authhelper: support single-input TOTP fields and improve field interaction

[sarathivengadesh]

Overview

The TOTP_FIELD step previously called element.sendKeys() directly, which has two problems:

  - Single vs split input — sites like GitHub and Codeberg use a single input for the full 6-digit OTP code. The old code always sent one character per field, so single-input TOTP fields received only one digit and authentication failed.
  
  - JS framework compatibility — sendKeys() alone does not fire input/change events, so React and Angular apps never registered the typed value, causing username and password fields to appear empty on submit.

Changes:

  - TOTP_FIELD now detects whether there is one field (sends full 6-digit code) or multiple fields (sends one character each), by counting enabled TOTP_FIELD steps
  - Added fillFieldWithEvents() which fires input and change JS events after sendKeys(), fixing field registration in React/Angular/Vue apps and Shadow DOM components
  - TOTP code is pre-generated once before stepping through split fields, preventing a 30-second boundary crossing mid-flow from producing a mismatched code
  - MsLoginAuthenticator updated to use fillFieldWithEvents() consistently

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[psiinon]

Checkmarx One – Scan Summary & Details – 5e89d657-33a1-4ba5-b405-aee5d9ed9286

---

New Issues (158)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		Stored_Code_Injection	/addOns/graaljs/src/main/java/org/zaproxy/zap/extension/graaljs/PacScript.java: 107	details The application's  method receives and dynamically executes user-controlled code using eval, at line 143 of /addOns/graaljs/src/main/java/org/zapr... Attack Vector
2		Stored_XSS	/addOns/plugnhack/src/main/java/org/zaproxy/zap/extension/plugnhack/PlugNHackAPI.java: 300	details The method embeds untrusted data in generated output with append, at line 301 of /addOns/plugnhack/src/main/java/org/zaproxy/zap/extension/plugnha... Attack Vector
3		Absolute_Path_Traversal	/addOns/selenium/src/main/java/org/zaproxy/zap/extension/selenium/internal/DialogCustomBrowser.java: 363	details Method at line 363 of /addOns/selenium/src/main/java/org/zaproxy/zap/extension/selenium/internal/DialogCustomBrowser.java gets dynamic data from ... Attack Vector
4		Absolute_Path_Traversal	/addOns/selenium/src/main/java/org/zaproxy/zap/extension/selenium/internal/DialogCustomBrowser.java: 331	details Method at line 331 of /addOns/selenium/src/main/java/org/zaproxy/zap/extension/selenium/internal/DialogCustomBrowser.java gets dynamic data from ... Attack Vector
5		Absolute_Path_Traversal	/addOns/invoke/src/main/java/org/zaproxy/zap/extension/invoke/DialogAddApp.java: 223	details Method at line 223 of /addOns/invoke/src/main/java/org/zaproxy/zap/extension/invoke/DialogAddApp.java gets dynamic data from the getText element... Attack Vector
6		Absolute_Path_Traversal	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java: 400	details Method at line 400 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java gets dy... Attack Vector
7		Absolute_Path_Traversal	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java: 432	details Method at line 432 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java gets dy... Attack Vector
8		Absolute_Path_Traversal	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java: 441	details Method at line 441 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java gets dy... Attack Vector
9		Absolute_Path_Traversal	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java: 612	details Method at line 612 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java gets dy... Attack Vector
10		Absolute_Path_Traversal	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java: 663	details Method at line 663 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java gets dy... Attack Vector
11		Absolute_Path_Traversal	/addOns/jython/src/main/java/org/zaproxy/zap/extension/jython/JythonOptionsPanel.java: 111	details Method at line 111 of /addOns/jython/src/main/java/org/zaproxy/zap/extension/jython/JythonOptionsPanel.java gets dynamic data from the getText el... Attack Vector
