[WIP] Totp Active Scan Rules

[AliceMilshtein]

Overview

Briefly describe the purpose, goals, and changes or improvements made in this pull request.

Related Issues

Specify any related issues or pull requests by linking to them.

Checklist

• Update help
• Update changelog
• Run ./gradlew spotlessApply for code formatting
• Write tests
• Check code coverage
• Sign-off commits
• Squash commits
• Use a descriptive title

For more details, please refer to the developer rules and guidelines.

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[psiinon]

Checkmarx One – Scan Summary & Details – 872bcac0-8b30-474d-b823-2d6ff9d08ebb

Great job, no security vulnerabilities found in this Pull Request

[psiinon]

This worries me :)
HttpMessage's can be big objects, so we try not to hold on to them for too long.
In other places we've saved the History IDs (which are just ints) and then you can read the messages from the DB when they are needed.

[psiinon]

Just some initial comments, will give a fuller review in a bit :)

[psiinon]

All code should have the standard header - you can just rip it off from any other class, just remember to change the year to 2025 😁

[kingthorin]

The spotlessApply task will add them with the proper year.

[psiinon]

All strings should be i18ned, e.g. as per https://github.com/zaproxy/zap-extensions/blob/main/addOns/ascanrulesAlpha/src/main/java/org/zaproxy/zap/extension/ascanrulesAlpha/ExampleFileActiveScanRule.java#L67

[psiinon]

If we're actually doing testing then maybe Server Security? Or Miscellaneous.
Thats unless we want to add a new "Authentication" category??

[psiinon]

Either actually include logging (e.g. at DEBUG level) or remove the commented code

[psiinon]

The build is failing due to formatting issues.
Run ./gradlew :addOns:ascanrulesAlpha:spotlessApply to fix these violations.

[kingthorin]

You could just not override these methods

[AliceMilshtein]

I have read the CLA Document and I hereby sign the CLA

[kingthorin]

I haven't had a detailed look but I did notice that some new classes have 2023 license headers 😉

[psiinon]

Just started playing with the examples in the dev add-on :)
They are all under /api/openapi which is really for OpenAPI related content.
I think they would make more sense being under something like /auth, /auth/totp or /totp.

[psiinon]

I also noticed that in many (all) cases pressing RETURN did not submit the TOTP token. Was that deliberate? Most reasonable web apps I've used do accept RETURN as submit, but I can definitely see the point of having some that dont work in that way.

[psiinon]

@AliceMilshtein this PR still has conflicts

[psiinon]

I would argue that TOTP is not simpleAuth 😉 So maybe packages like totpBlankCodeVuln ?

[psiinon]

These classes are nothing to do with OpenApi 😁

[psiinon]

I fixed the conflict locally and had a go with the test apps.
With http://localhost:9091/auth/totp/simple-auth-otp-blank-code-vuln/ I submitted the creds but got an error logged:
/
Ignore that - I hadnt updated the authhelper 😁

[psiinon]

All text shown to the user should be i18n'ed. Use code like Constant.messages.getString(MESSAGE_PREFIX + "soln");