How to configure Acunetix to exclude scanning a portion of my website

There are situations where you may need to configure Acunetix to exclude a portion of a web application from crawling and scanning. This might be required if the web application being scanned is too large, or if scanning part of the site might trigger unwanted actions such as submitting data. There are two ways to instruct Acunetix to omit part of your web application from a scan.

Starting a Scan from a Directory

The simpler method is to scan a directory on the site directly, e.g. http://testphp.vulnweb.com/AJAX/. Acunetix will then only scan the /AJAX directory and the files and directories below it; it will not scan any URLs above the /AJAX path.

Exclude Paths in a Target’s Settings

The second method is to use the Excluded Paths option, which lets you specify a list of directories and files to be excluded from a crawl. Multiple paths may be excluded for each Target.

Adding an Excluded Path can be accomplished as follows.

  • Navigate to the Target to which you wish to add an Excluded Path.
  • Click on the Crawl tab of the Target’s settings.
  • In the Crawling/Navigation Options section, under Excluded Paths, add the path of the directory or file you wish to exclude, starting after the Target URL.
  • Click on Add to include that path in the exclusion list.

An exclusion starts with a forward slash (/) and gives the path relative to the Target URL. For example, to exclude /dir2, which sits inside /dir1 on www.example.com, create the exclusion as /dir1/dir2/. The crawler will then ignore /dir2, while /dir1 and everything else in it is still scanned.

If there is also a directory named /dir2 in the root, that directory will still be scanned, because the exclusion was created specifically for the /dir2 inside /dir1. The two are not considered the same, even though they share a name, because they are in different locations.

Once a path is excluded, all of its subdirectories are excluded as well: if a directory is never crawled, the scanner cannot discover anything beneath it. Modifying the previous example slightly, if /dir1 is excluded, the crawler ignores that directory and everything below it, including /dir2.

Excluding Paths Based on Regular Expressions

Acunetix also allows path exclusions to contain regular expressions (RegEx). This is useful in situations where you want to exclude a URL pattern rather than a single URL. Acunetix accepts the widely-used Perl Compatible Regular Expressions (PCRE) syntax for defining regular expressions.

The following are examples of regular expressions you can configure in Acunetix to exclude URL patterns. For each one, the paths listed under "Matches" are excluded from the scan, and the paths under "Does not match" are still scanned.

* Wildcard
  Regular expression: \/dir.*\/otherdir
  Matches (excludes path):
  • /dir/otherdir
  • /dir1/otherdir
  • /dira/otherdir
  • /dir123/dir4/otherdir
  Does not match (does not exclude path):
  • /dir
  • /dir/dir1
  • /dir/dira
  • /dir/dir123

? Wildcard
  Regular expression: \/dir.?\/otherdir
  Matches (excludes path):
  • /dir/otherdir
  • /dir1/otherdir
  • /dira/otherdir
  Does not match (does not exclude path):
  • /dir
  • /dir/dir1
  • /dir/dira
  • /dir/dir123
  • /dir123/otherdir

Digit Wildcard
  Regular expression: \/dir[\d]+\/otherdir
  Matches (excludes path):
  • /dir1/otherdir
  • /dir01/otherdir
  • /dir9999/otherdir
  Does not match (does not exclude path):
  • /dir/otherdir
  • /dira/otherdir
  • /dir1a/otherdir

Exclude URLs more than 1 level deep
  Regular expression: (\/.+){2,}
  Matches (excludes path):
  • /dir/dir1
  • /dir/dir1/dira
  • /dir/file.html
  • /dir/file.html?q=value
  Does not match (does not exclude path):
  • /dir
  • /file.html
  • /file.html?q=value

Exclude URLs more than 2 levels deep
  Regular expression: (\/.+){3,}
  Matches (excludes path):
  • /dir/dir1/dira
  • /dir/dir1/file.html?q=value
  Does not match (does not exclude path):
  • /dir
  • /dir/dir1
  • /dir/file.html
  • /dir/file.html?q=value

Exclude specific directories
  Regular expression: \/dir(\/.*)?$
  Matches (excludes path):
  • /dir
  • /dir1/dir
  Does not match (does not exclude path):
  • /dir1
  • /dira/dirb

Exclude all URLs (useful when supplying Acunetix with a list of URLs to scan)
  Regular expression: ^\/.*$
  Matches (excludes path):
  • /dir
  • /dir/file.html
  • /dir/file.html?q=value
  Does not match (does not exclude path):
  • none

Exclude URLs with specific parameter names
  Regular expression: \?*[?&]param=
  Matches (excludes path):
  • /?param=value
  • /dir/file.html?param=value
  • /dir/?param=value
  • /dir/?param1=value&param=value
  Does not match (does not exclude path):
  • /?param1=value
  • /dir/file.html?parama=value
  • /dir/?paramb=value
  • /dir/?otherparam=value&paramc=value

Exclude URLs with specific parameter values
  Regular expression: \?.+=paramval(&.*)?$
  Matches (excludes path):
  • /?param=paramval
  • /dir/file.html?param=paramval
  • /dir/?param=paramval
  • /dir/?param1=value&param=paramval
  Does not match (does not exclude path):
  • param=paramval1
  • /dir/?param=paramvala
  • /dir/?param1=paramvalb&param=value
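Both exclusion mechanisms can be dry-run offline before a scan is started, which is worth doing because an exclusion that is too broad silently removes pages from coverage. The script below is an added example, not Acunetix code and not its matching engine. It assumes that a literal exclusion such as /dir1/dir2/ covers that directory and everything below it at that location only, matched on a directory boundary, and that a regular-expression exclusion is applied with an unanchored search to the part of the URL after the Target URL (path plus query string); the table's own match/no-match lists behave that way. It replays the /dir1/dir2/ case from the text and every row of the table, and the sample paths are constructed for the example.

```python
"""Dry-run checker for Acunetix-style Excluded Paths (added example, not Acunetix code).

Assumptions, not product internals:
  * a literal exclusion (e.g. /dir1/dir2/) covers that directory and everything
    below it, at that location only, matched on a directory boundary;
  * a regex exclusion is applied with an unanchored search (re.search) to the
    part of the URL after the Target URL, i.e. path plus query string.
Python's re module accepts every PCRE-style pattern in the table as written.
"""
import re


def literal_excluded(path: str, exclusion: str) -> bool:
    """Literal exclusion: true for the directory itself and anything below it."""
    excl = exclusion.rstrip("/")
    p = path.split("?", 1)[0]          # the query string never affects a literal path
    return p.rstrip("/") == excl or p.startswith(excl + "/")


def regex_excluded(path: str, pattern: str) -> bool:
    """Regex exclusion: unanchored search, so add ^ and $ yourself when you need them."""
    return re.search(pattern, path) is not None


def classify(paths, literals=(), regexes=()):
    """Split candidate paths into (scanned, excluded) for a dry run of a Target's exclusion list."""
    scanned, excluded = [], []
    for p in paths:
        hit = any(literal_excluded(p, e) for e in literals) or \
              any(regex_excluded(p, r) for r in regexes)
        (excluded if hit else scanned).append(p)
    return scanned, excluded


def literal_example():
    """The /dir1/dir2/ case from the text: /dir1 itself and the root-level /dir2 stay scanned."""
    paths = ["/dir1/", "/dir1/index.php", "/dir1/dir2/", "/dir1/dir2/a.php",
             "/dir2/", "/dir2/b.php"]        # constructed sample paths
    return classify(paths, literals=["/dir1/dir2/"])


# Rows of the regex table: (pattern, paths that match, paths that do not match).
TABLE = [
    (r"\/dir.*\/otherdir",
     ["/dir/otherdir", "/dir1/otherdir", "/dira/otherdir", "/dir123/dir4/otherdir"],
     ["/dir", "/dir/dir1", "/dir/dira", "/dir/dir123"]),
    (r"\/dir.?\/otherdir",
     ["/dir/otherdir", "/dir1/otherdir", "/dira/otherdir"],
     ["/dir", "/dir/dir1", "/dir/dira", "/dir/dir123", "/dir123/otherdir"]),
    (r"\/dir[\d]+\/otherdir",
     ["/dir1/otherdir", "/dir01/otherdir", "/dir9999/otherdir"],
     ["/dir/otherdir", "/dira/otherdir", "/dir1a/otherdir"]),
    (r"(\/.+){2,}",
     ["/dir/dir1", "/dir/dir1/dira", "/dir/file.html", "/dir/file.html?q=value"],
     ["/dir", "/file.html", "/file.html?q=value"]),
    (r"(\/.+){3,}",
     ["/dir/dir1/dira", "/dir/dir1/file.html?q=value"],
     ["/dir", "/dir/dir1", "/dir/file.html", "/dir/file.html?q=value"]),
    (r"\/dir(\/.*)?$",
     ["/dir", "/dir1/dir"],
     ["/dir1", "/dira/dirb"]),
    (r"^\/.*$",
     ["/dir", "/dir/file.html", "/dir/file.html?q=value"],
     []),
    (r"\?*[?&]param=",
     ["/?param=value", "/dir/file.html?param=value", "/dir/?param=value",
      "/dir/?param1=value&param=value"],
     ["/?param1=value", "/dir/file.html?parama=value", "/dir/?paramb=value",
      "/dir/?otherparam=value&paramc=value"]),
    (r"\?.+=paramval(&.*)?$",
     ["/?param=paramval", "/dir/file.html?param=paramval", "/dir/?param=paramval",
      "/dir/?param1=value&param=paramval"],
     ["param=paramval1", "/dir/?param=paramvala", "/dir/?param1=paramvalb&param=value"]),
]


def check_table(table=TABLE):
    """Return (pattern, path, expected) for every table entry that misbehaves; [] means all verified."""
    failures = []
    for pattern, yes, no in table:
        failures += [(pattern, p, True) for p in yes if not regex_excluded(p, pattern)]
        failures += [(pattern, p, False) for p in no if regex_excluded(p, pattern)]
    return failures


if __name__ == "__main__":
    print("literal example:", literal_example())
    print("table failures:", check_table())
```

To test your own exclusion list, put the paths you expect the crawler to find into `classify` and inspect the `excluded` half before starting the scan; any page in it will never be tested.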
  • Hi,

    I’m missing a feature from Acunetix 10 where one could choose which files to scan after crawling. I do not find this feature in Acunetix 11 and sometimes I have to scan sites like webshops that have a boatload of products.

    For instance, let's say all products are within one subdirectory. I usually only want to scan a few of these product pages, not hundreds of them, because they are usually identical except for their text descriptions, pictures etc.

    I've tried setting regexes in the "Excluded Paths" option to exclude all products except the one that I'm specifying in the regex. Still, it might happen that this particular product is not linked from any of the main pages anyway but maybe only from a different product, and thus never gets crawled. This makes crawling as many pages as possible but subsequently only scanning certain things next to impossible without a lot of manual configuration.

    One more feature in version 10 that could have been used for this purpose was the “export crawling results” option that I don’t seem to find in version 11.

    Is there a way to do this in version 11 or might we get this feature back at some point?

    Thanks,
    Ferdinand

    • Hi,

      In v11, you will need to use excluded paths for now. We are planning on re-introducing the options to start a scan from a crawl, and to selectively choose which files to scan from a previous crawl – this will happen in Q2.
