Excluding Parameters From a Scan

Netsparker scans are fully configurable, right down to excluding or including parameters. Both Netsparker Enterprise and Netsparker Standard maintain a list of currently Ignored Parameters. You can add, edit and remove items from this list.

Excluded Parameters Definitions

For each parameter in the Ignored Parameters list, Netsparker displays the following definitions.

How to Specify a Parameter to Exclude From a Scan

  1. First, open the Ignored Parameters list:
     • In Netsparker Enterprise:
       • From the main menu, select Policies, then New Scan Policy.
       • Click the Ignored Parameters tab.


     • In Netsparker Standard:
       • In the Scan Policy Editor dialog, navigate to the Security Checks panel and select Ignored Parameters.


  2. The configured POST and GET Ignored Parameters list is displayed.
  3. Do one of the following:
     • Create a new parameter:
       • In Netsparker Enterprise, click New.
       • In Netsparker Standard, click into the last (empty) row at the bottom of the list.
       • Complete the NAME, PATTERN and TYPE definitions.
     • Alternatively, edit the definitions of an existing parameter.
  4. In Netsparker Enterprise, click Save. In Netsparker Standard, click OK.

How to Exclude All GET or POST Parameters From a Scan

You can exclude all parameters for a specific HTTP verb (for example, the POST verb).

Add the following entry to the list of Ignored Parameters:

  • Name: All POST Parameters
  • Pattern: *
  • Type: POST

Pattern Options

There are three pattern options:

  • Character Lists
  • Special Characters
  • Character Ranges

Character Lists

  • A group of one or more characters (a charlist) enclosed in square brackets ([ ]) matches any single character at that position in the parameter name; the charlist can include almost any character code, including digits.
  • An exclamation point (!) at the beginning of a charlist inverts it: the position matches if it contains any character except those in the charlist.
    • When used outside brackets, the exclamation point matches itself.

Example

  • Name: foo
  • Pattern: foo[b]?[rz]

Special Characters

To match these special characters, enclose them in brackets:

  • Left square bracket ([)
  • Question mark (?)
  • Number (hash) symbol (#)
  • Asterisk (*)

Example

  • Name: foo#[]*?baz
  • Pattern: foo[#][[][]][*][?]baz

Character Ranges

  • By using a hyphen (-) to separate the lower and upper bounds of the range, a charlist can specify a range of characters, for example:
    • [A-Z] results in a match if the corresponding character position in the parameter contains any character within the range A-Z
    • [!H-L] results in a match if the corresponding character position in the parameter contains any character outside the range H-L
  • When you specify a range of characters, they must appear in ascending sort order (from lowest to highest):
    • [A-Z] is a valid pattern; [Z-A] is not

Example

  • Name: foobar
  • Pattern: foo[a-c]?[!a-c]

Multiple Character Ranges

To specify multiple ranges for the same character position, put them within the same brackets, without delimiters:

  • [A-CX-Z] results in a match if the corresponding character position in the parameter contains any character within either the range A-C or X-Z

Example

  • Name: foo
  • Pattern: fooba[r-ty-z]

Use of the Hyphen

  • A hyphen (-) can appear either at the beginning (after an exclamation point, if any) or at the end of a charlist to match itself
  • In any other location, the hyphen identifies a range of characters delimited by the characters on either side of the hyphen
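As an added illustration (not Netsparker's own matching code), the following Python translates an Ignored Parameters pattern into a regular expression using the rules from Pattern Options and Use of the Hyphen above, then applies a constructed rule list that includes the All POST Parameters entry. It assumes that an unbracketed # matches any single digit and that a ] placed first inside a charlist is literal, as in the Visual Basic Like operator whose syntax these rules mirror; neither point is stated on the page.

```python
import re

# Unbracketed wildcards. "*" and "?" follow the page's examples; "#" = any single digit is
# assumed (the rules match the Visual Basic Like operator, where "#" has that meaning).
WILDCARDS = {"*": ".*", "?": ".", "#": r"\d"}

def charlist_to_regex(body: str, negate: bool) -> str:
    """Translate the inside of [ ] into a regex class, enforcing the hyphen and range rules."""
    cls = []
    for idx, ch in enumerate(body):
        if ch == "-" and 0 < idx < len(body) - 1:       # interior hyphen separates a range
            lo, hi = body[idx - 1], body[idx + 1]
            if lo > hi:
                raise ValueError(f"range {lo}-{hi} must be in ascending order")
            cls.append("-")
        else:                                           # leading/trailing hyphen, [, ], *, ?, #: literal
            cls.append(re.escape(ch))
    return "[" + ("^" if negate else "") + "".join(cls) + "]"

def like_to_regex(pattern: str) -> str:
    """Translate a whole Ignored Parameters pattern into a regular expression."""
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "[":
            j = i + 1 + (pattern[i + 1:i + 2] == "!")   # skip a leading "!" (negated charlist)
            # assumption: a "]" directly after "[" or "[!" is a literal member, so search past it
            k = pattern.find("]", j + 1 if pattern[j:j + 1] == "]" else j)
            if k != -1:
                out.append(charlist_to_regex(pattern[j:k], pattern[i + 1] == "!"))
                i = k + 1
                continue
        out.append(WILDCARDS.get(c) or re.escape(c))    # an unclosed "[" is a plain character
        i += 1
    return "".join(out)

def matches(param_name: str, pattern: str) -> bool:
    """True if the whole parameter name matches the pattern."""
    return re.fullmatch(like_to_regex(pattern), param_name) is not None

# Constructed rule list in the page's Name / Pattern / Type shape (not Netsparker's own data).
RULES = [
    {"name": "All POST Parameters", "pattern": "*", "type": "POST"},
    {"name": "foo", "pattern": "foo[b]?[rz]", "type": "GET"},
]

def is_excluded(param_name: str, method: str, rules=RULES) -> bool:
    """True if a rule for this HTTP method matches the parameter name, i.e. it would not be scanned."""
    return any(r["type"] == method and matches(param_name, r["pattern"]) for r in rules)
```

Running the page's own examples through matches() shows which names each pattern covers, and is_excluded() shows how a single * entry of type POST silences every POST parameter while leaving GET parameters in scope.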
