How to handle multifactor authentication in automated testing?


Sargent D

Jan 13, 2022, 11:25:20 AM
to OWASP ZAP User Group
I have been tasked with implementing ZAP scanning as part of our test automation suite. As such I have been exploring implementing the authentication part of the scan using some script. While the first part of the authentication seems familiar, the second screen in our web app prompts for an OTP which gets sent to a user's cell phone.

Is there any way to integrate this into the ZAP automation script? I am currently pondering over the idea of having the SMS be sent to a Twilio number and then querying the OTP code using Twilio's API. So, could anyone let me know if it's possible to import external libraries in the ZAP automation script?

I am thinking of writing a Python script for this purpose.

Simon Bennetts

Jan 13, 2022, 11:30:48 AM
to OWASP ZAP User Group

However if you can't disable OTP then yet, you will be able to get it into ZAP, one way or another.
ZAP has very powerful scripting support but the Python add-on actually supports Jython rather than full Python.
That does support python modules / libraries as per https://www.zaproxy.org/docs/desktop/addons/python-scripting/options/

ZAP scripts can also call out to other command line tools and scripts so they can do anything you like :)

Cheers,

Simon
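
One piece of the approach discussed above, as an added example that is not from the original thread or from ZAP itself: the part of a Jython-compatible authentication script that picks the right one-time code out of an SMS feed. The feed shape is an assumption modelled on Twilio's Messages list (fields `to`, `body`, `date_sent`), `SAMPLE_FEED` is constructed test data, and the 6-digit code format is assumed.

```python
"""Select the one-time code for a ZAP two-step login from an SMS feed.

Added example, written to run under CPython 3 or ZAP's Jython 2.7.
The message shape is an assumption modelled on Twilio's Messages list
(fields 'to', 'body', 'date_sent' in RFC 2822 form); SAMPLE_FEED below
is constructed test data, not a real API response.
"""
import json
import re
from email.utils import mktime_tz, parsedate_tz

OTP_PATTERN = re.compile(r"\b(\d{6})\b")  # assumption: 6-digit numeric code

# Constructed sample: two codes to the test number (one stale, one fresh)
# plus an unrelated message to another number.
SAMPLE_FEED = json.dumps({"messages": [
    {"to": "+15550001111", "body": "Your login code is 482913",
     "date_sent": "Thu, 13 Jan 2022 16:20:00 +0000"},
    {"to": "+15550002222", "body": "Your login code is 777777",
     "date_sent": "Thu, 13 Jan 2022 16:25:30 +0000"},
    {"to": "+15550001111", "body": "Your login code is 105562",
     "date_sent": "Thu, 13 Jan 2022 16:25:10 +0000"},
]})


def extract_otp(feed_json, to_number, now_epoch, max_age_s=120):
    """Return the newest code sent to to_number within max_age_s, else None.

    Filtering by recipient keeps parallel scans on different test numbers
    apart; the age check discards codes left over from an earlier attempt;
    picking the newest handles a retry that produced two fresh codes.
    """
    newest = None
    for m in json.loads(feed_json).get("messages", []):
        if m.get("to") != to_number:
            continue
        sent = parsedate_tz(m.get("date_sent", ""))
        if sent is None:
            continue
        sent_epoch = mktime_tz(sent)
        if now_epoch - sent_epoch > max_age_s:
            continue  # stale code from an earlier login attempt
        found = OTP_PATTERN.search(m.get("body", ""))
        if found and (newest is None or sent_epoch > newest[0]):
            newest = (sent_epoch, found.group(1))
    return None if newest is None else newest[1]
```

Inside ZAP, the `authenticate(helper, paramsValues, credentials)` function of a script-based authentication would call `extract_otp` with the feed fetched from the SMS provider and then submit the returned code in the second login request.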

Sargent D

Jan 13, 2022, 12:04:34 PM
to OWASP ZAP User Group
Thanks. That's reassuring.

I was not really sure whether I could use external python libraries or not. Let me give this a try and I'll report here if I have any issues.

Thanks again.