js-shield

Re: An interesting (probably) fingerprinting technique that should fail


From: Bednář Martin
Subject: Re: An interesting (probably) fingerprinting technique that should fail with NBS
Date: Fri, 04 Jun 2021 13:25:02 +0200
User-agent: Roundcube Webmail

Hello all,

I have done several experiments and I can confirm that the Network Boundary Shield (NBS), which is a part of the JavaScript Restrictor, can prevent port scanning performed by eBay.com. I would like to summarize my experiments in this email.

First of all, I can confirm that eBay.com really performs port scanning on localhost. This can be seen in the captured traffic in Figure 1 in the attachment to this e-mail.

When the NBS is enabled, this port scanning is not successful, because requests to localhost are blocked by NBS and the user is informed of suspicious behavior. You can see these notifications in Figure 2 in the attachment to this e-mail.

The last step is to send information about open ports to the eBay server. Here, my experience differs from the information provided in the article. I think eBay has changed the way of sending information about open ports. You can see the current version of this requirement in Figure 3 in the attachment to this e-mail. The number of params has changed, and now all params are encrypted. I was not able to decrypt the parameters in the query, but I am convinced that the information about open ports is returned in this request.

That's all from my side. Have a nice weekend,

Martin Bednář
Faculty of Information Technology
Brno University of Technology




On 2021-06-03 10:07, Libor Polčák wrote:
Hello all,

I learnt about
https://web.archive.org/web/20200526092506/https://blog.nem.ec/2020/05/24/ebay-port-scanning/.

Long story short: "It’s not just Ebay scanning your ports, there is
allegedly a network of 30,000 websites out there all working for the
common aim of harvesting open ports, collecting IP addresses, and User
Agents in an attempt to track users all across the web. And this isn’t
some rogue team within Ebay setting out to skirt the law, you can bet
that LexisNexis lawyers have thoroughly covered their bases when
extending this service to their customers (at least in the U.S.)."

The scan should be mitigated by the Network Boundary Shield. But it is
something worth a try to make sure that it indeed does.

And it is also something to think about when we are going to decide
what to do with NBS and manifest v3.

The DNS cloaking based on CNAME seems to be quite a common technique
which beats (some) adblockers. (uBlock Origin was recently patched in
Firefox to use DNS API to detect DNS cloaking.) Additional reading at
https://blog.lukaszolejnik.com/large-scale-analysis-of-dns-based-tracking-evasion-broad-data-leaks-included/
(or the linked PETS paper).

Libor

Attachment: 1_captured_traffic.png
Description: PNG image

Attachment: 2_request_blocked.png
Description: PNG image

Attachment: 3_return_request.png
Description: PNG image
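
The boundary check discussed in the messages above (a page loaded from the public Internet requesting localhost), sketched as an added example. This is not JavaScript Restrictor code: the function names, the address ranges treated as local, and the sample requests are assumptions constructed for illustration.

```javascript
// Added illustration, not JavaScript Restrictor / NBS source code.
// Hypothetical helpers: isLocalHost, crossesBoundary, findBlocked.

// True for "localhost", the IPv6 loopback, and IPv4 literals in the loopback,
// RFC 1918 private and link-local ranges. Names that would need a DNS lookup
// are treated as public (an assumption that keeps the sketch offline).
function isLocalHost(host) {
  const h = host.toLowerCase().replace(/^\[|\]$/g, "");
  if (h === "localhost" || h.endsWith(".localhost") || h === "::1") return true;
  const m = h.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (!m) return false;
  if (m.slice(1).some((octet) => Number(octet) > 255)) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 127 || a === 10 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

// A request crosses the boundary when a public page targets a local host.
// Local page -> local target is allowed (e.g. a router's own admin UI).
function crossesBoundary(pageUrl, requestUrl) {
  const page = new URL(pageUrl).hostname;
  const target = new URL(requestUrl).hostname;
  return !isLocalHost(page) && isLocalHost(target);
}

// Constructed sample requests (page that issued the request, requested URL).
const SAMPLE_REQUESTS = [
  { page: "https://shop.example/item/1", url: "https://cdn.shop.example/app.js" },
  { page: "https://shop.example/item/1", url: "https://127.0.0.1:3389/" },
  { page: "https://shop.example/item/1", url: "http://localhost:8080/" },
  { page: "https://shop.example/item/1", url: "http://[::1]:5900/" },
  { page: "http://192.168.1.1/admin", url: "http://192.168.1.1/api/status" },
];

// Returns the requested URLs that a boundary check of this kind would block.
function findBlocked(requests) {
  return requests
    .filter((r) => crossesBoundary(r.page, r.url))
    .map((r) => r.url);
}

console.log(findBlocked(SAMPLE_REQUESTS));
```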

