Selenium - Node Exposure

By kannthu

High
Vidoc Module
#selenium #misconfiguration #rce #chromium
Description

What is "Selenium - Node Exposure"?

The "Selenium - Node Exposure" module is designed to detect misconfigurations in Selenium nodes. Selenium is a popular automation testing framework used for web application testing. This module specifically targets the Selenium nodes that are exposed without any form of authentication. The severity of this vulnerability is classified as high.

This module was authored by w0Tx.

Impact

If a Selenium node is exposed without authentication, it can potentially lead to remote command execution. This vulnerability is particularly critical if the Selenium node is configured with Chromium. By default, the Selenium node listens on port 4444, but most internet-facing instances are typically protected by reverse proxies.

How does the module work?

The "Selenium - Node Exposure" module works by sending an HTTP GET request to the "/wd/hub" path of the target. It then applies matching conditions to determine if the Selenium node is exposed.

The matching conditions for this module are as follows:

- The response body must contain the words "WebDriverRequest" and "<title>WebDriver Hub</..." (shown truncated in the module preview).
- The response status code must be 200.

If both matching conditions are met, the module identifies the presence of an exposed Selenium node.

Here is an example of the HTTP request sent by the module:

GET /wd/hub

The module checks whether the response body contains the words "WebDriverRequest" and "<title>WebDriver Hub</..." (shown truncated in the module preview). It also verifies that the response status code is 200.
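The check described above, written as a small Python audit for Selenium hosts you operate (an added example, not the Vidoc module's own code). The host names, sample bodies and the extra "auth-required" and "unreachable" labels are assumptions, and the second word is matched only up to where the page truncates it.

```python
import urllib.error
import urllib.request

# Words from the module preview. The page truncates the second one
# ("<title>WebDriver Hub</..."), so only the visible part is matched.
REQUIRED_WORDS = ("WebDriverRequest", "<title>WebDriver Hub</")

def classify(status, body):
    """Apply the module's conditions: status 200 AND every word in the body."""
    if status is None:
        return "unreachable"            # label added for this example
    if status in (401, 403):
        return "auth-required"          # label added for this example
    if status == 200 and all(word in body for word in REQUIRED_WORDS):
        return "exposed"
    return "no-match"

def fetch(base_url, timeout=5):
    """GET <base_url>/wd/hub and return (status, body); (None, '') on failure."""
    url = base_url.rstrip("/") + "/wd/hub"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:   # 4xx/5xx still carry a status
        return err.code, err.read(65536).decode("utf-8", "replace")
    except OSError:                         # URLError, timeouts, refused
        return None, ""

def audit(inventory, fetcher=fetch):
    """Classify every base URL in an inventory of hosts you operate."""
    return {base: classify(*fetcher(base)) for base in inventory}

# Constructed responses (not captured from real hosts), keyed by made-up URLs.
SAMPLES = {
    "http://grid-a.example.internal:4444": (
        200, "<html><head><title>WebDriver Hub</title></head>"
             "<body>WebDriverRequest</body></html>"),
    "https://grid-b.example.internal": (200, "<html><title>Sign in</title></html>"),
    "https://grid-c.example.internal": (401, "Unauthorized"),
    "http://grid-d.example.internal:4444": (None, ""),
}

if __name__ == "__main__":
    # Offline demonstration: the fetcher is replaced by the constructed samples.
    for base, verdict in audit(SAMPLES, fetcher=SAMPLES.get).items():
        print(f"{verdict:14} {base}")
```

Any host reported as "exposed" answers /wd/hub without authentication and should be moved behind an authenticating proxy or restricted at the network layer.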

For more information, please refer to the official documentation.

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /wd/hub
Matching conditions
word: WebDriverRequest, <title>WebDriver Hub</... and
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability