Scope

There are a number of options that let you tailor the testing scope to your specific requirements.

Include URLs

The "Include URLs" option supplies additional matching rules that bring URLs into scope. For example, you may wish to test all files hosted on your CDN that are not part of your target application domain; this option lets you define that.

Exclude URLs

The "Exclude URLs" option defines a list of regular expressions (one per line) that are matched against URLs to be ignored. For example, to stop the scanner from following logout URLs you may use the regular expression logout\.(asp|aspx|php|jsp). You may want to add further rules to prevent the spider from visiting sensitive application areas.

Limit URLs

The "Limit URLs" option defines a list of regular expressions that lock active testing within specific folders. For example, the rule $\/users/.* locks testing inside the /users/ application path and will not test the /admins/ application path.

Max Depth

This option defines the maximum number of folders a URL may contain before it is considered out of scope. For example, a "Max Depth" of 2 will scan /folderA/folderB/file but will not scan /folderA/folderB/folderC/file.

Pre-defined Exclusions Rules

There are a number of pre-defined exclusion rules you can use. For example, binary formats such as audio, video and image files are not used by the scanner because this content is not interactive, so these files are excluded by default. There are situations where you may want to spider these files too, although it is generally not recommended or required in the majority of cases.

Styles, scripts and documents are also excluded by default, as in most cases they are static assets, but as discussed there are a number of situations in which this may not be desirable.
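To show how the five scope controls above (Include URLs, Exclude URLs, Limit URLs, Max Depth and the pre-defined exclusions) interact on real-looking URLs, here is an added, stand-alone Python model of a scope checker. It is example code written for this page, not the scanner's own implementation; the order in which the rules are applied, the hosts app.example.com and cdn.example.net, the CDN include rule, the start-anchored limit rule ^/users/, the list of default-excluded extensions and the sample URLs are all assumptions constructed for illustration. Only the logout regular expression and the Max Depth semantics come from the text.

```python
import re
from urllib.parse import urlparse

# Extensions covered by the pre-defined exclusions (constructed list for this example;
# the scanner's actual default list is not reproduced on this page).
DEFAULT_EXCLUDED_EXTENSIONS = {
    "mp3", "wav", "mp4", "avi", "png", "jpg", "jpeg", "gif",   # audio, video, images
    "css", "js", "pdf", "doc", "docx",                         # styles, scripts, documents
}


class Scope:
    """Assumed scope model: target host or Include rule, then Exclude rules,
    then pre-defined exclusions, then Limit rules, then Max Depth."""

    def __init__(self, target_host, include=(), exclude=(), limit=(),
                 max_depth=None, use_default_exclusions=True):
        self.target_host = target_host.lower()
        self.include = [re.compile(p) for p in include]   # matched against the full URL
        self.exclude = [re.compile(p) for p in exclude]   # matched against the full URL
        self.limit = [re.compile(p) for p in limit]       # matched against the path only
        self.max_depth = max_depth
        self.use_default_exclusions = use_default_exclusions

    def in_scope(self, url):
        """Return (decision, reason) for one URL."""
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        path = parsed.path or "/"

        # 1. Host must be the target, unless an Include rule pulls the URL in (e.g. a CDN).
        if host != self.target_host and not any(r.search(url) for r in self.include):
            return False, "host not in scope"
        # 2. Exclude rules win over everything else: logout links, sensitive areas.
        if any(r.search(url) for r in self.exclude):
            return False, "matches exclude rule"
        # 3. Pre-defined exclusions: non-interactive binary and static assets by extension.
        last_segment = path.rsplit("/", 1)[-1]
        ext = last_segment.rsplit(".", 1)[-1].lower() if "." in last_segment else ""
        if self.use_default_exclusions and ext in DEFAULT_EXCLUDED_EXTENSIONS:
            return False, "excluded by default (." + ext + ")"
        # 4. Limit rules: when any are configured, the path must match at least one.
        if self.limit and not any(r.search(path) for r in self.limit):
            return False, "outside limit rules"
        # 5. Max Depth counts folders only, not the final file segment.
        if self.max_depth is not None:
            folders = [seg for seg in path.split("/")[:-1] if seg]
            if len(folders) > self.max_depth:
                return False, "depth %d exceeds max depth %d" % (len(folders), self.max_depth)
        return True, "in scope"


def build_example_scope():
    """Scope for a hypothetical target app.example.com with a CDN on cdn.example.net."""
    return Scope(
        target_host="app.example.com",
        include=[r"^https?://cdn\.example\.net/"],      # assumed CDN include rule
        exclude=[r"logout\.(asp|aspx|php|jsp)"],        # the page's logout rule
        limit=[r"^/users/"],                            # assumed limit rule (start-anchored)
        max_depth=2,
    )


# Constructed sample URLs, one per rule described on the page.
SAMPLE_URLS = [
    "https://app.example.com/users/profile.php",
    "https://app.example.com/users/logout.php",
    "https://app.example.com/admins/index.php",
    "https://app.example.com/users/avatar.png",
    "https://cdn.example.net/users/a/b/c/file",
    "https://other.example.org/users/profile.php",
]


def classify(scope, urls):
    """Map each URL to its (decision, reason)."""
    return {u: scope.in_scope(u) for u in urls}


if __name__ == "__main__":
    for url, (ok, why) in classify(build_example_scope(), SAMPLE_URLS).items():
        print(("IN " if ok else "OUT") + "  " + url + "  (" + why + ")")
```

Running the block prints one line per sample URL with the rule that decided it. The design point worth noting is that exclusions are evaluated before the limit and depth rules, so a logout link or a sensitive area stays out of scope even when an Include or Limit rule would otherwise cover it; if a scanner evaluated the rules in a different order, a permissive include rule could silently re-admit URLs you meant to exclude, which is why it pays to test a scope configuration against a handful of known URLs before a scan.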