Friday, March 09, 2007

Reflection on Shreeraj Shah

This week on Reflection we have another big contributor to the webappsec field. Shreeraj Shah is a founder of Net Square Solutions, where he performs consulting, training and R&D activities. He has done a lot of research on web application and web services security. Shreeraj started with web application security in mid 2000 when he was working on the WebLogic application server and discovered some architecture-level security issues. He quickly found similar issues in other products like WebSphere, JRun, Java Web Server etc. and posted a lot of advisories on SecurityFocus. Since then he has performed numerous network security pen tests and application assessments for many significant companies.

Based out of Ahmedabad, India, Shreeraj is 31 years old and has a lot of experience in web application security. He has authored a couple of books, published many articles, presented at many conferences (including Blackhat, HackInTheBox, RSA, etc.), and posted several vulnerabilities and advisories at SecurityFocus. Below is a compilation of most of his work including articles, whitepapers, books, presentations, etc.

Books:-

Hacking Web Services (Thomson 06)

Web Hacking – Attacks & Defense (AWL 03)

Articles and Whitepapers:-

Stateful Web Application Firewalls with .NET

Ajax Fingerprinting for Web 2.0 Applications

Detect Your Web Application's Vulnerabilities Early with Ruby

Crawling Ajax-driven Web 2.0 Applications

XSRF attack vector with Ajax serialization

Vulnerability Scanning Web 2.0 Client-Side Components

Web 2.0 defense with Ajax fingerprinting & filtering

Top 10 Ajax Security Holes and Driving Factors

Detecting Web Application Security Vulnerabilities

Hacking Web 2.0 Applications with Firefox

Top 10 Web 2.0 attack vectors

Assessing Web App Security with Mozilla

Protect your applications without recoding them

Web Services - Attacks and Defense

Defending Web Services using Mod Security (Apache) Methodology and Filtering Techniques

Web Application Footprints and Discovery

Web application defense at the gates - Leveraging IHttpModule

Web Services: Enumeration and Profiling

Domain Footprinting for Web Applications and Web Services

Web Application Footprinting & Assessment with MSN Search Tricks

Browser Identification for Web Applications

Tools:-

wsChess - Toolkit for Web Services Assessments and Defense

MSNPawn - Footprinting, Profiling & Assessment with MSN Search

Ajaxfinger – Ajax fingerprinting script

Presentations:-

Advanced Web Hacking - EUSecWest

Advanced Web Services Hacking - AusCERT

Web Services Security Chess - RSA

Web Application Kung-Fu, Art of Defense - Bellua/HITB

Hacking and Securing .NET Apps - Infosecworld

Defending Web Applications: Strategies, methods and practices


Companies worked for:-

IBM, Chase bank and Foundstone

Education:-

Masters in Computer Science

Company working for:-

Net Square Solutions Pvt. Ltd.



Shreeraj has come up with interesting ideas before and I am sure he has a lot more to contribute to the webappsec industry. If you don't already follow his blog, then I suggest you definitely keep an eye on it.

Last Week - Ivan Ristic
Next Week - Billy Hoffman


Paavan Shah said...

One mistake about Shreeraj Shah..

He is based out of Ahmedabad not Hyderabad.

Anurag Agarwal said...

Thanks Paavan for pointing it out. I have made the changes in the posting.