Excluding Parameters From a Scan

Netsparker scans are fully configurable, right down to excluding or including parameters. Both Netsparker Enterprise and Netsparker Standard maintain a list of currently Ignored Parameters. You can add, edit and remove items from this list.

Excluded Parameters Definitions

For each parameter in the list, Netsparker displays its Name, Pattern and Type definitions.

How to Specify a Parameter to Exclude From a Scan

  1. Open the Ignored Parameters list:
    • In Netsparker Enterprise:
      • From the main menu, select Policies, then New Scan Policy.
      • Click the Ignored Parameters tab.
    • In Netsparker Standard:
      • In the Scan Policy Editor dialog, navigate to the Security Checks panel and select Ignored Parameters.
  2. The configured POST and GET Ignored Parameters list is displayed.
  3. Do the following:
    • Create a new parameter:
      • In Netsparker Enterprise, click New.
      • In Netsparker Standard, click into the last (empty) row at the bottom of the list.
    • Complete the NAME, PATTERN and TYPE definitions.
    • Alternatively, edit the definitions of an existing parameter.
  4. In Netsparker Enterprise, click Save. In Netsparker Standard, click OK.

How to Exclude All GET or POST Parameters From a Scan

You can exclude all parameters for a specific HTTP verb (for example, the POST verb).

Add the following entry to the list of Ignored Parameters:

  • Name: All POST Parameters
  • Pattern: *
  • Type: POST

Pattern Options

There are three pattern options:

Character Lists

  • A group of one or more characters (charlist) enclosed in square brackets ([ ]) can be used to match any single character in a parameter, and can include almost any character code, including digits.
  • An exclamation point (!) at the beginning of a charlist means that a match is made if any character, except the characters in charlist, is found in a parameter.
    • When used outside brackets, the exclamation point matches itself.

Example

  • Name: foo
  • Pattern: foo[b]?[rz]

Special Characters

To match these special characters, enclose them in brackets:

  • Left square bracket ([)
  • Question mark (?)
  • Number (hash) symbol (#)
  • Asterisk (*)

Example

  • Name: foo#[]*?baz
  • Pattern: foo[#][[][]][*][?]baz

Character Ranges

  • By using a hyphen (-) to separate the lower and upper bounds of the range, charlist can specify a range of characters, for example:
    • [A-Z] results in a match if the corresponding character position in the parameter contains any character within the range A-Z.
    • [!H-L] results in a match if the corresponding character position in the parameter contains any character outside the range H-L.
  • When you specify a range of characters, they must appear in ascending sort order (from lowest to highest):
    • [A-Z] is a valid pattern; [Z-A] is not.

Example

  • Name: foobar
  • Pattern: foo[a-c]?[!a-c]

Multiple Character Ranges

To specify multiple ranges for the same character position, put them within the same brackets, without delimiters:

  • [A-CX-Z] results in a match if the corresponding character position in the parameter contains any character within either the range A-C or X-Z.

Example

  • Name: foo
  • Pattern: fooba[r-ty-z]

Use of the Hyphen

  • A hyphen (-) can appear either at the beginning (after an exclamation point, if any) or at the end of a charlist to match itself.
  • In any other location, the hyphen identifies a range of characters delimited by the characters on either side of the hyphen.
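The pattern rules above, applied in code: this Python matcher is an added example, not Netsparker's own implementation, and it lets you check which parameter names a rule would silence before you add it to a scan policy (an over-broad pattern leaves those parameters untested). It assumes VB-style Like semantics for the characters the page does not define (? matches one character, * any run of characters, # one digit), and the rule list is constructed sample data.

```python
import re

# Constructed rule list in the page's NAME / PATTERN / TYPE shape; the first matching rule wins.
RULES = [
    ("All POST Parameters", "*", "POST"),
    ("foo", "foo[b]?[rz]", "GET"),
    ("foo#[]*?baz", "foo[#][[][]][*][?]baz", "GET"),
    ("foobar", "foo[a-c]?[!a-c]", "GET"),
]

def pattern_to_regex(pattern):
    """Translate an Ignored Parameters pattern into an anchored regex. Assumed VB-style
    Like semantics (the page spells out only the bracket rules): ? = one char, * = any
    run, # = one digit, [list] = one listed char, [!list] = one char not listed."""
    parts, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c != "[":  # outside brackets, "!" and other plain characters match themselves
            parts.append({"?": ".", "*": ".*", "#": "[0-9]"}.get(c, re.escape(c)))
            i += 1
            continue
        end = pattern.index("]", i + 1)  # raises ValueError on an unterminated charlist
        body, i = pattern[i + 1:end], end + 1
        if not body:  # "[]" matches nothing; a "]" that follows it is then literal
            continue
        negate = len(body) > 1 and body[0] == "!"  # "[!]" alone is a literal "!"
        if negate:
            body = body[1:]
        cls = []
        for k, ch in enumerate(body):
            if ch == "-" and 0 < k < len(body) - 1:  # range; leading/trailing "-" is literal
                if body[k - 1] > body[k + 1]:
                    raise ValueError("range %s is not ascending" % body[k - 1:k + 2])
                cls.append("-")
            else:
                cls.append(re.escape(ch))  # special characters inside brackets are literal
        parts.append("[" + ("^" if negate else "") + "".join(cls) + "]")
    return "".join(parts)

def matches(pattern, name):
    """True if this parameter name would be ignored by the pattern."""
    return re.fullmatch(pattern_to_regex(pattern), name) is not None

def excluding_rule(rules, method, name):
    """NAME of the first rule that drops the parameter from the scan, or None."""
    for rule_name, pattern, rule_type in rules:
        if rule_type.upper() == method.upper() and matches(pattern, name):
            return rule_name
    return None
```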