Merge pull request #4474 from projectdiscovery/selenium-exposure

Create selenium-exposure.yaml

misconfiguration/selenium-exposure.yaml

@@ -0,0 +1,31 @@
+id: selenium-exposure
+
+info:
+  name: Selenium Node exposure
+  author: w0Tx
+  severity: high
+  description: |
+    If a Selenium Node is exposed without any form of authentication, RCE could be possible if chromium is configured. By default the port is 4444, still, most of the internet facing are done through reverse proxies.
+  reference:
+    - https://nutcrackerssecurity.github.io/selenium.html
+    - https://labs.detectify.com/2017/10/06/guest-blog-dont-leave-your-grid-wide-open/
+  tags: selenium,misconfiguration,rce,chromium
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/wd/hub"
+
+    redirects: true
+    max-redirects: 2
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'WebDriverRequest'
+          - '<title>WebDriver Hub</title>'
+        condition: or
+
+      - type: status
+        status:
+          - 200