smaller improvements in docs

Author: st0ffregen

documentation/README.md

@@ -74,6 +74,8 @@ embedding model and storing them in a vector database for efficient retrieval. A
 is embedded, similar vectors are retrieved from the database with their textual representation, and those results are passed to an LLM to generate a 
 context-aware response. 
 
+### Vulnerability
+
 This attack vector is designed to mimic a genuine embedding-inversion attack. 
 Classic inversion attacks reconstruct portions of a sentence by training a model to reverse the embedding vector, 
 an approach that depends on each word’s semantic meaning being preserved in the embedding space.
@@ -87,7 +89,8 @@ In shared chat sessions, the embeddings can be read by the users who imported th
 by embedding all possible flag characters through the service and storing the resulting vectors. 
 The flag can then be reconstructed.
 
-### Attack Flow Chart
+### Exploit
+In order to exploit, the following steps are performed:
 ```mermaid
 flowchart TD
     A["Get flag hint session ID"] --> B["Register an attacker user"]
@@ -117,6 +120,8 @@ In praxis, this means that the model would produce an Out-Of-Vocabulary (OOV) ve
 ### Background
 This vulnerability exists in the custom authentication handshake, that is performed
 to obtain a special JWT that acts as authentication for MCP (Model Context Protocol) requests.
+
+### Vulnerability
 The service implements a challenge-response authentication computing first a session key from the shared secret (the created access token), client and server challenge
 and later on using AES CFB8 encryption to generate client credentials from an all-zero IV and client credentials with the session key as key.
 Because the server challenge is randomly generated, the resulting session key is also effectively random and is then used to encrypt the IV and the client challenge. 
@@ -129,8 +134,8 @@ also set to all zeros. The attacker is now authenticated.
 ![Cryptographic All-Zero IV Vulnerability](assets/images/handshake_exploit.jpg)
 
 
-### Attack Flow Chart
-
+### Exploit
+In order to exploit, the following steps are performed:
 ```mermaid
 flowchart TD
     A["Get flag hint user and session ID"] --> B["Create 8 byte long all-zero client challenge"]
@@ -143,16 +148,17 @@ flowchart TD
     G -->|Yes| I["Receive JWT token"]
     H -->|Yes| C
     H -->|No| J["Attack failed after X attempts"]
-    I --> K["Connect to MCP interface<br/>using JWT token in authentication header"]
+    I --> K["Connect to MCP interface<br/>using JWT in authentication header"]
     K --> L["Read messages from<br/>target chat session"]
     L --> M["Extract flag from messages"]
     M --> N["Remove eventual padding characters"]
     N --> O["Success: Flag recovered"]
-
-
 ```
+Since the handshake is performed in two successive steps, data has to be stored in on server-side in memory. The client 
+receives in the first response a memory key that must be sent in the second request to continue the handshake.
+
 ### Fix
-To fix this vulnerability, the IV should be set to a random value instead of all-zero bytes.
+To fix this vulnerability, the IV should be initialized with a random for each handshake value instead of all-zero bytes.
 
 # Potential Enhancements
 ## OpenID Connect OAuth 2.0 Authorization Code Flow with PKCE