Bypassing __jsl_clearance_s Cookie To Scrape CNVDs

CNVD is the Chinese vulnerability enumeration scheme to report the latest cyber threats, very similar to CVEs referenced as the standard in the U.S. Although many CNVDs cross over and map directly to CVE IDs as well, there are high-profile vulnerabilities that are exclusively identified by a CNVD ID, such as Ghostcat CNVD-2020-10487 from March 2020.

The CNVD (China National Vulnerability Database) is an essential data source to gain a broader perspective on reconnaissance. Let’s extract the CNVD data into a more accessible format for further analysis of vulnerabilities special to China.

Scraping the CNVD website ( presents an unexpected barrier. Visiting and clicking around the CNVD website via standard website is fine, but as soon as trying to programmatically access it, the server sends a 521 HTTP response with an odd-looking javascript snippet. WTF?


Opening up Chrome Developer Tools on a regular browser, see that two unique cookies are set:


Now try requesting the URL via curl and include those cookie parameter values in -H 'Cookie: <parameters> header flag, and we pass through to the actual response body content with 200 HTTP response and no further drag.

Searching for this _jsl_clearance_s value on GitHub, it seems that jsl is a common protocol utilized by Chinese government websites to block automated crawlers.

The above snippet is the first of two javascript challenges, which only serves as a redirect to the second, heftier challenge. The true values of the jsl cookie parameters are set by the server on the second challenge. There are three sets of cookie generation methods depending on the incoming ha parameter: md5, sha1, sha256.

There are two ways to bypass this cookie generation, and we’ll focus on the second.

Method A - Manual (More Complex, More Fun?):

De-obfuscate the series of two javascript challenges to evaluate passing values for __jsluid_s and _jsl_clearance_s cookie parameters. This is a stimulating analysis in obfuscation and replay as a script, very similar to a CTF.


The second javascript challenge example is de-obfuscated as:

function hash(_0x4c5001) {
  function _0x435850(_0x4140cb, _0x295d35) {
    return ((_0x4140cb & 2147483647) + (_0x295d35 & 2147483647)) ^ (_0x4140cb & 2147483648) ^ (_0x295d35 & 2147483648);

  function _0x14c120(_0x426a20) {
    var _0x5800e2 = '0123456789abcdef';
    var _0x56d447 = '';

    for (var _0xa2c5f9 = 7; _0xa2c5f9 >= 0; _0xa2c5f9--) {
      _0x56d447 += _0x5800e2['charAt']((_0x426a20 >> (_0xa2c5f9 * 4)) & 15);

    return _0x56d447;

  function _0x1e6823(_0x31dad7) {
    var _0x241c41 = ((_0x31dad7['length'] + 8) >> 6) + 1,
      _0x5e5f03 = new Array(_0x241c41 * 16);

    for (var _0x3cede4 = 0; _0x3cede4 < _0x241c41 * 16; _0x3cede4++) {
      _0x5e5f03[_0x3cede4] = 0;

    for (_0x3cede4 = 0; _0x3cede4 < _0x31dad7['length']; _0x3cede4++) {
      _0x5e5f03[_0x3cede4 >> 2] |= _0x31dad7['charCodeAt'](_0x3cede4) << (24 - (_0x3cede4 & 3) * 8);

    _0x5e5f03[_0x3cede4 >> 2] |= 128 << (24 - (_0x3cede4 & 3) * 8);
    _0x5e5f03[_0x241c41 * 16 - 1] = _0x31dad7['length'] * 8;
    return _0x5e5f03;

  function _0x57037a(_0x208397, _0x4325e4) {
    return (_0x208397 << _0x4325e4) | (_0x208397 >>> (32 - _0x4325e4));

  function _0x313eac(_0x365ce3, _0x2c7ea3, _0x275dcd, _0x1c06fe) {
    if (_0x365ce3 < 20) {
      return (_0x2c7ea3 & _0x275dcd) | (~_0x2c7ea3 & _0x1c06fe);

    if (_0x365ce3 < 40) {
      return _0x2c7ea3 ^ _0x275dcd ^ _0x1c06fe;

    if (_0x365ce3 < 60) {
      return (_0x2c7ea3 & _0x275dcd) | (_0x2c7ea3 & _0x1c06fe) | (_0x275dcd & _0x1c06fe);

