How to Exclude Parts of Your Website from a Web Vulnerability Scan

When doing automated web vulnerability scans you might need to exclude a part of a web application from the scan. For example you do not want Netsparker Desktop or Netsparker Cloud to scan the contact form or guest book page on your production website.

Below are five different methods which you can use to exclude parts of your website from an automated web application security scan:

  1. Use the scan scope to define which parts of the target web applications should be crawled.
  2. Exclude the URLs from a crawl using Regular Expressions (part of the scan scope configuration).
  3. Exclude the parameters from a scan when configuring the Scan Policy.
  4. Do a controlled web application security scan.
  5. Exclude (or include) crawled resources after crawling and during the scan.

If you are new to Netsparker please read Before Using Netsparker.

NOTE: When a part of a web application is excluded from a web security scan it means that the Netsparker web vulnerability scanner WILL NOT SCAN that part of the web application for vulnerabilities. Therefore we suggest you to test any exclusion rules in doing this in your testing environment first so you are sure which parts of the web applications will be scanned.


Keep up to date with web security news from Netsparker