From 2ad1b8599e4747b500f517bd14740c8cc5cd93d3 Mon Sep 17 00:00:00 2001 From: AutomatedTester Date: Wed, 31 Jul 2024 11:59:05 +0100 Subject: [PATCH 1/2] [blog] Secure against SeleniumGreed --- .../protecting-unsecured-selenium-grid.md | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 website_and_docs/content/blog/2024/protecting-unsecured-selenium-grid.md diff --git a/website_and_docs/content/blog/2024/protecting-unsecured-selenium-grid.md b/website_and_docs/content/blog/2024/protecting-unsecured-selenium-grid.md new file mode 100644 index 000000000000..ac1eb12780ed --- /dev/null +++ b/website_and_docs/content/blog/2024/protecting-unsecured-selenium-grid.md @@ -0,0 +1,25 @@ +--- +title: "Protecting unsecured Selenium Grids against SeleniumGreed" +linkTitle: "Protecting unsecured Selenium Grids" +date: 2024-07-31 +tags: ["selenium"] +categories: ["general"] +author: David Burns [@automatedtester](https://www.linkedin.com/in/theautomatedtester/) +description: > + With an ongoing attack, called SeleniumGreed, on Selenium Grids, we recommend you keep your grid secure. +--- + +Over the last week there have been stories going around about crypto miners abusing unsecured Selenium Grids by +injecting code in the session create to download and start up crypto miners. This came out thanks to the work from +Wiz about an attack they have called [SeleniumGreed](https://www.wiz.io/blog/seleniumgreed-cryptomining-exploit-attack-flow-remediation-steps). +This issue can be abused on most versions of Selenium but there appears to be a lot of effort going into abusing +Selenium Grid 3.14. Please upgrade as some of the security items have been added since then. + +Selenium Grid by default doesn't have any authentication as the assumption has always been that we want you to put +this behind a secure network to prevent people from abusing your resources. There are ways that you can secure the grid, +and we have documentation available on how to do this in our [help section](https://www.selenium.dev/documentation/grid/configuration/help/#security). + +Another way to combat this is to use a cloud provider to run your Selenium Grid. We have numerous vendors that sponsor us +so have a look at our [sponsors](https://www.selenium.dev/sponsors/) page. If you need help, after reading the [help section](https://www.selenium.dev/documentation/grid/configuration/help/#security) +please come into our [chat rooms](https://www.selenium.dev/support/#ChatRoom) and we will try guide you through making your +grid more secure. From 50184b7dd177cc3c3151a9cde8ac6f041899ec9e Mon Sep 17 00:00:00 2001 From: AutomatedTester Date: Wed, 31 Jul 2024 14:21:14 +0100 Subject: [PATCH 2/2] explicitly show the security command as well as leaving the link --- .../content/blog/2024/protecting-unsecured-selenium-grid.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/website_and_docs/content/blog/2024/protecting-unsecured-selenium-grid.md b/website_and_docs/content/blog/2024/protecting-unsecured-selenium-grid.md index ac1eb12780ed..de78326cb07e 100644 --- a/website_and_docs/content/blog/2024/protecting-unsecured-selenium-grid.md +++ b/website_and_docs/content/blog/2024/protecting-unsecured-selenium-grid.md @@ -17,7 +17,11 @@ Selenium Grid 3.14. Please upgrade as some of the security items have been added Selenium Grid by default doesn't have any authentication as the assumption has always been that we want you to put this behind a secure network to prevent people from abusing your resources. There are ways that you can secure the grid, -and we have documentation available on how to do this in our [help section](https://www.selenium.dev/documentation/grid/configuration/help/#security). +and we have documentation available on how to do this in our [help section](https://www.selenium.dev/documentation/grid/configuration/help/#security). You can see more details if you run + +``` +java -jar selenium-server-.jar info security +``` Another way to combat this is to use a cloud provider to run your Selenium Grid. We have numerous vendors that sponsor us so have a look at our [sponsors](https://www.selenium.dev/sponsors/) page. If you need help, after reading the [help section](https://www.selenium.dev/documentation/grid/configuration/help/#security)