    return _0x2c7ea3 ^ _0x275dcd ^ _0x1c06fe;

  function _0x5b63dc(_0x3aec64) {
    return _0x3aec64 < 20 ? 1518500249 : _0x3aec64 < 40 ? 1859775393 : _0x3aec64 < 60 ? -1894007588 : -899497514;

  var _0x425cb1 = _0x1e6823(_0x4c5001);

  var _0x1e576b = new Array(80);

  var _0xb1c509 = 1732584193;

  var _0x5039fb = -271733879;

  var _0x117199 = -1732584194;

  var _0x5a4fb9 = 271733878;

  var _0x45e7bf = -1009589776;

  for (var _0x54a2c4 = 0; _0x54a2c4 < _0x425cb1['length']; _0x54a2c4 += 16) {
    var _0x34ca2e = _0xb1c509;
    var _0x1f9ad0 = _0x5039fb;
    var _0x5a63ff = _0x117199;
    var _0x559733 = _0x5a4fb9;
    var _0x35bdf3 = _0x45e7bf;

    for (var _0x9ec6e0 = 0; _0x9ec6e0 < 80; _0x9ec6e0++) {
      if (_0x9ec6e0 < 16) {
        _0x1e576b[_0x9ec6e0] = _0x425cb1[_0x54a2c4 + _0x9ec6e0];
      } else {
        _0x1e576b[_0x9ec6e0] = _0x57037a(_0x1e576b[_0x9ec6e0 - 3] ^ _0x1e576b[_0x9ec6e0 - 8] ^ _0x1e576b[_0x9ec6e0 - 14] ^ _0x1e576b[_0x9ec6e0 - 16], 1);

      t = _0x435850(
        _0x435850(_0x57037a(_0xb1c509, 5), _0x313eac(_0x9ec6e0, _0x5039fb, _0x117199, _0x5a4fb9)),
        _0x435850(_0x435850(_0x45e7bf, _0x1e576b[_0x9ec6e0]), _0x5b63dc(_0x9ec6e0))
      _0x45e7bf = _0x5a4fb9;
      _0x5a4fb9 = _0x117199;
      _0x117199 = _0x57037a(_0x5039fb, 30);
      _0x5039fb = _0xb1c509;
      _0xb1c509 = t;

    _0xb1c509 = _0x435850(_0xb1c509, _0x34ca2e);
    _0x5039fb = _0x435850(_0x5039fb, _0x1f9ad0);
    _0x117199 = _0x435850(_0x117199, _0x5a63ff);
    _0x5a4fb9 = _0x435850(_0x5a4fb9, _0x559733);
    _0x45e7bf = _0x435850(_0x45e7bf, _0x35bdf3);

  return _0x14c120(_0xb1c509) + _0x14c120(_0x5039fb) + _0x14c120(_0x117199) + _0x14c120(_0x5a4fb9) + _0x14c120(_0x45e7bf);

function go(_0x29f20f) {
  function _0x182a8f() {
    var _0x8108a = window['navigator']['userAgent'],
      _0x1fe249 = ['Phantom'];

    for (var _0x3df012 = 0; _0x3df012 < _0x1fe249['length']; _0x3df012++) {
      if (_0x8108a['indexOf'](_0x1fe249[_0x3df012]) != -1) {
        return true;

    if (
      window['callPhantom'] ||
      window['_phantom'] ||
      window['Headless'] ||
      window['navigator']['webdriver'] ||
      window['navigator']['__driver_evaluate'] ||
    ) {
      return true;

  if (_0x182a8f()) {

  var _0x4aaf18 = new Date();

  function _0x576300(_0x448fbe, _0x4e13f6) {
    var _0x525945 = _0x29f20f['chars']['length'];

    for (var _0x32092d = 0; _0x32092d < _0x525945; _0x32092d++) {
      for (var _0x34f5bc = 0; _0x34f5bc < _0x525945; _0x34f5bc++) {
        var _0x25ad02 = _0x4e13f6[0] + _0x29f20f['chars']['substr'](_0x32092d, 1) + _0x29f20f['chars']['substr'](_0x34f5bc, 1) + _0x4e13f6[1];

        if (hash(_0x25ad02) == _0x448fbe) {
          return [_0x25ad02, new Date() - _0x4aaf18];

