Add the ability to exclude paths from API Scans
Problem to solve
In baseline and full scans, users can exclude URLs from the scan by using the DAST_AUTH_EXCLUDE_PATHS configuration value. This is useful because logout links are often scanned, which causes the rest of the scan to miss URLs that require authentication.

While logout is not a typical feature of an API, there may be other reasons why a user would want to exclude URLs.
The implementation of _EXCLUDE_PATHS can be done by updating the configuration file route entries using information from this variable. This will only require changes to
The format of _EXCLUDE_PATHS will be:

- `;` to separate entries
- Provide only the path element; no query string, scheme, or host.
- `?` for a single character wildcard
- `*` for a multiple character wildcard
Add a new variable FUZZAPI_EXCLUDE_PATHS that uses the same rules as the route include/exclude logic already available via API Security configuration files. This will make the implementation easier.
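As an added example (not part of this issue and not the scanner's own code), the following Python shows how an exclude-paths variable in the format described above can be parsed and applied to a list of candidate routes: entries are split on `;`, only the path element of each request URL is compared (scheme, host and query string are dropped), and `?` / `*` act as wildcards. Assumptions beyond what the issue states: `*` matches zero or more characters (including `/`), `?` matches exactly one character, matching is anchored to the whole path and is case-sensitive; the function names and the sample routes are constructed for this illustration.

```python
"""Parse an exclude-paths value and filter request paths against it.

Added example; the helper names and semantics below are assumptions:
  - entries are separated by ';', whitespace around entries is ignored
  - '?' matches exactly one character, '*' matches zero or more (any char)
  - a pattern must match the entire path (anchored), case-sensitively
"""
import re
from urllib.parse import urlsplit


def parse_exclude_paths(value: str) -> list[str]:
    """Split the variable on ';', trim whitespace and drop empty entries."""
    return [entry.strip() for entry in value.split(";") if entry.strip()]


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate one path pattern into an anchored regular expression.

    Everything except the two wildcards is escaped, so a '.' in
    '/v1/users.json' stays a literal dot rather than a regex metachar.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def path_of(url_or_path: str) -> str:
    """Reduce a full URL or bare path to its path element only.

    Scheme, host and query string are discarded, so exclusion entries
    written as plain paths still match requests that carry a query.
    """
    return urlsplit(url_or_path).path or "/"


def is_excluded(url_or_path: str, exclude_value: str) -> bool:
    """True if the request path matches any entry of the exclude variable."""
    path = path_of(url_or_path)
    return any(
        pattern_to_regex(entry).match(path) is not None
        for entry in parse_exclude_paths(exclude_value)
    )


def filter_routes(routes: list[str], exclude_value: str) -> list[str]:
    """Return only the routes the scan should still visit."""
    return [route for route in routes if not is_excluded(route, exclude_value)]


if __name__ == "__main__":
    # Constructed sample routes, as a scanner might have discovered them.
    discovered = [
        "https://target.example/api/login",
        "https://target.example/api/logout?next=/",
        "https://target.example/api/v1/users/42",
        "https://target.example/api/v1/users.json",
        "https://target.example/api/v2/items",
    ]
    exclude = "/api/logout; /api/v1/users/*; /api/v?/items"
    for route in filter_routes(discovered, exclude):
        print("keep:", route)
```

Because `path_of` strips the query string before matching, an entry such as `/api/logout` also excludes `/api/logout?next=/`; and because `?` is a wildcard in the pattern syntax, there is deliberately no way to write a query string into an entry, which is why the format restricts entries to the path element.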
- Add tests to
- Add e2e test for excluded URLs
- Release new container image
- Update DAST API documentation
- Update API Fuzzing documentation to reflect the new variable