MFA Authentication


Lisa Bhas

Apr 3, 2025, 3:05:53 AM
to ZAP User Group
Question: How to Use Selenium Script for MFA Authentication in ZAP with AJAX Spider?

Hey everyone,

I'm working on scanning a web application that requires Multi-Factor Authentication (MFA) using ZAP's AJAX Spider. Since the app uses username, password, and a TOTP (Time-Based One-Time Password), I plan to automate authentication using Selenium.

My Plan So Far:
  1. Write a Selenium script in Python to:
    • Open the login page
    • Enter the username & password
    • Generate the TOTP code and enter it
    • Click the login button
    • Ensure authentication persists
  2. Use ZAP to scan the site after authentication with the AJAX Spider.

My Questions:
  1. What steps are required to ensure ZAP can continue the scan after Selenium handles authentication?
  2. Where should I place the Selenium script in ZAP? (Should it be part of Browser-Based Authentication, or do I need another approach?)
  3. Do I need any additional scripts?
    • HTTP Sender script to maintain session?
    • Session Management settings to persist authentication across requests?
  4. How exactly do I trigger the AJAX Spider after authentication? (Any specific configurations?)

I want to avoid errors like authentication loops or session timeouts, so any guidance on the best setup would be super helpful!

Thanks in advance! 
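
A worked example of the "generate the TOTP code" step, added here and not code from the original post or from ZAP or Selenium: a standard-library RFC 6238 TOTP generator, plus a check that the code is not about to expire before a form submission sends it. The base32 secret handling, the `fresh_code` helper and the sample key are constructed assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Callable, Optional, Tuple

# Added example (not ZAP's or Selenium's code): RFC 6238 TOTP for the
# "generate the TOTP code" login step. Sample secret below is constructed.


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, period: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(key, at // period, digits, algorithm)


def decode_base32_secret(secret: str) -> bytes:
    """Authenticator-app secrets are base32, often lower-case, grouped and unpadded."""
    cleaned = secret.replace(" ", "").replace("-", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def fresh_code(secret: str, at: Optional[int] = None, period: int = 30,
               min_remaining: int = 5,
               sleep: Callable[[float], None] = time.sleep) -> Tuple[str, int]:
    """Return (code, seconds_left). If the current step is about to roll over,
    wait for the next step so a slow form submission does not send a code
    that has already expired by the time the server checks it."""
    if at is None:
        at = int(time.time())
    remaining = period - (at % period)
    if remaining < min_remaining:
        sleep(remaining)
        at += remaining  # now at the start of the next step
        remaining = period
    return totp(decode_base32_secret(secret), at, period), remaining


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 SHA-1 test key, base32-encoded.
    sample = base64.b32encode(b"12345678901234567890").decode()
    code, left = fresh_code(sample)
    print(f"Current TOTP: {code} (valid for about {left}s)")
```

The `hotp`/`totp` functions are checked against the RFC 4226 and RFC 6238 test vectors; paste the returned code into the OTP field in the Selenium flow, or compare it with what ZAP's built-in TOTP support produces for the same secret.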

Simon Bennetts

Apr 7, 2025, 6:21:38 AM
to ZAP User Group
Hiya,

So we have a better solution for you - ZAP now has built-in TOTP support!
We need better documentation... but you can still use it and we can help here.

You need to use Browser Based Authentication, and for testing purposes you can use the Authentication Tester.
Have a play with that, but do get back to us here if you don't understand what you need to do - we know we need more docs :)

Cheers,

Simon