Fix typo and structure

API Key Leaks/README.md

@@ -1,4 +1,4 @@
-# API Key Leaks
+# API Key and Token Leaks
 
 > The API key is a unique identifier that is used to authenticate requests associated with your project. Some developers might hardcode them or leave it on public shares.
 

Business Logic Errors/README.md

@@ -15,54 +15,65 @@ Unlike other types of security vulnerabilities like SQL injection or cross-site
 
 Common examples of Business Logic Errors.
 
-* Review Feature Testing
-    * Assess if you can post a product review as a verified reviewer without having purchased the item.
-    * Attempt to provide a rating outside of the standard scale, for instance, a 0, 6 or negative number in a 1 to 5 scale system.
-    * Test if the same user can post multiple ratings for a single product. This is useful in detecting potential race conditions.
-    * Determine if the file upload field permits all extensions; developers often overlook protections on these endpoints.
-    * Investigate the possibility of posting reviews impersonating other users.
-    * Attempt Cross-Site Request Forgery (CSRF) on this feature, as it's frequently unprotected by tokens.
+### Review Feature Testing
 
-* Discount Code Feature Testing
-    * Try to apply the same discount code multiple times to assess if it's reusable.
-    * If the discount code is unique, evaluate for race conditions by applying the same code for two accounts simultaneously.
-    * Test for Mass Assignment or HTTP Parameter Pollution to see if you can apply multiple discount codes when the application is designed to accept only one.
-    * Test for vulnerabilities from missing input sanitization such as XSS, SQL Injection on this feature.
-    * Attempt to apply discount codes to non-discounted items by manipulating the server-side request.
+* Assess if you can post a product review as a verified reviewer without having purchased the item.
+* Attempt to provide a rating outside of the standard scale, for instance, a 0, 6 or negative number in a 1 to 5 scale system.
+* Test if the same user can post multiple ratings for a single product. This is useful in detecting potential race conditions.
+* Determine if the file upload field permits all extensions; developers often overlook protections on these endpoints.
+* Investigate the possibility of posting reviews impersonating other users.
+* Attempt Cross-Site Request Forgery (CSRF) on this feature, as it's frequently unprotected by tokens.
 
-* Delivery Fee Manipulation
-    * Experiment with negative values for delivery charges to see if it reduces the final amount.
-    * Evaluate if free delivery can be activated by modifying parameters.
 
-* Currency Arbitrage
-    * Attempt to pay in one currency, for example, USD, and request a refund in another, like EUR. The difference in conversion rates could result in a profit.
+### Discount Code Feature Testing
 
-* Premium Feature Exploitation
-    * Explore the possibility of accessing premium account-only sections or endpoints without a valid subscription.
-    * Purchase a premium feature, cancel it, and see if you can still use it after a refund.
-    * Look for true/false values in requests/responses that validate premium access. Use tools like Burp's Match & Replace to alter these values for unauthorized premium access.
-    * Review cookies or local storage for variables validating premium access.
+* Try to apply the same discount code multiple times to assess if it's reusable.
+* If the discount code is unique, evaluate for race conditions by applying the same code for two accounts simultaneously.
+* Test for Mass Assignment or HTTP Parameter Pollution to see if you can apply multiple discount codes when the application is designed to accept only one.
+* Test for vulnerabilities from missing input sanitization such as XSS, SQL Injection on this feature.
+* Attempt to apply discount codes to non-discounted items by manipulating the server-side request.
 
-* Refund Feature Exploitation
-    * Purchase a product, ask for a refund, and see if the product remains accessible.
-    * Look for opportunities for currency arbitrage.
-    * Submit multiple cancellation requests for a subscription to check the possibility of multiple refunds.
 
