Sometimes you need to exclude a parameter from being scanned during a web application security scan. This FAQ explains how to exclude any type of parameter from a scan with both Netsparker Desktop and the Netsparker Cloud online web application security scanner.
1. Configure the Scan Policy
Excluded parameters are specified in the Ignored Parameters setting of a Scan Policy. Use the Scan Policy Editor in Netsparker Desktop, or edit the Scan Policy in Netsparker Cloud, to exclude the parameters from a scan, as shown in the screenshot below.
2. Specify the Parameter to Exclude from the Scan
To exclude a parameter you need to specify the following:
Name: this is just a friendly name for your reference.
Pattern: the actual name of the parameter to be excluded from the scan. Pattern matching is case sensitive, so you have to use the exact capitalization of the parameter name. You can also use any of the following wildcards in the pattern:
? - any single character
* - zero or more characters
# - any single digit (0-9)
[charlist] - any single character in charlist
[!charlist] - do not match any of the characters specified in charlist
Type: Choose the parameter type, POST or GET. An entry applies to one type only, so if you want to ignore both the GET and the POST parameters matching a pattern, create two entries: one with Type POST and one with Type GET.
How to Exclude all GET or POST Parameters
If you want to exclude all parameters for a specific HTTP verb, for example the POST verb, you can add the following entry to the list of Ignored Parameters:
- Name: All POST Parameters
- Pattern: *
- Type: POST
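As an added illustration (example code, not Netsparker's own implementation), the matcher below applies the five wildcards listed above to a constructed Ignored Parameters list, including the catch-all POST entry, and shows why case and Type both have to line up. It assumes a pattern must cover the whole parameter name and that a charlist is a literal set of characters; neither detail is stated on this page.

```python
import re

# Wildcards from the FAQ's Pattern field:
#   ?  any single character          *  zero or more characters
#   #  any single digit (0-9)        [abc] one of the listed chars, [!abc] none of them
# Assumptions not stated on the page: a pattern must cover the whole parameter
# name, and a charlist is a literal set of characters (no a-z ranges).
def wildcard_to_regex(pattern: str):
    parts, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "?":
            parts.append(".")
        elif c == "*":
            parts.append(".*")
        elif c == "#":
            parts.append("[0-9]")
        elif c == "[":
            end = pattern.find("]", i + 1)
            if end == -1:
                raise ValueError(f"unterminated charlist in {pattern!r}")
            body = pattern[i + 1:end]
            negate = body.startswith("!")
            chars = body[1:] if negate else body
            if not chars:
                raise ValueError(f"empty charlist in {pattern!r}")
            # escape each member so ']', '^', '-' and '\' stay literal
            parts.append(("[^" if negate else "[") + "".join(map(re.escape, chars)) + "]")
            i = end
        else:
            parts.append(re.escape(c))  # literal text, case sensitive as the FAQ says
        i += 1
    return re.compile("".join(parts))  # deliberately no re.IGNORECASE

def is_ignored(name: str, method: str, rules) -> bool:
    """rules: (friendly name, pattern, type) triples; type is 'GET' or 'POST'."""
    return any(method == rtype and wildcard_to_regex(pat).fullmatch(name) is not None
               for _label, pat, rtype in rules)

# Constructed sample list (values invented for this example). The token is
# listed twice, once per Type, because a single entry covers only one verb.
RULES = [
    ("CSRF token (POST)", "__RequestVerificationToken", "POST"),
    ("CSRF token (GET)",  "__RequestVerificationToken", "GET"),
    ("Paging",            "page#",                      "GET"),
    ("Campaign tags",     "utm_*",                      "GET"),
    ("Debug toggles",     "dbg[!xy]",                   "GET"),
]
ALL_POST = [("All POST Parameters", "*", "POST")]  # the FAQ's catch-all entry
```

With these rules, `is_ignored("page3", "GET", RULES)` is true while `page33` and a POST parameter named `page3` are still scanned, and the lowercase `__requestverificationtoken` is not ignored because matching is case sensitive.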