All contributors have signed the CLA ✍️ ✅
_{Posted by theCLA Assistant Lite bot.}

BBA already supports TOTP fields.

Is that a recent change? Are there docs for it yet? I didn't see it back when I started working on this

It was done last month, there are no docs yet.

Pro tip - please get in touch with us before starting on any significant changes - we can then let you know if similar changes are already in progress 😁

Checkmarx One – Scan Summary & Details –9dbe7bdc-a0c7-48ec-899a-4b501268a0f5

New Issues (11)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	CVE-2023-33201	Maven-org.bouncycastle:bcprov-jdk15on-1.69	details Description: Bouncy Castle for Java versions prior to 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2023-33202	Maven-org.bouncycastle:bcprov-jdk15on-1.69	details Description: Bouncy Castle for Java in versions prior to 1.73 contains a potential Denial-of-Service (DoS) issue within the Bouncy Castle "org.bouncycastle.open... Attack Vector: LOCAL Attack Complexity: LOW Exploitable Path: equals@.../extension/ExtensionLoader.java - ... - toDERObject@...cycastle/asn1/ASN1Set.java Vulnerable Package
	CVE-2024-29857	Maven-org.bouncycastle:bcprov-jdk15on-1.69	details Description: An issue was discovered in "ECCurve.java" and "ECCurve.cs" in Bouncy Castle Java (BC Java) versions prior to 1.78, BC Java LTS versions prior to 2.... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	CVE-2024-30171	Maven-org.bouncycastle:bcprov-jdk15on-1.69	details Description: An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. This issue also affects Bouncy Castle C# package prior to 2.3.... Attack Vector: NETWORK Attack Complexity: HIGH Exploitable Path: doFinal@...network/ZapNTLMEngineImpl.java - ... - checkPkcs1Encoding@.../PKCS1Encoding.java Vulnerable Package
	CVE-2024-30172	Maven-org.bouncycastle:bcprov-jdk15on-1.69	details Description: An issue was discovered in Bouncy Castle Java Cryptography APIs prior to 1.78 and Bouncy Castle C# Cryptography prior to 2.3.1. An "Ed25519" verifi... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
	Privacy_Violation	/zap/src/main/java/org/zaproxy/zap/authentication/PostBasedAuthenticationMethodType.java:400	details Method at line 400 of /zap/src/main/java/org/zaproxy/zap/authentication/PostBasedAuthenticationMethodType.java sends user information outside the ... Attack Vector
	Privacy_Violation	/zap/src/main/java/org/zaproxy/zap/authentication/PostBasedAuthenticationMethodType.java:400	details Method at line 400 of /zap/src/main/java/org/zaproxy/zap/authentication/PostBasedAuthenticationMethodType.java sends user information outside the ... Attack Vector
	Heap_Inspection	/zap/src/test/java/org/zaproxy/zap/authentication/UsernamePasswordAuthenticationCredentialsUnitTest.java:147	details Method at line 147 of /zap/src/test/java/org/zaproxy/zap/authentication/UsernamePasswordAuthenticationCredentialsUnitTest.java defines encodedUser... Attack Vector
	Use_Of_Hardcoded_Password	/zap/src/test/java/org/zaproxy/zap/authentication/UsernamePasswordAuthenticationCredentialsUnitTest.java:46	details The application uses the hard-coded password password for authentication purposes, either using it to verify users' identities, or to access anothe... Attack Vector
	Use_Of_Hardcoded_Password	/zap/src/test/java/org/zaproxy/zap/authentication/PostBasedAuthenticationMethodTypeUnitTest.java:325	details The application uses the hard-coded password password for authentication purposes, either using it to verify users' identities, or to access anothe... Attack Vector
	Use_Of_Hardcoded_Password_In_Config	/zap/src/main/resources/org/zaproxy/zap/resources/Messages.properties:1335	details The configuration file /zap/src/main/resources/org/zaproxy/zap/resources/Messages.properties contains a hardcoded password in line 1335 Attack Vector

Fixed Issues (4)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	Privacy_Violation	/zap/src/main/java/org/zaproxy/zap/authentication/PostBasedAuthenticationMethodType.java:293
	Privacy_Violation	/zap/src/main/java/org/zaproxy/zap/authentication/PostBasedAuthenticationMethodType.java:349
	Use_Of_Hardcoded_Password	/zap/src/test/java/org/zaproxy/zap/authentication/UsernamePasswordAuthenticationCredentialsUnitTest.java:46
	Use_Of_Hardcoded_Password_In_Config	/zap/src/main/resources/org/zaproxy/zap/resources/Messages.properties:1333

I was under the impression that there wasn't any interesting in adding TOTP support based on previous comments. Nonetheless, is adding the TOTP support to post-based auth still of use or is that something that's already in progress?

Priorities change, sometimes very quickly.
If we're aware that someone is working on something that suddenly becomes more important to us then we can talk to them and see how we can work together on it.
Confession time - I dont think that FORM based auth is all that useful any more. We wont get rid of it, but I cant see us puttting much more effort into it. Unless I'm convinced otherwise of course 😁

Fair enough, I guess I'll finish up just this PR then & bring it in line with the changes to BBA.

Just a couple follow up questions: There was a comment I think in the docs somewhere about BBA being accessible via the API at some point, is that still happening and do you have an idea of when that'll be/has it already happened? We're using form/json-based auth since it's what's accessible via the API, but if we can do BBA via the API I don't think we'd have as much of a need for that

Deleted mistaken repost 😉
The problem with the API is that we need a core change. We do plan to do it .. but dont have any ETA.
If you'd like to work on it we can give you suitable advice and guidance 😁

Noted, I'll chat with my team properly about all this on Monday and see what our priorities are

Note that further work should be done on top of#7857.

@psiinon Had a chat with my team, and we agreed BBA via the API isn't a high enough priority for us at the moment to work on.

@thc202 Should I wait for that to be merged, or shall I just merge that branch into this?

That PR was for the API/BBA changes.

fyi, we'll be taking care of this PR for 2.16.1.

Taking care of it in what sense? Just so you know right now I'm updating the tests to include this functionality (edit: see the commit after this message). Shall I leave it to you guys to finish off once I've done that?

I have read the CLA Document and I hereby sign the CLA