id: selenium-exposure info: name: Selenium Node exposure author: w0Tx severity: high description: | If a Selenium Node is exposed without any form of authentication, RCE could be possible if chromium is configured. By default the port is 4444, still, most of the internet facing are done through reverse proxies. reference: - https://nutcrackerssecurity.github.io/selenium.html - https://labs.detectify.com/2017/10/06/guest-blog-dont-leave-your-grid-wide-open/ metadata: verified: true shodan-query: "/wd/hub" tags: selenium,misconfiguration,rce,chromium requests: - method: GET path: - "{{BaseURL}}/wd/hub" redirects: true max-redirects: 2 matchers-condition: and matchers: - type: word words: - 'WebDriverRequest' - 'WebDriver Hub' condition: or - type: status status: - 200