WebHacking: README, urllib2 scripts

Web_Security/OS_Command_Injection/README.md

@@ -10,11 +10,14 @@
 
 
 * For example for snippet:
+
 ```
 String cmd = new String("cmd.exe /K processReports.bat clientId=" + input.getValue("ClientId"));
 Process proc = Runtime.getRuntime().exec(cmd);
 ```
+
 For a client id equal **444**, we would have the following string:
+
 ```
 cmd.exe /K processReports.bat clientId=444
 ```
@@ -25,7 +28,7 @@ However, an attacker could run use the client id equal **444 && net user hacked
 cmd.exe /K processReports.bat clientId=444 && net user hacked hacked /add
 ```
 
-## Examples of Injectuon Payloads:
+## Examples of Injection Payloads:
 
 * Control characters and common attack strings:
 	- '-- SQL injection
@@ -39,7 +42,7 @@ cmd.exe /K processReports.bat clientId=444 && net user hacked hacked /add
 
 ## Fuzz Testing Web Applications
 
-* Focus on the relevant attack sruface of the web application.
+* Focus on the relevant attack surface of the web application.
 * Typically HTTP request parameters:
 	- QueryString
 	- POST data
@@ -49,10 +52,10 @@ cmd.exe /K processReports.bat clientId=444 && net user hacked hacked /add
 * Other entry points with request structures:
 	- XML web services
 	- WCF, GWT, AMF
-	- Remote Method Invoation (RMI)
+	- Remote Method Invocation (RMI)
 
 * Fixing injection flaws:
-	- Comphehensive, consistent server-side input validation
+	- Comprehensive, consistent server-side input validation
 	- User Safe command APIs
 	- Avoid concatenating strings passed to an interpreter
 	- Use strong data types in favor of strings
@@ -77,7 +80,7 @@ cmd.exe /K processReports.bat clientId=444 && net user hacked hacked /add
 
 #### Evading Blacklist filters
 
-Exploit payloads: 
+Exploit payloads:
 
 ```
 ';exec xp_cmdshell 'dir';--