2022-05-23 19:21:42 +00:00
id : selenium-exposure
info :
name : Selenium Node exposure
author : w0Tx
severity : high
description : |
If a Selenium Node is exposed without any form of authentication, RCE could be possible if chromium is configured. By default the port is 4444, still, most of the internet facing are done through reverse proxies.
2022-05-23 19:23:21 +00:00
reference :
2022-05-23 19:21:42 +00:00
- https://nutcrackerssecurity.github.io/selenium.html
- https://labs.detectify.com/2017/10/06/guest-blog-dont-leave-your-grid-wide-open/
2022-05-23 19:27:09 +00:00
metadata :
verified : true
shodan-query : "/wd/hub"
2022-05-23 19:21:42 +00:00
tags : selenium,misconfiguration,rce,chromium
requests :
- method : GET
path :
- "{{BaseURL}}/wd/hub"
redirects : true
max-redirects : 2
matchers-condition : and
matchers :
- type : word
words :
- 'WebDriverRequest'
- '<title>WebDriver Hub</title>'
condition : or
- type : status
status :
- 200