Articles on: Getting Started (Pentest)

How to use the Exclude URLs feature

What is the Exclude URLs feature?



The exclude URLs feature allows users to specify certain URLs that should be excluded from the vulnerability scanning process. This is useful for situations when some critical endpoints exist on a website which should not be tested by automated scanners or when a known vulnerability exists on a specific page, but the user does not want to address it at this time.

How to use the Exclude URLs feature?



Begin by launching your vulnerability scanner and navigating to the scanning setup process.
Look for a section labeled Exclude URLs (Step 7).
Once in the Exclude URLs section, you will see a text field where you can enter the URLs you wish to exclude from the scan.



When you click on the text field, you will be presented with two options - Contains and Regex.

The Contains feature allows you to exclude URLs that contain a specific word or phrase. To use this feature, type in the word or phrase that appears in the URLs you wish to exclude. For example, if you want to exclude all URLs that contain the phrase admin-dashboard, you would type that phrase into the text field.

The Regex feature allows you to exclude URLs that match a specific pattern. To use this feature, type in a regular expression that matches the pattern of the URLs you wish to exclude. For example, if you want to exclude all URLs that contains some product ID, you can use a regular expression like product-id-[0-9a-z]{7}.



Please find a table of useful regular expressions for common use cases below for your reference:
Use caseRegular expression
URLs ending with a certain string.*string
URLs containing a string anywhere.*string.*
URLs containing the string /blog.*/blog.*
Exclude all subdomains of another subdomain.*\.subdomain.getastra.com/.*


Please note: When using special regular expression characters as part of a string within your regular expression, be sure to escape them with a backslash. However, delimiters such as the forward slash ( /) do not require escaping. Additionally, to minimize the possibility of errors, it is recommended to utilize the Contains functionality when applicable, as it is less prone to human error.

Here are some sites to build regular expressions easily:
regex101
regexr

Once you have entered all the URLs you wish to exclude, click on Save & Next > to proceed with the scanning process.

Why use the Exclude URL feature?



The Exclude URL feature can be useful in several situations, such as:
When a user is aware of a specific vulnerability on a particular page, but they cannot fix it at the moment and want to exclude it from the scan.
When a user wants to exclude the development or staging site to avoid unnecessary alerts.
To avoid critical endpoints which can be damaged by automated scanners.

Updated on: 16/12/2024

Was this article helpful?

Share your feedback

Cancel

Thank you!