Update clickjacking.md

pentesting-web/clickjacking.md

@@ -24,11 +24,11 @@ Clickjacking is an attack that **tricks** a **user** into **clicking** a webpage
 
 ### Prepopulate forms trick
 
-Sometimes is possible to **fill the value of fields of a form using GET parameters when loading a page**. An attacker may abuse this behaviours to fill a form with arbitrary data and send the clickjacking payload so the user press the button Submit.
+Sometimes is possible to **fill the value of fields of a form using GET parameters when loading a page**. An attacker may abuse this behaviour to fill a form with arbitrary data and send the clickjacking payload so the user press the button Submit.
 
 ### Populate form with Drag\&Drop
 
-If you need the user to **fill a form** but you don't want to directly ask him to write some specific information (like your email or and specific password that you know), you can just ask him to **Drag\&Drop** something that will write your controlled data like in [**this example**](https://lutfumertceylan.com.tr/posts/clickjacking-acc-takeover-drag-drop/).
+If you need the user to **fill a form** but you don't want to directly ask him to write some specific information (like the email and or specific password that you know), you can just ask him to **Drag\&Drop** something that will write your controlled data like in [**this example**](https://lutfumertceylan.com.tr/posts/clickjacking-acc-takeover-drag-drop/).
 
 ### Basic Payload
 
@@ -111,10 +111,10 @@ background: #F00;
 
 ### XSS + Clickjacking
 
-If you have identified a **XSS attack that requires a user to click** on some element to **trigger** the XSS and the page is **vulnerable to clickjacking**, you could abuse it to trick the user into clicking the button/link.\
+If you have identified an **XSS attack that requires a user to click** on some element to **trigger** the XSS and the page is **vulnerable to clickjacking**, you could abuse it to trick the user into clicking the button/link.\
 Example:\
-_You found a **self XSS** in some private details of the account (details that **only you can set and read**). The page with the **form** to set this details is **vulnerable** to **Clickjacking** and you can **prepopulate** the **form** with GET parameters._\
-\_\_An attacker could prepared a **Clickjacking** attack to that page **prepopulating** the **form** with the **XSS payload** and **tricking** the **user** into **Submit** the form. So, **when the form is submited** and the values are modified, the **user will execute the XSS**.
+_You found a **self XSS** in some private details of the account (details that **only you can set and read**). The page with the **form** to set these details is **vulnerable** to **Clickjacking** and you can **prepopulate** the **form** with the GET parameters._\
+\_\_An attacker could prepare a **Clickjacking** attack to that page **prepopulating** the **form** with the **XSS payload** and **tricking** the **user** into **Submit** the form. So, **when the form is submitted** and the values are modified, the **user will execute the XSS**.
 
 ## How to avoid Clickjacking
 
@@ -125,7 +125,7 @@ It's possible to execute scripts on the client side that perform some or all of
 * check and enforce that the current application window is the main or top window,
 * make all frames visible,
 * prevent clicking on invisible frames,
-* intercept and flag potential clickjacking attacks to the user.
+* intercept and flag potential clickjacking attacks on a user.
 
 #### Bypass
 
@@ -137,7 +137,7 @@ As frame busters are JavaScript then the browser's security settings may prevent
 
 Both the `allow-forms` and `allow-scripts` values permit the specified actions within the iframe but top-level navigation is disabled. This inhibits frame busting behaviours while allowing functionality within the targeted site.
 
-Depending on the type of Clickjaking attack performed **you may also need to allow**: `allow-same-origin` and `allow-modals` or [even more](https://www.w3schools.com/tags/att\_iframe\_sandbox.asp). When preparing the attack just check the console of the browser, it may tell you which other behaviours you need to allow.
+Depending on the type of Clickjacking attack performed **you may also need to allow**: `allow-same-origin` and `allow-modals` or [even more](https://www.w3schools.com/tags/att\_iframe\_sandbox.asp). When preparing the attack just check the console of the browser, it may tell you which other behaviours you need to allow.
 
 ### X-Frame-Options
 
@@ -167,8 +167,8 @@ See the following documentation for further details and more complex examples:
 
 ### Limitations <a href="#limitations" id="limitations"></a>
 
-* **Browser support:** CSP frame-ancestors is not supported by all the major browsers yet.
-* **X-Frame-Options takes priority:** [Section "Relation to X-Frame-Options" of the CSP Spec](https://w3c.github.io/webappsec/specs/content-security-policy/#frame-ancestors-and-frame-options) says: "_If a resource is delivered with an policy that includes a directive named frame-ancestors and whose disposition is "enforce", then the X-Frame-Options header MUST be ignored_", but Chrome 40 & Firefox 35 ignore the frame-ancestors directive and follow the X-Frame-Options header instead.
+* **Browser support:** CSP frame-ancestors are not supported by all the major browsers yet.
+* **X-Frame-Options takes priority:** [Section "Relation to X-Frame-Options" of the CSP Spec](https://w3c.github.io/webappsec/specs/content-security-policy/#frame-ancestors-and-frame-options) says: "_If a resource is delivered with a policy that includes a directive named frame-ancestors and whose disposition is "enforce", then the X-Frame-Options header MUST be ignored_", but Chrome 40 & Firefox 35 ignore the frame-ancestors directive and follow the X-Frame-Options header instead.
 
 ## References