-* Cart/Wishlist Exploitation
-    * Test the system by adding products in negative quantities, along with other products, to balance the total.
-    * Try to add more of a product than is available.
-    * Check if a product in your wishlist or cart can be moved to another user's cart or removed from it.
+### Delivery Fee Manipulation
 
-* Thread Comment Testing
-    * Check if there's a limit to the number of comments on a thread.
-    * If a user can only comment once, use race conditions to see if multiple comments can be posted.
-    * If the system allows comments by verified or privileged users, try to mimic these parameters and see if you can comment as well.
-    * Attempt to post comments impersonating other users.
+* Experiment with negative values for delivery charges to see if it reduces the final amount.
+* Evaluate if free delivery can be activated by modifying parameters.
+
+
+### Currency Arbitrage
+
+* Attempt to pay in one currency, for example, USD, and request a refund in another, like EUR. The difference in conversion rates could result in a profit.
+    
+
+### Premium Feature Exploitation
+
+* Explore the possibility of accessing premium account-only sections or endpoints without a valid subscription.
+* Purchase a premium feature, cancel it, and see if you can still use it after a refund.
+* Look for true/false values in requests/responses that validate premium access. Use tools like Burp's Match & Replace to alter these values for unauthorized premium access.
+* Review cookies or local storage for variables validating premium access.
+
+
+### Refund Feature Exploitation
+
+* Purchase a product, ask for a refund, and see if the product remains accessible.
+* Look for opportunities for currency arbitrage.
+* Submit multiple cancellation requests for a subscription to check the possibility of multiple refunds.
+
+
+### Cart/Wishlist Exploitation
+
+* Test the system by adding products in negative quantities, along with other products, to balance the total.
+* Try to add more of a product than is available.
+* Check if a product in your wishlist or cart can be moved to another user's cart or removed from it.
+
+
+### Thread Comment Testing
+
+* Check if there's a limit to the number of comments on a thread.
+* If a user can only comment once, use race conditions to see if multiple comments can be posted.
+* If the system allows comments by verified or privileged users, try to mimic these parameters and see if you can comment as well.
+* Attempt to post comments impersonating other users.
 
-* Parameter Tampering
-    * Manipulate payment or other critical fields to alter their values.
-    * By exploiting HTTP Parameter Pollution & Mass Assignment, add extra or unexpected fields.
-    * Try to manipulate the response to bypass restrictions, such as 2FA.
 
 ## References
 

Client Side Path Traversal/README.md

@@ -51,7 +51,7 @@ Real-World Scenarios:
 
 * [Exploiting Client-Side Path Traversal to Perform Cross-Site Request Forgery - Introducing CSPT2CSRF - Maxence Schmitt - 02 Jul 2024](https://blog.doyensec.com/2024/07/02/cspt2csrf.html)
 * [Exploiting Client-Side Path Traversal - CSRF is dead, long live CSRF - Whitepaper- Maxence Schmitt](https://www.doyensec.com/resources/Doyensec_CSPT2CSRF_Whitepaper.pdf)
-* [Exploiting Client-Side Path Traversal - CSRF is Dead, Long Live CSRF - OWASP Global AppSec 2024 - Maxence Schmitt - June 24 2024][https://www.doyensec.com/resources/Doyensec_CSPT2CSRF_OWASP_Appsec_Lisbon.pdf]
+* [Exploiting Client-Side Path Traversal - CSRF is Dead, Long Live CSRF - OWASP Global AppSec 2024 - Maxence Schmitt - June 24 2024](https://www.doyensec.com/resources/Doyensec_CSPT2CSRF_OWASP_Appsec_Lisbon.pdf)
 * [Leaking Jupyter instance auth token chaining CVE-2023-39968, CVE-2024-22421 and a chromium bug - Davwwwx -  30-08-2023](https://blog.xss.am/2023/08/cve-2023-39968-jupyter-token-leak/)
 * [Tweet - @HusseiN98D - 5 july 2024](https://twitter.com/HusseiN98D/status/1809164551822172616)
 * [On-site request forgery - Dafydd Stuttard - 03 May 2007](https://portswigger.net/blog/on-site-request-forgery)

XSS Injection/README.md

@@ -363,7 +363,7 @@ vbscript:msgbox("XSS")
 
 ## XSS in files
 
-** NOTE:** The XML CDATA section is used here so that the JavaScript payload will not be treated as XML markup.
+**NOTE:** The XML CDATA section is used here so that the JavaScript payload will not be treated as XML markup.
 
 ```xml
 <name>