Step 2: Filtering URLs in the Scan Scope

You can exclude or include URLs in the Scan Scope by entering regular expressions in the Exclude URLs with RegEx section, highlighted in the screenshot below.

Excluding or Including URLs in a scan with the Scan Scope

You can either exclude or include URLs in a scan, not both at once. By default the Exclude option is selected and three predefined regular expressions are listed. They match URLs that could end an authenticated session, such as logout links. When Netsparker finds a URL that matches one of these regular expressions it neither crawls nor scans that page, so the scanner is not logged out part way through the scan.

Note: When you use the Include option, Netsparker will ONLY crawl and scan the URLs that match those regular expressions; everything else on the site is left out of the scan.

How to Write Regular Expressions to Include/Exclude URLs?

You do not need to be an expert in regular expressions to filter URLs. All you need to know is that a few characters have a special meaning inside a regular expression, so when one of them appears literally in a URL you must escape it with a backslash. The characters to watch for are ( ) | . * + - ? and also the backslash itself, square brackets [ ], curly braces { }, ^ and $. Strictly speaking the hyphen is only special inside square brackets, but escaping it everywhere is harmless and keeps the rule simple.

Therefore, if the URL for which you want to write a regex contains one of those characters, just put a backslash in front of it. Read the Wikipedia article on Regular Expressions for more information.

Example of How to Filter URLs with RegEx

In a typical logged in session there is a link on all pages that allows the user to log out, such as:

<a href="session-end.php">Logout</a>

If Netsparker crawls this link during the scan it will end the session, and every page requested afterwards will be the logged-out version. Therefore, to ensure the scanner covers all the authenticated pages you need to exclude that URL from the scan. To do so, write a regular expression that matches the URL session-end.php. Since it contains special characters (a hyphen and a dot) that need to be escaped, the regular expression should be:

session\-end\.php

Notice the backslash used to escape the - and the . characters. Without the backslash the dot would match any single character, so the pattern would also match URLs such as session-end_php that you did not intend to exclude. If, on the other hand, you want to make sure Netsparker always crawls and scans such a URL, use the same regular expression and tick the Include option; remember that with Include selected only matching URLs are scanned, so you would normally add patterns for the rest of the site as well.
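The following is an added example, not Netsparker's own code, showing the two rules from this page in action: escaping the special characters of a literal URL, and the difference between Exclude mode (drop matching URLs) and Include mode (scan only matching URLs). It uses Python's re module rather than Netsparker's engine, assumes patterns are unanchored (they may match anywhere in the URL), and runs over a constructed list of crawled URLs; the pattern names and URLs are invented for the demonstration.

```python
import re

# Characters that have a special meaning in a regular expression and must be
# escaped with a backslash when they appear literally in a URL. The page lists
# ( ) | . * + - ? ; backslash, brackets, braces, ^ and $ are added because
# they are special in every common engine (the hyphen is only special inside
# brackets, but escaping it everywhere is harmless).
SPECIAL_CHARS = set("()|.*+-?[]{}^$\\")


def regex_for_url(fragment: str) -> str:
    """Return a regular expression that matches `fragment` literally."""
    return "".join("\\" + ch if ch in SPECIAL_CHARS else ch for ch in fragment)


def filter_scan_scope(urls, patterns, mode="exclude"):
    """Apply Scan Scope filtering the way the page describes it.

    mode="exclude": URLs matching any pattern are left out of the scan.
    mode="include": only URLs matching at least one pattern are scanned.
    Assumption: patterns are unanchored, so they may match anywhere in the URL.
    """
    if mode not in ("exclude", "include"):
        raise ValueError("mode must be 'exclude' or 'include'")
    compiled = [re.compile(p) for p in patterns]

    def hit(url):
        return any(c.search(url) for c in compiled)

    keep = (lambda u: not hit(u)) if mode == "exclude" else hit
    return [u for u in urls if keep(u)]


# Constructed crawl result for the demonstration (not real scan output).
CRAWLED = [
    "http://example.com/",
    "http://example.com/account/profile.php",
    "http://example.com/session-end.php",
    "http://example.com/session-end.php?confirm=1",
    "http://example.com/session-endXphp",
    "http://example.com/admin/users.php",
]


def exclude_logout_escaped():
    """Escaped pattern: only the real logout URLs are dropped from the scan."""
    return filter_scan_scope(CRAWLED, [regex_for_url("session-end.php")], "exclude")


def exclude_logout_unescaped():
    """Unescaped pattern: the '.' also matches 'X', so an unrelated URL is dropped too."""
    return filter_scan_scope(CRAWLED, ["session-end.php"], "exclude")


def include_admin_only():
    """Include mode: everything outside /admin/ is left out of the scan."""
    return filter_scan_scope(CRAWLED, [r"^https?://example\.com/admin/"], "include")


if __name__ == "__main__":
    print("regex for session-end.php:", regex_for_url("session-end.php"))
    for name, fn in [("exclude (escaped)", exclude_logout_escaped),
                     ("exclude (unescaped)", exclude_logout_unescaped),
                     ("include /admin/", include_admin_only)]:
        print(f"\n{name}:")
        for u in fn():
            print("  ", u)
```

The unescaped run is the pitfall the page warns about: `session-end.php` used as-is silently removes any URL where some other character sits where the dot is. The include run shows why Include mode needs patterns for everything you want scanned, not just the logout link.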