Netsparker scans are fully configurable, right down to excluding or including parameters. Both Netsparker Enterprise and Netsparker Standard maintain a list of currently Ignored Parameters. You can add, edit and remove items from this list.
Excluded Parameters Definitions
For each ignored parameter, Netsparker stores three definitions: NAME (a label for the entry), PATTERN (the literal name or wildcard pattern that parameter names are matched against) and TYPE (whether the entry applies to GET or POST parameters).
How to Specify a Parameter to Exclude From a Scan
- First, open the Ignored Parameters list:
- In Netsparker Enterprise:
- From the main menu, select Policies, then New Scan Policy.
- Click the Ignored Parameters tab.
- In Netsparker Standard:
- In the Scan Policy Editor dialog, navigate to the Security Checks panel and select Ignored Parameters.
- The configured POST and GET Ignored Parameters list is displayed.
- Do the following:
- Create a new parameter:
- In Netsparker Enterprise, click New
- In Netsparker Standard, click into the last (empty) row at the bottom of the list
- Complete the NAME, PATTERN and TYPE definitions
- Alternatively, edit the definitions of an existing parameter.
- Save the scan policy:
- In Netsparker Enterprise, click Save. In Netsparker Standard, click OK.
How to Exclude All GET or POST Parameters from a Scan
You can exclude every parameter sent with a specific HTTP verb (for example, the POST verb). Be aware that this removes all POST parameters from attack coverage, so no injection or other security checks are run against POST request bodies; where possible, prefer a narrower pattern that matches only the parameters you need to skip (for example, a framework token that breaks when tampered with).
Add the following entry to the list of Ignored Parameters:
- Name: All POST Parameters
- Pattern: *
- Type: POST
The Pattern field is matched against the whole parameter name. Outside brackets, an asterisk (*) matches any sequence of characters (which is why the pattern * above matches every parameter), a question mark (?) matches any single character and a number sign (#) matches any single digit. Inside brackets there are three charlist options:
- A group of one or more characters (charlist) enclosed in square brackets ([ ]) can be used to match any single character at that position in the parameter name, and can include almost any character code, including digits
- An exclamation point (!) at the beginning of a charlist means that a match is made if any character, except the characters in charlist, is found at that position in the parameter name:
- When used outside brackets, the exclamation point matches itself
- Example, Name: foo, Pattern: foo[b]?[rz] (matches foobar and foobaz, but not foobax)
To match these special characters, enclose them in brackets:
- Left square bracket ([)
- Question mark (?)
- Number (hash) symbol (#)
- Asterisk (*)
- Name: foo#*?baz
- Pattern: foo[#][][*][?]baz
- By using a hyphen (-) to separate the lower and upper bounds of the range, charlist can specify a range of characters, for example:
- [A-Z] results in a match if the corresponding character position in the parameter contains any character within the range A-Z
- [!H-L] results in a match if the corresponding character position in the parameter contains any character outside the range H-L
- When you specify a range of characters, they must appear in ascending sort order (from lowest to highest)
- [A-Z] is a valid pattern; [Z-A] is not
- Name: foobar
- Pattern: foo[a-c]?[!a-c]
Multiple Character Ranges
To specify multiple ranges for the same character position, put them within the same brackets, without delimiters:
- [A-CX-Z] results in a match if the corresponding character position in the parameter contains any character within either the range A-C or X-Z
- Example, Name: foo, Pattern: fooba[r-ty-z]
Use of the Hyphen
- A hyphen (-) can appear either at the beginning (after an exclamation point, if any) or at the end of a charlist to match itself
- In any other location, the hyphen identifies a range of characters delimited by the characters on either side of the hyphen
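The following matcher is an added example, not code from Netsparker or its documentation. It implements the pattern rules described above (charlists, ! negation, ascending ranges, literal hyphens at the start or end of a charlist, bracketed special characters, and the * and ? wildcards) and then applies a sample Ignored Parameters list the way the scanner does: an entry applies only to its TYPE, and the pattern must match the full parameter name. Two points are assumptions rather than statements from the page: an unbracketed # is treated as matching a single digit, and an empty charlist ([]) matches a zero-length string, which is what makes the page's own foo[#][][*][?]baz example match foo#*?baz. The GET type on the two foo entries is also assumed, since the page gives their names and patterns but not their type. validate_list is a lint check for malformed entries such as a descending range like [Z-A].

```python
import re

# Constructed sample Ignored Parameters list, mirroring the page's NAME /
# PATTERN / TYPE columns. The GET type on the two "foo" entries is an
# assumption: the page gives their names and patterns but not their type.
IGNORED_PARAMETERS = [
    {"name": "All POST Parameters", "pattern": "*", "type": "POST"},
    {"name": "foo", "pattern": "foo[b]?[rz]", "type": "GET"},
    {"name": "foobar", "pattern": "foo[a-c]?[!a-c]", "type": "GET"},
]


def charlist_to_regex(charlist: str) -> str:
    """Translate the contents of one [...] group into a regex character class."""
    if charlist == "":
        return ""  # assumption: an empty charlist ([]) matches a zero-length string
    negate = charlist.startswith("!")
    if negate:
        charlist = charlist[1:]
        if charlist == "":
            raise ValueError("empty negated charlist [!]")
    parts = []
    i, n = 0, len(charlist)
    while i < n:
        c = charlist[i]
        if c == "-" and (i == 0 or i == n - 1):
            # a hyphen first (after any !) or last in the charlist matches itself
            parts.append(re.escape("-"))
            i += 1
        elif i + 2 < n and charlist[i + 1] == "-":
            # anywhere else a hyphen delimits a range, which must be ascending
            lo, hi = c, charlist[i + 2]
            if lo > hi:
                raise ValueError(f"range {lo}-{hi} is not in ascending order")
            parts.append(f"{re.escape(lo)}-{re.escape(hi)}")
            i += 3
        else:
            parts.append(re.escape(c))
            i += 1
    return "[" + ("^" if negate else "") + "".join(parts) + "]"


def pattern_to_regex(pattern: str) -> str:
    """Translate a whole Ignored Parameters pattern into a Python regex.

    Outside brackets: * = any run of characters, ? = one character and
    # = one digit (the digit meaning of # is an assumption; the page only says
    # must be bracketed to match literally). Everything else matches itself.
    """
    out = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        elif c == "#":
            out.append("[0-9]")
        elif c == "[":
            close = pattern.find("]", i + 1)
            if close == -1:
                raise ValueError(f"unterminated charlist at offset {i}")
            out.append(charlist_to_regex(pattern[i + 1:close]))
            i = close
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def matches(pattern: str, param_name: str) -> bool:
    """True if the whole parameter name matches the pattern."""
    return re.fullmatch(pattern_to_regex(pattern), param_name, re.DOTALL) is not None


def is_ignored(param_name: str, http_method: str, ignored=IGNORED_PARAMETERS) -> bool:
    """Apply the list as the scanner does: an entry only applies to its TYPE
    (GET or POST) and its pattern must match the full parameter name."""
    return any(
        entry["type"] == http_method.upper() and matches(entry["pattern"], param_name)
        for entry in ignored
    )


def validate_list(ignored=IGNORED_PARAMETERS) -> list:
    """Return (name, error) pairs for entries whose pattern is malformed."""
    problems = []
    for entry in ignored:
        try:
            pattern_to_regex(entry["pattern"])
        except ValueError as exc:
            problems.append((entry["name"], str(exc)))
    return problems


if __name__ == "__main__":
    for method, name in [("POST", "password"), ("GET", "foobar"), ("GET", "search")]:
        print(f"{method} {name}: {'ignored' if is_ignored(name, method) else 'tested'}")
    print(validate_list([{"name": "bad", "pattern": "[Z-A]", "type": "GET"}]))
```

Running validate_list over a policy's Ignored Parameters before a scan catches entries that silently match nothing, and running is_ignored over the parameter names seen in a crawl shows exactly which inputs the policy has taken out of attack coverage, which is the check to do before trusting a pattern as broad as * on POST.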