Audit Settings: Attack Exclusions
To access this feature, click the Edit menu and select Default Scan Settings or Current Scan Settings. Then, in the Audit Settings category, select Attack Exclusions.
Excluded Parameters
Use this feature to prevent Fortify WebInspect from using certain parameters in the HTTP request to attack the Web site. This feature is used most often to avoid corrupting query and POSTDATA parameters.
Adding Parameters to Exclude
To prevent certain parameters from being modified:
- In the Excluded Parameters group, click Add. The Specify HTTP Exclusions window opens.
- In the HTTP Parameter box, enter the name of the parameter you want to exclude. Click the icon next to the box to insert regular expression notations.
- Choose the area in which the parameter may be found: HTTP query data or HTTP POST data. You can select both areas, if necessary.
- Click OK.
Excluded Cookies
Use this feature to prevent Fortify WebInspect from using certain cookies in the HTTP request to attack the Web site. This feature is used to avoid corrupting cookie values.
This setting requires you to enter the name of a cookie.
In the following example HTTP response, the name of the cookie is "FirstCookie."
Set-Cookie: FirstCookie=Chocolate+Chip; path=/
Excluding Certain Cookies
To exclude certain cookies:
- In the Excluded Cookies group, click Add. The Regular Expression Editor appears.
  Note: You can specify a cookie using either a text string or a regular expression.
- To enter a text string:
  - In the Expression box, type a cookie name.
  - Click OK.
- To enter a regular expression:
  - In the Expression box, type or paste a regular expression that you believe will match the text for which you are searching. Click the icon next to the box to insert regular expression notations.
  - In the Comparison Text box, type or paste the text that is known to contain the string you want to find (as specified in the Expression box).
  - To find only those occurrences matching the case of the expression, select the Match Case check box.
  - If you want to replace the string identified by the regular expression, select the Replace check box and then type or select a string from the Replace box.
  - Click Test to search the comparison text for strings that match the regular expression. Matches will be highlighted in red.
  - Did your regular expression identify the string?
    - If yes, click OK.
    - If no, verify that the Comparison Text contains the string you want to identify, or modify the regular expression.
Excluded Headers
Use this feature to prevent Fortify WebInspect from using certain headers in the HTTP request to attack the Web site. This feature is used to avoid corrupting header values.
Excluding Certain Headers
To prevent certain headers from being modified, create a regular expression using the procedure described below.
- In the Excluded Headers group, click Add. The Regular Expression Editor appears.
  Note: You can specify a header using either a text string or a regular expression.
- To enter a text string:
  - In the Expression box, type a header name.
  - Click OK.
- To enter a regular expression:
  - In the Expression box, type or paste a regular expression that you believe will match the text for which you are searching. Click the icon next to the box to insert regular expression notations.
  - In the Comparison Text box, type or paste the text that is known to contain the string you want to find (as specified in the Expression box).
  - To find only those occurrences matching the case of the expression, select the Match Case check box.
  - If you want to replace the string identified by the regular expression, select the Replace check box and then type or select a string from the Replace box.
  - Click Test to search the comparison text for strings that match the regular expression. Matches will be highlighted in red.
  - Did your regular expression identify the string?
    - If yes, click OK.
    - If no, verify that the Comparison Text contains the string you want to identify, or modify the regular expression.
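The following Python script is an added illustration and is not part of the WebInspect documentation or product. It models how the three exclusion groups described above (parameters scoped to query or POST data, cookie names, header names) decide which request inputs a scanner leaves untouched, including the difference between a plain text name and a regular expression and the effect of Match Case; the exclusion rules and the sample request are hypothetical and constructed here.

```python
import re
from urllib.parse import parse_qsl

def compile_rule(text, is_regex=False, match_case=False):
    """Turn one exclusion entry into a compiled pattern. A plain text string
    must match the whole name; a regular expression is searched as written.
    With Match Case off (the default here) the comparison ignores case."""
    flags = 0 if match_case else re.IGNORECASE
    pattern = text if is_regex else r"\A" + re.escape(text) + r"\Z"
    return re.compile(pattern, flags)

def split_targets(names, rules):
    """Partition names into (still attacked, excluded) according to the rules."""
    excluded = [n for n in names if any(r.search(n) for r in rules)]
    return [n for n in names if n not in excluded], excluded

def plan_audit(query, post_data, cookie_header, header_names,
               param_rules, cookie_rules, header_rules):
    """param_rules: (compiled rule, set of areas) pairs, area being 'query' or 'post';
    cookie_rules / header_rules: compiled rules matched against names only, never values."""
    plan = {}
    for area, raw in (("query", query), ("post", post_data)):
        names = [k for k, _ in parse_qsl(raw, keep_blank_values=True)]
        plan[area] = split_targets(names, [r for r, areas in param_rules if area in areas])
    # Cookie header: "name=value; name=value" -> keep only the names
    cookie_names = [c.split("=", 1)[0].strip() for c in cookie_header.split(";") if c.strip()]
    plan["cookies"] = split_targets(cookie_names, cookie_rules)
    plan["headers"] = split_targets(header_names, header_rules)
    return plan

# Constructed sample request pieces (not taken from the original page)
SAMPLE_QUERY = "id=42&csrf_token=abc123&lang=en"
SAMPLE_POST = "username=alice&session_nonce=xyz&comment=hi"
SAMPLE_COOKIES = "FirstCookie=Chocolate+Chip; JSESSIONID=1A2B3C; tracking=0"
SAMPLE_HEADERS = ["Host", "User-Agent", "Referer", "X-Request-Id"]

# Hypothetical exclusion settings mirroring the three dialog groups
PARAM_RULES = [
    (compile_rule("csrf_token"), {"query"}),                      # literal name, query data only
    (compile_rule(r"_nonce$", is_regex=True), {"query", "post"}),  # regex, both areas
]
COOKIE_RULES = [compile_rule("FirstCookie"), compile_rule(r"^JSESSION", is_regex=True)]
HEADER_RULES = [compile_rule("Host"), compile_rule(r"^X-Request", is_regex=True)]

if __name__ == "__main__":
    plan = plan_audit(SAMPLE_QUERY, SAMPLE_POST, SAMPLE_COOKIES, SAMPLE_HEADERS,
                      PARAM_RULES, COOKIE_RULES, HEADER_RULES)
    for area, (attack, excluded) in plan.items():
        print(f"{area}: attack={attack} excluded={excluded}")
```

Inputs listed under "excluded" are the ones the scanner would send unmodified, so a rule that is too broad (for example a regex that matches every parameter) silently removes coverage rather than protecting data.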
Audit Inputs Editor
Using the Audit Inputs Editor, you can create or modify parameters for audit engines and checks that require inputs.
- To launch the tool, click Audit Inputs Editor.
- To load inputs that you previously created using the editor, click Import Audit Inputs.
See Also
Audit Settings: Attack Expressions