Scope Settings in Tenable Web App Scanning Scans

Configure Scope settings to specify the URLs and file types that you want to include in or exclude from your scan.

You can configure Scope settings when you create a scan or user-defined scan template and select the Overview or Scan template type. For more information, see Scan Templates.

Tip: If you want to save your settings configurations and apply them to other scans, you can create and configure a user-defined scan template.

The Scope settings include the following sections:

Crawl Scripts
OpenAPI (Swagger) Specification
Scan Inclusion
Scan Exclusion

Crawl Scripts

Selenium scripts you want to add to your scan to enable the scanner to analyze pages with complex access logic.

Note: If you add more than one target to your scan, these settings are disabled.

Setting	Description
Add File	Hyperlink that allows you to add one or more recorded Selenium script files to your scan. Your script must be added as a .side file.

Setting

Description

Add File

Hyperlink that allows you to add one or more recorded Selenium script files to your scan.

Your script must be added as a .side file.

OpenAPI (Swagger) Specification

The specification (file upload or URL of the file location) for the RESTful API that you want to scan. The file should be OpenAPI Specification (v2 or v3) compliant and represented in either JSON or YAML format.

Setting	Description
File	Selecting this option in the drop-down list enables you to add one or more OpenAPI (v2 or v3) specification files as a file upload. The specification files should be represented in either JSON or YAML format.
URL	Selecting this option in the drop-down list enables you to add one or more OpenAPI (v2 or v3) specification files by entering the URL of the file location. The specification files should be represented in either JSON or YAML format.

Scan Inclusion

The URLs you want the scanner to include, along with how you want the scanner to crawl them.

Note: If you add more than one target to your scan, these settings are disabled.

Setting	Default	Description
List of URLs	none	A list of any URLs you want to ensure the scanner analyzes, in addition to the target URL you specified in the Basic settings. Type each URL as an absolute URL. Type each URL on a separate line. Note: All URLs should have the same domain and wildcards are not allowed.
Specify how the scanner handles URLs found during the application crawl	Crawl all URLs detected	Specifies the limits you want the scanner to adhere to as it crawls URLs. Select one of the following: Crawl all URLs detected — The scanner crawls all URLs and child paths it detects on the target URL's domain host. Limit crawling to specified URLs, sibling paths, and child paths — The scanner crawls the target URLs, sibling, and child paths only. Limit crawling to specified URLs and child paths — The scanner crawls only the target URL and child paths. Limit crawling to specified URLs — The scanner crawls the target URL only. It does not crawl child paths for the target URL.

Setting

Default

Description

List of URLs

none

A list of any URLs you want to ensure the scanner analyzes, in addition to the target URL you specified in the Basic settings.

Type each URL as an absolute URL.

Type each URL on a separate line.

Note: All URLs should have the same domain and wildcards are not allowed.

Specify how the scanner handles URLs found during the application crawl

Crawl all URLs detected

Specifies the limits you want the scanner to adhere to as it crawls URLs.

Select one of the following:

Crawl all URLs detected — The scanner crawls all URLs and child paths it detects on the target URL's domain host.
Limit crawling to specified URLs, sibling paths, and child paths — The scanner crawls the target URLs, sibling, and child paths only.
Limit crawling to specified URLs and child paths — The scanner crawls only the target URL and child paths.
Limit crawling to specified URLs — The scanner crawls the target URL only. It does not crawl child paths for the target URL.

Scan Exclusion

The attributes of URLs you want the scanner to exclude from your scan.

Setting	Default Value	Description
Regex for Excluded URLs	logout	Text box option in which you can specify a regex pattern that the scanner can look for in URLs to exclude from the scan. You can specify multiple regex patterns separated by new lines. Note: The regex values should be values contained within the URL to be excluded. For example, in the URL http://www.example.com/blog/today.htm, valid regex values would be blog or today (not the full URL). Additionally, regex values are case-sensitive.
File Extensions to Exclude	js, css, png, jpeg, gif, pdf, csv, svn-base, svg, jpg, ico, woff, woff2, exe, msi, zip	Text box option in which you can specify the file types you want the scanner to exclude from the scan. Separate each file type with a comma. Note: Excluding certain file extensions may be useful as the scanner may not realize something is not a web page and attempt to scan it, as if it actually is a web page. This wastes time and slows down the scan. You can add additional file extensions if you know you use them, and are certain they do not need to be scanned. For example, Tenable includes different image extensions by default: .png, .jpeg, etc.
Decompose Paths	not selected	Check box option that allows you to specify whether you want the scanner to break down each URL identified during the scan into additional URLs, based on directory path level. For example, if you specify www.example.com/dir1/dir2/dir3 as your target and select Decompose Paths, the scanner analyzes each of the following as separate URLs of the target: www.example.com/dir1/dir2/dir3 www.example.com/dir1/dir2 www.example.com/dir1 Select this option to increase the surface coverage of your web application scan. Note: Scans that include path decomposition can take longer to complete than scans that do not.
Exclude Binaries	selected	Check box option that allows you to specify whether you want the scanner to audit URLs with responses in binary format. Select this option to increase the surface coverage of your web application scan. Note: Scans that include binaries can take longer to complete, because the scanner cannot read the binary responses.

Miscellaneous

Setting	Description
Deduplicate Similar Pages	Checkbox option that allows you to specify whether you want the scanner to ignore pages in situations when similar pages have already been audited.