Why and How are Enterprise Companies, Like eBay, Actively Port-scanning End-users’ Computers From Their Websites

You might have recently heard that eBay is performing port scanning, while online shoppers are visiting their website. At first glance, it will probably sound a bit strange, as port scanning is an internal network action. As such, it is designed to detect services and should not be related to the regular user browsing experience.
eBay is not alone. According to Bleeping Computer a high number of well-established websites are conducting port-scanning. These include top websites like TD Bank, Lloyds Bank, Walmart, Target, Netflix and lots more. 

From a technological point of view, the issue of port-scanning has raised an interesting question: how does an external website have access and the ability to conduct internal network scanning and what are their limitations.

This article will shed more light about port-scanning activities. We will explain the technical aspects of it from a website perspective and then we will explore different ways of using it.


Port Scanning: Technical background 

Client & Server

When you, as an end-user, are browsing a website, you load the HTML content from the web server which provides most of the

data you request. While visiting eBay, for example, you get products, pictures, your cart and endless inventory of data about goods. The same loaded HTML also includes a high number of JavaScript codes, that are actually running on your own browser. This is commonly referred to as client-side code.

The Client-Side Code

Gartner’s “Market Guide for Online Fraud Detection” indicates that  “Contemporary websites have become completely reliant on JavaScript to fulfill their functions”, ranging from collecting usage metrics to serving up ads. According to the guide, many of these JavaScript snippets are provided by third parties.

JavaScript codes can do anything, as if they are the original website code, from user engagement to advanced analytics. For example, in order to improve the user experience, the JavaScript code can load banners, suggesting that you buy a product that is currently on sale. It can also enable customer support and engagement tools, like live chats. This is the code that enables us, as users, to engage and get feedback from a website that actually reacts to our actions. 

Javascript has the ability to do almost anything today. This is even more true since the introduction of HTML5, that enables the creation of web based applications that can both behave and feel like native mobile apps.You can use JS to open the camera or access the microphone, you can read what your visitors are typing or, you check if they have opened Bluetooth. Practically, everything and yes, you can also use it for port scanning.  

Now, let’s talk about web-sockets.

What are WebSockets?

According to Wikipedia: “WebSocket is a computer communications protocol, providing full-duplex communication channels over a single TCP connection.”

Put simply, we are all familiar with the fact that website’s communication is done through HTTP requests. These are asynchronous requests, meaning that when you are visiting a webpage, the user’s browser is sending an HTTP request to the server, including additional headers, that add some user data and some request guidelines. In response, the server returns an HTTP response with the webpage’s content.

As it is an asynchronous request, there is no active channel between the user and server. If it wants to share extra details, like updating a user’s actions, or just requesting additional content, the client will be required to send a new request, with all the header data again, over and over. In many cases this creates an inefficient method of communication, increases the traffic load and affects the user experience. 

For that reason, Web-sockets were introduced, presenting the ability to run a regular TCP request from your own browser. The concept is similar to TCP: a server opens a port, listening to the incoming traffic and in this case, the client, our browser, can create a socket between the client and the server. The socket always requires the external server IP and a listening port. To know more about TCP and sockets visit this recommended article explaining it on Steve’s Internet Guide. 

Since the user is the one who creates the requests, the user needs to use JavaScript for it. In this case the JavaScript obtains objects that can create and manage web-socket connections to the server.  

Websockets - port-scanning


How to detect client-side risks on your website before they happen?

Book a complimentary meeting with one of experts

Port-Scanning and JavaScript

So how can you run a port scanning with these sets of “tools”? Simple. 

The JavaScript code can initiate a websocket request to any location around the world and try to open a socket to it. For example, the selected address can be ‘’, the loopback address, which is your localhost.