12		Absolute_Path_Traversal	/addOns/network/src/main/java/org/zaproxy/addon/network/ClientCertificatesOptionsPanel.java: 206	details Method at line 206 of /addOns/network/src/main/java/org/zaproxy/addon/network/ClientCertificatesOptionsPanel.java gets dynamic data from the getT... Attack Vector
13		Absolute_Path_Traversal	/addOns/network/src/main/java/org/zaproxy/addon/network/internal/ui/AddPkcs11DriverDialog.java: 96	details Method at line 96 of /addOns/network/src/main/java/org/zaproxy/addon/network/internal/ui/AddPkcs11DriverDialog.java gets dynamic data from the ge... Attack Vector
14		Absolute_Path_Traversal	/addOns/invoke/src/main/java/org/zaproxy/zap/extension/invoke/DialogAddApp.java: 297	details Method at line 297 of /addOns/invoke/src/main/java/org/zaproxy/zap/extension/invoke/DialogAddApp.java gets dynamic data from the getText element... Attack Vector
15		Absolute_Path_Traversal	/addOns/reports/src/main/java/org/zaproxy/addon/reports/ReportDialog.java: 153	details Method at line 153 of /addOns/reports/src/main/java/org/zaproxy/addon/reports/ReportDialog.java gets dynamic data from the getText element. This... Attack Vector
16		Absolute_Path_Traversal	/addOns/invoke/src/main/java/org/zaproxy/zap/extension/invoke/DialogAddApp.java: 335	details Method at line 335 of /addOns/invoke/src/main/java/org/zaproxy/zap/extension/invoke/DialogAddApp.java gets dynamic data from the getText element... Attack Vector
17		Cleartext_Submission_of_Sensitive_Information	/addOns/network/src/main/java/org/zaproxy/addon/network/internal/client/apachev5/HttpSenderApache.java: 446	details Potentially sensitive personal information credentialsProvider, at line 446 of /addOns/network/src/main/java/org/zaproxy/addon/network/internal/cli... Attack Vector
18		Improper_Restriction_of_Stored_XXE_Ref	/addOns/reports/src/test/java/org/zaproxy/addon/reports/ReportTestUtils.java: 236	details The loads and parses XML using parse, at line 452 of /addOns/reports/src/test/java/org/zaproxy/addon/reports/ExtensionReportsXmlUnitTest.java. ... Attack Vector
19		Improper_Restriction_of_Stored_XXE_Ref	/addOns/reports/src/test/java/org/zaproxy/addon/reports/ReportTestUtils.java: 236	details The loads and parses XML using parse, at line 419 of /addOns/reports/src/test/java/org/zaproxy/addon/reports/ExtensionReportsXmlUnitTest.java. ... Attack Vector
20		Improper_Restriction_of_Stored_XXE_Ref	/addOns/reports/src/test/java/org/zaproxy/addon/reports/ReportTestUtils.java: 236	details The loads and parses XML using parse, at line 386 of /addOns/reports/src/test/java/org/zaproxy/addon/reports/ExtensionReportsXmlUnitTest.java. ... Attack Vector
21		Improper_Restriction_of_Stored_XXE_Ref	/addOns/reports/src/test/java/org/zaproxy/addon/reports/ReportTestUtils.java: 236	details The loads and parses XML using parse, at line 364 of /addOns/reports/src/test/java/org/zaproxy/addon/reports/ExtensionReportsXmlUnitTest.java. ... Attack Vector
22		Improper_Restriction_of_Stored_XXE_Ref	/addOns/todo/src/main/java/org/zaproxy/zap/extension/todo/TodoList.java: 131	details The loads and parses XML using parse, at line 133 of /addOns/todo/src/main/java/org/zaproxy/zap/extension/todo/TodoList.java. This XML was rece... Attack Vector
23		Improper_Restriction_of_Stored_XXE_Ref	/addOns/saml/src/main/java/org/zaproxy/zap/extension/saml/SAMLConfiguration.java: 78	details The loads and parses XML using unmarshal, at line 248 of /addOns/saml/src/main/java/org/zaproxy/zap/extension/saml/SAMLConfiguration.java. This... Attack Vector
24		SSRF	/addOns/network/src/main/java/org/apache/hc/client5/http/impl/classic/ZapInternalHttpClient.java: 188	details The application sends a request to a remote server, for some resource, using execute in /addOns/network/src/main/java/org/apache/hc/client5/http/im... Attack Vector
25		SSRF	/addOns/network/src/main/java/org/zaproxy/addon/network/internal/client/LegacyUtils.java: 47	details The application sends a request to a remote server, for some resource, using execute in /addOns/network/src/main/java/org/zaproxy/addon/network/int... Attack Vector
