How to set param in Form Data as structural parameter?


Nicole Errante

Aug 25, 2021, 12:31:56 PM
to OWASP ZAP User Group
Hi everyone,

For background, I have watched both the deep dive video on the Sites Tree and the Intro to 2.10.0.  My situation is that we have a website where functionality is determined by the value of a param in form data.

So, the website endpoint is always /blah/index.aspx, and the param in the form value that varies based on functionality/page being called is named dataSource.  There might also be other params, but those are true data params and do not drive functionality.  

Is there a way to get ZAP to recognize dataSource as a structural param in the site tree when it isn't included as part of the URL structure?  I'm thinking an Input Vector script is the way to go but the examples I see are setting params as data, not structure.  Is there a way to do it for structural params?  Any advice or direction pointing you could give me would be greatly appreciated.

Nicole

kingthorin+owaspzap

Aug 25, 2021, 2:07:31 PM
to OWASP ZAP User Group
I think this help info should get you going in the direct direction:

Nicole Errante

Sep 16, 2021, 6:46:12 PM
to OWASP ZAP User Group
Thanks for the direction - it has taken me a while but I'm slowly getting my site tree in the right "form" that my application requires for it to be tested thoroughly by ZAP.  I do have a follow-up question though.

I'm using dummy data in this example, obviously, but it directly reflects what my application is currently doing.  

The endpoint I am attacking is http://mywebapp.com/sites/src/index.aspx?

There are no query params but the list of form params with dummy data is as follows (Parameter Name: Value):
dataSource: AnimalSearch
dataSourceType: dbXML
anotherParam: a
differentParam: b
params: {some json}

In this case, the dataSource value drives what stored procedure I am calling so I have cued off of that to make sure my site tree has all the different flavors of dataSource to test:
  •  http://mywebapp.com
    • sites
      • src
        • index.aspx?
          • POST(AnimalSearch)(dataSource, dataSourceType, anotherParam, differentParam, varFromJson1, varFromJson2)
          • POST(FruitSearch)(dataSource, dataSourceType, anotherParam, differentParam, varFromJson1, varFromJson2)
          • POST(AddAnimal)(dataSource, dataSourceType, anotherParam, differentParam, varFromJson1, varFromJson2)
What I am wondering is, since the correct stored procedure will not be called without a valid dataSource (and possibly dataSourceType), would it make sense NOT to inject any values for those parameters to make sure the call to the SP is valid?  I think injecting values for dataSource still needs to be done to be thorough, and I would plan to do that once for the path to cover that scenario. Any thoughts? Hopefully this question makes sense...still new to all this stuff!
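
An added sketch (not written by anyone in the thread, and not ZAP's own code) of the grouping described in the last message: it derives the `POST(<dataSource>)(...)` node label from a form-encoded body, expands the JSON `params` field into its keys, and separates the parameters that select the stored procedure from the ones left for injection. The function names and sample bodies are constructed for illustration, and treating `dataSourceType` as structural is an assumption taken from the "possibly" in the question.

```javascript
// Added illustration: plain JavaScript, no ZAP API calls.
// Parameter names are the dummy ones from the thread; function names are hypothetical.
const STRUCTURAL = ["dataSource", "dataSourceType"]; // assumed to select the stored procedure
const KEY_PARAM = "dataSource"; // its value labels the node
const JSON_PARAM = "params";    // form field carrying a JSON object

// Replace the JSON field with its top-level keys; keep it as-is if it is not a JSON object.
function expandParams(pairs) {
  const out = [];
  for (const [name, value] of pairs) {
    let obj = null;
    if (name === JSON_PARAM) {
      try { obj = JSON.parse(value); } catch (e) { obj = null; }
    }
    if (obj && typeof obj === "object" && !Array.isArray(obj)) {
      for (const k of Object.keys(obj)) out.push([k, String(obj[k])]);
    } else {
      out.push([name, value]);
    }
  }
  return out;
}

// Build the node label for one form-encoded POST body and split its parameters.
function describeRequest(method, body) {
  const params = expandParams(Array.from(new URLSearchParams(body).entries()));
  const key = params.find(([n]) => n === KEY_PARAM);
  const names = params.map(([n]) => n);
  return {
    leafName: `${method}${key ? `(${key[1]})` : ""}(${names.join(", ")})`,
    structural: names.filter((n) => STRUCTURAL.includes(n)),
    injectable: names.filter((n) => !STRUCTURAL.includes(n)),
  };
}

// Distinct leaf names for a set of captured bodies, in first-seen order.
function distinctLeaves(method, bodies) {
  return [...new Set(bodies.map((b) => describeRequest(method, b).leafName))];
}

// Constructed sample bodies modelled on the dummy data in the thread.
const json = encodeURIComponent('{"varFromJson1":"x","varFromJson2":"y"}');
const SAMPLE_BODIES = ["AnimalSearch", "FruitSearch", "AnimalSearch", "AddAnimal"].map(
  (ds) => `dataSource=${ds}&dataSourceType=dbXML&anotherParam=a&differentParam=b&params=${json}`
);

for (const leaf of distinctLeaves("POST", SAMPLE_BODIES)) console.log(leaf);
```
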