Bypass Scope for Static Checks

The option Bypass scope for Static Checks in the Scope settings of a Scan Policy is disabled by default. When enabled, Netsparker will make requests to resources which are out of scope.

The setting to bypass the Scan Scope when performing Static Checks

To get an idea of what type of requests the scanner will be doing when such option is enabled check the Static Resources group in the Security Checks section of the Scan Policy. For example;

If target url is http://example.com/scan-this-folder/ and scope is Entered Path and Below, Netsparker will make the following requests to possibly identify vulnerabilities from static checks:

  • http://example.com/robots.txt
  • http://example.com/crossdomain.xml
  • http://example.com/phpMyadmin (Netsparker will report if there is a phpMyadmin installed to manage MySQL database server)

Static checks do not include invasive requests, so in many cases it is a good idea to enable this option. However it is disabled by default to avoid potential legal issues in tests conducted with strict scope.

Previous Page Next Page