Chenggang Wu: DTA & XSS:

1: Directory traversal attack is an injection attack that can trick the filesystem code into reading/writing files that the malicious user shouldn't have access to. Specifically, instead of giving the filename that the user wants to access, he/she can mix some directory traversal command into the input. By doing so, when joining the base path with the user-input filename, the filesystem can then access files in the parent directories (and in the worst case, all files under those parent directories). One way to prevent this attack is to sanitize the user input and strip off any directory traversal command such as ".." and ".".

2: When the malicious user submits input to a web application, he/she can instead submit a piece of executable code. Without proper encoding and sanitization, the web application can execute the code, which might be used to steal sensitive information. Moreover, if the malicious content is stored in a database, when other users retrieve the content, the script will be executed and can do arbitrary damage to their account. A way to prevent XSS is to escape and/or encode any content that comes from a user before inserting it into HTML. Examples could be escaping all variable values and encoding " as &quot;.
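An added example, not part of the post above, illustrating both defences in Python: a naive base-path join next to a hardened one that canonicalizes the joined path and rejects anything that does not stay under the base directory, and HTML escaping of user content before it is inserted into a page. `BASE_DIR`, the function names and the sample inputs are constructed for illustration.

```python
import html
import posixpath

BASE_DIR = "/var/www/uploads"  # hypothetical document root for the example


def naive_join(base, user_path):
    """Vulnerable pattern: the user-supplied name is joined to the base as-is.

    Any '..' components in user_path walk out of base after normalization.
    """
    return posixpath.normpath(posixpath.join(base, user_path))


def safe_join(base, user_path):
    """Hardened pattern: canonicalize the joined path and require that it
    still lies inside base. Checking the *result* rather than stripping
    '..' from the input also covers encodings the strip step might miss.

    Note: normpath is pure string processing; on a real filesystem use
    os.path.realpath as well so symbolic links cannot point outside base.
    """
    base = posixpath.normpath(base)
    # A leading '/' would make join() discard base entirely, so drop it.
    candidate = posixpath.normpath(posixpath.join(base, user_path.lstrip("/")))
    if candidate != base and not candidate.startswith(base + "/"):
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def render_comment(author, text):
    """Escape user-controlled values before placing them in HTML.

    html.escape(quote=True) turns <, >, &, " and ' into entities, so a
    stored comment is displayed as text instead of executed as script.
    """
    return '<p class="comment"><b>{}</b>: {}</p>'.format(
        html.escape(author, quote=True), html.escape(text, quote=True)
    )


if __name__ == "__main__":
    print(naive_join(BASE_DIR, "../../../etc/passwd"))   # walks out of base
    print(safe_join(BASE_DIR, "reports/2024.txt"))       # allowed
    print(render_comment("alice", '<script>alert("x")</script>'))
```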