Home > Uncategorized > Understanding F5 “bobcmn” Javascript detection

Understanding F5 “bobcmn” Javascript detection

F5-Networks-Logo

If you’ve seen a response like this from a website;

(function(){
var securemsg;
var dosl7_common;

window[“bobcmn”] = “1111101010101020000000220000000520000000021f86dd03200000096300000000300000000300000006/TSPD/300000008TSPD_101300000005https200000000200000000”;

window.aht=!!window.aht;try{(function(){try{var __,i_,j_=1,o_=1,z_=1,s_=1,S_=1,Ji=1,li=1;for(var oi=0;oi_j;if(l)return OI(!1);l=Ij&&ij+lj<_;l=OI(l);ij=_;Ij||(Ij=!0,Jj(function(){Ij=!1},1));return l}oj();var zj=[17795081,27611931586,1558153217];
function Zj(_){_="string"===typeof _?_:_.toString(36);var l=window[_];if(!l.toString)return;var O=""+l;window[_]=function(_,O){Ij=!1;return l(_,O)};window[_].toString=function(){return O}}for(var sj=0;sj<zj.length;++sj)Zj(zj[sj]);OI(!1!==window.aht);
(function Sj(){if(!oj())return;var l=!1;function O(l){for(var z=0;l–;)z+=Z(document.documentElement,null);return z}function Z(l,z){var O="vi";z=z||new s;return O_(l,function(l){l.setAttribute("data-"+O,z.Zz());return Z(l,z)},null)}function s(){this.jo=1;this.io=0;this.Sj=this.jo;this.c=null;this.Zz=function(){this.c=this.io+this.Sj;if(!isFinite(this.c))return this.reset(),this.Zz();this.io=this.Sj;this.Sj=this.c;this.c=null;return this.Sj};this.reset=function(){this.jo++;this.io=0;this.Sj=this.jo}}
var S=!1;function z(l,z){if(!oj())return;var O=document.createElement(l);z=z||document.body;z.appendChild(O);O&&O.style&&(O.style.display="none");oj()}function J_(z,O){if(!oj())return;O=O||z;var Z="|";function s(l){l=l.split(Z);var z=[];for(var O=0;O<l.length;++O){var S="",I_=l[O].split(",");for(var J_=0;J__}
function J(_){var l=arguments.length,O=[];for(var Z=1;Z>b>>0};

})();

/TSPD/088481ad69ab2000b270b96268cc0e553e2472504e457123c9fbd2b9bab56ec1bcd49acbc8338cd8?type=7
Please enable JavaScript to view the page content.

Then you’ve been blocked by F5 Network’s Javascript detection, and unless your next requests have the correct Cookies, then you’ll be dumped back to this page. The cookies are IP and time specific.

Now, you can try and pick through the javascript, (please leave a comment, if you find anything), or you can use PhantomJS to execute the front page, and return the cookies, with a script such as;

var page = require(‘webpage’).create();
page.open(‘https://www.somewebsite.com&#8217;, function(status) {
setInterval(function(){
if (phantom.cookies.length > 0)
{
var strCookie = “”;
for(var i in phantom.cookies)
{
var cookie = phantom.cookies[i];
strCookie += cookie.name + “=” + cookie.value + “;”;
}
console.log(strCookie);
phantom.exit();
}
},1000);
});

This script will write our the required cookies, which must then be sent along with any subsequent requests. Note that the cookies are limited by time and IP, so you need to make the subsequent request from the same IP address as PhantomJS.

Advertisements
Categories: Uncategorized
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s