Forum Discussion

caisys's avatar
caisys
Icon for Nimbostratus rankNimbostratus
Dec 05, 2020

Unusual requests initiated by /TSPD directory on f5 firewall

I developed a website for a client who deployed it behind an F5 firewall. I noticed that when accessing the site for the fist time the home page is not served. Instead an blank html page with some java script files located in the /TSPD directory.

The javascript initiates requests to common internet sites like dropbox, reddit, twitter. After that it redirects to the original homepage. So for the visitor it is almost transparent but when opening developer tools I can see around 20 requests before loading the home page.

I searched on the net and found that the /TSPD directory is related to anti-bot protection.

Is this normal behavior to initiate such requests? It looks very suspicious. Can the firewall be misconfigured or compromised ?

 

examples of requests:

Request URL: https://twitter.com/login?redirect_after_login=%2Ffavicon.ico

Request URL: https://www.dropbox.com/login?cont=https%3A%2F%2Fwww.dropbox.com%2Fstatic%2Fimages%2Ficons%2Ficon_spacer-vflN3BYt2.gif

Request URL: https://store.steampowered.com/login/?redir=favicon.ico

2 Replies

  • This is normal JavaScript injection used by F5 Adv. WAF to assess a client for the purpose of fingerprinting to determine if it's malicious or legitimate. Fingerprinting comes in two forms: active and passive. Passive fingerprinting doesn't Query the client--it only checks for a list of attributes. Active fingerprinting challenges the client. It can force a client to prove it supports the JavaScript API, execute mathematical challenges, and a range of other tests that verify the client is what it claims to be. Even sophisticated bots cannot fake replies. What you are seeing is the client-side challenge where the browser fingerprinting is occurring. The white page you see is transient and should not cause any performance degradation. The firewall cannot be compromised.