Why does the US Visa application website do a port-scan of my network?
Is this a common thing? I have just recently installed the extension, so I am not sure if there are a lot of other websites who do it.
Since looking into it, I noticed that uBlock Origin already has the default list "Block Outsider Intrusion into LAN" but it wasn't enabled.
Many sites do it. Included in many standard device fingerprinting / anti-anonymity SaaS. eBay, Facebook etc. all do this! But it looks like this is first party to prevent the adblocking of them.
1MB of obfuscated fingerprinting + portscan + WebGL. But oddly, this one is trying to find Burp Suite specific routes.
Like a less sophisticated Tor/VPN that is easily detected by port scans
> Blocks malicious websites from port-scanning your computer/network
How does that work? A browser extension can't influence how your router and other machines in your network react to incoming requests.
Embarrassed to say that I wasn't aware of this practice. Are there malicious uses for this beyond fingerprinting?
My biggest grief with that site is that it's like something from the 90s.
Visa application is riddled with scams. From the simple website that charges you twice the price to websites that will tell you that you were rejected and then fake your documents to get in with your name.
So they're probably trying to see that you're not one of those web servers, a proxy for them or detect some known C2 channels.
I'm using uMatrix and it blocks by default all connections outside the requested site and parent domains. For example, if I request https://mail.yahoo.com, connections to yimg.com are blocked. I need to manually allow each CDN for each website, so this attack/profiling won't work.
Using uMatrix was very annoying at first, most websites are broken without their CDNs, but after a few months or so, the whitelist grew and it contains 90% of websites I visit.
On my system https://ceac.state.gov/genniv/ tries to connect to captcha.com, google-analytics, googletagmanager, 127.0.0.1 and "burp" (a local hostname that doesn't exist in my network). Interestingly, the browser console doesn't list connection attempts to localhost or burp. If I allow 127.0.0.1 and "tcpdump -i lo", I see connections to port 8888, which isn't open.
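Two comments above ask how a browser extension can "block port-scanning" at all, and another describes uMatrix blocking everything outside the first-party domain. Both come down to the same decision, made per outgoing request inside the browser (for example from a webRequest listener): is this request going to a public host that belongs to the page, to some other public host, or into the visitor's own loopback/LAN space? The classifier below is an added example written for this thread, not code from uBlock Origin, uMatrix, or the extension being discussed. The request list is constructed from the hosts reported in the comment above (the `app.js` path is made up), the parent-domain logic is a deliberate simplification that takes the last two labels rather than consulting the Public Suffix List, and the private-range table is the usual RFC 1918 / loopback / link-local set.

```javascript
// Added example: classify outgoing browser requests as first-party,
// third-party or "lan" (loopback / private address / bare LAN hostname),
// and decide what a "block outsider intrusion into LAN" rule would do.
// Not code from uBO, uMatrix or the extension in the thread.

// Non-public IPv4 ranges as [base, prefixLength].
const PRIVATE_V4 = [
  ['10.0.0.0', 8],        // RFC 1918
  ['172.16.0.0', 12],     // RFC 1918
  ['192.168.0.0', 16],    // RFC 1918
  ['127.0.0.0', 8],       // loopback
  ['169.254.0.0', 16],    // link-local
  ['0.0.0.0', 8],         // "this" network (0.0.0.0 reaches localhost on some OSes)
];

function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  // Build the 32-bit value, then force it unsigned.
  return octets.reduce((acc, o) => (acc << 8) + o, 0) >>> 0;
}

function inCidr(ipInt, base, prefix) {
  const mask = prefix === 0 ? 0 : (~0 << (32 - prefix)) >>> 0;
  return (ipInt & mask) === (parseIPv4(base) & mask);
}

// True when the hostname is loopback, an RFC 1918/link-local address, an
// mDNS name, or a bare single-label name such as "burp" that the OS would
// resolve through the LAN search domain, mDNS or LLMNR/NetBIOS.
function isLoopbackOrLanHost(host) {
  let h = host.toLowerCase().replace(/^\[|\]$/g, ''); // strip IPv6 brackets
  if (h === 'localhost' || h.endsWith('.localhost') || h.endsWith('.local')) return true;
  if (h.startsWith('::ffff:')) h = h.slice(7);          // IPv4-mapped IPv6
  const v4 = parseIPv4(h);
  if (v4 !== null) return PRIVATE_V4.some(([base, p]) => inCidr(v4, base, p));
  if (h.includes(':')) {                                // IPv6 literal
    return h === '::1' || /^f[cd]/.test(h) || /^fe[89ab]/.test(h);
  }
  return !h.includes('.');                              // single-label name
}

// Naive eTLD+1: last two labels. Assumption for this example; uMatrix uses
// the Public Suffix List, so this is wrong for suffixes like co.uk.
function parentDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

function classifyRequest(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  if (isLoopbackOrLanHost(req.hostname)) return 'lan';
  const site = parentDomain(page.hostname);
  if (req.hostname === site || req.hostname.endsWith('.' + site)) return 'first-party';
  return 'third-party';
}

// The LAN rule: a page served from a public origin may not reach into
// loopback/LAN. A page that is itself on the LAN (router UI, intranet app)
// is left alone. blockThirdParty models uMatrix's default-deny behaviour.
function shouldBlock(pageUrl, requestUrl, { blockThirdParty = false } = {}) {
  const kind = classifyRequest(pageUrl, requestUrl);
  const pageIsLocal = isLoopbackOrLanHost(new URL(pageUrl).hostname);
  if (kind === 'lan') return !pageIsLocal;
  return blockThirdParty && kind === 'third-party';
}

function auditPage(pageUrl, requestUrls, opts) {
  return requestUrls.map((url) => ({
    url,
    kind: classifyRequest(pageUrl, url),
    blocked: shouldBlock(pageUrl, url, opts),
  }));
}

// Constructed from the hosts named in the thread; app.js is a placeholder.
const PAGE = 'https://ceac.state.gov/genniv/';
const OBSERVED = [
  'https://ceac.state.gov/genniv/app.js',
  'https://captcha.com/',
  'https://www.google-analytics.com/',
  'https://www.googletagmanager.com/',
  'http://127.0.0.1:8888/',
  'http://burp/',
];

for (const r of auditPage(PAGE, OBSERVED)) {
  console.log(`${r.blocked ? 'BLOCK' : 'allow'}  ${r.kind.padEnd(11)} ${r.url}`);
}
```

Run with `node` and the two probes to 127.0.0.1:8888 and the bare "burp" name come out as `lan` and blocked, while the CAPTCHA and analytics hosts stay `third-party` and are only blocked if you opt into the uMatrix-style default-deny. Note that the "burp" case is the interesting one: it is not an IP address at all, so a rule that only checks private IP ranges would let it through, which is why single-label hostnames have to be treated as LAN targets.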
Capturing forensic artifacts of the local network allows building a bridge strategy for identifying fraudulent networks without requiring knowledge of the path taken from destination to recipient. Other local devices do this and send the network map during a phone home, allowing comparison to a source of truth that is tied almost directly to the person, or group of people.
There is also a lot of fingerprintable material within such a port scan from clock skew, TCP ISN, and a few other areas.
You can sieve this quite easily with this available, thanks to Rokus, phones, and other things doing this while just sitting locally in a shared collision domain (a digital soldier quartered in every home).
The metadata node graph of devices locally acts as a unique fingerprint once in RFC1918 space, technically not unique but close enough.
Be careful your security tool isn't producing false positives.
I remember years back when people would run these firewalls and we'd get complaints from home users about normal traffic.
Things like complaints that our mail servers were scanning them on port 25 when they sent email.
Is it true Visa and PayPal are able to make you unable to buy games on Steam?
Just a little side note - in this context, it makes sense if the website tries to connect to a local port because you might be running a card reader (i.e. a terminal). This is how it works with some (all?) EU countries that have a chip in their ID cards, or even vehicle registration cards, which you can use to access sensitive information or perform certain administrative tasks on government websites.
Although, from personal experience, it used to require Java and it worked only on Internet Explorer, and since it has been retired and replaced with Chromium, I am not sure what the way to make it work nowadays is, as I have not been able to figure out how to use it when I needed it the last time.
The "port scan" just seems to be a local connection to 127.0.0.1:8888. I don't know what purpose it serves on this page, but our government websites often use this technique to communicate with native software for digitally signing documents.
Are you seeing connection attempts to other IPs?
Very interesting. Having looked at NoScript it seems like you can disable LAN as a default value under the allow tab.
It's coming from an F5 script; F5 is a company that sells anti-bot protection. (It's coming from an obfuscated script at /TSPD, which is an F5 thing.)
https://www.f5.com/
No worries, they are "just" looking for Mexicans, hiding in your network.
How and why do browsers allow this? Why wouldn't the browser ask for permission in the same way that it does for Microphone access?
It's insane to allow any random website to port scan my LAN. If this wasn't a "feature", I would have considered this a high severity vulnerability
"Since looking into it, I noticed that uBlock Origin already has the default list "Block Outsider Intrusion into LAN" but it wasn't enabled."
Never knew that this existed. Thank you!
That extension has "Access your data for all websites" ... I really don't get how anyone can give that permission to anyone that isn't well known (a company with a lot on the line) or a person famous for their work (the uBO dev) who has stated he will never sell to anyone or do bad things.
"Hacks and Hops" doesn't even have a valid home page. The extension links to https://g666gle.me/ which does not exist. The domain name itself does not make me want to give access to all my data on all websites to them.
As nice as this extension seems, I would never in a million years install it.
It would be interesting to see what happens on OpenBSD. With pledge(2) and unveil(2) in Firefox, I wonder what it would see. I expect it would see nothing.
I will give it a try and see what happens and if I see anything I will add it here.
Checking if you are sharing torrents, run a tor node, mine coins?
For another example, studentaid.gov doesn’t work in private browsing.
Most likely some "antivirus" bs. Probably harmless. Fun fact. Most browsers allow by default GET access to web resources on localhost and LAN. Been used for exploits since last century.
Have you double-checked whether the IP isn't shared among multiple website domains? That's quite a classic with IP based filtering with hosters like GCP...
Data my friend, data.
Port scanning?
Well, tell us about the hosts and the port numbers. Add some logs if you got.
If you did not go into the details, chances are that when you do, this will turn out to be a false positive case.
If you did, where are the evidence?