Update R5 A4 documentation for IDOR "attack one" #312

Open
@nvisium-john-poulin

Description

The documentation does not cover the second test case, within which a user can specify an arbitrary filename to gain access to.

The unit test:

  # Capybara/RSpec feature spec: takes a legitimate download link for the
  # logged-in user and swaps the name= parameter for a file outside the
  # benefit-forms directory.
  scenario "attack one" do
    login(normal_user)                              # helper from the spec suite

    visit "/users/#{normal_user.id}/benefit_forms"
    download_url = first(".widget-body a")[:href]   # the user's own download link
    # Replace the name= value with an application config file. Note that the
    # regex only matches when name= is followed by another parameter (&).
    visit download_url.sub(/name=(.*?)&/, "name=config/database.yml&")

    # A fixed app must refuse the request and must not serve database.yml.
    expect(page.status_code).not_to eq(200)
    expect(page.response_headers["Content-Disposition"]).not_to include("database.yml")
  end

https://github.com/owasp/railsgoat/wiki/R5-A4-Insecure-Direct-Object-Reference
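The test above checks the server's response to a tampered name= parameter but does not show what the download handler should do differently. The following is an added example, not RailsGoat's code, of a vulnerable path construction beside a hardened one. The function names (`vulnerable_download_path`, `safe_download_path`, `handle_download`), the `owned_files` allow-list standing in for a per-user database lookup, and the sample files written to a temporary directory are all assumptions made for this illustration.

```ruby
require "pathname"
require "tmpdir"
require "fileutils"

# Vulnerable: joins the untrusted name= value straight onto the storage
# directory. "config/database.yml" or "../../etc/passwd" resolves outside it.
def vulnerable_download_path(base_dir, name)
  File.join(base_dir, name)
end

# Hardened. Three independent checks, each sufficient to stop "attack one":
#   1. name must be a bare filename: no separators, no "." / "..", no NUL.
#   2. The resolved path must still sit under base_dir after expansion.
#   3. name must be on the requesting user's own allow-list (in a real app a
#      record lookup scoped to the current user; here a plain array).
# Returns the absolute path to serve, or nil to refuse.
def safe_download_path(base_dir, name, owned_files)
  return nil if name.nil? || name.empty? || name.include?("\0")
  return nil unless File.basename(name) == name          # rejects "a/b", "../x", "/etc/passwd"
  return nil if name == "." || name == ".."
  base = Pathname.new(base_dir).realpath                 # canonical base directory
  candidate = (base + name).expand_path
  return nil unless candidate.to_s.start_with?(base.to_s + File::SEPARATOR)
  return nil unless owned_files.include?(name)           # IDOR check: user owns this file
  candidate.to_s
end

# Minimal stand-in for the controller action: returns [status, headers, body].
# Refusal is a 404 with no Content-Disposition, matching what the spec asserts.
def handle_download(base_dir, owned_files, params)
  path = safe_download_path(base_dir, params["name"], owned_files)
  return [404, {}, ""] if path.nil? || !File.file?(path)
  headers = { "Content-Disposition" => "attachment; filename=\"#{File.basename(path)}\"" }
  [200, headers, File.binread(path)]
end

# Runs "attack one" against both handlers on constructed sample data.
# Returns a hash of outcomes so the behaviour can be checked programmatically.
def demo_attack_one
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "w2_2017.pdf"), "%PDF-sample")     # constructed sample
    owned = ["w2_2017.pdf"]
    tampered = { "name" => "config/database.yml" }
    legit    = { "name" => "w2_2017.pdf" }

    vuln_status, vuln_headers, _ = handle_download(dir, owned, legit)
    bad_status, bad_headers, _   = handle_download(dir, owned, tampered)

    {
      vulnerable_path_escapes: !vulnerable_download_path(dir, tampered["name"]).start_with?(File.join(dir, "w2")),
      legit_status: vuln_status,
      legit_has_disposition: vuln_headers["Content-Disposition"].to_s.include?("w2_2017.pdf"),
      tampered_status: bad_status,
      tampered_leaks_name: bad_headers["Content-Disposition"].to_s.include?("database.yml"),
    }
  end
end

if __FILE__ == $0
  demo_attack_one.each { |k, v| puts "#{k}: #{v}" }
end
```

The allow-list check is the one that actually addresses the IDOR: path confinement alone would still let one user fetch another user's form by guessing its filename, which is the first test case the wiki page already covers.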
