How do I protect the ports that chromedriver use?

by

This INFO message…

Please protect ports used by ChromeDriver and related test frameworks to prevent access by malicious code.

… was the result of a bug which got induced with ChromeDriver v2.46

Analysis

As per the discussion 2.46 produces unexpected debug.log file if verbose logging is enabled, within the InitLogging() function of logging.cc some logging messages were written too early even before logging::InitLogging is called (at the last line of the function). This turned out to be OK on Linux and Mac OS, where the default log destination is where it is expected. But on Windows, the default log destination is a file named debug.log.

So ChromeDriver team needed to remove the two VLOG calls to the end of the method, after calling logging::InitLogging.

This issue was addressed through a commit and the fix was available within ChromeDriver 73.x

Protecting the ports that chromedriver use

There is nothing much we can do about the port usage as @barancev mentions ChromeDriver attempts to find a free Ephemeral port using a system-dependent ephemeral port range detector. An ephemeral port is a short-lived endpoint that is created by the operating system when a program requests any available user port. The operating system selects the port number from a predefined range, typically between 1024 and 65535, and releases the port after the related TCP connection terminates.

By default, the system can create a maximum of approximately 4,000 ephemeral ports that run concurrently on Windows Server 2003 and approximately 16,000 on Windows Server 2008.

Solution

Upgrading to ChromeDriver 73.x will solve this issue.

Outro

These log messages were the reflection of ChromeDriver – Security Considerations.

ChromeDriver is a powerful tool, and it can cause harms in the wrong hands. While using ChromeDriver, please follow these suggestions to help keeping it safe:

  • By default, ChromeDriver only allows local connections. If you need to connect to it from a remote host, use --whitelisted-ips switch on the command line to specify a list of IP addresses that are allowed to connect to ChromeDriver.
  • If possible, run ChromeDriver with a test account that has no access to sensitive local or network data. ChromeDriver should never be run with a privileged account.
  • If possible, run ChromeDriver in a protected environment such as Docker or virtual machine.
  • Use firewall to prevent unauthorized remote connection to ChromeDriver.
  • If you are using ChromeDriver through third-party tools such as Selenium Server, be sure to protect the network ports of those tools as well.
  • Use the latest versions of ChromeDriver and Chrome.

You can find the list of restricted ports on Chrome here.

More Related Contents:

  1. org.openqa.selenium.WebDriverException: chrome not reachable – when attempting to start a new session
  2. WebDriver vs ChromeDriver
  3. java.lang.IllegalStateException: The path to the driver executable must be set by the webdriver.chrome.driver system property
  4. org.openqa.selenium.WebDriverException: unknown error: call function result missing ‘value’
  5. java.lang.IllegalStateException: The driver executable does not exist: while trying to execute tests through Selenium, ChromeDriver and Chrome
  6. org.openqa.selenium.remote.http.ConnectionFailedException: Unable to establish websocket connection Selenium ChromeDriver and Chrome v111
  7. How to mouse hover using java through selenium-webdriver and Java
  8. Set Chrome’s language using Selenium ChromeDriver
  9. Selenium – Basic Authentication via url
  10. Wait for page load in Selenium
  11. How can I ask the Selenium-WebDriver to wait for few seconds in Java?
  12. Cannot resolve constructor FirefoxDriver(org.openqa.selenium.firefox.FirefoxProfile)
  13. How to solve the error “Not a valid XPath expression”
  14. Random “Element is no longer attached to the DOM” StaleElementReferenceException
  15. How to select an item from a dropdown list using Selenium WebDriver with java?
  16. Chrome – org.openqa.selenium.WebDriverException: unknown error: cannot get automation extension at driver.manage().window().maximize();
  17. java.lang.NoSuchMethodError: com.google.common.base.Preconditions.checkState(ZLjava/lang/String;) with Selenium, gradle and ChromeDriver
  18. Using Selenium how to get network request [closed]
  19. Tools for measuring UI Performance [closed]
  20. How to verify element present or visible in selenium 2 (Selenium WebDriver)
  21. How to handle authentication popup in Chrome with Selenium WebDriver using Java
  22. How to Conceal WebDriver in Geckodriver from BotD in Java?
  23. How can I check if an element exists with Selenium WebDriver? [duplicate]
  24. ChromeDriver – Disable developer mode extensions pop up on Selenium WebDriver automation
  25. How to disable push-notifications using Selenium for Firefox and Chrome?
  26. selenium.common.exceptions.SessionNotCreatedException: Message: session not created: This version of ChromeDriver only supports Chrome version 80
  27. Compound class names are not supported error in WebDriver
  28. Exception in thread “main” java.lang.NoSuchMethodError: com.google.common.base.Preconditions.checkState(ZLjava/lang/String;Ljava/lang/Object;)
  29. How to set proxy authentication in PhantomJS using selenium?
  30. Disable Chrome notifications (Selenium)

Leave a Comment