Scope Settings in Tenable Web App Scanning Scans
Configure Scope settings to specify the URLs and file types that you want to include in or exclude from your scan.
You can configure Scope settings when you create a scan or user-defined scan template and select the Overview or Scan template type. For more information, see Scan Templates.
Tip: If you want to save your settings configurations and apply them to other scans, you can create and configure a user-defined scan template.
The Scope settings include the following sections:
Selenium scripts you want to add to your scan to enable the scanner to analyze pages with complex access logic.
Setting | Description |
---|---|
Add File |
Hyperlink that allows you to add one or more recorded Selenium script files to your scan. Your script must be added as a .side file. |
OpenAPI (Swagger) Specification
The specification (file upload or URL of the file location) for the RESTful API that you want to scan. The file should be OpenAPI Specification (v2 or v3) compliant and represented in either JSON or YAML format.
Setting | Description |
---|---|
File | Selecting this option in the drop-down list enables you to add one or more OpenAPI (v2 or v3) specification files as a file upload. The specification files should be represented in either JSON or YAML format. |
URL | Selecting this option in the drop-down list enables you to add one or more OpenAPI (v2 or v3) specification files by entering the URL of the file location. The specification files should be represented in either JSON or YAML format. |
The URLs you want the scanner to include, along with how you want the scanner to crawl them.
Setting | Default | Description |
---|---|---|
List of URLs | none |
A list of any URLs you want to ensure the scanner analyzes, in addition to the target URL you specified in the Basic settings. Type each URL as an absolute URL. Type each URL on a separate line.
Note: All URLs should have the same domain and wildcards are not allowed.
|
Specify how the scanner handles URLs found during the application crawl | Crawl all URLs detected |
Specifies the limits you want the scanner to adhere to as it crawls URLs. Select one of the following:
|
The attributes of URLs you want the scanner to exclude from your scan.
Setting | Default Value | Description |
---|---|---|
Regex for Excluded URLs | logout |
Text box option in which you can specify a regex pattern that the scanner can look for in URLs to exclude from the scan. You can specify multiple regex patterns separated by new lines. Note: The regex values should be values contained within the URL to be excluded. For example, in the URL http://www.example.com/blog/today.htm, valid regex values would be blog or today (not the full URL). Additionally, regex values are case-sensitive. |
File Extensions to Exclude | js, css, png, jpeg, gif, pdf, csv, svn-base, svg, jpg, ico, |
Text box option in which you can specify the file types you want the scanner to exclude from the scan. Separate each file type with a comma. Note: Excluding certain file extensions may be useful as the scanner may not realize something is not a web page and attempt to scan it, as if it actually is a web page. This wastes time and slows down the scan. You can add additional file extensions if you know you use them, and are certain they do not need to be scanned. For example, Tenable includes different image extensions by default: .png, .jpeg, etc. |
Decompose Paths | not selected |
Check box option that allows you to specify whether you want the scanner to break down each URL identified during the scan into additional URLs, based on directory path level. For example, if you specify www.example.com/dir1/dir2/dir3 as your target and select Decompose Paths, the scanner analyzes each of the following as separate URLs of the target:
Select this option to increase the surface coverage of your web application scan. Note: Scans that include path decomposition can take longer to complete than scans that do not. |
Exclude Binaries | selected |
Check box option that allows you to specify whether you want the scanner to audit URLs with responses in binary format. Select this option to increase the surface coverage of your web application scan. Note: Scans that include binaries can take longer to complete, because the scanner cannot read the binary responses. |
Setting | Description |
---|---|
Deduplicate Similar Pages | Checkbox option that allows you to specify whether you want the scanner to ignore pages in situations when similar pages have already been audited. |