TOTP support in Zest used by automation plan

Mike Ifright

Mar 24, 2026, 12:06:34 PM (7 days ago) Mar 24
to ZAP User Group
Hi everybody
I am currently trying to set up ZAP for a modern single page application utilizing 2FA within a rather complicated IAM architecture. For this reason I opted for authenticating through a browser using Zest. I would like to be able to do so from an automation plan.

From the documentation I gather, there are two different types of authentication:
- Browser Based Authentication and
- Client Based Authentication

The browser based authentication defines the login steps directly in the automation plan and the client based authentication defines the steps in a separate zest script. I went with the zest script, because zest allows me to take screenshots of individual steps to better understand what is going on and debug things.

My automation plan executes the Zest script in the context section:
```
env:
  contexts:
  - name: my context
    ...
    authentication:
      method: client
      parameters:
        script: /zap/wrk/my-zest-script.zst
      ...
```

Inside my Zest script, the parameters section defines credentials and the TOTP secret as follows:
```
...
"parameters": {
   "tokenStart": "{{",
   "tokenEnd": "}}",
   "tokens": {
      "Username": "myusername",
      "Password": "mypasswd",
      "totp": "mytotpsecret"
...
```
The {{Username}} and {{Password}} values are expanded as expected into the respective input tags later in my Zest script.

However, I can't figure out how to expand the calculated TOTP value (not the secret!) into the appropriate field through any ZestElement in my script, and I can't find any hints in the documentation either.

Can you point me in the right direction?
Thanks and best
Mike

thc202

Mar 24, 2026, 12:18:56 PM (7 days ago) Mar 24
to zaprox...@googlegroups.com
Hi,

Both authentication methods you mentioned allow you to record diagnostics,
which include screenshots.
https://www.zaproxy.org/docs/desktop/addons/authentication-helper/auth-report-json/#diagnostics

You can see the data in the Auth Diags tab after running the authentication.


For the Zest script, you can use the variable TOTP in the respective
statement you want and ZAP will generate/replace it at runtime.
https://www.zaproxy.org/docs/desktop/addons/zest/#authentication-scripts

Best regards.
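As an added illustration (not code from the thread, from ZAP or from Zest), the following Python shows how the token expansion from the question and the TOTP variable from the reply fit together: {{Username}} and {{Password}} are substituted from the tokens block, while {{TOTP}} is computed at expansion time from the configured secret per RFC 6238. The function names expand() and totp(), the assumption that the secret is the base32 value stored under the "totp" token, and the default period/digits/algorithm are hypothetical; ZAP's actual runtime handling of the TOTP parameters is not shown here.

```python
import base64
import hashlib
import hmac
import re
import struct
import time
from typing import Dict, Optional

def totp(secret_b32: str, at: Optional[int] = None, digits: int = 6,
         period: int = 30, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current time step."""
    cleaned = secret_b32.replace(" ", "").upper()
    # Authenticator exports often omit base32 padding; restore it.
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    now = int(time.time()) if at is None else at
    counter = struct.pack(">Q", now // period)
    mac = hmac.new(key, counter, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

TOKEN = re.compile(r"\{\{(\w+)\}\}")  # matches tokenStart "{{" / tokenEnd "}}"

def expand(value: str, tokens: Dict[str, str], at: Optional[int] = None) -> str:
    """Expand {{Name}} placeholders from the tokens block.

    {{TOTP}} is special: it is derived from the 'totp' secret at
    expansion time, so the code is fresh for the step that uses it.
    Unknown tokens are left untouched so a typo stays visible.
    """
    def sub(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name == "TOTP":
            return totp(tokens["totp"], at)
        return tokens.get(name, match.group(0))
    return TOKEN.sub(sub, value)

# Constructed sample tokens block; the secret is the RFC 6238 test key
# "12345678901234567890" in base32, not a real credential.
SAMPLE_TOKENS = {
    "Username": "myusername",
    "Password": "mypasswd",
    "totp": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
}

if __name__ == "__main__":
    print(expand("{{Username}} / {{Password}}", SAMPLE_TOKENS))
    print(expand("{{TOTP}}", SAMPLE_TOKENS))  # changes every 30 s
```

Passing a fixed `at` value lets you check a secret against the RFC 6238 vectors (or against the code your authenticator app shows at a known time) before blaming the automation plan.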

Mike Ifright

4:58 AM (19 hours ago) 4:58 AM
to ZAP User Group
Hi thc202

Thank you for your reply and for pointing out the auth report. I managed to enable diagnostics and collect details on the steps taken during authentication, which is quite neat!
Looking at the diagnostics, I realized that the custom steps I specified for the browser based authentication method are completely ignored.
My use case starts with loading the loginPageUrl and clicking a "Start Login" button, in order to collect necessary cookies etc. Only after that, the filling in of forms starts.

Instead of the steps I have specified, the recorded steps start with:
- description: "URL Accessed" - this loads the URL I specified as "loginPageUrl"
- description: "Auto Fill Username" - this autofills the Username I specified, into a search field on the login page, which ofc is wrong.

So it seems my custom steps are ignored for some reason.

My automation plan looks as follows:
```
env:
  contexts:
  - name: "my context"
    urls:
    excludePaths:
    - 'https://.*vimeo.*'
    includePaths:
    authentication:
      method: browser
      parameters:
        loginPageWait: 10
        browserId: firefox-headless
        stepDelay: 5
        diagnostics: true
        steps:
        - description: Click the "Start Login Flow"-Button
          type: CLICK
          cssSelector: "#path-to-start-button"
        - description: Next step ...
          type: USERNAME
          ...
...
```
I seem to be missing something. Can you again point me in the right direction?