Friday, March 09, 2007

Reflection on Sheeraj Shah



This week on Reflection we have another big contributor to webappsec field. Sheeraj Shah is a founder of Net Square Solutions where he performs consulting, training and R&D activities. He has done a lot of research on web application and web services security. Sheeraj started with web application security in mid 2000 when he was working on WebLogic application server and discovered some architecture level security issues. He quickly found out similar issues in other products like WebSphere, JRun, Java Web Server etc. and posted a lot of advisories on SecurityFocus. Since then he has performed numerous network security pen testing and application assessments for many significant companies.


Based out of Ahmedabad, India, Sheeraj is 31 years old and has a lot of experience in web application security and has authored a couple of books, published many articles, presented at many conferences (including Blackhat, HackInTheBox, RSA, etc), and posted several vulnerabilities and advisories at securityfocus. Below is a compilation of most of his work including article, whitepapers, books, presentations, etc


Books:-

Hacking Web Services (Thomson 06)

Web Hacking – Attacks & Defense (AWL 03)


Articles:-

Stateful Web Application Firewalls with .NET
http://www.informit.com/articles/article.asp?p=694855&rl=1

Ajax Fingerprinting for Web 2.0 Applications
http://www.net-security.org/article.php?id=976

Detect Your Web Application's Vulnerabilities Early with Ruby
http://www.devx.com/security/Article/33559

Crawling Ajax-driven Web 2.0 Applications
http://www.net-security.org/article.php?id=973

XSRF attack vector with Ajax serialization
http://searchappsecurity.techtarget.com/tip/0,289483,sid92_gci1235537,00.html

Vulnerability Scanning Web 2.0 Client-Side Components
http://www.securityfocus.com/infocus/1881

Web 2.0 defense with Ajax fingerprinting & filtering
http://www.insecuremagazine.com/INSECURE-Mag-9.pdf

Top 10 Ajax Security Holes and Driving Factors
http://www.net-security.org/article.php?id=956

Detecting Web Application Security Vulnerabilities
http://www.oreillynet.com/pub/a/sysadmin/2006/11/02/webapp_security_scans.html

Hacking Web 2.0 Applications with Firefox
http://www.securityfocus.com/infocus/1879

Top 10 Web 2.0 attack vectors
http://www.net-security.org/article.php?id=949

Assessing Web App Security with Mozilla
http://www.onlamp.com/pub/a/security/2005/10/20/web_vulnerabilities.html

Protect your applications without recoding them
http://www.onlamp.com/pub/a/onlamp/2005/06/09/wss_security.html

Web Services - Attacks and Defense
http://www.net-square.com/whitepapers/WebServices_Info_Gathering.pdf

Defending Web Services using Mod Security (Apache) Methodology and Filtering Techniques
http://www.net-square.com/whitepapers/Defending-web-services.pdf

Web Application Footprints and Discovery
http://www.net-square.com/whitepapers/WebApp_Footprints_Disco.pdf

Web application defense at the gates - Leveraging IHttpModule
http://www.net-square.com/whitepapers/WebApp_HTTPMod.pdf

Web Services: Enumeration and Profiling
http://www.net-square.com/whitepapers/WebServices_Profiling.pdf

Domain Footprinting for Web Applications and Web Services
http://www.net-square.com/whitepapers/domain_footprints.pdf

Web Application Footprinting & Assessment with MSN Search Tricks
http://www.net-square.com/whitepapers/MSN_Search_For_WebApp.pdf

Browser Identification for Web Applications
http://www.net-square.com/whitepapers/browser_ident.pdf


Tools:-

wsChess - Toolkit for Web Services Assessments and Defense
http://www.net-square.com/wschess/index.shtml

MSNPawn - Footprinting, Profiling & Assessment with MSN Search
http://www.net-square.com/msnpawn/index.shtml

Ajaxfinger – Ajax fingerprinting script
http://www.net-square.com/ns_freetools.shtml#ajaxfinger


Presentations:-

Advanced Web Hacking - EUSecWest
http://www.slideshare.net/shreeraj/advanced-web-hacking/

Advanced Web Services Hacking - AusCERT
http://www.slideshare.net/shreeraj/advanced-web-services-hacking/

Web Services Security Chess - RSA
http://www.slideshare.net/shreeraj/web-services-security-chess-rsa/

Web Application Kung-Fu, Art of Defense - Bellua/HITB
http://www.slideshare.net/shreeraj/web-application-kungfu-art-of-defense-bellua/

Hacking and Securing .NET Apps - Infosecworld
http://www.slideshare.net/shreeraj/hacking-and-securing-net-apps-infosecworld/

Defending Web Applications: Strategies, methods and practices
http://www.archive.org/details/hitb2003-Shreeraj-Shah


Blog:-

http://shreeraj.blogspot.com


Companies worked for:-

IBM, Chase bank and Foundstone


Education:-

Masters in Computer Science


Company working for:-

Net Square Solutions Pvt. Ltd.


Email:-

shreeraj__at__net-square__dot__com

Sheeraj has come up with interesting ideas before and i am sure he has a lot more to contribute to the webappsec industry. If you dont already follow his blog then I suggest you should definitely keep an eye on it.

Last Week - Ivan Ristic
Next Week - Billy Hoffman

2 comments:

Paavan Shah said...

One mistake about Shreeraj shah..

He is based out of Ahmedabad not Hyderabad.

Anurag Agarwal said...

thanks paavan for pointing it out. i have made the changes in the posting.