Advanced Scan Scope Settings

These are the advanced scan scope settings:

URLs and Case Sensitivity

By default, the Netsparker scanners do not differentiate between uppercase and lowercase URLs. Both of these URLs are treated as the same URL:

http://example.com/dir/index.php

http://example.com/DiR/IndEX.php

If you want to change this behaviour, tick the option Case Sensitive from the Scope node in the Scan Policy.

How to Set Case Sensitivity in the Scan Scope in Netsparker Standard

  1. Open Netsparker Standard.
  2. Click Scan Policy Editor in the Home window. The Scan Policy Editor - Default Security Checks dialog is displayed.
  3. Click Scope in the Scan Policy Editor menu. The Scope fields are displayed.
  4. Click Clone. The Scan Scope fields are displayed.
  5. Enable the Case Sensitive checkbox.
  6. Click OK.

Bypass Scope for Static Checks

The option Bypass Scope for Static Checks in the Scope settings of a Scan Policy is disabled by default. When enabled, Netsparker also makes requests for static-check resources that fall outside the configured scope.

To see which requests the scanner sends when this option is enabled, check the Static Resources group in the Security Checks section of the Scan Policy. For example:

If the target URL is http://example.com/scan-this-folder/ and the scope is Entered Path and Below, Netsparker makes the following requests to identify vulnerabilities covered by the static checks:

  • http://example.com/robots.txt
  • http://example.com/crossdomain.xml
  • http://example.com/phpMyadmin (Netsparker reports a finding if a phpMyAdmin installation for managing the MySQL database server is found)

Static checks do not include invasive requests, so in many cases it is a good idea to enable this option. However, it is disabled by default to avoid potential legal issues in tests conducted with strict scope.
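The two behaviours described above (case-insensitive URL comparison unless Case Sensitive is ticked, and the Bypass Scope for Static Checks exception to an Entered Path and Below scope) can be modelled in a few lines. The following is an added example written for this page, not Netsparker's own code; the function names and the STATIC_CHECK_PATHS list (only the three root-level probes the text lists) are assumptions. Scheme and host are always compared case-insensitively, since RFC 3986 defines them that way; only the path comparison is controlled by the option.

```python
from urllib.parse import urlsplit, urlunsplit

# Root-relative paths probed by the Static Resources checks. Constructed from
# the three examples on this page; the scanner's real list is longer.
STATIC_CHECK_PATHS = ("/robots.txt", "/crossdomain.xml", "/phpMyadmin")


def normalize(url: str, case_sensitive: bool = False) -> str:
    """Canonical form used for scope comparison.

    Scheme and host are lowercased unconditionally. The path is lowercased
    only when the Case Sensitive option is off (the documented default).
    Fragments never reach the server, so they are dropped.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    if not case_sensitive:
        path = path.lower()
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


def same_url(a: str, b: str, case_sensitive: bool = False) -> bool:
    """True if the scanner would treat a and b as the same URL."""
    return normalize(a, case_sensitive) == normalize(b, case_sensitive)


def in_scope(url: str, target: str, *, case_sensitive: bool = False,
             bypass_for_static: bool = False) -> bool:
    """Entered Path and Below scope check with the Bypass Scope for Static Checks option.

    The scope base is the directory part of the target URL. Anything under it is
    in scope; a root-level static-check path is additionally allowed only when
    bypass_for_static is True, and only on the same scheme and host.
    """
    u = urlsplit(normalize(url, case_sensitive))
    t = urlsplit(normalize(target, case_sensitive))
    if (u.scheme, u.netloc) != (t.scheme, t.netloc):
        return False  # a different host is never in scope, bypass or not
    base = t.path if t.path.endswith("/") else t.path.rsplit("/", 1)[0] + "/"
    if u.path.startswith(base):
        return True
    static = {p if case_sensitive else p.lower() for p in STATIC_CHECK_PATHS}
    return bypass_for_static and u.path in static


if __name__ == "__main__":
    target = "http://example.com/scan-this-folder/"
    print(same_url("http://example.com/dir/index.php", "http://example.com/DiR/IndEX.php"))
    print(in_scope("http://example.com/robots.txt", target))
    print(in_scope("http://example.com/robots.txt", target, bypass_for_static=True))
```

Note that the bypass only widens the scope to the fixed static-check paths; an arbitrary out-of-scope path such as http://example.com/other/ is still rejected, which is what makes the option safe to enable on engagements where the contract fixes the scope to a single directory.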

How to Set the Bypass Option in the Scan Scope in Netsparker Standard

  1. Open Netsparker Standard.
  2. Click Scan Policy Editor in the Home window. The Scan Policy Editor - Default Security Checks dialog is displayed.
  3. Click Scope in the Scan Policy Editor menu. The Scope fields are displayed.
  4. Click Clone. The Scan Scope fields are displayed.
  5. Enable the Bypass Scope for Static Checks checkbox.
  6. Click OK.

Excluding Pages and Files with Specific Content Types from a Scan

By default, Netsparker excludes a number of files from the scan based on their content type. For example, files such as PDFs and compressed archives do not need to be scanned during a web vulnerability scan. Netsparker checks the Content-Type HTTP header of each response and, if it matches an entry in the ignore list, skips the file.

You can also exclude additional files or pages from a scan based on their Content-Type header, or remove a content type from the default exclusions, using the Ignore These Content Types option in the Scope section when configuring a Scan Policy.

How to Exclude Pages and Files with Specific Content Types from a Scan in Netsparker Standard

  1. Open Netsparker Standard.
  2. Click Scan Policy Editor in the Home window. The Scan Policy Editor - Default Security Checks dialog is displayed.
  3. Click Scope in the Scan Policy Editor menu. The Scope fields are displayed.
  4. Click Clone. The Scan Scope fields are displayed.
  5. Tick the Enable Content-Type Checks checkbox. The Ignore These Content Types table is displayed.
  6. Add or delete content types as required.
  7. Click OK.

Excluding Advertising Networks from a Scan

During a scan, Netsparker loads the crawled pages into an internal browser to simulate specific DOM events (e.g. click, mouse over, form submit) in order to find more attack surface. If a page continuously loads resources from an advertising network, this increases the loading time and can even result in a timeout.

For this reason, by default Netsparker will block requests to known advertising networks during DOM simulation. You can disable this check at any time by disabling the option Block Ad Networks from the Scope section in the Scan Policy.

How to Exclude Advertising Networks from a Scan in Netsparker Standard

  1. Open Netsparker Standard.
  2. Click Scan Policy Editor in the Home window. The Scan Policy Editor - Default Security Checks dialog is displayed.
  3. Click Scope in the Scan Policy Editor menu. The Scope fields are displayed.
  4. Click Clone. The Scan Scope fields are displayed.
  5. Disable the Block Ad Networks checkbox.
  6. Click OK.