Ask HN: Why does the US Visa application website do a port-scan of my network?
31 comments
·August 20, 2025edarchis
Visa application is riddled with scams. From the simple website that charges you twice the price to websites that will tell you that you were rejected and then fake your documents to get in with your name. So they're probably trying to see that you're not one of those web servers, a proxy for them or detect some known C2 channels.
testdelacc1
Another data point - 5he Indian visa system is similar. The official website ending in .gov.in, which is hard to find, offers a visa for $10 and minimal hassle. The scam websites, with better SEO sell the same shit for $80. They’re just proxying your application to the real website and pocketing the difference.
It would be good if the Indian government could block the scammers but I guess it’s a lower priority for the moment.
null
jaimehrubiks
This is a very clever answer.
M95D
I'm using uMatrix and it blocks by default all connections outside the requested site and parent domains. For example, if I request https://mail.yahoo.com, connections to yimg.com are blocked. I need to manually allow each CDN for each website, so this attack/profiling won't work.
Using uMatrix was very annoying at first, most websites are broken without their CDNs, but after a few months or so, the whitelist grew and it contains 90% of websites I visit.
On my system https://ceac.state.gov/genniv/ tries to connect to captcha.com, google-analytics, googletagmanager, 127.0.0.1 and "burp" (a local hostname that doesn't exist in my network). Interestigly, the browser console doesn't list connection attempts to localhost or burp. If I allow 127.0.0.1 and "tcpdump -i lo", I see connections to port 8888, which isn't open.
noja
How does uMatrix handle the Facebook tracking pixel, or the replacement which is the Conversions API Gateway?
This is a container that FB gives you to host that lives under your domain (it can be your main domain) that slurps up user data and sends it to Facebook from the server side. You embed some JS in your website, and they hoover up the data.
quietfox
It seems to try to check if you are using the Burp Suite on their web application.
samsonradu
How does it manage to hide the requests to 127.0.0.1 from the network tab?
M95D
I have no ideea. Possibly that's a limitation of Chrome+Firefox developer tools (I get the feeling it's the same code)?
But I found what "burp" is: https://portswigger.net/burp/communitydownload
culturestate
It seems like they only make the localhost requests on your first visit. If you open devtools in incognito mode (or just clear the cookies) before accessing https://ceac.state.gov/genniv/ you should see those 127.0.0.1 attempts as blocked in the network tab.
worthless-trash
The requests are not made, because some operating systems prevent this.
If you're on OSX, the permission to "discover on the local network" prevents it from happening ( System Settings -> Privacy & Security -> Local Network -> yourbrowser )
Could also be 'network' permissions on firefox ( Go to Settings > Privacy & Security > Permissions ) which is on a per site level, but iirc that could be set site-wide at some point.
The other browsers likely have similar configs, but this is what I have found.
thaumasiotes
> On my system https://ceac.state.gov/genniv/ tries to connect to captcha.com, google-analytics, googletagmanager, 127.0.0.1 and "burp" (a local hostname that doesn't exist in my network).
That will be this burp: https://portswigger.net/burp/documentation/desktop/tools/pro...
Sounds like they don't want you to analyze their site.
galaxy_gas
Many sites do it .Included in many standard device fingerprinting / anti anonymity SAAS. Ebay facebook etc all do this ! But it looks this is first party to prevent the adblocking of them
1MB of obfuscated fingerprinting + portscan + Webgl . But oddity this one is trying to find burp suite specific route's.
meitham
Madness! How do I harden my network against that?
ale42
You should actually harden your browser or PC... to block any unwanted requests. Apparently some browser extensions can do that.
bawolff
Chrome is already in the process of killing it https://developer.chrome.com/blog/local-network-access
vaylian
> Blocks malicious websites from port-scanning your computer/network
How does that work? A browser extension can't influence how your router and other machines in your network react to incoming requests.
ale42
As far as I understand it, it is supposed to be a scan done by the browser on the user's computer, not an external scan, which a browser extension wouldn't be able to detect.
bawolff
Hopefully should soon be a thing of the past with https://developer.chrome.com/blog/local-network-access
Mashimo
Judging just from the screenshots, it seems it blocks websites from accessing 127.0.0.1 get requests. Not a port scan to the outside, more of what do you have running on the local machine inside your network.
est
but it can hook javascript methods before that scan can happen.
slyall
Be careful your security tool isn't producing false positives.
I remember years back when people would run these firewalls and we'd get complaints from home users about normal traffic.
Thinks like complaints our mail servers was scanning them on port 25 when they sent email.
asimovDev
Embarrassed to say that I wasn't aware of this practice. Are there malicious uses for this beyond fingerprinting?
asimovDev
https://files.catbox.moe/g1bejn.png
When I visit the site from Safari on macOS I see this in the console. Are there any particular services that use port 8888 for the website to do this?
Maxious
Perhaps to avoid people using misconfigured open proxies https://en.wikipedia.org/wiki/Open_proxy
Like a less sophisticated Tor/VPN that is easily detected by port scans
LoadingXD
is it true visa and paypal are able to mkae you unable to buy games on steam?
trod1234
Capturing forensic artifacts of the local network allows a building a bridge strategy for identifying fraudulent networks without requiring knowledge of the path taken from destination to recipient. Other local devices do this and send the network map during a phone home, allowing comparison to a source of truth that is tied almost directly to the person, or group of people.
There is also a lot of fingerprintable material within such a port scan from clock skew, TCP ISN, and a few other areas.
You can sieve this quite easily with this available, thanks to Roku's, Phone's, and other things doing this while just sitting locally in a shared collision domain (a digital soldier quartered in every home).
The metadata node graph of devices locally acts as a unique fingerprint once in RFC1918 space, technically not unique but close enough.
kolla
My biggest grief with that site is that it's like something from the 90s.
thrown-0825
Yeah it should have a fixed header and footer along with a pop-up consent drawer so you can only see 10% of the actual site content.
So much better.
Modern web design is a joke.
bhaney
As something from the 90s myself, I find this rude.
danw1979
The 1990s web was actually good
I have recently installed this extension on FF: https://addons.mozilla.org/en-US/firefox/addon/port-authorit... and yesterday I visited this website: https://ceac.state.gov/genniv/ and I got a notification that the website tried to do a port-scan of my private network.
Is this a common thing? I have just recently installed the extension, so I am not sure if there are a lot of other websites who do it.
Since looking into it, I noticed that uBlock Origin already has the default list "Block Outsider Intrusion into LAN" but it wasn't enabled.