Crucial Issue where Selenium C# API sends 'remote-debugging-port' which is causing security vulnerability
50 views
Skip to first unread message
Amir Tal
Oct 29, 2021, 12:59:51 PM10/29/21
to Selenium Users
Hey all,
We have a product using Selenium c# api which triggers chrome driver (our version is 2.35.528161) to open Chrome browser. Also reproduces on the latest chrome driver and latest selenium webdriver c# api.
We really need your urgent assistance finding a mitigation\solution for that manner.
Thanks in advance
We have a product using Selenium c# api which triggers chrome driver (our version is 2.35.528161) to open Chrome browser. Also reproduces on the latest chrome driver and latest selenium webdriver c# api.
Our product app main goal is to provide a chrome secured and isolated session via a customized website, and then invoking automation commands as the end user pre configured.
As all chrome sessions runs at the same application server,
Once browser opened, end user can enter at the address bar "chrome://version" to find the debugging port and then to just browse "localhost:{debugging port}"
of others user's chrome sessions, and by this way- providing access to sensitive information of other users. This is currently causing a serious security issue within our product.
We would like that the default behavior of Selenium+ Chrome driver won't set up the flag of remote-debugging-port.
So our crucial need is to block the "inspectable pages" console of the debugging port, or to disable\remove the debugging port flag via selenium code and the use of the driver.
We not sure whether the selenium "MUST" use the debugging port or not for its internal use, but we really hope that there is a way to resolve this major issue.
We would like that the default behavior of Selenium+ Chrome driver won't set up the flag of remote-debugging-port.
So our crucial need is to block the "inspectable pages" console of the debugging port, or to disable\remove the debugging port flag via selenium code and the use of the driver.
We not sure whether the selenium "MUST" use the debugging port or not for its internal use, but we really hope that there is a way to resolve this major issue.
We really need your urgent assistance finding a mitigation\solution for that manner.
Thanks in advance
Reply all
Reply to author
Forward
0 new messages