From ffe31e0f9498fb48a7422b10108518e76c158665 Mon Sep 17 00:00:00 2001 From: LauraRosePorter <33936650+LauraRosePorter@users.noreply.github.com> Date: Thu, 26 Sep 2019 12:25:41 +0100 Subject: [PATCH 1/4] Propose changes in How To Detect Section --- 2019/en/src/0xa1-broken-object-level-authorization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/2019/en/src/0xa1-broken-object-level-authorization.md b/2019/en/src/0xa1-broken-object-level-authorization.md index 9d9a0545e..f06c7839e 100644 --- a/2019/en/src/0xa1-broken-object-level-authorization.md +++ b/2019/en/src/0xa1-broken-object-level-authorization.md @@ -56,7 +56,7 @@ modify other users' account data. ## How to Detect -Access control weaknesses are best detected by **manual** means. **Code review** +Access control weaknesses are best detected by **manual** means. By simply searching for variables such as UserID's and account numbers that could possibly be ennumerated or URL paths that can be manipulated. **Code review** and **pentesting** are a great way to detect these issues. Some automation may be used to detect the absence of access controls. From 507861d713a604d1f272434fbf7e20eed40d5acc Mon Sep 17 00:00:00 2001 From: LauraRosePorter <33936650+LauraRosePorter@users.noreply.github.com> Date: Tue, 1 Oct 2019 18:26:36 +0100 Subject: [PATCH 2/4] A2 Propose changes in How To Detect Section Manual test section added. --- 2019/en/src/0xa2-broken-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/2019/en/src/0xa2-broken-authentication.md b/2019/en/src/0xa2-broken-authentication.md index cf495feca..d0008e004 100644 --- a/2019/en/src/0xa2-broken-authentication.md +++ b/2019/en/src/0xa2-broken-authentication.md 
@@ -72,7 +72,7 @@ within a few minutes. **Code review** will help to identify authentication issues. **Automated tests** are useful to test the implementation against automated attacks such as -brute-force and credential stuffing. +brute-force and credential stuffing. **Manual tests** will help to identify this issue, by sniffing the traffic and understanding the authentication/authorization workflows. Another method is checking for tokens which can be used to authenticate into the API, JWT tokens are commonly used but can also be easily decrypted, so in reverse we can encypt a JWT token with enumerated information to access the API. ## References From 15d4718f18032280b410a8bba78ee43689d6bfa1 Mon Sep 17 00:00:00 2001 From: LauraRosePorter <33936650+LauraRosePorter@users.noreply.github.com> Date: Tue, 1 Oct 2019 18:34:36 +0100 Subject: [PATCH 3/4] A3 Propose changes in How To Detect Section Added a bit more to manual testing area. --- 2019/en/src/0xa3-excessive-data-exposure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/2019/en/src/0xa3-excessive-data-exposure.md b/2019/en/src/0xa3-excessive-data-exposure.md index 0e8902f6c..6729fc3b5 100644 --- a/2019/en/src/0xa3-excessive-data-exposure.md +++ b/2019/en/src/0xa3-excessive-data-exposure.md @@ -45,7 +45,7 @@ the site. ## How to Detect -Excessive data exposure is better detected by **manual** means. Mock data can be +Excessive data exposure is best detected by **manual** means, by simply scanning the responses from the API and looking for any sensitive information or variables that can be enumerated. Mock data can be used to automate some testing. ## References From e2c11a6d99b43ba6c4195161b25899111a906e7a Mon Sep 17 00:00:00 2001 
From: LauraRosePorter <33936650+LauraRosePorter@users.noreply.github.com> Date: Tue, 1 Oct 2019 18:42:24 +0100 Subject: [PATCH 4/4] A4 Propose changes in How To Detect Section Extended the existing section --- 2019/en/src/0xa4-lack-of-resources-and-rate-limiting.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/2019/en/src/0xa4-lack-of-resources-and-rate-limiting.md b/2019/en/src/0xa4-lack-of-resources-and-rate-limiting.md index 48f129e00..f3d89b87d 100644 --- a/2019/en/src/0xa4-lack-of-resources-and-rate-limiting.md +++ b/2019/en/src/0xa4-lack-of-resources-and-rate-limiting.md @@ -57,9 +57,8 @@ errors. ## How to Detect -Typically it requires **automated tools** to simulate high workloads. -**Scanners** usually provide such features, highlighting the lack of resources -and rate limiting. Scanners are commonly used during **pentesting**. +**Scanners** usually provide features to simulate large workloads, highlighting the lack of resources +and rate limiting built in, but this can also be found through automated tools that, similar to scanners, lest the pentester generate large customs workloads to overwhelm the API. Scanners are commonly used during **pentesting**. ## References
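Review bot: In the 0xa1-broken-object-level-authorization.md hunk, the inserted text "By simply searching for variables such as UserID's and account numbers that could possibly be ennumerated or URL paths that can be manipulated." is a sentence fragment with two typos ("ennumerated", "UserID's"), and it is appended to the previous sentence as one line far longer than the ~80-column wrapping the rest of the file uses. Consider rewording so it states the detection step and flows into the existing "**Code review** and **pentesting**" sentence, e.g. "Look for object identifiers such as user IDs and account numbers in request parameters and URL paths, and verify that the API performs an authorization check for each one." wrapped to the file's line length.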
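Review bot: In the 0xa2-broken-authentication.md hunk, the JWT sentence is technically inaccurate and should not ship as written: a standard signed JWT (JWS) is base64url-encoded, not encrypted, so "decrypted" should be "decoded" and "encypt" (typo) should not appear at all; a token with altered claims is only accepted when the API fails to verify the signature or its claims, so the detection guidance should say that explicitly, e.g. "Check that the API validates token signatures, expiry and issuer, and rejects tokens whose claims have been modified." Also, this chapter is about authentication, so "authentication/authorization workflows" should read "authentication workflows", and the whole addition is one very long line where the surrounding text is wrapped at ~80 columns.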
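Review bot: In the 0xa3-excessive-data-exposure.md hunk, "variables that can be enumerated" does not describe excessive data exposure, which is about responses returning fields the client does not need; the phrase belongs in the A1 chapter and should be replaced here with something like "fields the client does not need, such as internal identifiers, credentials or other users' data". The "better" to "best" change is fine, but the new sentence should be wrapped to the file's ~80-column line length rather than left on one line.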
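Review bot: In the 0xa4-lack-of-resources-and-rate-limiting.md hunk, the replacement sentence has typos ("lest" for "lets", "customs workloads" for "custom workloads", "rate limiting built in" reads as if rate limiting were built in) and is harder to follow than the three lines it removes, which stated the key point that detecting this issue typically requires automated tooling to simulate high load. Suggest keeping the original first sentence and adding the new idea as a second one, e.g. "Typically it requires **automated tools** to simulate high workloads. **Scanners** usually provide such features, and load-testing tools let the tester generate custom workloads to check whether resource and rate limits are enforced.", wrapped to the file's ~80-column convention.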