DAST/Browserker: User input values not being filled during authentication

A customer reported an issue where DAST can identify and locate the login form selectors but fails to successfully input the username and password values into the fields.

See internal issue for more details.

According to the authentication report, the username and password fields each have an icon positioned on the left side of the respective input fields. Our hypothesis is that these icons may be overlapping the input fields, causing DAST to mistakenly click on the icons rather than the input elements themselves when attempting to enter the credentials.

Possible options that we could consider to help investigate further and resolve this include:

  • Enable the auth report to extract the entire source of the website -
    • We often encounter situations where we don't have access to a customer's site for testing, making it difficult to precisely reproduce a bug or behavior. Enhancing the report to capture not only the DOM but also the full content of the website, including its JavaScript and CSS styling, would improve our ability to troubleshoot and accurately replicate issues.
  • Add a post-validation step after sending keys -
    • We need a way to confirm (for example, through logging) that after DAST sends keys to the input field, the value is actually present in the field as expected.
  • On clicking the top left of the element (e.ClickTopLeft), check that it has focus to make sure we are within the element before entering the input value.
  • Remove e.ClickTopLeft() in internal_element.go through a configuration change/feature flag -
    • This is the current workflow when clearing input fields:
      1. Find the input element and attempt to clear it by calling e.prepareForInput.
      2. e.prepareForInput will scroll to the element, focus on it, then click on the top left to move the cursor to the beginning.
      3. e.sendKeyEvents then sends the home key to move to the beginning of the element, selects the entire field and clears it.
    • With the above in mind, since the key events already move the cursor to the beginning of the field and clear it, the click-top-left action in step 2 is potentially no longer necessary and could be removed.
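As an added illustration of the focus check and the post-validation step proposed above (example code, not part of Browserker or DAST), the snippet below is a page-side diagnostic that could be evaluated in the browser after keys are sent. It hit-tests the same top-left corner that e.ClickTopLeft aims at to see whether another element (such as an icon) sits on top of the input, checks whether the input has focus, and compares the field's value with what was typed. The `document` object is passed in as a parameter so the check can also run against a stub; the selector and offset are hypothetical.

```javascript
// Added example (not from the DAST/Browserker code base).
// Returns a report on the state of a login input after keys were sent to it.
//   doc           - normally `document`; passed in so the check is testable outside a browser
//   selector      - CSS selector of the input DAST located, e.g. '#username'
//   expectedValue - the value DAST attempted to type
//   offset        - pixels inside the top-left corner to hit-test (stays within the box)
function checkLoginInput(doc, selector, expectedValue, offset = 2) {
  const input = doc.querySelector(selector);
  if (!input) {
    return { found: false };
  }
  const rect = input.getBoundingClientRect();
  // Hit-test the corner the click targets. If an icon overlaps the input,
  // elementFromPoint returns the icon rather than the input.
  const hit = doc.elementFromPoint(rect.left + offset, rect.top + offset);
  const hitIsInput = hit === input || (hit !== null && input.contains(hit));
  let hitDescription = 'none';
  if (hit) {
    const cls = hit.getAttribute ? hit.getAttribute('class') : null;
    hitDescription = hit.tagName.toLowerCase() + (cls ? '.' + cls : '');
  }
  return {
    found: true,
    hitIsInput,          // false means the click would land on an overlay, not the field
    hitDescription,      // what is on top, e.g. 'svg.icon', to include in the auth report
    focused: doc.activeElement === input,
    valueMatches: input.value === expectedValue,
    actualValue: input.value,
  };
}

// Point to click instead when the corner is covered: the centre of the input box.
function centerOf(rect) {
  return { x: rect.left + rect.width / 2, y: rect.top + rect.height / 2 };
}
```

In a real run the result object would be logged alongside the existing authentication report so that a mismatch between `actualValue` and the typed credential is visible without access to the customer's site.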