26		SSRF	/addOns/network/src/main/java/org/zaproxy/addon/network/internal/client/LegacyUtils.java: 53	details The application sends a request to a remote server, for some resource, using execute in /addOns/network/src/main/java/org/zaproxy/addon/network/int... Attack Vector
27		SSRF	/addOns/network/src/main/java/org/zaproxy/addon/network/internal/client/LegacyUtils.java: 56	details The application sends a request to a remote server, for some resource, using execute in /addOns/network/src/main/java/org/zaproxy/addon/network/int... Attack Vector
28		SSRF	/addOns/network/src/main/java/org/zaproxy/addon/network/internal/client/LegacyUtils.java: 46	details The application sends a request to a remote server, for some resource, using execute in /addOns/network/src/main/java/org/zaproxy/addon/network/int... Attack Vector
29		Missing_HSTS_Header	/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HeartBleedActiveScanRule.java: 984	details The web-application does not define an HSTS header, leaving it vulnerable to attack. Attack Vector
30		Privacy_Violation	/addOns/llm/src/main/java/org/zaproxy/addon/llm/ui/LlmAppendHttpMessageMenu.java: 53	details Method at line 53 of /addOns/llm/src/main/java/org/zaproxy/addon/llm/ui/LlmAppendHttpMessageMenu.java sends user information outside the applicat... Attack Vector
31		Privacy_Violation	/addOns/llm/src/main/java/org/zaproxy/addon/llm/services/LlmCommunicationService.java: 201	details Method at line 201 of /addOns/llm/src/main/java/org/zaproxy/addon/llm/services/LlmCommunicationService.java sends user information outside the ap... Attack Vector
32		Privacy_Violation	/addOns/llm/src/main/java/org/zaproxy/addon/llm/ui/LlmChatPanel.java: 240	details Method at line 240 of /addOns/llm/src/main/java/org/zaproxy/addon/llm/ui/LlmChatPanel.java sends user information outside the application. This ... Attack Vector
33		Privacy_Violation	/addOns/llm/src/main/java/org/zaproxy/addon/llm/services/LlmCommunicationService.java: 206	details Method at line 206 of /addOns/llm/src/main/java/org/zaproxy/addon/llm/services/LlmCommunicationService.java sends user information outside the ap... Attack Vector
34		Privacy_Violation	/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRule.java: 117	details Method at line 117 of /addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRule.java sends user inform... Attack Vector
35		Privacy_Violation	/addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRule.java: 116	details Method at line 116 of /addOns/pscanrules/src/main/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRule.java sends user inform... Attack Vector
36		SSL_Verification_Bypass	/addOns/network/src/main/java/org/zaproxy/addon/network/internal/client/apachev5/h2/ZapClientTlsStrategy.java: 197	details /addOns/network/src/main/java/org/zaproxy/addon/network/internal/client/apachev5/h2/ZapClientTlsStrategy.java relies HTTPS requests, in . The x50... Attack Vector
37		Unchecked_Input_for_Loop_Condition	/addOns/zest/src/main/java/org/zaproxy/zap/extension/zest/ZestZapUtils.java: 696	details Method at line 696 of /addOns/zest/src/main/java/org/zaproxy/zap/extension/zest/ZestZapUtils.java obtains user input from getVariableName - the ... Attack Vector
38		Unchecked_Input_for_Loop_Condition	/addOns/zest/src/main/java/org/zaproxy/zap/extension/zest/ZestZapUtils.java: 697	details Method at line 697 of /addOns/zest/src/main/java/org/zaproxy/zap/extension/zest/ZestZapUtils.java obtains user input from getCookieName - the ra... Attack Vector
39		Unchecked_Input_for_Loop_Condition	/addOns/zest/src/main/java/org/zaproxy/zap/extension/zest/ZestZapUtils.java: 695	details Method at line 695 of /addOns/zest/src/main/java/org/zaproxy/zap/extension/zest/ZestZapUtils.java obtains user input from getWindowHandle - the ... Attack Vector
40		Unchecked_Input_for_Loop_Condition	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/DefaultStringPayloadGeneratorUIHandler.java: 257	details Method at line 257 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/DefaultStringPayloadGeneratorUIHandler.java obta... Attack Vector
