Add MFA handling script in Selenium (#438)

njmulsqb · web-flow · commit 3db301ef0474 · 2024-03-15T16:13:50.000Z
Add selenium script to fill in fixed OTP.

Signed-off-by: Najam Ul Saqib &lt;najamulsaqib@tutamail.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
   to find and add subdomains to the Sites Tree.
 - passive/JavaDisclosure.js - Passive scan for Java error messages leaks
 - httpsender/RsaEncryptPayloadForZap.py - A script that encrypts requests using RSA
+- selenium/FillOTPInMFA.js - A script that fills the OTP in MFA
 
 ## [18] - 2024-01-29
 ### Added
diff --git a/selenium/FillOTPInMFA.js b/selenium/FillOTPInMFA.js
@@ -0,0 +1,19 @@
+/*
+This script will fill the OTP if MFA is configured on web-app. Browser-based auth is the pre-requisite for this script.
+You need to analyze DOM of the web app this script needs to run on and modify the parameters accordingly.
+This script assumes that the web app has fixed OTP for testing which can be stored in the variable below.
+ */
+
+function browserLaunched(utils) {
+  var By = Java.type("org.openqa.selenium.By");
+  var Thread = Java.type("java.lang.Thread");
+  var url = utils.waitForURL(5000);
+  var wd = utils.getWebDriver();
+  var OTP = "123456";
+
+  wd.get(url + "#/login");
+  Thread.sleep(30000); //Wait for ZAP to handle the auth.
+  wd.findElement(By.id("one-time-code")).sendKeys(OTP); //Replace the input field as per your web-app's DOM
+  Thread.sleep(1000);
+  wd.executeScript("document.querySelector('[aria-label=\"Verify Code\"]').click()"); //Replace the submit label as per your web-app's DOM
+}
