Scan Settings: Session Exclusions
To access this feature, click the Edit menu and select Default Scan Settings or Current Scan Settings. Then, in the Scan Settings category, select Session Exclusions.
These settings apply to both the crawl and audit phases of a Fortify WebInspect vulnerability scan. To specify exclusions for only the crawl or only the audit, use the Crawl Settings: Session Exclusions or the Audit Settings: Session Exclusions.
Excluded or Rejected File Extensions
You can identify a file type and then specify whether you want to exclude or reject it.
- Reject - Fortify WebInspect will not request files of the type you specify.
- Exclude - Fortify WebInspect will request the files, but will not attack them (during an audit) and will not examine them for links to other resources.
By default, most image, drawing, media, audio, video, and compressed file types are rejected.
To add a file extension to reject or exclude:
1. Click Add. The Exclusion Extension window opens.
2. In the File Extension box, enter a file extension.
3. Select either Reject, Exclude, or both.
4. Click OK.
Excluded MIME Types
Fortify WebInspect will not process files associated with the MIME type you specify. By default, image, audio, and video types are excluded.
To add a MIME type to exclude:
1. Click Add. The Provide a Mime-type to Exclude window opens.
2. In the Exclude Mime-type box, enter a MIME type.
3. Click OK.
Other Exclusion/Rejection Criteria
You can identify various components of an HTTP message and then specify whether you want to exclude or reject a session that contains that component.
- Reject - Fortify WebInspect will not send any HTTP requests to the host or URL you specify. For example, you should usually reject any URL that logs the user off the site, since you don't want to log out of the application before the scan is completed. Reject is also the right choice for any resource that changes state simply by being requested, and for hosts that are out of scope for the engagement.
- Exclude - During a crawl, Fortify WebInspect will not examine the specified URL or host for links to other resources. During the audit portion of the scan, Fortify WebInspect will not attack the specified host or URL. Exclude alone does not stop the request from being sent. If you want to access the URL or host without processing the HTTP response, select the Exclude option, but do not select Reject. For example, to check for broken links on URLs that you don't want to process, select only the Exclude option.
Editing Criteria
To edit the default criteria:
1. Select a criterion and click Edit (on the right side of the Other Exclusion/Rejection Criteria list). The Reject or Exclude a Host or URL window opens.
2. Select either Host or URL.
3. In the Host/URL box, enter a URL or fully qualified host name, or a regular expression designed to match the targeted URL or host.
4. Select either Reject, Exclude, or both.
5. Click OK.
Adding Criteria
To add exclusion/rejection criteria:
1. Click Add (on the right side of the Other Exclusion/Rejection Criteria list). The Create Exclusion window opens.
2. Select an item from the Target list.
3. If you selected Query Parameter or Post Parameter as the target, enter the Target Name (the name of the parameter whose value is to be matched).
4. From the Match Type list, select the method to be used for matching text in the target:
   - Matches Regex - Matches the regular expression you specify in the Match String box.
   - Matches Regex Extension - Matches the Match String using Fortify's regular expression extensions.
   - Matches - The target must equal the text string you specify in the Match String box.
   - Contains - The target must contain the text string you specify in the Match String box.
5. In the Match String box, enter the string or regular expression for which the target will be searched. Alternatively, if you selected a regular expression option in the Match Type, you can click the drop-down arrow and select Create Regex to launch the Regular Expression Editor.
6. Click the add button (or press Enter) to add the condition.
7. (Optional) Repeat steps 2-6 to add more conditions. All conditions in one exclusion are ANDed: the session is rejected or excluded only when every condition matches. To act on a session when any one of several patterns matches, create a separate exclusion for each pattern.
8. If you are working in Current Settings, you can click Test to process the exclusions on the current scan. Any sessions from that scan that would have been filtered by the criteria will appear in the test screen, allowing you to modify your settings if required.
9. Click OK.
10. When the exclusion appears in the Other Exclusion/Rejection Criteria list, select either Reject, Exclude, or both.
Note: You cannot reject Response, Response Header, and Status Code Target types during a scan; you can only exclude these Target types. These targets can only be evaluated after the response has arrived, by which time the request has already been sent.
To ensure that you ignore and never send requests to any resource at Microsoft.com, enter the following exclusion and select Reject.

| Target | Target Name | Match Type | Match String |
|---|---|---|---|
| URL | N/A | contains | Microsoft.com |

To catch logout pages, enter "logout" as the match string. If that string is found in any portion of the URL, the URL will be excluded or rejected (depending on which option you select). Using the "logout" example, Fortify WebInspect would exclude or reject URLs such as logout.asp or applogout.jsp.

| Target | Target Name | Match Type | Match String |
|---|---|---|---|
| URL | N/A | contains | logout |

The following example rejects or excludes a session whose query string contains the parameter "username" with the value "John".

| Target | Target Name | Match Type | Match String |
|---|---|---|---|
| Query parameter | username | matches | John |

The following example excludes or rejects the following directories:
http://www.test.com/W3SVC55/
http://www.test.com/W3SVC5/
http://www.test.com/W3SVC550/

| Target | Target Name | Match Type | Match String |
|---|---|---|---|
| URL | N/A | matches regex | /W3SVC[0-9]*/ |

Because `*` allows zero digits, this pattern also matches a bare /W3SVC/ directory; use `/W3SVC[0-9]+/` if at least one digit is required.
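The following is an added example, not Fortify code, that models how the criteria described in the Adding Criteria procedure and in the four examples above are evaluated: each exclusion is a list of conditions that are ANDed, a session is checked against every exclusion, and Reject takes precedence over Exclude because a rejected session is never requested at all. The rule and session shapes, the `evaluate` function, and the case-sensitive matching are assumptions made for the example; use it to test a pattern against sample URLs before adding it to a scan.

```python
"""Toy evaluator for WebInspect-style session exclusion criteria.

Added example, not Fortify WebInspect code. Data shapes, function names and
case-sensitive matching are assumptions; the product's exact behaviour may
differ (for example in how it treats letter case).
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class Condition:
    target: str          # "URL", "Host", "Query Parameter" or "Post Parameter"
    match_type: str      # "matches", "contains" or "matches regex"
    match_string: str
    target_name: str = ""  # parameter name, only for Query/Post Parameter


@dataclass
class Rule:
    conditions: list     # every condition must match (ANDed), as on the page
    reject: bool = False
    exclude: bool = False


@dataclass
class Session:
    url: str
    post_params: dict = field(default_factory=dict)  # assumed body shape


def _target_values(session, cond):
    """Return the list of strings the condition is checked against."""
    parts = urlsplit(session.url)
    if cond.target == "URL":
        return [session.url]
    if cond.target == "Host":
        return [parts.hostname or ""]
    if cond.target == "Query Parameter":
        return parse_qs(parts.query).get(cond.target_name, [])
    if cond.target == "Post Parameter":
        value = session.post_params.get(cond.target_name)
        return [] if value is None else [value]
    raise ValueError(f"unsupported target {cond.target!r}")


def condition_matches(session, cond):
    for value in _target_values(session, cond):
        if cond.match_type == "matches" and value == cond.match_string:
            return True
        if cond.match_type == "contains" and cond.match_string in value:
            return True
        if cond.match_type == "matches regex" and re.search(cond.match_string, value):
            return True
    return False


def evaluate(session, rules):
    """Return "reject", "exclude" or "allow" for one session.

    Reject wins over exclude: a rejected session is never requested, so an
    exclusion on the same session has nothing left to act on.
    """
    reject = exclude = False
    for rule in rules:
        if rule.conditions and all(condition_matches(session, c) for c in rule.conditions):
            reject = reject or rule.reject
            exclude = exclude or rule.exclude
    if reject:
        return "reject"
    if exclude:
        return "exclude"
    return "allow"


# The four exclusions from the page, plus one two-condition rule to show ANDing.
RULES = [
    Rule([Condition("URL", "contains", "Microsoft.com")], reject=True),
    Rule([Condition("URL", "contains", "logout")], reject=True),
    Rule([Condition("Query Parameter", "matches", "John", "username")], exclude=True),
    Rule([Condition("URL", "matches regex", r"/W3SVC[0-9]*/")], exclude=True),
    # Constructed example: only the admin user's delete request is rejected.
    Rule([Condition("URL", "contains", "/delete"),
          Condition("Post Parameter", "matches", "admin", "user")], reject=True),
]

if __name__ == "__main__":
    for s in (Session("http://www.test.com/applogout.jsp"),
              Session("http://www.test.com/app?username=John"),
              Session("http://www.test.com/W3SVC/"),
              Session("http://www.test.com/delete", {"user": "admin"})):
        print(s.url, "->", evaluate(s, RULES))
```

Running the block shows that /W3SVC/ with no digits is excluded by the `[0-9]*` pattern, and that the two-condition rule leaves a delete request from any other user untouched.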
See Also
Scan Settings: Cookies/Headers