Excluding URLs in scans

You can specify one or more excluded URL patterns to avoid testing sections of a site during a scan. Web Security Scanner doesn't request resources that match any of the exclusions. The following sections describe the pattern matching that Web Security Scanner uses.

Pattern matching for excluded URLs

Excluded URL matching is based on a set of URLs defined by match patterns. A match pattern is a URL with 3 parts:

  • scheme: for example, http or *
  • host: for example, www.google.com or *.google.com or *
  • path: for example, /*, /foo*, or /foo/bar

Following is the basic syntax:

<exclude-pattern> := <scheme>://<host><path>
<scheme> := '*' | 'http' | 'https'
<host> := '*' | '*.' <any char except '/' and '*'>+
<path> := '/' <any chars>

The * in each part has the following function:

  • scheme: * matches either HTTP or HTTPS.
  • host:
    • * matches any host
    • *.hostname matches the specified host and any of its subdomains.
  • path: * matches 0 or more characters.

Valid pattern matches

The following table provides examples of valid patterns:

| Pattern | Behavior | Sample matching URLs |
|---|---|---|
| http://*/* | Matches any URL that uses the HTTP scheme. | |
| http://*/foo* | Matches any URL that uses the HTTP scheme, on any host, if the path starts with /foo. | |
| https://*.google.com/foo*bar | Matches any URL that uses the HTTPS scheme and is on a google.com host (such as www.google.com, docs.google.com, or google.com), if the path starts with /foo and ends with bar. | |
| http://example.org/foo/bar.html | Matches the specified URL. | |
| http://example.org/foo/bar.html* | Matches any URL that uses the HTTP scheme and is on the host | |
| *://mail.google.com/* | Matches any URL that starts with http://mail.google.com or https://mail.google.com. | |

Invalid pattern matches

The following table provides examples of invalid patterns:

| Pattern | Reason |
|---|---|
| http://www.google.com | The URL doesn't include a path. |
| http://*foo/bar | * in the host can be followed only by a . or /. |
| http://foo.*.bar/baz | If * is in the host, it must be the first character. |
| http:/bar | The URL's scheme separator isn't properly formed. The "/" should be "//". |
| foo://* | The URL scheme is invalid. |
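
The validation and matching rules above can be reproduced locally to confirm which URLs an exclusion would keep out of a scan before it is configured. The following Python is an added example, not Web Security Scanner's own code: `compile_exclusion` is a hypothetical helper, and comparing the path pattern against the path plus query string, and ignoring ports, are assumptions.

```python
import re
from urllib.parse import urlsplit

# Pattern shape from the page: <scheme>://<host><path>; the path is required.
_PATTERN = re.compile(r"^(\*|http|https)://([^/]+)(/.*)$")

def compile_exclusion(pattern):
    """Validate an exclude pattern and return a predicate over URLs.

    Raises ValueError for the invalid shapes listed in the table above.
    """
    m = _PATTERN.match(pattern)
    if not m:
        raise ValueError(f"bad scheme, separator, or missing path: {pattern!r}")
    scheme, host, path = m.groups()
    # '*' in the host must be the whole host or a leading '*.' prefix.
    rest = host[2:] if host.startswith("*.") else host
    if host != "*" and ("*" in rest or not rest):
        raise ValueError(f"'*' misplaced in host: {pattern!r}")
    # In the path, '*' matches 0 or more characters; all else is literal.
    path_re = re.compile(".*".join(re.escape(p) for p in path.split("*")), re.S)

    def matches(url):
        u = urlsplit(url)
        if u.scheme not in (("http", "https") if scheme == "*" else (scheme,)):
            return False
        h = (u.hostname or "").lower()  # assumption: any port is ignored
        if host.startswith("*."):
            # '*.hostname' covers the host itself and any of its subdomains.
            if h != rest.lower() and not h.endswith("." + rest.lower()):
                return False
        elif host != "*" and h != host.lower():
            return False
        # Assumption: the path pattern is compared to path plus query string.
        target = (u.path or "/") + ("?" + u.query if u.query else "")
        return path_re.fullmatch(target) is not None

    return matches
```

Running a site's crawl list through the returned predicate shows how much coverage a broad pattern such as `*://*/*` removes before the scan runs.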