Xanda's Blog !~!

Hello Nokogiri


I’ve talked about scRUBYt! once and I’ve been using it for years as my primary ‘Google crawler’ aka Google web-scraper. So it is not a surprise if I say.. It was part of MyLipas Defacement Crawler as well 😉

If you are using scRUBYt! as your Google web-scraper as well, I would suggest you to take a look at your script, since it might be broken by now. Its not only the gem itself, event the domain of their website, scrubyt.org, is now expired. (but yes the project is till in github). I’ve noticed that my crawler reported zero URL (scraped from Google) everyday and it made me to think of 2 possibilities; the strings return zero match, OR the scraper is broken. And guess what, my second thought was right.

Yes.. Its another day in lab looking back at the crawler/scraper code. Now I don’t really depend on scRUBYt anymore due to lack of support/maintenance and broken gem dependencies. So here come the Nokogiri. With the XPaths support I manage to get working crawler as for the replacement.. in just few minutes. But of course the code will be a bit longer but NVM.. It works like a charm! 😀

Pen Testing the Web With Firefox


Nice write up by Michael “theprez98” Schearer

Get the PDF file HERE

New Project / Hobby :: Hunting / Collecting 0day in Ethical Way


Maybe you’ve heard about iDefense Lab and Zero Day Initiative before.. If no, please stop reading the rest of this entry bacause you might not understand what I’m tryin’ to say.

Yes I’m trying to establish something similar to iDefense Lab and Zero Day Initiative but the difference is, I’m not gonna sell the bugs and PoC. And.. No exploit will be released to the public as well. To me, it is all about fun and ethical.

Personally I’ve found a few 0days during my Uni time & working time

  • 2007 – Local Uni’s web apps – [dah kantoi]
  • 2007 – Local Uni’s web apps – [dah kantoi]
  • 2008 – Friend’s CMS (blog) – [dah kantoi]
  • 2008 – Friend’s CMS (fyp) – [dah alert admin & dah kantoi]
  • 2009 – Famous hypermarket’s web apps – [dah alert admin]
  • 2009 – Big local company’s web apps – [dah alert admin]
  • 2009 – Foreign Uni (faculty) web apps – [hurm… :D]
  • 2009 – Local Uni (faculty) web apps – [dah alert admin]

All bugs I’ve found in 2007 & 2008 have been abused by me but starting in 2009, the vulnerabilities found have been informed to the developer/admin for further action.

Starting from next 2 weeks, I’m going to hunt more 0days in a proactive manner and in ethical way. My area of interest will be the web applications. Alert will be sent to the vendor and general advisories will be released to the public. ‘Hunting’ is not the problem now, but ‘trademark’, timeline, alerting and advisories are the current issues for me.. I’m going to consult one of the oldtimer in this area next week to seek for his advice.

Good luck to me. Till next time..


My colleague in UIA inform me that he wants to be part of the project and gonna focus in modules/components. Thanks mate

Detects Adobe Flash flaws with SWFScan


HP SWFScan, a free tool developed by HP Web Security Research Group, will automatically find security vulnerabilities in applications built on the Flash platform.

HP is offering SWFScan because:

  • HP’s research shows that developers is increasingly implementing applications built on the Adobe Flash platform without the required security expertise.
  • As a result, HP is seeing a proliferation of insecure applications being deployed on the web.
  • A vulnerable application built on the Flash platform widens your website’s attack surface creating more opportunity for malicious hackers.

How SWFScan works and what vulnerabilities it finds:

  • Decompiles applications built on the Adobe Flash platform to extract the ActionScript code and statically analyzes it to identify security issues such as information disclosure.
  • Identifies and reports insecure programming and deployment practices and suggests solutions.
  • Enables you to audit third party applications without requiring access to the source code.

Dowload this free tool to help your team find Flash vulnerabilities in your web applications.