Assistance Required for Authentication Scanning in ZAP for OTP and Two-Factor Authentication URLs


Naveen Sabavath
Nov 5, 2024, 6:19:53 AM
to ZAP User Group

Hi,

I’m currently working on automating security scans using the ZAP SDK in Java and have encountered a challenge with handling authentication for certain types of URLs. Specifically, I’m trying to perform authentication scanning on endpoints that require OTP (One-Time Password) verification or Two-Factor Authentication (2FA). These URLs don’t follow the traditional username and password fields typically managed with JSON-based authentication.

Issue Details

Using JSON-based authentication is straightforward for URLs that involve username and password fields. However, for URLs requiring OTP or 2FA:

  • There is no standard username/password combination to send in the payload.
  • The process involves multiple steps, including:
    1. An initial step (like entering a registered mobile number).
    2. A secondary step where the OTP or 2FA code is retrieved and submitted.

I understand that ZAP supports Script-based Authentication, which allows for customization in handling multi-step authentication. I would like guidance on setting up this type of authentication using the ZAP SDK.

Assistance Needed

Could you please provide information on:

  1. Process Overview: How to approach multi-step authentication for OTP/2FA with ZAP.
  2. Sample Script Template: A template or example script for managing non-standard fields and OTP retrieval/submission.
  3. Configuration Steps: Details on how to configure the script-based authentication through the SDK, including any necessary script parameters or settings.

My Current Setup

  • Technology: Java with ZAP SDK
  • Objective: Integrate custom authentication steps (without username/password) for specific API endpoints through code.
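The configuration steps asked for above, as an added Java example that is not code from this thread, from ZAP, or from its documentation. It assumes: ZAP on localhost:8080 with API key "changeme"; a target at http://localhost:3000; an authentication script already saved at /opt/zap/scripts/otp-auth.js that defines the functions ZAP expects of an authentication script (authenticate, getRequiredParamsNames, getOptionalParamsNames, getCredentialsParamsNames) and that declares loginUrl and otpUrl as its required parameters and mobile as its only credential; and a "Graal.js" script engine installed in ZAP. The script body itself, including how it retrieves the OTP, is not shown. The method names are those of the zap-clientapi Java library.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;

import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

/**
 * Wires a ZAP authentication script into a context from Java and creates a user
 * for it. All hosts, keys, paths and parameter names below are assumptions made
 * for this example; the script's own parameter and credential names come from
 * what that script returns in getRequiredParamsNames()/getCredentialsParamsNames().
 */
public class ScriptAuthSetup {

    private static final String ZAP_HOST = "localhost";
    private static final int ZAP_PORT = 8080;
    private static final String API_KEY = "changeme";                          // assumed
    private static final String TARGET = "http://localhost:3000";               // assumed target
    private static final String CONTEXT_NAME = "otpContext";
    private static final Path SCRIPT = Path.of("/opt/zap/scripts/otp-auth.js"); // assumed path
    private static final String SCRIPT_NAME = "otp-auth.js";
    private static final String SCRIPT_ENGINE = "Graal.js";                     // assumed engine name

    public static void main(String[] args) throws ClientApiException {
        ClientApi zap = new ClientApi(ZAP_HOST, ZAP_PORT, API_KEY);

        // 1. The authentication method belongs to a context, so create that first.
        String contextId = value(zap.context.newContext(CONTEXT_NAME));
        zap.context.includeInContext(CONTEXT_NAME, TARGET + ".*");

        // 2. Load the script into ZAP with type "authentication".
        zap.script.load(SCRIPT_NAME, "authentication", SCRIPT_ENGINE,
                SCRIPT.toString(), "OTP login flow", null);

        // 3. Point the context at the script. "scriptName" is the key ZAP defines;
        //    loginUrl/otpUrl are the names this example's script is assumed to require.
        //    Values inside the config string are URL-encoded individually.
        String authParams = "scriptName=" + SCRIPT_NAME
                + "&loginUrl=" + encode(TARGET + "/login")
                + "&otpUrl=" + encode(TARGET + "/verify-otp");
        zap.authentication.setAuthenticationMethod(contextId, "scriptBasedAuthentication", authParams);

        // 4. Create a user whose credentials use the script's credential names
        //    (here a single "mobile" field, since there is no username/password).
        String userId = value(zap.users.newUser(contextId, "otp-user"));
        zap.users.setAuthenticationCredentials(contextId, userId, "mobile=" + encode("0000000000"));
        zap.users.setUserEnabled(contextId, userId, "true");

        // 5. Force every request in the context through that user, so the spider
        //    and scans run authenticated via the script.
        zap.forcedUser.setForcedUser(contextId, userId);
        zap.forcedUser.setForcedUserModeEnabled(true);

        System.out.println("context " + contextId + " configured with user " + userId);
    }

    private static String value(ApiResponse r) {
        return ((ApiResponseElement) r).getValue();
    }

    private static String encode(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }
}
```

The multi-step part of an OTP login (submit the mobile number, obtain the code, submit it) lives entirely inside the script's authenticate function; the Java side only loads the script, names it in the context's authentication method, and supplies the user's credential values. Whatever names the script declares as required parameters and credentials must be used verbatim in the two config strings above, or ZAP rejects the configuration.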

Simon Bennetts
Nov 5, 2024, 7:00:20 AM
to ZAP User Group
Hiya,

Especially the part about making your life easier :D

Cheers,

Simon

Naveen Sabavath
Nov 8, 2024, 6:24:30 AM
to zaprox...@googlegroups.com
Hi,
I am doing ZAP scans using the Java SDK.

Even though the URL has been scanned through the spider scan, I am getting "url not found in scan tree" for active scan for POST calls.
Why? Is it a bug?

I tried creating a context and running the spider scan; it throws "provided url not found in context", but in the UI I see those URLs are included.

Any help? Please find the code below:

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

private static final Logger log = LoggerFactory.getLogger(ZapService.class);
private static final String contextName = "spiderContext";
private static String CONTEXT_ID;

private void createOrLoadContext(String target, ClientApi clientApi) throws ClientApiException {
    // newContext returns the id of the new context as a single element
    ApiResponse contextIdResponse = clientApi.context.newContext(contextName);
    CONTEXT_ID = ((ApiResponseElement) contextIdResponse).getValue();
    log.info("Created context with ID: " + CONTEXT_ID);

    try {
        // Include the URL in the context. The pattern is a regex: the first call
        // matches only the exact target, the second everything beneath it.
        clientApi.context.includeInContext(contextName, target);
        clientApi.context.includeInContext(contextName, target + ".*");
        log.info("Included URL in context: " + target);
    } catch (ClientApiException e) {
        log.error("Failed to include URL in context: " + e.getMessage());
        throw e;
    }

    // The include calls above are synchronous; the sleep is not needed for them to take effect.
    try {
        Thread.sleep(2000);
    } catch (InterruptedException e) {
        Thread.currentThread().interrupt();
    }
    verifyUrlsInContext(clientApi); // defined elsewhere in the class; logs the error shown below
}
2024-11-06T17:17:57.509+05:30 ERROR 30606 --- [demo] [nio-8081-exec-1] zapmod.demo.service.ZapService           : No URLs found in context: spiderContext

Simon Bennetts
Nov 8, 2024, 12:20:32 PM
to ZAP User Group
There's not enough info there for us to see what's going on.
We'll need a lot more information: how you have defined your context, what values you are calling the spider with, and some idea of what the spider finds.

Cheers,

Simon

Simon Bennetts
Nov 8, 2024, 12:25:24 PM
to ZAP User Group
Following on from your other thread, I suggest you print out all of the nodes in the Sites tree after the spider has finished.
Are you trying to active scan one specific node?
That's what will happen if you specify a POST request.
You will need to check that the request is already in the Sites tree, and make sure you specify it in the right way.

Cheers,

Simon
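The check Simon describes, as an added Java example that is not code from this thread or from ZAP: spider the target inside a context, print what landed in the Sites tree, confirm ZAP actually holds a POST to the endpoint, and only then active-scan that single node with method and postData set. ZAP address, API key, target, the /api/send-otp endpoint and its body are assumed values; the seven-argument ascan.scan(..., contextId) is the form in current zap-clientapi releases.

```java
import java.util.ArrayList;
import java.util.List;

import org.zaproxy.clientapi.core.ApiResponse;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ApiResponseList;
import org.zaproxy.clientapi.core.ApiResponseSet;
import org.zaproxy.clientapi.core.ClientApi;
import org.zaproxy.clientapi.core.ClientApiException;

/**
 * Spider, inspect the Sites tree, verify the POST node exists, then active-scan it.
 * All addresses, keys and the POST endpoint/body are assumptions for this example.
 */
public class SpiderThenScanPost {

    private static final String API_KEY = "changeme";                // assumed
    private static final String TARGET = "http://localhost:3000";      // assumed target
    private static final String CONTEXT_NAME = "spiderContext";
    private static final String POST_URL = TARGET + "/api/send-otp";   // assumed endpoint
    // Must carry the same parameter names as the recorded request; values may differ.
    private static final String POST_DATA = "mobile=0000000000";

    public static void main(String[] args) throws ClientApiException, InterruptedException {
        ClientApi zap = new ClientApi("localhost", 8080, API_KEY);

        String contextId = value(zap.context.newContext(CONTEXT_NAME));
        // Include patterns are regexes; this one covers every URL under TARGET.
        zap.context.includeInContext(CONTEXT_NAME, TARGET + ".*");

        // Spider within the context (recurse=true) and block until it reports 100%.
        String spiderId = value(zap.spider.scan(TARGET, null, "true", CONTEXT_NAME, null));
        while (Integer.parseInt(value(zap.spider.status(spiderId))) < 100) {
            Thread.sleep(1000);
        }

        // Print what the spider actually stored in the Sites tree.
        for (String url : sitesTreeUrls(zap, TARGET)) {
            System.out.println("sites tree: " + url);
        }

        // ascan.scan with method=POST only works if ZAP already holds a POST to that
        // URL. Check for one before asking, and say clearly when it is missing.
        List<String> recorded = recordedPostBodies(zap, POST_URL);
        if (recorded.isEmpty()) {
            System.err.println("No POST to " + POST_URL + " recorded: the spider found only GETs "
                    + "or never reached it. Send the request through ZAP first.");
            return;
        }
        recorded.forEach(b -> System.out.println("recorded POST body: " + b));

        // recurse=false scans this node only; inScopeOnly=true keeps it inside the context.
        String scanId = value(zap.ascan.scan(POST_URL, "false", "true", null, "POST", POST_DATA, contextId));
        while (Integer.parseInt(value(zap.ascan.status(scanId))) < 100) {
            Thread.sleep(2000);
        }
        System.out.println("active scan " + scanId + " finished");
    }

    /** URLs ZAP currently holds in its Sites tree under baseUrl. */
    static List<String> sitesTreeUrls(ClientApi zap, String baseUrl) throws ClientApiException {
        List<String> urls = new ArrayList<>();
        ApiResponseList list = (ApiResponseList) zap.core.urls(baseUrl);
        for (ApiResponse item : list.getItems()) {
            urls.add(((ApiResponseElement) item).getValue());
        }
        return urls;
    }

    /** Bodies of recorded POST requests whose URL starts with url. */
    static List<String> recordedPostBodies(ClientApi zap, String url) throws ClientApiException {
        List<String> bodies = new ArrayList<>();
        ApiResponseList msgs = (ApiResponseList) zap.core.messages(url, null, null);
        for (ApiResponse item : msgs.getItems()) {
            ApiResponseSet msg = (ApiResponseSet) item;
            // requestHeader is the raw header block; its first line is "METHOD URL HTTP/x".
            if (msg.getStringValue("requestHeader").startsWith("POST ")) {
                bodies.add(msg.getStringValue("requestBody"));
            }
        }
        return bodies;
    }

    private static String value(ApiResponse r) {
        return ((ApiResponseElement) r).getValue();
    }
}
```

ZAP identifies a Sites tree node by URL, method and the names of its parameters, not their values. A POST node therefore only matches an active-scan request whose postData carries the same parameter names the recorded request had; a GET to the same path found by the spider does not count, which is why the URL can appear in the tree while the POST scan still reports it as not found.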
