Scope Settings in Tenable Web App Scanning Scans

Configure Scope settings to specify the URLs and file types that you want to include in or exclude from your scan.

You can configure Scope settings when you create a scan or user-defined scan template and select the Overview or Scan template type. For more information, see Scan Templates.

Tip: If you want to save your settings configurations and apply them to other scans, you can create and configure a user-defined scan template.

The Scope settings include the following sections:

Crawl Scripts

Selenium scripts you want to add to your scan to enable the scanner to analyze pages with complex access logic.

Note: If you add more than one target to your scan, these settings are disabled.

Setting: Add File
Description: Hyperlink that allows you to add one or more recorded Selenium script files to your scan. Your script must be added as a .side file.

OpenAPI (Swagger) Specification

The specification file for the RESTful API that you want to scan. The file should be OpenAPI Specification (v2 or v3) compliant and represented in either JSON or YAML format.

Setting: Add File
Description: Hyperlink that allows you to add one or more OpenAPI (v2 or v3) specification files. The specification files should be represented in either JSON or YAML format.
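A pre-upload check for a specification file, as an added example that is not part of this page or of Tenable's code: it parses a JSON document (YAML too, when PyYAML happens to be installed), reports whether the file is Swagger 2.0 or OpenAPI 3.x, and lists the base URLs and operations the scanner will derive from it, so you can confirm they sit on the scan's target host before attaching the file. The sample spec is constructed for the example and the function names are the example's own.

```python
"""Pre-upload sanity check for an OpenAPI (Swagger) specification.
Added example, not Tenable's code; the sample spec below is constructed."""
import json

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def load_spec(text: str) -> dict:
    """Parse JSON; fall back to YAML only if PyYAML is available (optional)."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        try:
            import yaml  # optional dependency, needed only for YAML specs
        except ImportError as exc:
            raise ValueError("not JSON and PyYAML is not installed") from exc
        doc = yaml.safe_load(text)
        if not isinstance(doc, dict):
            raise ValueError("YAML document is not a mapping")
        return doc


def spec_version(spec: dict) -> str:
    """'v2' for Swagger 2.0, 'v3' for OpenAPI 3.x; anything else is rejected."""
    if str(spec.get("swagger", "")).startswith("2."):
        return "v2"
    if str(spec.get("openapi", "")).startswith("3."):
        return "v3"
    raise ValueError("file is neither Swagger 2.0 nor OpenAPI 3.x")


def base_urls(spec: dict) -> list:
    """Base URLs the scanner's requests will be built on, per spec version."""
    if spec_version(spec) == "v3":
        return [s["url"] for s in spec.get("servers", []) if "url" in s]
    # Swagger 2.0 assembles the base URL from schemes, host and basePath
    host = spec.get("host", "")
    base = spec.get("basePath", "")
    return [f"{scheme}://{host}{base}" for scheme in spec.get("schemes", ["https"])]


def operations(spec: dict) -> list:
    """Sorted (METHOD, path) pairs for every operation declared under paths."""
    found = []
    for path, item in spec.get("paths", {}).items():
        if not isinstance(item, dict):
            continue
        for method in HTTP_METHODS:
            if method in item:
                found.append((method.upper(), path))
    return sorted(found)


# Constructed OpenAPI v3 document (JSON) used only to demonstrate the check.
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.3",
    "info": {"title": "Example API", "version": "1.0"},
    "servers": [{"url": "https://api.example.com/v1"}],
    "paths": {
        "/users": {"get": {"responses": {"200": {"description": "ok"}}},
                   "post": {"responses": {"201": {"description": "created"}}}},
        "/users/{id}": {"get": {"responses": {"200": {"description": "ok"}}},
                        "delete": {"responses": {"204": {"description": "gone"}}}},
    },
})

if __name__ == "__main__":
    spec = load_spec(SAMPLE_SPEC)
    print("version :", spec_version(spec))
    print("base URL:", base_urls(spec))
    for method, path in operations(spec):
        print(f"  {method:6} {path}")
```

Run it against your own file by replacing SAMPLE_SPEC with the file's contents; if the base URLs point at a different host than the scan target, the API will not be in scope, since the Scan Inclusion rules require one domain.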

Scan Inclusion

The URLs you want the scanner to include, along with how you want the scanner to crawl them.

Note: If you add more than one target to your scan, these settings are disabled.

Setting: List of URLs
Default: none
Description: A list of any URLs you want to ensure the scanner analyzes, in addition to the target URL you specified in the Basic settings. Type each URL as an absolute URL, and type each URL on a separate line.

Note: All URLs should have the same domain and wildcards are not allowed.

Setting: Specify how the scanner handles URLs found during the application crawl
Default: Crawl all URLs detected
Description: Specifies the limits you want the scanner to adhere to as it crawls URLs. Select one of the following:

  • Crawl all URLs detected — The scanner crawls all URLs and child paths it detects on the target URL's domain host.
  • Limit crawling to specified URLs and child paths — The scanner crawls only the target URL and child paths.
  • Limit crawling to specified URLs — The scanner crawls the target URL only. It does not crawl child paths for the target URL.
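A model of the three crawl-limit options, as an added example that is not part of this page or of Tenable's code: it validates a List of URLs against the rules above (absolute URLs, one domain, no wildcards) and then decides, for URLs a crawl might discover, whether each would be crawled under each option. The option strings mirror the setting's names; the function names and the constructed URLs are the example's own, and treating `/dir` and `/dir/` as the same path is an assumption.

```python
"""Scope preview for the Scan Inclusion crawl-limit options.
Added example, not Tenable's code; URLs below are constructed."""
from urllib.parse import urlsplit

CRAWL_ALL = "Crawl all URLs detected"
LIMIT_CHILD_PATHS = "Limit crawling to specified URLs and child paths"
LIMIT_URLS = "Limit crawling to specified URLs"
MODES = (CRAWL_ALL, LIMIT_CHILD_PATHS, LIMIT_URLS)
SHORT = {CRAWL_ALL: "all", LIMIT_CHILD_PATHS: "children", LIMIT_URLS: "exact"}


def _norm_path(path: str) -> str:
    """Assumption: '/dir' and '/dir/' are the same path; '' becomes '/'."""
    return path.rstrip("/") or "/"


def validate_url_list(urls: list) -> str:
    """Enforce the List of URLs rules: absolute URLs, a single domain, no
    wildcards. Returns the shared host so callers can compare against it."""
    hosts = set()
    for url in urls:
        parts = urlsplit(url.strip())
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"not an absolute URL: {url!r}")
        if "*" in url:
            raise ValueError(f"wildcards are not allowed: {url!r}")
        hosts.add(parts.netloc.lower())
    if len(hosts) != 1:
        raise ValueError(f"all URLs must share one domain, got {sorted(hosts)}")
    return hosts.pop()


def list_error(urls: list):
    """None if the list is valid, otherwise the validation message."""
    try:
        validate_url_list(urls)
        return None
    except ValueError as exc:
        return str(exc)


def in_scope(found: str, configured: list, mode: str) -> bool:
    """Would the scanner crawl `found`, given the configured URLs and mode?"""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode!r}")
    host = validate_url_list(configured)
    f = urlsplit(found)
    if f.netloc.lower() != host:
        return False                      # another host is never crawled
    if mode == CRAWL_ALL:
        return True                       # anything on the target host
    fpath = _norm_path(f.path)
    for url in configured:
        cpath = _norm_path(urlsplit(url).path)
        if fpath == cpath:
            return True                   # the configured URL itself
        if mode == LIMIT_CHILD_PATHS and fpath.startswith(cpath.rstrip("/") + "/"):
            return True                   # a child path of a configured URL
    return False


def scope_report(found_urls: list, configured: list) -> dict:
    """Per-URL verdict under every mode, for previewing a scope."""
    return {u: {m: in_scope(u, configured, m) for m in MODES} for u in found_urls}


# Constructed URLs standing in for what a crawl of the target might discover.
CONFIGURED = ["https://www.example.com/app"]
DISCOVERED = [
    "https://www.example.com/app",
    "https://www.example.com/app/login",
    "https://www.example.com/application",
    "https://www.example.com/admin",
    "https://cdn.example.com/app/bundle.js",
]

if __name__ == "__main__":
    for url, verdicts in scope_report(DISCOVERED, CONFIGURED).items():
        flags = "  ".join(f"{SHORT[m]}={'yes' if v else 'no'}" for m, v in verdicts.items())
        print(f"{url:42} {flags}")
```

Note that `/application` is not a child of `/app`: the child-path check requires a `/` boundary, which is the behaviour you want when a short path prefix is shared by unrelated applications on the same host.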

Scan Exclusion

The attributes of URLs you want the scanner to exclude from your scan.

Setting: Regex for Excluded URLs
Default Value: logout
Description: Text box option in which you can specify a regex pattern that the scanner looks for in URLs to exclude from the scan. You can specify multiple regex patterns separated by new lines.

Note: The regex values should be values contained within the URL to be excluded. For example, in the URL http://www.example.com/blog/today.htm, valid regex values would be blog or today (not the full URL). Additionally, regex values are case-sensitive.

Setting: File Extensions to Exclude
Default Value: js, css, png, jpeg, gif, pdf, csv, svn-base, svg, jpg, ico, woff, woff2, exe, msi, zip
Description: Text box option in which you can specify the file types you want the scanner to exclude from the scan. Separate each file type with a comma.

Note: Excluding certain file extensions is useful because the scanner may not recognize that a resource is not a web page and may attempt to scan it as if it were one. This wastes time and slows down the scan. You can add further file extensions if you know your application uses them and are certain they do not need to be scanned. For example, Tenable excludes several image extensions by default: .png, .jpeg, and so on.

Setting: Decompose Paths
Default Value: not selected
Description: Check box option that allows you to specify whether you want the scanner to break down each URL identified during the scan into additional URLs, based on directory path level.

For example, if you specify www.example.com/dir1/dir2/dir3 as your target and select Decompose Paths, the scanner analyzes each of the following as separate URLs of the target:

  • www.example.com/dir1/dir2/dir3
  • www.example.com/dir1/dir2
  • www.example.com/dir1

Select this option to increase the surface coverage of your web application scan.

Note: Scans that include path decomposition can take longer to complete than scans that do not.

Setting: Exclude Binaries
Default Value: selected
Description: Check box option that allows you to specify whether you want the scanner to audit URLs with responses in binary format.

Select this option to increase the surface coverage of your web application scan.

Note: Scans that include binaries can take longer to complete, because the scanner cannot read the binary responses.
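A model of the Regex for Excluded URLs, File Extensions to Exclude and Decompose Paths rules, as an added example that is not part of this page or of Tenable's code: it applies the page's stated behaviour (patterns searched anywhere inside the URL and case-sensitive, extensions compared against the last path segment, each URL expanded into its parent directory levels) to constructed URLs. Ignoring the query string when reading the extension, and applying the exclusions after decomposition, are this example's assumptions; the function names are its own.

```python
"""Preview of the Scan Exclusion rules against a list of discovered URLs.
Added example, not Tenable's code; the URLs below are constructed."""
import re
from urllib.parse import urlsplit

# Defaults as shown on the page
DEFAULT_REGEX = "logout"
DEFAULT_EXTENSIONS = ("js, css, png, jpeg, gif, pdf, csv, svn-base, svg, "
                      "jpg, ico, woff, woff2, exe, msi, zip")


def parse_regex_list(text: str) -> list:
    """One pattern per line, blank lines ignored. No re.IGNORECASE, because
    the setting is case-sensitive."""
    return [re.compile(line.strip()) for line in text.splitlines() if line.strip()]


def parse_extension_list(text: str) -> set:
    """Comma-separated extensions; spaces, a leading dot and case are ignored."""
    return {e.strip().lstrip(".").lower() for e in text.split(",") if e.strip()}


def excluded_by_regex(url: str, patterns: list) -> bool:
    """re.search, so a value such as 'blog' matches anywhere in the URL."""
    return any(p.search(url) for p in patterns)


def excluded_by_extension(url: str, extensions: set) -> bool:
    """Only the last path segment's extension counts (query string ignored,
    an assumption of this example)."""
    last = urlsplit(url).path.rsplit("/", 1)[-1]
    if "." not in last:
        return False
    return last.rsplit(".", 1)[-1].lower() in extensions


def decompose(url: str) -> list:
    """Decompose Paths: the URL itself, then each shallower directory level,
    deepest first, as in the page's example. Scheme-less input such as
    'www.example.com/dir1' is accepted and returned in the same form."""
    parts = urlsplit(url) if "://" in url else urlsplit("//" + url)
    prefix = f"{parts.scheme}://{parts.netloc}" if parts.scheme else parts.netloc
    segments = [s for s in parts.path.split("/") if s]
    out = [url]
    for depth in range(len(segments) - 1, 0, -1):
        out.append(prefix + "/" + "/".join(segments[:depth]))
    return out


def filter_scope(urls: list, regex_text: str = DEFAULT_REGEX,
                 ext_text: str = DEFAULT_EXTENSIONS, decompose_paths: bool = False) -> list:
    """URLs that survive the exclusion rules, in discovery order, without
    duplicates. Exclusions are applied after decomposition (assumption)."""
    patterns = parse_regex_list(regex_text)
    exts = parse_extension_list(ext_text)
    candidates = []
    for url in urls:
        candidates.extend(decompose(url) if decompose_paths else [url])
    kept, seen = [], set()
    for url in candidates:
        if url in seen:
            continue
        seen.add(url)
        if excluded_by_regex(url, patterns) or excluded_by_extension(url, exts):
            continue
        kept.append(url)
    return kept


# Constructed URLs standing in for what a crawl might discover.
DISCOVERED = [
    "https://www.example.com/shop/cart/items",
    "https://www.example.com/static/app.js",
    "https://www.example.com/user/logout",
    "https://www.example.com/shop",
]

if __name__ == "__main__":
    print("without decomposition:")
    for url in filter_scope(DISCOVERED):
        print("  ", url)
    print("with decomposition:")
    for url in filter_scope(DISCOVERED, decompose_paths=True):
        print("  ", url)
```

Two points the run makes visible: a pattern such as `logout` removes `/user/logout` but, with Decompose Paths on, the parent `/user` is still audited; and because patterns are case-sensitive, `Logout` would not be excluded by the default unless you add a second pattern line for it.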

Miscellaneous

Setting: Deduplicate Similar Pages
Description: Check box option that allows you to specify whether you want the scanner to skip a page when similar pages have already been audited.