Structural parameters are a type of Structural Modifier which identify parameters that represent application structure instead of user data.
In 'traditional' web applications the structure of the application is typically defined by the URL paths, while the data is carried in the URL parameters and POST data. URLs like:
- https://www.example.com/app/aaa?ddd=eee
- https://www.example.com/app/aaa?ddd=fff
- https://www.example.com/app/aaa?ddd=ggg
are represented in the Sites tab as one 'node' in the tree:
- Sites
  - app
    - GET:aaa(ddd)
The Sites tree is very important as it reflects ZAP's understanding of the application structure. If it is not a good representation of the structure then ZAP will not be able to attack the application effectively.
In 'single' page applications a parameter is used to indicate the logical 'page':
- https://www.example.com/app/aaa?page=p1&ddd=eee
- https://www.example.com/app/aaa?page=p2&ddd=fff
- https://www.example.com/app/aaa?page=p3&ddd=ggg
these 3 URLs represent different logical pages, but by default ZAP will still represent them as one node:
- Sites
  - app
    - GET:aaa(ddd,page)
This is a problem because ZAP will then not attack all of the application's functionality.
In ZAP terms the 'page' URL parameter is a 'structural parameter': a parameter that defines part of the application structure. You can define structural parameters by adding the application to a Context and then configuring them via the Session Context Structure screen. Once you have done this, the pages will be correctly represented as 3 nodes:
- Sites
  - app
    - aaa
      - GET:p1(ddd,page)
      - GET:p2(ddd,page)
      - GET:p3(ddd,page)
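The collapsing and splitting described above can be modelled in a few lines. The following is an added example, not ZAP's own code: it derives node names from URLs using the convention shown in the diagrams on this page (METHOD:name(sorted parameter names)), first with no structural parameters and then with 'page' declared structural. The site node is written as scheme://host, and when more than one structural parameter is declared their values are appended in query order; both details are assumptions of this toy model, not something the page states.

```python
"""Toy model of how ZAP's Sites tree collapses or splits URLs depending on
which query parameters are declared structural. Added example, not ZAP code."""
from urllib.parse import urlsplit, parse_qsl


def classify(url, structural_params=frozenset(), method="GET"):
    """Split one request into (site, folder segments, leaf node name).

    Leaf naming follows the page's diagrams: METHOD:name(sorted,param,names).
    Without structural parameters the leaf is named after the last path
    segment. A structural parameter's *value* is treated as an extra
    path-like segment, so the former last segment becomes a folder and the
    value names the leaf. The parameter list in parentheses is unchanged.
    """
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    params = parse_qsl(parts.query, keep_blank_values=True)
    # Assumption of this model: structural values are appended in query order.
    segments += [value for name, value in params if name in structural_params]
    names = sorted({name for name, _ in params})
    leaf = segments[-1] if segments else ""
    if names:
        leaf += "(" + ",".join(names) + ")"
    site = f"{parts.scheme}://{parts.netloc}"  # assumed site-node naming
    return site, segments[:-1], f"{method}:{leaf}"


def build_sites_tree(urls, structural_params=frozenset()):
    """Build a nested dict mirroring the Sites tab: site -> folders -> leaves."""
    tree = {}
    for url in urls:
        site, folders, leaf = classify(url, structural_params)
        node = tree.setdefault(site, {})
        for folder in folders:
            node = node.setdefault(folder, {})
        node.setdefault(leaf, {})
    return tree


def leaf_nodes(tree):
    """Return the leaf node names; each one is a distinct node for ZAP to scan."""
    leaves = []
    for name, children in tree.items():
        leaves.extend(leaf_nodes(children) if children else [name])
    return leaves


def render(tree, indent=0):
    """Render the tree as indented lines, like the diagrams on this page."""
    lines = []
    for name, children in tree.items():
        lines.append("  " * indent + name)
        lines.extend(render(children, indent + 1))
    return lines


# Constructed sample input: the three single-page-application URLs from the page.
SPA_URLS = [
    "https://www.example.com/app/aaa?page=p1&ddd=eee",
    "https://www.example.com/app/aaa?page=p2&ddd=fff",
    "https://www.example.com/app/aaa?page=p3&ddd=ggg",
]

if __name__ == "__main__":
    print("Default (no structural parameters):")
    print("\n".join(render(build_sites_tree(SPA_URLS))))
    print("\nWith 'page' declared structural:")
    print("\n".join(render(build_sites_tree(SPA_URLS, {"page"}))))
```

With no structural parameters the three URLs produce a single leaf, GET:aaa(ddd,page), so an active scan would treat them as one target; declaring 'page' structural yields three leaves under a new 'aaa' folder, matching the diagram above. Comparing the number of leaf nodes before and after configuring the Context is a quick sanity check that the Sites tree reflects the application as you understand it.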
See also:
- Session Context Structure screen
- UI Overview for an overview of the user interface
- Features provided by ZAP
- Structural Modifiers: controls which change how ZAP represents the structure of the application
- Data Driven Content, which identify URL paths that represent data