Require selectors to have a selector type

Problem

Browser-based DAST scans don't require users to enter a selector type when entering a selector. Because DAST does not know whether the selector is an id, a name, a css selector or an xpath selector, it searches for the element by id, by name and by the raw value (assuming it is a valid css selector).

This causes:

  • Noisy and confusing log files, as the log entries show searches for elements using selectors different from the one the user entered
  • Presumed performance issues as the DOM is searched unnecessarily
  • Possible accidental return of elements that are not supposed to be returned, confusing the crawler

Example

Configuring DAST_SUBMIT_FIELD to .submit-button causes DAST to search for the element using css:#.submit-button, [name=".submit-button"] and .submit-button.

Proposal

Require the user to enter a selector type as the prefix of a selector. This could be either css:, id:, name: or xpath:.

Implementation plan

  • Update the DAST documentation to indicate that selector type is required
  • Show a message to the user indicating that the type is missing and how to fix it
  • selector.Parse should return an error when there is no selector type, instead of creating a "search all" idOrNameOrCSS selector
  • The feature should only be enabled for Browserker 1.0.0 and above (or the version of Browserker that will be released in GitLab 16.0)
  • If Browserker <1.0.0 is used, log a WARN message that selector types will be required in future versions of DAST
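An added example (not code from the DAST or Browserker projects) of how a strict stand-in for selector.Parse could enforce the type prefix and the version gate described above; the function names, error text and the RequireSelectorType helper are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Selector is a parsed selector with exactly one type; the type is never guessed.
type Selector struct {
	Type  string // "css", "id", "name" or "xpath"
	Value string
}

// ErrMissingType is returned when the user omitted the selector type prefix.
var ErrMissingType = errors.New("selector type is missing")

// Parse is a hypothetical stand-in for selector.Parse as proposed: the value must
// start with css:, id:, name: or xpath:. Only the first colon separates the type, so
// css:input:nth-child(2) and xpath://input[@name='q'] keep their own colons.
func Parse(raw string) (Selector, error) {
	typ, value, found := strings.Cut(raw, ":")
	if !found {
		return Selector{}, fmt.Errorf("%w in %q: prefix it with css:, id:, name: or xpath:", ErrMissingType, raw)
	}
	switch typ {
	case "css", "id", "name", "xpath":
		if value == "" {
			return Selector{}, fmt.Errorf("selector %q has a type but no value", raw)
		}
		return Selector{Type: typ, Value: value}, nil
	}
	// A bare CSS selector such as input:nth-child(2) lands here: its first token is
	// not a known type, so the user gets the same fix-it hint instead of a DOM search.
	return Selector{}, fmt.Errorf("%w: %q in %q is not css, id, name or xpath", ErrMissingType, typ, raw)
}

// RequireSelectorType gates the strict parser on the Browserker version, as the
// implementation plan proposes: required from 1.0.0, a warning only before that.
func RequireSelectorType(browserkerVersion string) bool {
	major, _, _ := strings.Cut(strings.TrimPrefix(browserkerVersion, "v"), ".")
	n, err := strconv.Atoi(major)
	return err == nil && n >= 1
}

func main() {
	_, err := Parse(".submit-button") // the issue's example value, now rejected
	fmt.Println(err)
}
```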
Edited by Cameron Swords