Reflection on Shreeraj Shah
This week on Reflection we have another big contributor to the webappsec field. Shreeraj Shah is a founder of Net Square Solutions, where he performs consulting, training and R&D activities. He has done a lot of research on web application and web services security. Shreeraj started with web application security in mid 2000 when he was working on the WebLogic application server and discovered some architecture-level security issues. He quickly found similar issues in other products such as WebSphere, JRun and Java Web Server, and posted a lot of advisories on SecurityFocus. Since then he has performed numerous network security pen tests and application assessments for many significant companies.
Based out of Ahmedabad, India, Shreeraj is 31 years old, has a lot of experience in web application security, has authored a couple of books, published many articles, presented at many conferences (including Blackhat, HackInTheBox, RSA, etc.), and posted several vulnerabilities and advisories at SecurityFocus. Below is a compilation of most of his work, including articles, whitepapers, books, presentations, etc.
Books:-
Hacking Web Services (Thomson 06)
Web Hacking – Attacks & Defense (AWL 03)
Articles:-
Stateful Web Application Firewalls with .NET
http://www.informit.com/articles/article.asp?p=694855&rl=1
Ajax Fingerprinting for Web 2.0 Applications
http://www.net-security.org/article.php?id=976
Detect Your Web Application's Vulnerabilities Early with Ruby
http://www.devx.com/security/Article/33559
Crawling Ajax-driven Web 2.0 Applications
http://www.net-security.org/article.php?id=973
XSRF attack vector with Ajax serialization
http://searchappsecurity.techtarget.com/tip/0,289483,sid92_gci1235537,00.html
Vulnerability Scanning Web 2.0 Client-Side Components
http://www.securityfocus.com/infocus/1881
Web 2.0 defense with Ajax fingerprinting & filtering
http://www.insecuremagazine.com/INSECURE-Mag-9.pdf
Top 10 Ajax Security Holes and Driving Factors
http://www.net-security.org/article.php?id=956
Detecting Web Application Security Vulnerabilities
http://www.oreillynet.com/pub/a/sysadmin/2006/11/02/webapp_security_scans.html
Hacking Web 2.0 Applications with Firefox
http://www.securityfocus.com/infocus/1879
Top 10 Web 2.0 attack vectors
http://www.net-security.org/article.php?id=949
Assessing Web App Security with Mozilla
http://www.onlamp.com/pub/a/security/2005/10/20/web_vulnerabilities.html
Protect your applications without recoding them
http://www.onlamp.com/pub/a/onlamp/2005/06/09/wss_security.html
Web Services - Attacks and Defense
http://www.net-square.com/whitepapers/WebServices_Info_Gathering.pdf
Defending Web Services using Mod Security (Apache) Methodology and Filtering Techniques
http://www.net-square.com/whitepapers/Defending-web-services.pdf
Web Application Footprints and Discovery
http://www.net-square.com/whitepapers/WebApp_Footprints_Disco.pdf
Web application defense at the gates - Leveraging IHttpModule
http://www.net-square.com/whitepapers/WebApp_HTTPMod.pdf
Web Services: Enumeration and Profiling
http://www.net-square.com/whitepapers/WebServices_Profiling.pdf
Domain Footprinting for Web Applications and Web Services
http://www.net-square.com/whitepapers/domain_footprints.pdf
Web Application Footprinting & Assessment with MSN Search Tricks
http://www.net-square.com/whitepapers/MSN_Search_For_WebApp.pdf
Browser Identification for Web Applications
http://www.net-square.com/whitepapers/browser_ident.pdf
Tools:-
wsChess - Toolkit for Web Services Assessments and Defense
http://www.net-square.com/wschess/index.shtml
MSNPawn - Footprinting, Profiling & Assessment with MSN Search
http://www.net-square.com/msnpawn/index.shtml
Ajaxfinger – Ajax fingerprinting script
http://www.net-square.com/ns_freetools.shtml#ajaxfinger
Presentations:-
Advanced Web Hacking - EUSecWest
http://www.slideshare.net/shreeraj/advanced-web-hacking/
Advanced Web Services Hacking - AusCERT
http://www.slideshare.net/shreeraj/advanced-web-services-hacking/
Web Services Security Chess - RSA
http://www.slideshare.net/shreeraj/web-services-security-chess-rsa/
Web Application Kung-Fu, Art of Defense - Bellua/HITB
http://www.slideshare.net/shreeraj/web-application-kungfu-art-of-defense-bellua/
Hacking and Securing .NET Apps - Infosecworld
http://www.slideshare.net/shreeraj/hacking-and-securing-net-apps-infosecworld/
Defending Web Applications: Strategies, methods and practices
http://www.archive.org/details/hitb2003-Shreeraj-Shah
Blog:-
http://shreeraj.blogspot.com
Companies worked for:-
IBM, Chase bank and Foundstone
Education:-
Masters in Computer Science
Company working for:-
Net Square Solutions Pvt. Ltd.
Email:-
shreeraj__at__net-square__dot__com
Shreeraj has come up with interesting ideas before and I am sure he has a lot more to contribute to the webappsec industry. If you don't already follow his blog then I suggest you should definitely keep an eye on it.
Last Week - Ivan Ristic
Next Week - Billy Hoffman
2 comments:
One mistake about Shreeraj Shah..
He is based out of Ahmedabad, not Hyderabad.
Thanks Paavan for pointing it out. I have made the changes in the posting.