Scan Scope Exceptions

It is important to point out that there are some exceptions during which Netsparker ignores the Scan Scope configuration. These are highlighted below:

  • During authentication: most of the time, successful or failed login attempts are redirected to a page that may be out of scope. In this case the scanner still needs to crawl that page to check whether or not the authentication succeeded. For this reason, Netsparker does not check the Scan Scope configuration during authentication requests.
  • The target URL to scan is never checked against the scope. Only the pages crawled from the target URL are checked.
  • The scanner will request JavaScript files that are located on external domains (common in a CDN setup) while performing JavaScript (DOM) Simulation (parsing) and DOM XSS attacks, regardless of the Scan Scope configuration.
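To make the three exceptions concrete, the following is an added Python model of the scope rules described above; it is not Netsparker's code, and the prefix-based scope format, the phase labels ("auth", "crawl", "dom") and the sample URLs are assumptions. It predicts which requests will leave the configured scope, which helps when agreeing a scope with the application owner or reviewing scanner traffic in web server logs.

```python
from urllib.parse import urlparse

# Constructed example scope: the target URL and the URL prefixes the scan is limited to.
TARGET = "https://app.example.com/portal/"
SCOPE_PREFIXES = ("https://app.example.com/portal/",)

# Phase labels are assumptions used only by this model:
# "auth" = authentication requests, "crawl" = normal crawling,
# "dom"  = JavaScript (DOM) simulation and DOM XSS checks.

def in_configured_scope(url: str) -> bool:
    """The plain scope rule: the URL must start with one of the configured prefixes."""
    return url.startswith(SCOPE_PREFIXES)

def is_external_script(url: str) -> bool:
    """A .js resource hosted on a different domain than the target (e.g. a CDN)."""
    parsed = urlparse(url)
    return parsed.path.endswith(".js") and parsed.netloc != urlparse(TARGET).netloc

def will_be_requested(url: str, phase: str) -> bool:
    """Apply the scope rule together with the three exceptions from the text."""
    if url == TARGET:
        return True                      # the target URL itself is never scope-checked
    if phase == "auth":
        return True                      # authentication requests bypass the scope check
    if phase == "dom" and is_external_script(url):
        return True                      # external JavaScript is fetched during DOM simulation
    return in_configured_scope(url)      # everything else follows the configured scope

def out_of_scope_traffic(planned: list[tuple[str, str]]) -> list[str]:
    """URLs the scanner will request even though they lie outside the configured scope."""
    return [url for url, phase in planned
            if will_be_requested(url, phase) and not in_configured_scope(url)]

# Constructed sample of URLs the scanner might encounter, with the phase each belongs to.
PLANNED = [
    (TARGET, "crawl"),
    ("https://app.example.com/portal/dashboard", "crawl"),
    ("https://app.example.com/admin/", "crawl"),
    ("https://sso.example.com/login", "auth"),
    ("https://cdn.example.net/lib/app.min.js", "dom"),
    ("https://cdn.example.net/lib/app.min.js", "crawl"),
]

if __name__ == "__main__":
    for url in out_of_scope_traffic(PLANNED):
        print("expect out-of-scope request:", url)
```

The model assumes external JavaScript is fetched only during the DOM phase; during plain crawling it treats such URLs like any other out-of-scope resource.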