37 lines
1.2 KiB
YAML
37 lines
1.2 KiB
YAML
id: selenium-exposure
|
|
|
|
info:
|
|
name: Selenium - Node Exposure
|
|
author: w0Tx
|
|
severity: high
|
|
description: |
|
|
Selenium was shown to have an exposed node. If a Selenium node is exposed without any form of authentication, remote command execution could be possible if chromium is configured. By default the port is 4444, still, most of the internet facing are done through reverse proxies.
|
|
reference:
|
|
- https://nutcrackerssecurity.github.io/selenium.html
|
|
- https://labs.detectify.com/2017/10/06/guest-blog-dont-leave-your-grid-wide-open/
|
|
metadata:
|
|
verified: true
|
|
max-request: 1
|
|
shodan-query: "/wd/hub"
|
|
tags: misconfig,selenium,misconfiguration,rce,chromium
|
|
|
|
http:
|
|
- method: GET
|
|
path:
|
|
- "{{BaseURL}}/wd/hub"
|
|
|
|
host-redirects: true
|
|
max-redirects: 2
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
words:
|
|
- 'WebDriverRequest'
|
|
- '<title>WebDriver Hub</title>'
|
|
condition: or
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|
|
# digest: 4b0a00483046022100e8d01ef950283916ecd4b7a51ca1894c38c202a983e026809017a5aedcb0f24c0221008947d091988dbb5004c534962daef5c3ed109e158800d62db4d3e4d1dbafb7d2:922c64590222798bb761d5b6d8e72950 |