Shreeraj Shah

Shreeraj Shah, B.E., MSCS, MBA, is the founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in the security space. He is the author of popular books such as Web 2.0 Security (Thomson 07), Hacking Web Services (Thomson 06) and Web Hacking: Attacks and Defense (Addison-Wesley 03). In addition, he has published several advisories, tools and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan and ISACA. His articles are regularly published on Securityfocus, InformIT, DevX, O'Reilly and HNS. His work has been quoted as expert opinion by BBC, Dark Reading and Bank Technology. Blog:

Topic: Exploiting SQL, XSS & XPATH

Applications are vulnerable to several different classes of injection, and attackers look for the entry points that expose them. Several popular injection points hand the attacker access to a SQL interface, to browser streams or to XML processing objects. Once an attacker has identified such an access point, it becomes possible to craft an exploit that can end up compromising backend servers or an end user's session. Several new techniques have been developed in the era of next-generation applications, and we are going to cover them during this talk. The following injection vectors will be discussed, along with demonstrations, tools, concepts and real-life cases.

  • SQL injection over JSON and XML
  • Blind SQL injection exploitation
  • Exploiting Flash-based applications with injections
  • XSS and JSON hijacking
  • XSS with Web 2.0 streams and exploits
  • Authentication bypass with XPATH
  • Design and Architecture defense against injections
  • Securing application and validations
  • Code scanning for injection points and patching