Hi ZAP Team,
I'm implementing Browser-Based Authentication using the Automation Framework and need help configuring 2-Step Authentication with TOTP. The challenge: my application uses six separate single-digit input fields for the TOTP code instead of a single input.
Authentication Flow:
- Step 1: User enters Username + Password → clicks Submit
- Step 2: Modal appears requesting 6-digit TOTP code

The Constraint: The UI uses six distinct <input> elements (one per digit), not a single field
Technical Details
Input Field Selectors:
| Digit | XPath Selector |
|---|---|
| 1 | `//input[@aria-label='Please enter OTP character 1']` |
| 2 | `//input[@aria-label='Please enter OTP character 2']` |
| 3 | `//input[@aria-label='Please enter OTP character 3']` |
| 4 | `//input[@aria-label='Please enter OTP character 4']` |
| 5 | `//input[@aria-label='Please enter OTP character 5']` |
| 6 | `//input[@aria-label='Please enter OTP character 6']` |
Input Field HTML Structure (if available):
```html
<!-- Please include actual HTML of the TOTP input fields from browser DevTools -->
<input type="text" maxlength="1" aria-label="Please enter OTP character 1" autocomplete="off" />
<!-- ... repeat for characters 2-6 -->
```
Application JavaScript Behavior:
- The application appears to listen for individual keypress/keydown events
- Focus automatically shifts to the next input box after a digit is entered
- Paste functionality may or may not be supported (needs testing)
What I've Tried
Attempt 1: Standard TOTP_FIELD on First Input
```yaml
env:
  contexts:
    - name: Authentication Test
      urls:
        - https://app.dev.com
      includePaths:
        - https://app.dev.com.*
      authentication:
        method: browser
        parameters:
          loginPageUrl: https://app.dev.com/login
          loginPageWait: 2
          browserId: firefox-headless
          diagnostics: True
          steps:
            - description: "Login Auto Steps"
              type: AUTO_STEPS
              timeout: 1000
            # This is where the issue occurs
            - description: "Enter Full TOTP Code"
              type: TOTP_FIELD
              xpath: "//input[@aria-label='Please enter OTP character 1']"
        verification:
          method: "poll"
          pollFrequency: 60
          pollUnits: requests
          pollUrl: "https://app.dev.com/api/v1/clients"
          loggedInRegex: "\\Q 200 OK\\E"
          loggedOutRegex: "\\Q 403 Forbidden\\E"
      sessionManagement:
        method: autodetect
      users:
        - name: testuser
          credentials:
            totp:
              secret: XXXXXXXXXXXXXXX
              period: 30
              digits: 6
              algorithm: SHA1
            username: username
            password: password
```
Result: No value filled in any box. Diagnostic report shows attributeValue:

My Questions
1. Native YAML Support: Is there a way to split the TOTP token across multiple CUSTOM_FIELD steps in Browser-Based Authentication YAML? For example:
```yaml
# Hypothetical - does this work?
- type: CUSTOM_FIELD
  xpath: "//input[@aria-label='Please enter OTP character 1']"
  value: "{totp:0}" # First digit
- type: CUSTOM_FIELD
  xpath: "//input[@aria-label='Please enter OTP character 2']"
  value: "{totp:1}" # Second digit
# ... etc
```
2. Script-Based Workaround: If native support isn't available, could you point me to documentation for:
- A Zest script that generates TOTP and sends individual keystrokes
- A Selenium script integrated with ZAP that handles split-field TOTP
- Using CUSTOM_FIELD with JavaScript execution to dispatch key events
3. Alternative Approaches:
- Would using JavaScript Executor via a script to simulate dispatchEvent(new KeyboardEvent(...)) work?
- Is there a way to configure TOTP_FIELD to send characters individually rather than as a string?
Reproduction Steps
- Configure ZAP with the YAML above
- Run automation framework: zap.sh -cmd -autorun config.yaml
- Observe authentication failure at TOTP step
- Check diagnostic output showing empty field values
Environment Details:
ZAP Version: 2.16.1
Auth Method: Browser-Based (Firefox)
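
Any script-based workaround for the six-box layout needs the current code as six separate characters, one per selector. The sketch below is an added example, not part of the original post and not ZAP's own code: it computes an RFC 6238 code using the post's `period`, `digits` and `algorithm` settings and pairs each digit with the post's XPath pattern. The function names are hypothetical, and the secret is the RFC 6238 test value, used here as constructed sample input.

```python
import base64
import hashlib
import hmac
import struct
import time

# Per-digit selector pattern taken from the post's aria-label values.
XPATH_TEMPLATE = "//input[@aria-label='Please enter OTP character {n}']"


def totp(secret_b32, at=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238 TOTP for a base32 secret; returns a zero-padded string."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped base32 padding
    key = base64.b32decode(cleaned)
    counter = int(time.time() if at is None else at) // period
    digest = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226, section 5.3)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # Keep the result as a string: a leading zero is a real digit for box 1.
    return str(binary % 10 ** digits).zfill(digits)


def split_for_fields(code):
    """Pair each digit with the XPath of the box it belongs in."""
    if not (code.isdigit() and len(code) == 6):
        raise ValueError("expected a 6-digit code")
    return [(XPATH_TEMPLATE.format(n=i), d) for i, d in enumerate(code, start=1)]


def seconds_left(at=None, period=30):
    """Seconds before the current code expires; regenerate if too few remain."""
    now = time.time() if at is None else at
    return period - int(now) % period


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret, not a real credential.
    sample_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    for xpath, digit in split_for_fields(totp(sample_secret, at=1111111109)):
        print(digit, xpath)
```

Filling six boxes takes longer than filling one, so checking `seconds_left()` before typing avoids submitting a code that expires mid-entry.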