Scope Settings in WAS Scans

Configure Scope settings to specify the URLs and file types that you want to include in or exclude from your scan.

You can configure Scope settings when you create a scan or user-defined scan template and select the Overview or Scan template type. For more information, see Scan Templates.

Tip: If you want to save your settings configurations and apply them to other scans, you can create and configure a user-defined scan template.

The Scope settings include the following sections:

Crawl Scripts

Selenium scripts you want to add to your scan to enable the scanner to analyze pages with complex access logic.

Setting Description
Add File

Hyperlink that allows you to add one or more recorded Selenium script files to your scan.

Your script must be added as a .side file.

OpenAPI (Swagger) Specification

The specification file for the RESTful API that you want to scan. The file should be OpenAPI Specification (v2 or v3) compliant and represented in either JSON or YAML format.

Setting Description
Add File Hyperlink that allows you to add one or more OpenAPI (v2 or v3) specification files. The specification files should be represented in either JSON or YAML format.

Scan Inclusion

The URLs you want the scanner to include, along with how you want the scanner to crawl them.

Setting Default Description
List of URLs none

A list of any URLs you want to ensure the scanner analyzes, in addition to the target URL you specified in the Basic settings.

Type each URL as an absolute URL.

Type each URL on a separate line.

Note: All URLs should have the same domain and wildcards are not allowed.

Specify how the scanner handles URLs found during the application crawl Crawl all URLs detected

Specifies the limits you want the scanner to adhere to as it crawls URLs.

Select one of the following:

  • Crawl all URLs detected — The scanner crawls all URLs and child paths it detects on the target URL's domain host.
  • Limit crawling to specified URLs and child paths — The scanner crawls only the target URL and child paths.
  • Limit crawling to specified URLs — The scanner crawls the target URL only. It does not crawl child paths for the target URL.

Scan Exclusion

The attributes of URLs you want the scanner to exclude from your scan.

Setting Default Value Description
Regex for Excluded URLs logout

Text box option in which you can specify a regex pattern that the scanner can look for in URLs to exclude from the scan. You can specify multiple regex patterns separated by new lines.

Note: The regex values should be values contained within the URL to be excluded. For example, in the URL http://www.example.com/blog/today.htm, valid regex vlaues would be blog or today (not the full URL). Additionally, regex values are case-sensitive.

File Extensions to Exclude js, css, png, jpeg, gif, pdf, csv, svn-base, svg, jpg, ico

Text box option in which you can specify the file types you want the scanner to exclude from the scan.

Separate each file type with a comma.

Decompose Paths not selected

Check box option that allows you to specify whether you want the scanner to break down each URL identified during the scan into additional URLs, based on directory path level.

For example, if you specify www.example.com/dir1/dir2/dir3 as your target and select Decompose Paths, the scanner analyzes each of the following as separate URLs of the target:

  • www.example.com/dir1/dir2/dir3
  • www.example.com/dir1/dir2
  • www.example.com/dir1

Select this option to increase the surface coverage of your web application scan.

Note: Scans that include path decomposition can take longer to complete than scans that do not.