Require selectors to have a selector type
Problem
Browser-based DAST scans don't require users to state a selector type when entering a selector. Not knowing whether the selector is an id, a name, a CSS selector or an XPath selector, DAST searches for it by id, by name and as-is (assuming it is a valid CSS selector).
This causes:
- Noisy and confusing log files, because the log entries show searches for elements using selectors different from the one the user entered
- Presumed performance issues, as the DOM is searched unnecessarily
- Possible accidental matches of elements that were never meant to be returned, confusing the crawler
Example
Configuring the DAST_SUBMIT_FIELD to .submit-button would cause DAST to search for the selector css:#.submit-button, [name=".submit-button"], .submit-button.
Proposal
Require the user to enter a selector type as the prefix of a selector. This could be either css:, id:, name: or xpath:.
Implementation plan
- Update the DAST documentation to indicate that the selector type is required
- Show a message to the user indicating that the type is missing and how to fix it
- selector.Parse should return an error when there is no selector type, instead of creating a "search all" idOrNameOrCSS selector
- The feature should only be enabled for Browserker 1.0.0 and above (or the version of Browserker that will be released in GitLab 16.0)
- If Browserker <1.0.0 is used, log a WARN message that selector types will be required in future versions of DAST
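As an added sketch of the plan above (not Browserker's or DAST's own code), the strict parser and the version-gated rollout in Go; ParseSelector, RequiresSelectorType and ParseForVersion are hypothetical names, and the version check assumes a plain major.minor.patch string.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Selector is a parsed selector with an explicit type: "css", "id", "name" or "xpath".
type Selector struct {
	Type, Value string
}

// ErrMissingType is returned when a selector carries no recognised type prefix.
var ErrMissingType = errors.New(`missing selector type: prefix with "css:", "id:", "name:" or "xpath:"`)
var validTypes = map[string]bool{"css": true, "id": true, "name": true, "xpath": true}

// ParseSelector (hypothetical name) is the proposed strict behaviour: the prefix is mandatory
// and an untyped selector is an error, not an idOrNameOrCSS "search all" selector.
func ParseSelector(raw string) (Selector, error) {
	typ, value, found := strings.Cut(raw, ":") // first ':' only, so XPath/CSS values may contain ':'
	typ = strings.ToLower(typ)
	if !found || !validTypes[typ] {
		return Selector{}, fmt.Errorf("%q: %w", raw, ErrMissingType)
	}
	if value == "" {
		return Selector{}, fmt.Errorf("%q: empty selector after %q", raw, typ+":")
	}
	return Selector{Type: typ, Value: value}, nil
}

// RequiresSelectorType reports whether a Browserker version (major.minor.patch) is 1.0.0 or newer.
func RequiresSelectorType(version string) bool {
	var major, minor, patch int
	if _, err := fmt.Sscanf(version, "%d.%d.%d", &major, &minor, &patch); err != nil {
		return true // unparseable version: fail closed and require the prefix
	}
	return major >= 1
}

// ParseForVersion applies the rollout plan: strict for >= 1.0.0; older versions still get
// the legacy idOrNameOrCSS selector for an untyped input, but warn() is called.
func ParseForVersion(raw, version string, warn func(string)) (Selector, error) {
	sel, err := ParseSelector(raw)
	if err == nil || !errors.Is(err, ErrMissingType) || RequiresSelectorType(version) {
		return sel, err
	}
	warn(fmt.Sprintf("selector %q has no type; selector types will be required in future versions of DAST", raw))
	return Selector{Type: "idOrNameOrCSS", Value: raw}, nil
}
```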
Edited by Cameron Swords