On this page, you can set the exclusions that define which links to scan and which to ignore for all web applications in your subscription. You can define an Allow List, an Exclude List, a POST Data Exclude List, and a logout regular expression; links that match the logout expression are not scanned.
This list identifies the links (URLs) in the web application that you want to be scanned. For each string specified, the crawler performs a string match against each link it encounters. When a match is found, the crawler submits a request for the link. When there is an allow list only (no exclude list), no links are crawled unless they match an allow list entry.
The allow list can consist of URLs and/or regular expressions.
URLs - Select the check box to enter the URLs for the allow list. Each URL must be a fully qualified domain name. Enter each URL on a new line. You can enter a maximum of 2048 characters for each URL.
Regular Expressions - Select the check box to enter regular expressions for the allow list. Enter each regular expression on a new line. For example, specify /my/path/.* for all URLs under the /my/path/ directory. You can enter a maximum of 2048 characters for each regular expression.
This list identifies the links (URLs) in the web application that you do not want to be scanned. For each string specified, the crawler performs a string match against each link it encounters. When a match is found, the crawler does not submit a request for the link unless the link also matches an allow list entry.
The exclude list can consist of URLs and/or regular expressions.
URLs - Select the check box to enter URLs for the exclude list. Each URL must be a fully qualified domain name. Enter each URL on a new line. You can enter a maximum of 2048 characters for each URL.
Regular Expressions - Select the check box to enter regular expressions for the exclude list. Enter each regular expression on a new line. For example, specify /my/path/.* for all URLs under the /my/path/ directory. You can enter a maximum of 2048 characters for each regular expression.
IPs - Select the check box to enter a list of IPs, IP subnets, or IP ranges.
This list identifies POST requests with a body for which you want to block form submission, because submitting them could have unwanted side effects such as mass emailing. Each entry in the POST Data Black List should match something that appears in the body of the POST request. When entries are specified, our service blocks form submission for any POST request whose body matches an entry and does not submit the blocked POST data (for example, form fields) during any scan phase.
Regular Expressions - Select the check box to set up a list of POST request bodies for the form submissions you want to block. Specify each entry on a separate line in the field provided. You can enter a maximum of 2048 characters for each entry.
The logout regular expression lists the logout links you want to exclude from scanning.
Regular Expressions - Select the check box to set up a list of regular expressions that identify the logout links you want to exclude from scanning. Enter each regular expression on a separate line in the field provided. You can enter a maximum of 2048 characters for each regular expression.
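To make the precedence rules above concrete, here is an added Python model of the crawl and form-submission decisions as the page describes them; it is not Qualys code, and the class fields, the substring-versus-regex matching and the sample links are assumptions. Where the page is silent (both lists defined and a link matches neither), it assumes the allow list governs.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Exclusions:
    """One web application's exclusion settings (field names are assumptions)."""
    allow_urls: list = field(default_factory=list)    # plain string match
    allow_regex: list = field(default_factory=list)   # regular expressions
    exclude_urls: list = field(default_factory=list)
    exclude_regex: list = field(default_factory=list)
    logout_regex: list = field(default_factory=list)
    post_data_regex: list = field(default_factory=list)


def _matches(link, urls, regexes):
    # URL entries are matched as substrings, regex entries with re.search().
    return any(u in link for u in urls) or any(re.search(r, link) for r in regexes)


def should_crawl(link, ex):
    """Logout links are never requested; with an allow list present a link must
    match it; an exclude-list hit is skipped unless it also matches an allow entry."""
    if any(re.search(r, link) for r in ex.logout_regex):
        return False
    allowed = _matches(link, ex.allow_urls, ex.allow_regex)
    if (ex.allow_urls or ex.allow_regex) and not allowed:
        return False
    if _matches(link, ex.exclude_urls, ex.exclude_regex) and not allowed:
        return False
    return True


def should_submit_post(body, ex):
    """A POST body matching any POST data exclusion entry is never submitted."""
    return not any(re.search(r, body) for r in ex.post_data_regex)


# Constructed sample configuration and links (not taken from a real scan).
SETTINGS = Exclusions(
    allow_urls=["https://app.example.com/my/path/"],
    exclude_regex=[r"/my/path/reports/.*"],
    logout_regex=[r"(?i)/(logout|signoff)\b"],
    post_data_regex=[r"send_newsletter=1"],
)
LINKS = [
    "https://app.example.com/my/path/index",
    "https://app.example.com/my/path/reports/export",  # excluded, but also allowed
    "https://app.example.com/other/page",              # allow list present, no match
    "https://app.example.com/my/path/logout",          # logout expression
]


def crawl_decisions(settings=SETTINGS, links=LINKS):
    return {link: should_crawl(link, settings) for link in links}
```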
Define the parameter exclusion records to be used by default when scanning this web application. You can add multiple values. Exclusions can be defined for URL parameters, request body parameters, or cookies.
Is Regex - Select Yes or No to define whether the parameter is specified as a regular expression or as a literal value; then select the type and enter the regular expression or parameter value.
Type - You can select a type: ANY, COOKIE, POST, URL.
Based on the value set in Is Regex field, enter a Regular Expression or Parameter Value.
You can choose to define exclusion lists globally across your subscription or per web application.
At the web application level - You can define an exclusion list while creating or editing a web application and then start the scan.
At a global level - You can define global exclusion lists if you want to block IP addresses. Define the exclusions under Global Settings > Exclusions and then start the scan.
Web application and Global level - You can configure an exclusion list at both levels. The global settings and web app settings are combined and applied during scanning.