41		Unchecked_Input_for_Loop_Condition	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/RegexPayloadGeneratorUIHandler.java: 381	details Method at line 381 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/RegexPayloadGeneratorUIHandler.java obtains user... Attack Vector
42		Unchecked_Input_for_Loop_Condition	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/RegexPayloadGeneratorUIHandler.java: 381	details Method at line 381 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/RegexPayloadGeneratorUIHandler.java obtains user... Attack Vector
43		Unchecked_Input_for_Loop_Condition	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java: 441	details Method at line 441 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java obtains... Attack Vector
44		Unchecked_Input_for_Loop_Condition	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java: 444	details Method at line 444 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java obtains... Attack Vector
45		Unchecked_Input_for_Loop_Condition	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java: 612	details Method at line 612 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java obtains... Attack Vector
46		Unchecked_Input_for_Loop_Condition	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java: 617	details Method at line 617 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/FileStringPayloadGeneratorUIHandler.java obtains... Attack Vector
47		Unchecked_Input_for_Loop_Condition	/addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/JsonPayloadGeneratorAdapterUIHandler.java: 169	details Method at line 169 of /addOns/fuzz/src/main/java/org/zaproxy/zap/extension/fuzz/payloads/ui/impl/JsonPayloadGeneratorAdapterUIHandler.java obtain... Attack Vector
48		Unchecked_Input_for_Loop_Condition	/addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HeartBleedActiveScanRule.java: 969	details Method at line 969 of /addOns/ascanrules/src/main/java/org/zaproxy/zap/extension/ascanrules/HeartBleedActiveScanRule.java obtains user input from... Attack Vector
49		Unchecked_Input_for_Loop_Condition	/addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/InsecureHttpMethodScanRule.java: 465	details Method at line 465 of /addOns/ascanrulesBeta/src/main/java/org/zaproxy/zap/extension/ascanrulesBeta/InsecureHttpMethodScanRule.java obtains user ... Attack Vector
50		Use_Of_Hardcoded_Password	/addOns/authhelper/src/main/java/org/zaproxy/addon/authhelper/AuthUtils.java: 178	details The application uses the hard-coded password PASSWORD for authentication purposes, either using it to verify users' identities, or to access anoth... Attack Vector
51		Use_Of_Hardcoded_Password	/addOns/zest/src/main/java/org/zaproxy/zap/extension/zest/ZestAuthenticationRunner.java: 68	details The application uses the hard-coded password PASSWORD for authentication purposes, either using it to verify users' identities, or to access anoth... Attack Vector
52		Use_Of_Hardcoded_Password	/addOns/zest/src/main/java/org/zaproxy/zap/extension/zest/ZestAuthenticationRunner.java: 65	details The application uses the hard-coded password OLD_PASSWORD for authentication purposes, either using it to verify users' identities, or to access ... Attack Vector
53		Use_Of_Hardcoded_Password	/addOns/authhelper/src/test/java/org/zaproxy/addon/authhelper/internal/ClientSideHandlerUnitTest.java: 64	details The application uses the hard-coded password TEST_PASSWORD for authentication purposes, either using it to verify users' identities, or to access... Attack Vector
54		Use_Of_Hardcoded_Password	/addOns/authhelper/src/test/java/org/zaproxy/addon/authhelper/AuthDiagnosticCollectorUnitTest.java: 236	details The application uses the hard-coded password ""mySuperSecretPassword"" for authentication purposes, either using it to verify users' identities, o... Attack Vector
