Audit Settings: Session Exclusions
To access this feature, click the Edit menu and select Default Scan Settings or Current Scan Settings. Then, in the Audit Settings category, select Session Exclusions.
All items specified in the Scan Settings - Session Exclusions are automatically replicated in the Session Exclusions for both the Crawl Settings and the Audit Settings. These items are listed in gray (not black) text. If you do not want these objects to be excluded from the audit, you must remove them from the Scan Settings - Session Exclusions panel.
This panel (Audit Settings - Session Exclusions) allows you to specify additional objects to be excluded from the audit.
Excluded or Rejected File Extensions
If you select Reject, Fortify WebInspect will not request files having the specified extension.
If you select Exclude, Fortify WebInspect will request files having the specified extension, but will not audit them.
Adding a File Extension to Exclude/Reject
To add a file extension:
-
Click Add.
The Exclusion Extension window opens.
-
In the File Extension box, enter a file extension.
-
Select either Reject, Exclude, or both.
-
Click OK.
Excluded MIME Types
Fortify WebInspect will not audit files associated with the MIME types you specify.
Adding a MIME Type to Exclude
To add a MIME type:
-
Click Add.
The Provide a Mime-type to Exclude window opens.
-
In the Exclude Mime-type box, enter a MIME type.
-
Click OK.
Other Exclusion/Rejection Criteria
You can identify various components of an HTTP message and then specify whether you want to exclude or reject a session that contains that component.
-
Reject - Fortify WebInspect will not send any HTTP requests to the host or URL you specify. For example, you should usually reject any URL that deals with logging off the site, since you don't want to log out of the application before the scan is completed.
-
Exclude - During a crawl, Fortify WebInspect will not examine the specified URL or host for links to other resources. During the audit portion of the scan, Fortify WebInspect will not attack the specified host or URL. If you want to access the URL or host without processing the HTTP response, select the Exclude option, but do not select Reject. For example, to check for broken links on URLs that you don't want to process, select only the Exclude option.
Editing the Default Criteria
To edit the default criteria:
-
Select a criterion and click Edit (on the right side of the Other Exclusion/Rejection Criteria list).
The Reject or Exclude a Host or URL window opens.
- Select either Host or URL.
- In the Host/URL box, enter a URL or fully qualified host name, or a regular expression designed to match the targeted URL or host.
- Select either Reject, Exclude, or both.
- Click OK.
Adding Exclusion/Rejection Criteria
To add exclusion/rejection criteria:
-
Click Add (on the right side of the Other Exclusion/Rejection Criteria list).
The Create Exclusion window opens.
-
Select an item from the Target list.
-
If you selected Query Parameter or Post Parameter as the target, enter the Target Name.
-
From the Match Type list, select the method to be used for matching text in the target:
-
Matches Regex - Matches the regular expression you specify in the Match String box.
-
Matches Regex Extension - Matches a syntax available from Fortify's regular expression extensions you specify in the Match String box.
-
Matches - Matches the text string you specify in the Match String box.
-
Contains - Contains the text string you specify in the Match String box.
-
-
In the Match String box, enter the string or regular expression for which the target will be searched. Alternatively, if you selected a regular expression option in the Match Type, you can click the drop-down arrow and select Create Regex to launch the Regular Expression Editor.
-
Click
(or press Enter). -
(Optional) Repeat steps 2-6 to add more conditions. Multiple matches are ANDed.
-
If you are working in Current Settings, you can click Test to process the exclusions on the current scan. Any sessions from that scan that would have been filtered by the criteria will appear in the test screen, allowing you to modify your settings if required.
-
Click OK.
-
When the exclusion appears in the Other Exclusion/Rejection Criteria list, select either Reject, Exclude, or both.
Note: You cannot reject Response, Response Header, and Status Code Target types during a scan. You can only exclude these Target types.
Example 1
To ensure that you ignore and never send requests to any resource at Microsoft.com, enter the following exclusion and select Reject.
| Target | Target Name | Match Type | Match String |
| URL | N/A | contains | Microsoft.com |
Example 2
Enter "logout" as the match string. If that string is found in any portion of the URL, the URL will be excluded or rejected (depending on which option you select). Using the "logout" example, Fortify WebInspect would exclude or reject URLs such as logout.asp or applogout.jsp.
| Target | Target Name | Match Type | Match String |
| URL | N/A | contains | logout |
Example 3
The following example rejects or excludes a session containing a query where the query parameter "username" equals "John."
| Target | Target Name | Match Type | Match String |
| Query parameter | username | matches | John |
Example 4
The following example excludes or rejects the following directories:
http://www.test.com/W3SVC55/
http://www.test.com/W3SVC5/
http://www.test.com/W3SVC550/
| Target | Target Name | Match Type | Match String |
| URL | N/A | matches regex | /W3SVC[0-9]*/ |
See Also
Audit Settings: Attack Exclusions