To the filter applied in uBlock Origin added rules to block typical network port scanning scripts on the user's local system. Recall that in May scanning local ports when opening eBay.com. It turned out that this practice is not limited to eBay and many (Citibank, TD Bank, Sky, GumTree, WePay, etc.) apply port scanning of the user's local system when opening their pages, using the code for detecting access attempts from hacked computers provided by the ThreatMetrix service.
In the case of eBay, 14 network ports were tested associated with remote access servers such as VNC, TeamViewer, Anyplace Control, Aeroadmin, Ammy Admin and RDP. Probably checking in progress the presence of traces of malware infection in the system in order to prevent fraudulent purchases using botnets. Scanning can also be used to obtain data for indirect .
Scanning uses a technique based on trying to establish connections to various network ports of the host 127.0.0.1 (localhost) via . The presence of an open network port is determined indirectly based on the difference in the handling of connection errors to active and unused network ports. WebSocket allows you to send only HTTP requests, but such a request for an inactive network port fails immediately, and for an active port only after a while, which takes some time to try to negotiate the connection. In addition, in the case of an inactive port, WebSocket issues a connection error code (ERR_CONNECTION_REFUSED), and in the case of an active one, a connection negotiation error code.
In addition to port scanning, WebSockets can also to attack the systems of web developers running WebSocket handlers for React applications on the local system. An external site can enumerate network ports, determine the presence of such a handler and connect to it. If the developer makes a mistake, the attacker can obtain the contents of the debug data, which may include snippets of sensitive information.
Source: opennet.ru