Require users to enter a selector type
Problem
Browser-based DAST scans don't require users to enter a selector type when entering a selector. Because DAST does not know whether the selector is an id, a name, a CSS selector or an XPath selector, it searches for the element by id, by name and by the raw value (assuming it is a valid CSS selector).
This causes:
- Noisy and confusing log files, as the log entries contain searches for elements using selectors different from what the user entered
- Presumed performance issues, as the DOM is searched unnecessarily
- Possible accidental return of elements that are not supposed to match, resulting in failed authentication or sub-optimal crawling
This behaviour has been deprecated since 15.8 and should be removed.
Example
Configuring `DAST_SUBMIT_FIELD` to `.submit-button` would cause DAST to search for the selector `css:#.submit-button, [name=".submit-button"], .submit-button`.
Proposal
Require the user to enter a selector type as the prefix of a selector. This could be either `css:`, `id:`, `name:` or `xpath:`.
References
- This has been attempted before, but reverted. See issue #383348 "Require selectors to have a selector type" (closed, Cameron Swords, milestone 15.7) and MR https://gitlab.com/gitlab-org/security-products/analyzers/browserker/-/merge_requests/955.
Implementation plan
- Update the DAST documentation to remove the "None provided" selector type
- `selector.Parse` should return an error when there is no selector type, instead of creating a "search all" `idOrNameOrCSS` selector
- The feature should only be enabled for Browserker 2.0.0 and above (or the version of Browserker that will be released in GitLab 17.0)
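To make the proposal concrete, here is an added Go example (not Browserker's own `selector` package, which is not reproduced on this page) that contrasts the deprecated "search all" expansion from the Example above with a parser that refuses untyped selectors. The `Kind`, `Selector`, `Query` and `LegacyQueries` names, and the use of Go `%q` quoting for the `[name=...]` query, are assumptions made for illustration:

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Kind is the selector type the user must now state explicitly.
type Kind string

const (
	KindCSS   Kind = "css"
	KindID    Kind = "id"
	KindName  Kind = "name"
	KindXPath Kind = "xpath"
)

// Selector is a typed locator for a single DOM lookup (hypothetical type).
type Selector struct {
	Kind  Kind
	Value string
}

// ErrNoSelectorType is returned when the "type:" prefix is missing or unknown.
var ErrNoSelectorType = errors.New("selector must start with css:, id:, name: or xpath:")

// Parse requires a "type:value" prefix and errors otherwise, instead of
// falling back to an id-or-name-or-CSS search. Only the first colon is
// significant, so "xpath://input[@type='submit']" keeps its full value.
func Parse(raw string) (Selector, error) {
	parts := strings.SplitN(raw, ":", 2)
	if len(parts) != 2 {
		return Selector{}, ErrNoSelectorType
	}
	kind := Kind(strings.ToLower(strings.TrimSpace(parts[0])))
	switch kind {
	case KindCSS, KindID, KindName, KindXPath:
		// recognised prefix
	default:
		return Selector{}, fmt.Errorf("%w: got %q", ErrNoSelectorType, parts[0])
	}
	if strings.TrimSpace(parts[1]) == "" {
		return Selector{}, fmt.Errorf("empty selector value in %q", raw)
	}
	return Selector{Kind: kind, Value: parts[1]}, nil
}

// Query returns the single DOM query a typed selector resolves to.
func (s Selector) Query() string {
	switch s.Kind {
	case KindID:
		return "#" + s.Value
	case KindName:
		// %q is Go quoting, used here only to illustrate the attribute match.
		return fmt.Sprintf("[name=%q]", s.Value)
	default: // css and xpath are passed through unchanged
		return s.Value
	}
}

// LegacyQueries reproduces the deprecated behaviour for an untyped selector:
// three lookups (id, name, raw CSS) for one user-supplied value. For
// ".submit-button" this yields the three selectors from the Example above.
func LegacyQueries(raw string) []string {
	return []string{"#" + raw, fmt.Sprintf("[name=%q]", raw), raw}
}

func main() {
	fmt.Println("legacy:", strings.Join(LegacyQueries(".submit-button"), ", "))
	for _, in := range []string{"css:.submit-button", "xpath://input[@type='submit']", ".submit-button"} {
		s, err := Parse(in)
		if err != nil {
			fmt.Printf("%-32s -> error: %v\n", in, err)
			continue
		}
		fmt.Printf("%-32s -> %s query %s\n", in, s.Kind, s.Query())
	}
}
```

With the typed parser an untyped `.submit-button` is rejected up front, so the log shows one query per selector and the crawler never matches an element via an id or name the user did not ask for.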
Edited by Cameron Swords