Excluding Parameters from Web Security Scans

This FAQ explains how to exclude any type of parameter from a scan with both Netsparker Desktop and Netsparker Cloud online web application security solution.

The process involves two stages:

  1. Configuring the Scan Policy (see Create Own Scan Policies with Netsparker Scan Policy Editor)
  2. Specifying a Parameter to Exclude from the Scan

Specifying a Parameter to Exclude From a Scan

You can exclude parameters from scans. Each default Scan Policy contains a list, Excluded Parameters. You can edit existing excluded parameters or add new ones.

Excluded Parameters Definitions

For each parameter, Netsparker displays the following definitions.

Item Description Format Example
Name This is a name for your reference. This is a friendly name for the parameter. ASP Session ID (COOKIE)
Pattern This is the actual name of the parameter to be excluded from the scan. Pattern matching is case sensitive, so use the correct capitalization.
You can also use any of these pattern options to match the patterns in the parameter name:
●     ? - any single character
●     * - zero or more characters
●     # - any single digit (0-9)
●     [charlist] - any single character in charlist
●     [!charlist] - any single character not in charlist
See Pattern Options.		 ASPSESSIONID*
Type This is the parameter type. Select GET, POST, COOKIE or ALL. If you want to ignore GET and POST parameters with this name or match, create two entries, one with POST and one with GET. If you want to ignore GET, POST and COOKIE parameters, create one entry with ALL. COOKIE
How to Specify a Parameter to Exclude From a Scan
  1. Open the Ignore Parameters list:
  • In Netsparker Desktop:
    • In the Scan Policy Editor dialog, navigate to the Security Checks panel and select Ignored Parameters.

In the Scan Policy Editor dialog, navigate to the Security Checks panel and select Ignored Parameters.

  • In Netsparker Cloud:
    • From the Policies menu, select New Scan Policy, then Ignored Parameters.

From the dashboard menu, select Policies, then Ignored Parameters.

  1. The configured POST and GET Ignored Parameters list is displayed.
  1. Do the following:
  • Create a new parameter:
    • In Netsparker Desktop, click into the last (empty) row at the bottom of the list
    • In Netsparker Cloud, click New
  • Complete the NAME, PATTERN and TYPE definitions
  • Alternatively, edit the definitions of an existing parameter.
  1. In Netsparker Desktop, click OK. In Netsparker Cloud, click Save.
How to Specify all GET or POST Parameters in a Scan

You can exclude all parameters for a specific HTTP verb (for example, the POST verb).

Add the following entry to the list of Ignored Parameters:

  • Name: All POST Parameters
  • Pattern: *
  • Type: POST

Pattern Options

There are three pattern options:

  • Character Lists
  • Special Characters
  • Character Ranges

Character Lists

  • A group of one or more characters (charlist) enclosed in square brackets ([ ]) can be used to match any single character in a parameter, and can include almost any character code, including digits
  • An exclamation point (!) at the beginning of a charlist means that a match is made if any character, except the characters in charlist, is found in a parameter:
    • When used outside brackets, the exclamation point matches itself
Example
  • Name: foo
  • Pattern: foo[b]?[rz]

Special Characters

To match these special characters, enclose them in brackets:

  • Left square bracket ([)
  • Question mark (?)
  • Number (hash) symbol (#)
  • Asterisk (*)
Example
  • Name: foo#[]*?baz
  • Pattern: foo[#][[][]][*][?]baz

Character Ranges

  • By using a hyphen (-) to separate the lower and upper bounds of the range, charlist can specify a range of characters, for example:
    • [A-Z] results in a match if the corresponding character position in the parameter contains any character within the range A-Z
    • [!H-L] results in a match if the corresponding character position in the parameter contains any character outside the range H-L
  • When you specify a range of characters, they must appear in ascending sort order (from lowest to highest)
    • [A-Z] is a valid pattern; [Z-A] is not
Example
  • Name: foobar
  • Pattern: foo[a-c]?[!a-c]

Multiple Character Ranges

To specify multiple ranges for the same character position, put them within the same brackets, without delimiters:

  • [A-CX-Z] results in a match if the corresponding character position in the parameter contains any character within either the range A-C or X-Z
  • Example, Name: foo, Pattern: fooba[r-ty-z]

Use of the Hyphen

  • A hyphen (-) can appear either at the beginning (after an exclamation point, if any) or at the end of a charlist to match itself
  • In any other location, the hyphen identifies a range of characters delimited by the characters on either side of the hyphen
Tweet
Share
Share

SUBSCRIBE BY EMAIL

Get notified via email when new blog posts are published.

LEARN ABOUT

CATEGORIES

RELATED ARTICLES

Netsparker

Dead accurate, fast & easy-to-use Web Application Security Scanner

GET A DEMO
BACK TO TOP

NETSPARKER

USE CASES

WEB SECURITY

COMPANY

Netsparker Ltd

  • United Kingdom, (reg. no. 06947644)
  • USA Office: +1 415 877 4450
  • UK Office: +44 (0)20 3588 3840
  • contact@netsparker.com
Copyright © 2018 Netsparker Ltd. All rights reserved. | Privacy Policy | Data Protection Policy