Working with Scans

Excluding and Including Links from the Sitemap After Crawling

This document is for:
Invicti Standard

In Invicti Standard, you can exclude specific URLs and parameters that have already been crawled from a running scan before they are attacked. You do this with the option that pauses the scan after crawling: the scan must be paused between the crawling phase and the attacking phase so that you can exclude or include crawled links before any vulnerability checks run against them.

If you exclude a resource while it is being attacked, the vulnerability checks that were already running when you excluded it still run to completion. Only the checks that had not yet started are halted.

Excluding a URL or Parameter from a Web Security Scan

Before scanning a website for vulnerabilities, the Invicti web vulnerability scanner crawls the website to discover all of its pages and attack surfaces. Every crawled resource that is going to be attacked is added to the sitemap. For example, the scanner can identify the file parameter of process.php before the attacking phase has started.

How to Exclude a URL or Parameter from a Web Security Scan
  1. Open Invicti Standard.
  2. In the Home tab, click New. The Start a New Website or New Service Scan dialog is displayed.
  3. In the Target Website or Web Service URL field, enter the URL of the website you want to scan.
  4. Configure the Scan Policy and other fields as required.
  5. In the Crawling field, check Pause Scan After Crawling.
  6. Click Crawl and Wait.
  7. When the crawling stage is complete, in the Sitemap, highlight the object you want to exclude from the scan (e.g. the file parameter in the process.php resource).
  8. Right-click it and select Exclude from Attack.

Once an object is excluded, it is marked with a no-entry icon or a diagonal strike-through, as shown in the screenshot below.

  9. Click Resume to complete the scan.

Excluding a Branch from a Web Security Scan

You can also exclude a complete branch from a scan. For example, to exclude all the files under a specific URL or folder such as /images/, highlight the folder and select Exclude this Branch from Attack.

How to Exclude a Branch from a Web Security Scan
  1. Open Invicti Standard.
  2. Complete steps 2 to 7 of How to Exclude a URL or Parameter from a Web Security Scan.
  3. Right-click the branch you want to exclude and select Exclude this Branch from Attack.
  4. Click Resume.

Include Resources Back in the Scan (Reversing the Exclusion)

If you want to reverse an exclusion and put a resource or branch back into the scan, highlight the resource in question, right-click it, and select Include in Attack (for a single resource or parameter) or Include this Branch in Attack (for a whole branch).

How to Include Resources Back in the Scan
  1. Open Invicti Standard.
  2. Complete steps 2 to 7 of How to Exclude a URL or Parameter from a Web Security Scan.
  3. Right-click the resource or branch you want to include and select Include in Attack or Include this Branch in Attack.
  4. Click Resume.
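The three operations above (exclude a parameter, exclude a branch, include a resource or branch again) are all edits to the attack scope that sit between the crawl and the attack phase. The following Python script is an added illustration of that scope logic, written for this page; it is not Invicti code and does not reproduce how Invicti stores its sitemap. The sample URLs, the AttackScope class and its method names are constructed for the example. It shows the one detail that matters when excluding a branch by prefix: /images/ must cover /images/icons/ok.png but must not accidentally swallow an unrelated path such as /imagesx/.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Constructed sample sitemap (not real scan output): URLs a crawler might record.
SITEMAP = [
    "http://example.test/process.php?file=report.pdf&action=view",
    "http://example.test/images/logo.png",
    "http://example.test/images/icons/ok.png",
    "http://example.test/imagesx/other.php?id=1",
    "http://example.test/login.php?user=a&pass=b",
]


def parse_sitemap(urls):
    """Turn crawled URLs into (path, [parameter names]) entries.

    A resource without a query string is still an attack target (path-based
    checks apply to it), so it is kept with an empty parameter list.
    """
    entries = []
    for url in urls:
        parts = urlsplit(url)
        names = [name for name, _ in parse_qsl(parts.query, keep_blank_values=True)]
        entries.append((parts.path, names))
    return entries


@dataclass
class AttackScope:
    """Exclusion state edited while the scan is paused after crawling (hypothetical model)."""

    excluded_resources: set = field(default_factory=set)  # paths
    excluded_params: set = field(default_factory=set)     # (path, parameter name)
    excluded_branches: set = field(default_factory=set)   # '/dir/' prefixes

    @staticmethod
    def _branch(prefix):
        # Normalize so '/images' and '/images/' name the same branch and a
        # trailing slash is always present for the prefix test below.
        return prefix.rstrip("/") + "/"

    # "Exclude from Attack" / "Include in Attack" on a single resource
    def exclude_resource(self, path):
        self.excluded_resources.add(path)

    def include_resource(self, path):
        self.excluded_resources.discard(path)
        # Including the resource again also clears its parameter-level exclusions.
        self.excluded_params = {p for p in self.excluded_params if p[0] != path}

    # "Exclude from Attack" / "Include in Attack" on one parameter of a resource
    def exclude_parameter(self, path, name):
        self.excluded_params.add((path, name))

    def include_parameter(self, path, name):
        self.excluded_params.discard((path, name))

    # "Exclude this Branch from Attack" / "Include this Branch in Attack"
    def exclude_branch(self, prefix):
        self.excluded_branches.add(self._branch(prefix))

    def include_branch(self, prefix):
        self.excluded_branches.discard(self._branch(prefix))

    def in_excluded_branch(self, path):
        # Match the folder itself or anything below it; because every branch
        # ends in '/', '/images/' cannot match '/imagesx/other.php'.
        return any(path == b.rstrip("/") or path.startswith(b)
                   for b in self.excluded_branches)

    def attack_targets(self, entries):
        """Return (path, parameter) pairs that the attack phase will test.

        The pair (path, None) stands for the resource itself.
        """
        targets = []
        for path, names in entries:
            if path in self.excluded_resources or self.in_excluded_branch(path):
                continue
            targets.append((path, None))
            for name in names:
                if (path, name) not in self.excluded_params:
                    targets.append((path, name))
        return targets


def demo():
    """Apply the two exclusions from the procedures above and list what remains."""
    scope = AttackScope()
    scope.exclude_parameter("/process.php", "file")  # exclude one parameter
    scope.exclude_branch("/images/")                 # exclude a whole branch
    return scope.attack_targets(parse_sitemap(SITEMAP))


if __name__ == "__main__":
    for path, param in demo():
        print(path if param is None else f"{path} [{param}]")
```

Running the script lists process.php with only its action parameter, nothing under /images/, and the unrelated /imagesx/ resource untouched. Calling include_branch("/images/") on the same scope before attack_targets reverses the branch exclusion, which is the script's equivalent of Include this Branch in Attack.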