Bhaumik Merchant

Information Security Research Consultant

Bhaumik Merchant works as a Security Researcher and also serves law-enforcement as a Digital Forensics Investigator and Trainer to solve E-Crime cases. He has recently introduced an OpenSource Project "WOF" which can be used to evaluate Web Application Firewalls(WAFs). His InfoSec articles has been published in media as well as magazines like Hackin9, SecurityFocus, ClubHack, etc. and he has also been invited to speak at various Security Conferences like HackerHalted, ToorCon, ClubHack, Ground Zero Summit, etc. His major area of interest is in developing new stuff involved in exploitation phases and IDS/IPS Development. He has also developed IND 360 Intrusion Detection System.

Key Skills

  • Penetration Testing
  • Malware Analysis
  • Signature Development
  • Mobile AppSec
  • Digital Forensics
  • Vulnerability Research
  • IDS/IPS Development
  • Snort,ModSecurity
  • Cloud Computing(AWS, Azure)
  • Java,C/C++


Go to next/previous page

EC-Council's HackerHalted(Miami, USA Edition)



2012 (Feb Edition)

Cyber Crime Case Studies(Articles)

Hackin9 Magazine(June Edition)


White Papers

Go to next/previous page

WOF (Walk On The Fire) - OpenSource Contribution

Next Generation Exploitation Methods

They are Offline, But I Exploited Them

More Projects and Info


Go to next/previous page

WOF(Walk on the Fire)

Today's requirement is to secure the Web Applications without changing the existing infrastructure.But at the same time, it is a big risk in case of WAF behaviour and false positives(legitimate traffic blocking). This article will demonstrate a new concept to evaluate any WAF without taking risk of putting it into inline mode. Everything will be in learning or in passive mode. This paper describes concept of one special engine, which can be used by the end user(website owner) to evaluate any WAF with zero risk ,no matter whether its vendor supports Passive mode or not(i.e. modsecurity or naxsi).

They are Offline, But I Exploited Them

This article demonstrates a unique kind of communication technique between an attacker machine and a victim machine during the exploitation of any victim machine .In a general scenario, while an attacker exploits the remote machine and gets the remote command prompt (remote shell), the attacker is only able to execute commands till the session from the remote machine is opened (established). While exploiting the machine in a normal way, both the attacker and the victim machine should be online if the attacker wants to execute some commands in the remote machine (victim.s machine). This paper is going to demonstrate methodologies where an attacker can attack a remote victim without being online (i.e. the attacker may be online and the victim may or may not be online).

Contact Me

Go to next/previous page

Contact info

  • Vadodara, Gujarat, INDIA
  • bhaumik [dot] merchant [at] gmail [dot] com

Send me a message

Thanks for sending your message! We'll get back to you shortly.

There was a problem sending your message. Please try again.

Please complete all the fields in the form before sending.