If you “translate” it to a simple code, you just need to run a list of ports you want, and then try to open a socket for each of them. Once the port is opened, you will know about it.                

                var ports = [80, 443, 445];
                for (var i = 0; i < ports.length; i++) 
                var s = new WebSocket("wss://" + ports[i]);
                s.port = ports[i];

A basic port-scanning code

The most common way to find out if the port is open is to measure the time until getting a response. Active listening ports will answer immediately. Inactive ports will only be resolved when a timeout threshold happens. These are the indications that are helping us to distinguish whois doing what.

Some of the most common ports are blocked by browsers to reduce the risk level. Because of this, scanners aren’t able to analyze ports like DNS, SSH, 21. To view the full list, by browser type, go to the following links: Chrome, Firefox

Now that we have discussed how to operate a port-scanning, we can jump on to the next question: WHY?


Compromised Hosts Detection

Well, there are different reasons to run port scanning. The most essential technique is trying to detect if the client’s host is compromised. The idea in this case is testing several known ports that are commonly used by remotely controlled applications, or by known trojans. This lets you understand which services are currently running on the client host and creates a risk score. Once you realize that, you can decide if you want to allow the user to login to your application or website. 

Most of these web port scanners are doing it to protect login pages or checkout pages, which are usually targeted by client-side attacks, third-party skimming and, man in the browser attacks. Port scanning is just an additional method of understanding who is performing as the host: a regular user or a malicious entity. 

Is port-scanning legal?

Legal or not? Is port-scanning allowed?

Is Port-Scanning Allowed?

The first question we should ask ourselves in this case should be – is this behavior illegal? According to the Wikipedia article “Port-Scanning”: “Because of the inherently open and decentralized architecture of the Internet, lawmakers have struggled since its creation to define legal boundaries that permit effective prosecution of cyber-criminals. Cases involving port scanning activities are an example of the difficulties encountered in judging violations. Although these cases are rare, most of the time the legal process involves proving that an intent to commit a break-in or unauthorized access existed, rather than just the performance of a port scan”

Web port scanning doesn’t necessarily fall under the category of illegal, as the action is conducted to detect breaches and increase the protection level of websites. 

But, for many users this action would be perceived as highly intrusive, one that is being done without their consent. In such cases, the obvious option should be to alert users before the action is done, or at least, update the website’s Terms of Use and Privacy Policy. 

eBay, and other sites mentioned above, are using port-canning capabilities to enhance the security level of the website and to protect their users.
But this same technique can also be used for malicious purposes. For example, an attacker can scan the open services you currently run on the host to detect vulnerabilities that can be exploited, either through the website or, by other means. No matter how you look at it, we mustn’t forget that port scanning is considered as one of the basic steps of accumulating information before conducting an attack. 


As a website owner, am I in danger?

The answer is yes, and no. In the cases mentioned here we saw how eBay is running the port scanning, probably relying that their user will consider it essential and therefore consent. Now let’s go back to the beginning of this article and remember what JavaScripts can do, and that port scanning is conducted by JavaScript. It means that every third-party application, or a 4th-party, that is running on your website can carry out the same actions. It also means that once one of your third or fourth party apps are breached, or even just releasing a new version that is trying to access some local resources, you, as the website owner, won’t be able to know about it, or block it.

The consequences include reputation damages, privacy issues, as well as an indication of a breach.

How can you detect port-scanning? A dynamic browser security solution (like Reflectiz) can easily detect any type of port scanning from the site origins or iFrames. 


We hope you find this article useful.

To learn more about the risks of third-party apps, networking and client-side security, I recommend reading the following articles: Why WAF is not enough and the Risk of Ex-domain Usage


Your Website’s URL.
That’s all we need to keep you protected against the risks your installed third-party apps are creating.
Contact us to get a third-party risk analysis for your website

The post Why and How are Enterprise Companies, Like eBay, Actively Port-scanning End-users’ Computers From Their Websites appeared first on Reflectiz.

*** This is a Security Bloggers Network syndicated blog from Blog – Reflectiz authored by Reflectiz Team. Read the original post at: