Scope Scan Settings

Configure Scope settings to specify the URLs and file types that you want to include in or exclude from your scan.

You can configure Scope settings when you create a scan or user-defined scan template and select the Web App Overview or Scan Web App templates. For more information, see Scan Templates and Web Application Scanning in Tenable Nessus.

Tip: If you want to save your settings configurations and apply them to other scans, you can create and configure a policy.

The Scope settings include three sections:

Crawl Scripts

Specify the Selenium scripts you want to add to your scan to enable the scanner to analyze pages with complex access logic.

Note: If you add more than one target to your scan, these settings are disabled.

Setting: Add File
Default Value: n/a
Description: Hyperlink that allows you to add one or more recorded Selenium script files to your scan. Your script must be added as a .side file.

Scan Inclusion

Specify the URLs to include when scanning the web application. The URLs must have the same domain as the target URL.

Setting: List of URLs
Default Value: n/a
Description: Specifies the URLs to include when scanning the web application. When listing multiple URLs, you must format them in a comma-separated list.

Setting: Specify how the scanner handles URLs found during the application crawl
Default Value: Crawl all URLs detected
Description: Specifies the limits you want the scanner to adhere to as it crawls URLs. Select one of the following:

  • Crawl all URLs detected — The scanner crawls all URLs and child paths it detects on the target URL's domain host.
  • Limit crawling to specified URLs and child paths — The scanner crawls only the target URL and child paths.
  • Limit crawling to specified URLs — The scanner crawls the target URL only. It does not crawl child paths for the target URL.

Scan Exclusion

Specify any URLs that you want to exclude from your scan.

Note: If you add more than one target to your scan, these settings are disabled.

Setting: Regex For Excluded URLs
Default Value: logout
Description: Specifies a regex pattern that the scanner can look for in URLs to exclude from the scan. When listing multiple regex patterns, you must format them in a comma-separated list. Regex values are case-sensitive.

Note: The regex values should be values contained within the URL to be excluded. For example, in the URL http://www.example.com/blog/today.htm, valid regex values would be blog or today (not the full URL).

Setting: File Extensions to Exclude
Default Value: js,css,png,jpeg,gif,pdf,csv,svn-base,svg,jpg,ico,woff,woff2,exe,msi,zip
Description: Specifies the file types you want the scanner to exclude from the scan. When listing multiple file extensions, you must format them in a comma-separated list.

Note: Excluding certain file extensions can be useful because the scanner may not recognize that a resource is not a web page and attempt to scan it as if it were, which wastes time and slows down the scan. You can add further file extensions if you know your application uses them and you are certain they do not need to be scanned. For example, Tenable excludes several image extensions by default, such as .png and .jpeg.

Setting: Decompose Paths
Default Value: Disabled
Description: Specifies whether you want the scanner to break down each URL identified during the scan into additional URLs, based on directory path level.

For example, if you specify www.example.com/dir1/dir2/dir3 as your target and enable Decompose Paths, the scanner analyzes each of the following as separate URLs of the target:

  • www.example.com/dir1/dir2/dir3
  • www.example.com/dir1/dir2
  • www.example.com/dir1

When you enable this setting, the scanner attempts to audit the root of each sub-folder found in the path. This increases the web application detection surface, but also increases the scan time.

Setting: Exclude Binaries
Default Value: Enabled
Description: Specifies whether you want the scanner to audit URLs with responses in binary format.

When you disable this setting, the scanner also attempts to audit URLs whose responses are in a binary format that the scanner cannot read. This increases the web application detection surface, but also increases the scan time.
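As an added illustration (not Tenable's code and not the scanner's actual matching logic), the following Python model applies the Scan Inclusion crawl limits, the Scan Exclusion regex and file-extension lists, and the Decompose Paths expansion described above to a constructed set of discovered URLs, so you can sanity-check a scope configuration before running the scan. The setting names and values are taken from this page; the function names, the sample target and the sample URLs are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed settings mirroring this page's Scope sections (not a Nessus API).
TARGET = "http://www.example.com/blog/"
CRAWL_MODE = "Limit crawling to specified URLs and child paths"
EXCLUDE_REGEX = "logout"                  # Regex For Excluded URLs (case-sensitive)
EXCLUDE_EXT = "js,css,png,jpeg,gif,pdf"   # File Extensions to Exclude

def in_crawl_scope(url, target, mode):
    """Scan Inclusion: same host as the target, then the selected crawl limit."""
    u, t = urlsplit(url), urlsplit(target)
    if u.netloc != t.netloc:
        return False
    if mode == "Crawl all URLs detected":
        return True
    base = t.path.rstrip("/")
    if mode == "Limit crawling to specified URLs and child paths":
        return u.path.rstrip("/") == base or u.path.startswith(base + "/")
    return u.path.rstrip("/") == base     # Limit crawling to specified URLs

def excluded(url, regexes, extensions):
    """Scan Exclusion: regex found anywhere in the URL, or an excluded extension."""
    if any(re.search(rx, url) for rx in regexes):
        return True
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in {e.lower().lstrip(".") for e in extensions}

def decompose(url):
    """Decompose Paths: the URL plus each parent directory level, top level last."""
    u = urlsplit(url)
    parts = [p for p in u.path.split("/") if p]
    return [f"{u.scheme}://{u.netloc}/" + "/".join(parts[:i])
            for i in range(len(parts), 0, -1)]

def scope_decision(urls, target=TARGET, mode=CRAWL_MODE,
                   regex=EXCLUDE_REGEX, exts=EXCLUDE_EXT):
    """Map each discovered URL to 'crawl', 'excluded' or 'out of scope'."""
    rxs = [v.strip() for v in regex.split(",") if v.strip()]
    es = [v.strip() for v in exts.split(",") if v.strip()]
    return {u: "out of scope" if not in_crawl_scope(u, target, mode)
            else "excluded" if excluded(u, rxs, es) else "crawl" for u in urls}

# Constructed sample of discovered URLs: 'Logout' is still crawled because the
# regex is case-sensitive; cdn.example.com is another host, so it is out of scope.
SAMPLE_URLS = ["http://www.example.com/blog/today.htm", "http://www.example.com/blog/logout",
               "http://www.example.com/blog/Logout", "http://www.example.com/blog/style.css",
               "http://www.example.com/blogger/", "http://cdn.example.com/blog/app.js"]
```

Call scope_decision(SAMPLE_URLS) to see the verdict for each constructed URL, and decompose(TARGET) to see the extra URLs Decompose Paths would add.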