Context
When performing a web application scan, you might want to either explicitly restrict a scan of a domain to a certain path (e.g. www.example.com/path2/), or to explicitly exclude a certain path from scanning (e.g. www.example.com/static/) whilst scanning all other paths on the domain.
Likewise, when performing an infrastructure scan, you may want to exclude a certain IP within a larger range, for example to scan 192.168.0.1-254 but exclude 192.168.0.8 if that IP is, for example, unsuitable for scanning, or covered by a separate scan.
Limiting Web Application Scope (Scan specific URL only)
Application targets can be set to a limited crawl target. What this means is AppCheck will not scan outside of a given path (directory) in the URL. Normally when AppCheck is crawling and attacking an application it attempts to crawl the entire domain.
Even if the scan target is given as https://www.example.com/path1, AppCheck will use this as the starting point for scanning, but will crawl and then attack any other paths found via crawling or brute force discovery, including pages at e.g. https://www.example.com/path2.
In some instances, this can be undesirable behaviour: for instance if you entered http://www.example.com/app1 as a target, you may have the expectation that AppCheck will only scan this page (and pages within that directory). However if you wish to scan ONLY that path and pages within it, you can limit the scope of the crawler with the “|” (pipe) character as a suffix (trailing character) in the scan target.
If you change your scan target to http://www.example.com/app1| (note the trailing pipe character) then the scan will only crawl and attack paths within the /app1 path/directory, leaving /app2 and all other paths un-scanned.
Further reading on this subject: Application Scan Targets, Scope and Seeded Targets
Excluding Specific Web Application Crawl Targets (Exclude specific URL)
It is also possible to exclude a given path (and directories underneath it) using the blacklist feature in the scan configuration:
Any URL entered in this list (and directories underneath them) will be excluded/blacklisted from scanning.
For example, if you add https://example.com/one to your blacklist then
https://example.com/one/some-page will not be scanned, but
https://example.com/two/some-page will be.
If you add https://example.com/ to your blacklist then the whole application is blacklisted - none of it will be scanned.
Excluding Specific IPs from infrastructure scanning
The Blacklist Targets section of a scan configuration can also be used to exclude specific IPs from within a scan target range from being scanned. You can exclude IP ranges and subnets within the Blacklist Targets, also.
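The three scoping rules described above (a trailing "|" limiting the crawl to a path, URL blacklist entries excluding a path and everything beneath it, and IP blacklist entries excluding addresses from a target range) can be illustrated with a small scope checker. The following is an added example written for this article, not AppCheck's own code, and its matching behaviour is an assumption about the rules as the article states them: hosts are compared case-insensitively, a path entry covers the directory itself and anything below it (so /one does not match /one-more), and the "192.168.0.1-254" shorthand is read as a range over the final octet.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit


def parse_target(target: str) -> tuple[str, bool]:
    """Split a scan target into its start URL and a 'limit crawl to this path' flag.
    A trailing '|' on the target (as the article describes) restricts the crawler."""
    limited = target.endswith("|")
    url = target[:-1] if limited else target
    return url, limited


def _host_and_path(url: str) -> tuple[str, str]:
    parts = urlsplit(url)
    # Treat /app1 and /app1/ the same: the directory itself plus everything below it.
    return parts.netloc.lower(), parts.path.rstrip("/")


def under_path(url: str, base: str) -> bool:
    """True if url is the base path itself or lies in a directory beneath it (same host)."""
    b_host, b_path = _host_and_path(base)
    u_host, u_path = _host_and_path(url)
    if u_host != b_host:
        return False
    return u_path == b_path or u_path.startswith(b_path + "/")


def url_in_scope(url: str, target: str, blacklist: list[str]) -> bool:
    """Decide whether a discovered URL would be crawled/attacked for the given target."""
    start_url, limited = parse_target(target)
    # Rule 1: without a trailing pipe the whole host is in scope, so only the host must match.
    if _host_and_path(url)[0] != _host_and_path(start_url)[0]:
        return False
    # Rule 2: a trailing pipe confines crawling to the target path and its subdirectories.
    if limited and not under_path(url, start_url):
        return False
    # Rule 3: a blacklist entry excludes that path and every directory underneath it;
    # blacklisting the site root therefore excludes the whole application.
    return not any(under_path(url, entry) for entry in blacklist)


def _matcher(spec: str):
    """Build a predicate for one IP entry: CIDR, single address, or a.b.c.x-y range.
    The dash form with a bare final octet (assumed reading of '192.168.0.1-254')
    is expanded to a full address before comparison."""
    spec = spec.strip()
    if "-" in spec:
        first, last = spec.split("-", 1)
        if "." not in last:
            last = first.rsplit(".", 1)[0] + "." + last
        start, end = ip_address(first), ip_address(last)
        return lambda addr: start <= addr <= end
    net = ip_network(spec, strict=False)  # a single IP becomes a /32 (or /128)
    return lambda addr: addr in net


def ip_in_scope(ip: str, targets: list[str], blacklist: list[str]) -> bool:
    """Decide whether an address in the target ranges survives the IP blacklist."""
    addr = ip_address(ip)
    if not any(_matcher(t)(addr) for t in targets):
        return False
    return not any(_matcher(b)(addr) for b in blacklist)


if __name__ == "__main__":
    # Constructed inputs mirroring the article's own examples.
    print(url_in_scope("https://example.com/one/some-page", "https://example.com/", ["https://example.com/one"]))
    print(url_in_scope("http://www.example.com/app2/login", "http://www.example.com/app1|", []))
    print(ip_in_scope("192.168.0.8", ["192.168.0.1-254"], ["192.168.0.8"]))
```

Running the block prints False for each of the three checks: the blacklisted /one subtree, a URL outside a pipe-limited target, and the excluded address within the range. The same functions return True for https://example.com/two/some-page, for /app1/login under the pipe-limited target, and for 192.168.0.9, which is what the article's wording leads you to expect.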