55		Use_Of_Hardcoded_Password	/addOns/automation/src/main/java/org/zaproxy/addon/automation/ContextWrapper.java: 518	details The application uses the hard-coded password PASSWORD_CREDENTIAL for authentication purposes, either using it to verify users' identities, or to ... Attack Vector
56		Use_Of_Hardcoded_Password	/addOns/bugtracker/src/main/java/org/zaproxy/zap/extension/bugtracker/BugTrackerBugzillaParam.java: 41	details The application uses the hard-coded password CONFIG_PASSWORD_KEY for authentication purposes, either using it to verify users' identities, or to... Attack Vector
57		Use_Of_Hardcoded_Password	/addOns/network/src/main/java/org/zaproxy/addon/network/NetworkApi.java: 141	details The application uses the hard-coded password PARAM_PASSWORD for authentication purposes, either using it to verify users' identities, or to acces... Attack Vector
58		Use_Of_Hardcoded_Password	/addOns/network/src/test/java/org/zaproxy/addon/network/LegacyConnectionParamUnitTest.java: 57	details The application uses the hard-coded password PASSWORD for authentication purposes, either using it to verify users' identities, or to access anoth... Attack Vector
59		Use_Of_Hardcoded_Password	/addOns/pscanrules/src/test/java/org/zaproxy/zap/extension/pscanrules/InsecureAuthenticationScanRuleUnitTest.java: 53	details The application uses the hard-coded password pass for authentication purposes, either using it to verify users' identities, or to access another r... Attack Vector
60		Use_Of_Hardcoded_Password	/addOns/network/src/test/java/org/zaproxy/addon/network/internal/client/KeyStoreEntryUnitTest.java: 66	details The application uses the hard-coded password ""password"" for authentication purposes, either using it to verify users' identities, or to access a... Attack Vector
61		Use_Of_Hardcoded_Password	/addOns/network/src/test/java/org/zaproxy/addon/network/internal/client/CertificateEntryUnitTest.java: 55	details The application uses the hard-coded password ""password"" for authentication purposes, either using it to verify users' identities, or to access a... Attack Vector
62		Use_Of_Hardcoded_Password_In_Config	/addOns/tokengen/src/main/resources/org/zaproxy/zap/extension/tokengen/resources/Messages_tr_TR.properties: 12	details The configuration file /addOns/tokengen/src/main/resources/org/zaproxy/zap/extension/tokengen/resources/Messages_tr_TR.properties contains a har... Attack Vector
63		Use_Of_Hardcoded_Password_In_Config	/addOns/tokengen/src/main/resources/org/zaproxy/zap/extension/tokengen/resources/Messages_bs_BA.properties: 12	details The configuration file /addOns/tokengen/src/main/resources/org/zaproxy/zap/extension/tokengen/resources/Messages_bs_BA.properties contains a har... Attack Vector
64		Use_Of_Hardcoded_Password_In_Config	/addOns/tokengen/src/main/resources/org/zaproxy/zap/extension/tokengen/resources/Messages_fr_FR.properties: 12	details The configuration file /addOns/tokengen/src/main/resources/org/zaproxy/zap/extension/tokengen/resources/Messages_fr_FR.properties contains a har... Attack Vector
65		Use_Of_Hardcoded_Password_In_Config	/addOns/bugtracker/src/main/resources/org/zaproxy/zap/extension/bugtracker/resources/Messages_vi_VN.properties: 107	details The configuration file /addOns/bugtracker/src/main/resources/org/zaproxy/zap/extension/bugtracker/resources/Messages_vi_VN.properties contains a... Attack Vector
66		Use_Of_Hardcoded_Password_In_Config	/addOns/zest/src/main/resources/org/zaproxy/zap/extension/zest/resources/Messages_es_ES.properties: 357	details The configuration file /addOns/zest/src/main/resources/org/zaproxy/zap/extension/zest/resources/Messages_es_ES.properties contains a hardcoded p... Attack Vector

More results are available on the CxOne platform

---

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR

[sarathivengadesh]

I have read the CLA Document and I hereby sign the CLA

[thc202]

This needs tests.

[thc202]

Also examples where the current sendKeys fails, that sounds more like a bug in the WebDriver spec since they are supposed to behave like user input.

[thc202]

This should be reverted, this existing code is working correctly.