Configuring Acunetix to exclude scanning a portion of a website
There are situations where you may need to configure Acunetix to exclude a portion of a web application from crawling and scanning. This might be required if the web application being scanned is too large, or if scanning part of the site might trigger unwanted actions such as submitting data.
Exclude paths from the site structure of an existing Crawl/Scan
One way to configure Acunetix to not scan parts of the site is to configure exclusions from the site structure following a crawl or a scan of the site.
How to add an excluded path
- Select Scans from the side menu.
- Click on your scan.
- Select the Site Structure tab.
- Click on the folder you want to exclude from the scan.
- Click Exclude to automatically configure exclusion for the specific path.
- The exclusion will be configured in the Target’s settings.
Exclude Paths in a Target’s Settings
Another method is to use the Excluded Paths option, which lets you specify a list of directories and files to be excluded from a crawl. Multiple paths may be excluded for each Target.
How to add an excluded path
- Select Targets from the side menu.
- Click on your target to edit it.
- Scroll down to the Crawling section.
- In the Excluded Paths field, enter exclusions for any paths or files. Exclusions can be set using regular expressions, wildcards, or plain strings. Click + (the plus icon) to add more exclusions.
- Click Save when you are finished.
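As a purely hypothetical illustration (these entries are not taken from the Acunetix documentation), the Excluded Paths field for a target might contain plain-string entries such as:

```
/admin/
/test/old-site/
/logout
```

Each entry is interpreted relative to the Target URL, as described in the formatting requirements below.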
Excluded paths formatting requirements
Exclusions are written as paths relative to the Target URL, starting with a forward slash (/). For example, if you wish to exclude /dir2, which sits inside /dir1 on www.example.com, create the exclusion as /dir1/dir2/; the crawler will then ignore /dir2. Note that /dir1 and everything else in it (except /dir2) will still be scanned.
If you have a directory named /dir2 in the web root, that directory will still be scanned, because the exclusion you created applies specifically to the /dir2 directory inside /dir1. Although the two directories share a name, they are in different locations and are therefore treated as distinct paths.
Once a path is excluded from scanning, all its subdirectories are also excluded: since the directory is never crawled, the scanner cannot discover anything beneath it. Modifying the previous example slightly, if /dir1 is excluded, the crawler will ignore that directory and everything below it, including /dir2.
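The matching behavior described above can be sketched as simple prefix matching on the URL path. This is an illustrative model, not Acunetix's actual implementation; the function name is hypothetical.

```python
# Sketch of how a crawler might apply path exclusions, assuming
# simple prefix matching on the URL path (illustrative only).

def is_excluded(path: str, excluded_paths: list[str]) -> bool:
    """Return True if the path falls under any excluded path."""
    normalized = path if path.endswith("/") else path + "/"
    return any(normalized.startswith(ex.rstrip("/") + "/") for ex in excluded_paths)

# Excluding /dir1/dir2/ skips that subtree, but not the root-level /dir2
# and not the rest of /dir1.
exclusions = ["/dir1/dir2/"]
print(is_excluded("/dir1/dir2/page.html", exclusions))  # True
print(is_excluded("/dir2/page.html", exclusions))       # False
print(is_excluded("/dir1/index.html", exclusions))      # False
```

Because matching is by prefix, excluding /dir1/ instead would also exclude /dir1/dir2/ and everything below it.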
Excluding Paths Based on Regular Expressions
Acunetix also allows path exclusions to contain regular expressions (RegEx). This is useful in situations where you want to exclude a URL pattern rather than a single URL. Acunetix accepts the widely-used Perl Compatible Regular Expressions (PCRE) syntax for defining regular expressions.
The following use cases can be addressed with regular expression exclusions to restrict URL patterns.
TIP: Before applying an exclusion RegEx in Acunetix, you may wish to test your RegEx in a tool such as Regex101.
- Exclude URLs more than 1-level deep
- Exclude URLs more than 2-levels deep
- Exclude specific directories
- Exclude all URLs (useful when supplying Acunetix with a list of URLs to scan)
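As one possible sketch of such patterns (these regular expressions are illustrative and not copied from the Acunetix documentation), the use cases above could be written as follows. They are verified here with Python's re module, whose syntax agrees with PCRE for these simple cases:

```python
# Hypothetical PCRE-style exclusion patterns for the use cases above
# (illustrative only), checked with Python's re module.
import re

patterns = {
    "more than 1-level deep": r"^/[^/]+/.+",        # e.g. /dir1/page.html
    "more than 2-levels deep": r"^/[^/]+/[^/]+/.+", # e.g. /dir1/dir2/page.html
    "specific directories": r"^/(admin|backup)(/.*)?$",  # directory names are examples
    "all URLs": r"^/.*",                            # matches every crawled path
}

assert re.match(patterns["more than 1-level deep"], "/dir1/page.html")
assert not re.match(patterns["more than 1-level deep"], "/page.html")
assert re.match(patterns["more than 2-levels deep"], "/dir1/dir2/page.html")
assert not re.match(patterns["more than 2-levels deep"], "/dir1/page.html")
assert re.match(patterns["specific directories"], "/admin/users")
assert not re.match(patterns["specific directories"], "/blog/admin-tips")
```

Patterns anchored with ^ match from the start of the path, which is usually what you want when excluding by directory depth.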
TIP: For more information, refer to Configuring Acunetix to include only specific portions of a website.