), Social Security numbers, medical data, banking information, and login credentials.
Sensitive data exposure can occur when sensitive data is not encrypted, or behind an authorization barrier. When this information is exposed it can place sensitive data, such as secrets, at risk. This can occur due to a variety of scenarios such as not encrypting data, Secure Sockets Layer (SSL) not being used for authenticated pages, or passwords being stored using unsalted hashes. Examples of such data include, but are not limited to: personally identifiable information (PII), Social Security numbers, medical data, banking information, and login credentials.

Sensitive data relating to the business was exposed. This data could be exfiltrated and used by an attacker to sell access to databases and database content, or use credentials identified to take over accounts, amongst other attack vectors.

Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,8 @@

## Overview of the Vulnerability

Cipher suites are the encryption algorithms used to negotiate the security of the TLS handshake between a client and a server, as well as the transfer of data. There are multiple cipher suites which vary depending on order of use and which TLS protocol is supported. Insecure cipher suites are those with known vulnerabilities which can lead to client and server connection being vulnerable.
An attacker can use the weak cipher suite implementation for this application to break the chain of trust between the client and the server and execute a Denial of Service (DoS) attack, or Person-in-The-Middle (PitM) the connection to view or manipulate data in transit.
Cipher suites are the encryption algorithms used to negotiate the security of the Transport Layer Security (TLS) handshake between a client and a server, as well as the transfer of data. There are multiple cipher suites which vary depending on order of use and which TLS protocol is supported. Insecure cipher suites are those with known vulnerabilities which can lead to client and server connection being vulnerable.
An attacker can use the weak cipher suite implementation for this application to break the chain of trust between the client and the server and execute a Denial of Service (DoS) attack, or Man-in-the-Middle (MitM) the connection to view or manipulate data in transit.

## Business Impact
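
Review bot: The second changed line replaces "Person-in-The-Middle (PitM)" with "Man-in-the-Middle (MitM)", while the certificate pinning templates touched in this same commit keep "Person-in-the-Middle (PitM)". Pick one term and use it across the templates. The terminology swap is also outside what the commit message describes (first instances of SSL), so either mention it there or move it to its own commit.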

Expand All @@ -18,6 +18,6 @@ Insecure cipher suites can lead to reputational damage for the business due to a

## Proof of Concept (PoC)

The screenshot below demonstrates the insecure cipher suite:

{{screenshot}}
The screenshot(s) below demonstrate(s) the vulnerability:
>
> {{screenshot}}
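
Review bot: The replacement lines put the placeholder inside a blockquote ("&gt;" followed by "&gt; {{screenshot}}"), but the Insecure SSL template changed in this commit keeps a bare "{{screenshot}}" after the same sentence. Unless the blockquote is deliberate, drop the "&gt;" markers and keep the blank line before the placeholder so both templates render the same way. This Proof of Concept rewording is also not covered by the commit message.
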
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,6 @@ It is recommended that only strong protocols, such as TLS 1.3, and strong cipher

For more information, please see:

- <https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices>
- <https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html>
- <https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/01-Testing_for_Weak_Transport_Layer_Security>
- <https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices>
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
# Insecure SSL
# Insecure Secure Socket Layer (SSL)

## Overview of the Vulnerability

Insecure SSL refers to implementation flaws within the configuration of Secure Socket Layer (SSL)/Transport Layer Security (TLS), the security of the transport layer through encryption.
Transport Layer Security (TLS) is the successor to Secure Sockets Layer (SSL). Insecure SSL refers to implementation flaws within the configuration of TLS, or use of the insecure SSL protocols.

The insecure configuration of SSL within this application can lead to the connection between client and server being vulnerable. An attacker can use this weakness to execute a Denial of Service (DoS) attack, or Person-in-The-Middle (PiTM) the connection between the client and server to view or manipulate data in transit.
The insecure configuration of TLS within this application can lead to the connection between client and server being vulnerable. An attacker can use this weakness to execute a Denial of Service (DoS) attack, or Man-in-the-Middle (MitM) the connection between the client and server to view or manipulate data in transit.

## Business Impact
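
Review bot: The new heading "# Insecure Secure Socket Layer (SSL)" uses singular "Socket", while the overview line added below it and the other templates in this commit use "Secure Sockets Layer"; change it to "Sockets". "Insecure Secure ..." also reads awkwardly as a title, so consider keeping "# Insecure SSL" and leaving the expansion to the first body sentence. The last changed paragraph switches to "Man-in-the-Middle (MitM)" where the pinning templates use "Person-in-the-Middle (PitM)"; the term should be consistent.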

Expand All @@ -19,6 +19,6 @@ Insecure SSL can lead to reputational damage for the business due to a loss in c

## Proof of Concept (PoC)

The screenshot below demonstrates the insecure SSL:
The screenshot(s) below demonstrate(s) the vulnerability:

{{screenshot}}
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
# SSL Attack BREACH and POODLE
# Secure Sockets Layer (SSL) Attack BREACH or POODLE

## Overview of the Vulnerability

Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext (BREACH) and Padding Oracle On Downgraded Legacy Encryption (POODLE) are vulnerabilities in SSL and TLS that allows a malicious attacker to injection plaintext into a victim's request or force an SSL downgrade to decrypt encrypted data over thousands of requests. This application is vulnerable to a BREACH/POODLE attack as it supports outdated versions of SSL or TLS.
Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext (BREACH) and Padding Oracle On Downgraded Legacy Encryption (POODLE) are vulnerabilities in Secure Sockets Layer (SSL) and Transport Layer Security (TLS) that allows a malicious attacker to injection plaintext into a victim's request or force an SSL downgrade to decrypt encrypted data over thousands of requests. This application is vulnerable to a BREACH/POODLE attack as it supports outdated versions of SSL or TLS.

## Business Impact
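
Review bot: The overview sentence is being edited but keeps two grammar errors: "vulnerabilities ... that allows" should be "that allow", and "to injection plaintext" should be "to inject plaintext". The heading now says "BREACH or POODLE" while the body still describes "BREACH ... and ... POODLE" together and ends with "a BREACH/POODLE attack"; make the heading and body agree on whether the template covers one issue or both.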

Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

## Overview of the Vulnerability

Open redirects enable an attacker to manipulate a user by redirecting them to a malicious site. A flash-based open redirect was identified which can impact users’ ability to trust legitimate web pages. An attacker can send a phishing email that contains a link with a legitimate business name in the URL and the user will be redirected from the legitimate web server to any external domain. Users are less likely to notice subsequent redirects to different domains when an authentic URL with a valid SSL certificate can be used within the phishing link.
Open redirects enable an attacker to manipulate a user by redirecting them to a malicious site. A flash-based open redirect was identified which can impact users’ ability to trust legitimate web pages. An attacker can send a phishing email that contains a link with a legitimate business name in the URL and the user will be redirected from the legitimate web server to any external domain. Users are less likely to notice subsequent redirects to different domains when an authentic URL with a valid Secure Sockets Layer (SSL) certificate can be used within the phishing link.

This type of attack is also a precursor for more serious vulnerabilities such as Cross-Site Scripting (XSS), Server-Side Request Forgery (SSRF), Cross-Site Request Forgery (CSRF), or successful phishing attempts where an attacker can harvest users’ credentials or gain users’ OAuth access.

Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

## Overview of the Vulnerability

Open redirects enable an attacker to manipulate a user by redirecting them to a malicious site. A GET-based open redirect was identified which can impact users' ability to trust legitimate web pages. An attacker can send a phishing email that contains a link with a legitimate business name in the URL and the user will be redirected from the legitimate web server to any external domain. Users are less likely to notice subsequent redirects to different domains when an authentic URL with a valid SSL certificate can be used within the phishing link.
Open redirects enable an attacker to manipulate a user by redirecting them to a malicious site. A GET-based open redirect was identified which can impact users' ability to trust legitimate web pages. An attacker can send a phishing email that contains a link with a legitimate business name in the URL and the user will be redirected from the legitimate web server to any external domain. Users are less likely to notice subsequent redirects to different domains when an authentic URL with a valid Secure Sockets Layer (SSL) certificate can be used within the phishing link.

This type of attack is also a precursor for more serious vulnerabilities such as Cross-Site Scripting (XSS), Server-Side Request Forgery (SSRF), Cross-Site Request Forgery (CSRF), or successful phishing attempts where an attacker can harvest users' credentials or gain users' OAuth access by relaying them through an Open Redirection, to a server they control (and can see the inbound requests from).

Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

## Overview of the Vulnerability

Open redirects enable an attacker to manipulate a user by redirecting them to a malicious site. A header-based open redirection was identified which can impact users’ ability to trust legitimate web pages. An attacker can send a phishing email that contains a link with a legitimate business name in the URL and the user will be redirected from the legitimate web server to any external domain. Users are less likely to notice subsequent redirects to different domains when an authentic URL with a valid SSL certificate can be used within the phishing link.
Open redirects enable an attacker to manipulate a user by redirecting them to a malicious site. A header-based open redirection was identified which can impact users’ ability to trust legitimate web pages. An attacker can send a phishing email that contains a link with a legitimate business name in the URL and the user will be redirected from the legitimate web server to any external domain. Users are less likely to notice subsequent redirects to different domains when an authentic URL with a valid Secure Sockets Layer (SSL) certificate can be used within the phishing link.

This type of attack is also a precursor for more serious vulnerabilities such as Cross-Site Scripting (XSS), Server-Side Request Forgery (SSRF), Cross-Site Request Forgery (CSRF), or successful phishing attempts where an attacker can harvest users’ credentials or gain users’ OAuth access.

Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

## Overview of the Vulnerability

Open redirects enable an attacker to manipulate a user by redirecting them to a malicious site. A POST-based open redirection was identified which can impact users’ ability to trust legitimate web pages. An attacker can send a phishing email that contains a link with a legitimate business name in the URL and the user will be redirected from the legitimate web server to any external domain. Users are less likely to notice subsequent redirects to different domains when an authentic URL with a valid SSL certificate can be used within the phishing link.
Open redirects enable an attacker to manipulate a user by redirecting them to a malicious site. A POST-based open redirection was identified which can impact users’ ability to trust legitimate web pages. An attacker can send a phishing email that contains a link with a legitimate business name in the URL and the user will be redirected from the legitimate web server to any external domain. Users are less likely to notice subsequent redirects to different domains when an authentic URL with a valid Secure Sockets Layer (SSL) certificate can be used within the phishing link.

This type of attack is also a precursor for more serious vulnerabilities such as Cross-Site Scripting (XSS), Server-Side Request Forgery (SSRF), Cross-Site Request Forgery (CSRF), or successful phishing attempts where an attacker can harvest users’ credentials or gain users’ OAuth access.