  var _0x45e298 = _0x576300(_0x29f20f['ct'], _0x29f20f['bts']);

  if (_0x45e298) {
    var _0x8fbb8a;

    if (_0x29f20f['wt']) {
      _0x8fbb8a = parseInt(_0x29f20f['wt']) > _0x45e298[1] ? parseInt(_0x29f20f['wt']) - _0x45e298[1] : 500;
    } else {
      _0x8fbb8a = 1500;

    setTimeout(function () {
      document['cookie'] = _0x29f20f['tn'] + '=' + _0x45e298[0] + ';Max-age=' + _0x29f20f['vt'] + '; path = /';
      location['href'] = location['pathname'] + location['search'];
    }, _0x8fbb8a);
  } else {

  bts: ['1607495990.867|0|Gfh', '2B3jKT0cuo40VLe9fsSYDoZs%3D'],
  chars: 'bIFUQEMKOTUbSsQ%UqkAAb',
  ct: 'eb2afeea2ca7fde4a77c8a452fc6642d052ca882',
  ha: 'sha1',
  tn: '__jsl_clearance_s',
  vt: '3600',
  wt: '1500'

Method B - Headless Chrome:

Simulating an actual user, headless Google Chrome automatically evaluates the javascript challenges to pass the proper jsl cookie parameters to our scraper script.

Couple nuances with this method, though. The javascript challenge embeds a tripwire to expose crawlers with the following javascript, as de-obfuscated here:

function _0xa5b8cd() {
  var _0x5ddf29 = window['navigator']['userAgent'],
    _0x15ad8f = ['Phantom'];

  for (var _0x152237 = 0; _0x152237 < _0x15ad8f['length']; _0x152237++) {
    if (_0x5ddf29['indexOf'](_0x15ad8f[_0x152237]) != -1) {
      return true;

  if (
    window['callPhantom'] ||
    window['_phantom'] ||
    window['Headless'] ||
    window['navigator']['webdriver'] ||
    window['navigator']['__driver_evaluate'] ||
  ) {
    return true;

if (_0xa5b8cd()) {

As shown in above snippet, simply spoofing a User-Agent value will not suffice. The jsl challenge script will attempt to pop window["navigator"]["webdriver"] to expose the headless agent. When configuring chromedp, modify navigator.webdriver as follows to proceed:

chromedp.ActionFunc(func(cxt context.Context) error {
    _, err := page.AddScriptToEvaluateOnNewDocument("Object.defineProperty(navigator, 'webdriver', { get: () => false, });").Do(cxt)

Although this was enough to gain access to the CNVD website, it is useful to have additional bypass options prepared to emulate an actual user’s browser agent. Here’s an extended list of potential chromedp flags to attempt evading detection and making headless Chrome undetectable:

chromedp.Flag("disable-infobars", true),
chromedp.Flag("excludeSwitches", "enable-automation"),
chromedp.Flag("disable-background-networking", true),
chromedp.Flag("enable-features", "NetworkService,NetworkServiceInProcess"),
chromedp.Flag("disable-background-timer-throttling", true),
chromedp.Flag("disable-backgrounding-occluded-windows", true),
chromedp.Flag("disable-breakpad", true),
chromedp.Flag("disable-client-side-phishing-detection", true),
chromedp.Flag("disable-default-apps", true),
chromedp.Flag("disable-dev-shm-usage", true),
chromedp.Flag("disable-extensions", true),
chromedp.Flag("disable-features", "site-per-process,TranslateUI,BlinkGenPropertyTrees"),
chromedp.Flag("disable-hang-monitor", true),
chromedp.Flag("disable-ipc-flooding-protection", true),
chromedp.Flag("disable-popup-blocking", true),
chromedp.Flag("disable-prompt-on-repost", true),
chromedp.Flag("disable-renderer-backgrounding", true),
chromedp.Flag("disable-sync", true),
chromedp.Flag("force-color-profile", "srgb"),
chromedp.Flag("metrics-recording-only", true),
chromedp.Flag("safebrowsing-disable-auto-update", true),
chromedp.Flag("enable-automation", true),
chromedp.Flag("password-store", "basic"),
chromedp.Flag("use-mock-keychain", true),

The full CNVD scraper script (in Go) is shared on GitHub: daehee/cnvd