Fixed typos

webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8.adoc

@@ -2,10 +2,10 @@
 
 
 === Why?
-Hopefully we've covered that by now. Bottom line, you don't want someone else's code running in the context of your users and their logged-in seession
+Hopefully we've covered that by now. Bottom line, you don't want someone else's code running in the context of your users and their logged-in session
 
 === What to encode?
-The basic premise of defending against XSS is *output endoding* any untrusted input that goes to the screen.
+The basic premise of defending against XSS is *output encoding* any untrusted input that goes to the screen.
 That may be changing with more sophisticated attacks, but is still the best defense we currently have. *AND* ... *context matters*
 
 Another word on 'untrusted input'. If in doubt, treat everything (even data you populated in your DB as untrusted).

webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_editOtherProfile.adoc

@@ -4,5 +4,5 @@ Older apps may follow different patterns, but RESTful apps (which is what's goin
 to perform different functions.
 
 Use that knowledge to take the same base request, change its method, path and body (payload) to modify another user's (Buffalo Bill's) profile.
-Change the role to something lower (since higher privilege roles and users are ususally lower numbers). Also change modify the
+Change the role to something lower (since higher privilege roles and users are ususally lower numbers). Also change the
 user's color to 'red'.

webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_inputAltPath.adoc

@@ -1 +1 @@
-Please input the alternate path to the Url to view your own profile.  Please start witih 'WebGoat' (i.e. disregard 'http://localhost:8080/')
+Please input the alternate path to the Url to view your own profile.  Please start with 'WebGoat' (i.e. disregard 'http://localhost:8080/')

webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_intro.adoc

@@ -15,12 +15,12 @@ Examples of Direct Object References using the GET method may look something lik
 
 === Other Methods
 
-POST, PUT, DELETE or other methods are also potentially succeptible and mainly only differ in the method and the potential payload.
+POST, PUT, DELETE or other methods are also potentially susceptible and mainly only differ in the method and the potential payload.
 
 == *Insecure* Direct Object References
 
 These are considered insecure when the reference is not properly handled and allows for authorization bypasses or disclose private data that could be used to
-perform opreations or access data that the user should not be able to perform or access.
+perform operations or access data that the user should not be able to perform or access.
 Let's say that as a user, you go to view your profile and the URL looks something like:
 
 `https://some.company.tld/app/user/23398`

webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_login.adoc

@@ -1,6 +1,6 @@
 === Authenticate First, Abuse Authorization Later
 
-Many access control issues are succeptible to attack from an authenticated-but-unauthorized user. So, let's start by legitimately authenticating. Then, we will look for ways to bypass or abuse Authorization.
+Many access control issues are susceptible to attack from an authenticated-but-unauthorized user. So, let's start by legitimately authenticating. Then, we will look for ways to bypass or abuse Authorization.
 
 The id and password for the account in this case are 'tom' and 'cat' (It is an insecure app, right?).
 

webgoat-lessons/idor/src/main/resources/lessonPlans/en/IDOR_mitigation.adoc

@@ -38,7 +38,7 @@ For example, if a super-user or admin can edit other's profiles ... That is some
 examples would include detected violations or attempts to violate access control mechanisms.
 
 === Using Indrect References
-Not many applications employ it, but you can use *indirect* refrences. In this case you can run your references across a hahsing,
+Not many applications employ it, but you can use *indirect* references. In this case you can run your references across a hashing,
 encoding or other function on the server so that the id that the client sees is not the actual reference
 which the server handles.  This will reduce efficiency some (a common trade-off for security) and is still subject to being
 guessed, brute-forced or reverse engineered.

webgoat-lessons/webgoat-introduction/src/main/resources/lessonPlans/en/Introduction.adoc

@@ -10,8 +10,8 @@ unintended code gets into your applications.
 
 What better way to do that than with your very own scapegoat?
 
-Feel free to do what you will with Hack. Poke, prod and if it makes you feel better, scare him until your heart’s content.
-Go ahead, and Hack the goat. We promise he likes it.
+Feel free to do what you will with him. Hack, poke, prod and if it makes you feel better, scare him until your heart’s content.
+Go ahead, and hack the goat. We promise he likes it.
 
 Thanks for your interest!