From 0c5b2efe65c4d99382546d1fda1bf18ef5ea6001 Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Tue, 24 May 2022 00:51:42 +0530 Subject: [PATCH 1/2] Create selenium-exposure.yaml --- misconfiguration/selenium-exposure.yaml | 31 +++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 misconfiguration/selenium-exposure.yaml diff --git a/misconfiguration/selenium-exposure.yaml b/misconfiguration/selenium-exposure.yaml new file mode 100644 index 0000000000..475488a7c4 --- /dev/null +++ b/misconfiguration/selenium-exposure.yaml @@ -0,0 +1,31 @@ +id: selenium-exposure + +info: + name: Selenium Node exposure + author: w0Tx + severity: high + description: | + If a Selenium Node is exposed without any form of authentication, RCE could be possible if chromium is configured. By default the port is 4444, still, most of the internet facing are done through reverse proxies. + reference: + - https://nutcrackerssecurity.github.io/selenium.html + - https://labs.detectify.com/2017/10/06/guest-blog-dont-leave-your-grid-wide-open/ + tags: selenium,misconfiguration,rce,chromium + +requests: + - method: GET + path: + - "{{BaseURL}}/wd/hub" + + redirects: true + max-redirects: 2 + matchers-condition: and + matchers: + - type: word + words: + - 'WebDriverRequest' + - 'WebDriver Hub' + condition: or + + - type: status + status: + - 200 From 3cd7bf4c5aa3859dfea161990967c8b5027b17cb Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Tue, 24 May 2022 00:53:21 +0530 Subject: [PATCH 2/2] Update selenium-exposure.yaml --- misconfiguration/selenium-exposure.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misconfiguration/selenium-exposure.yaml b/misconfiguration/selenium-exposure.yaml index 475488a7c4..f9c01b9f86 100644 --- a/misconfiguration/selenium-exposure.yaml +++ b/misconfiguration/selenium-exposure.yaml 
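Review bot: The request probes only `{{BaseURL}}/wd/hub` and the word matcher keys on the hub landing page strings (`WebDriverRequest`, `WebDriver Hub`), so a positive match confirms a reachable Selenium Grid hub, not an exposed node running Chromium as `name` and `description` state; `name: Selenium Grid hub exposure` would describe what the template actually detects. The `description` also reads awkwardly and presumably means that most internet-facing deployments sit behind a reverse proxy; since it is a single paragraph, `description: >-` with a reworded sentence such as `Selenium Grid hub reachable without authentication; remote code execution may be possible if a Chromium node is attached. The default port is 4444, but internet-facing instances are usually fronted by a reverse proxy.` fits better than a literal block that keeps a trailing newline. A 200 plus those strings only shows the endpoint answered without an auth challenge on this path, so the finding should be read as endpoint exposure that warrants confirming node configuration rather than as established RCE.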
@@ -6,7 +6,7 @@ info: severity: high description: | If a Selenium Node is exposed without any form of authentication, RCE could be possible if chromium is configured. By default the port is 4444, still, most of the internet facing are done through reverse proxies. - reference: + reference: - https://nutcrackerssecurity.github.io/selenium.html - https://labs.detectify.com/2017/10/06/guest-blog-dont-leave-your-grid-wide-open/ tags: selenium,misconfiguration,rce,chromium