Skip to main content

Exclude elements from scanning

When scanning web applications, you may need to prevent the scanner from interacting with specific page elements to avoid unintended consequences or optimize scan performance. This document explains how to exclude elements using CSS selectors and XPath expressions.

Why exclude elements?

There are several scenarios where excluding elements from scanning is beneficial:

Prevent destructive actions:

  • Logout buttons that would terminate user sessions
  • Delete buttons that could remove critical data
  • Submit buttons for irreversible operations
  • Reset forms that clear important configurations

Protect sensitive areas:

  • Payment processing forms
  • User account management sections
  • Administrative functions
  • Third-party widgets with restricted access

Improve scan efficiency:

  • Large file upload forms
  • Resource-intensive multimedia players
  • Complex interactive widgets that don't affect security
  • Redundant navigation elements

Avoid rate limiting:

  • Elements that trigger API calls with strict rate limits
  • Forms that send emails or notifications
  • Search functions with heavy backend processing
Prerequisites

To access element exclusion settings, you must first enable the Allow users to configure advanced scan configuration option in Settings > Scanning. For more information, refer to Scanning settings.

How to set up element exclusions

  1. Select Inventory > Targets from the left-side menu.
  2. Find the target you want to edit and either:
    • Select anywhere on its row to open the target drawer, then select Edit.
    • Select the three-dot menu (⋮) at the far right of the row and choose Edit target.
  3. Navigate to the Advanced settings tab.
  4. Use Ctrl+F and search for "Exclude by CSS" to quickly locate the element exclusion options in the DeepScan Settings section.
note

The Advanced settings tab only appears when the feature is enabled in Settings > Scanning. The tab contains comprehensive scan configuration options, so using the browser search function (Ctrl+F) is the most efficient way to find the element exclusion settings.

Exclusion methods

Using CSS selectors

CSS selectors are ideal when you need to exclude elements based on their styling classes, IDs, or simple HTML structure.

When to use CSS selectors:

  • You want to exclude all elements with a specific class or ID
  • The target elements have consistent CSS styling
  • You need a simple, readable exclusion rule
  • You're familiar with CSS syntax

Field location: In Advanced settings > DeepScan Settings > Exclude by CSS Selector

Example: .class1, #id2, div > .class3

Common use cases:

  • .logout-button - Prevents interaction with logout functionality
  • #delete-account - Protects account deletion buttons
  • form[action*="delete"] - Excludes any form that performs delete operations
  • .modal, .popup - Avoids triggering modal windows or popups
  • [data-action="reset"] - Prevents accidental form resets

Using XPath expressions

XPath expressions provide more powerful and flexible element selection when CSS selectors aren't sufficient.

When to use XPath:

  • You need to select elements based on their text content
  • The target elements don't have unique CSS identifiers
  • You need complex selection logic based on element relationships
  • You want to select elements based on attributes that CSS can't easily target

Field location: In Advanced settings > DeepScan Settings > Exclude by XPath expression

Common use cases:

  • //button[contains(text(), 'Delete')] - Prevents clicking any button with "Delete" text
  • //form[@method='POST' and contains(@action, 'admin')] - Avoids submitting admin forms
  • //a[starts-with(@href, 'mailto:')] - Skips email links that might trigger email clients
  • //input[@type='file'] - Excludes file upload inputs that could cause performance issues
  • //button[contains(@onclick, 'confirm')] - Avoids buttons that trigger confirmation dialogs

Implementation best practices

Start with testing:

  1. Use browser developer tools (F12) to test your selectors before applying them
  2. For CSS selectors: Use document.querySelectorAll('your-selector') in the console
  3. For XPath: Use $x('your-xpath-expression') in the console
  4. Verify that your selectors target only the intended elements

Choose the right approach:

  • Use CSS selectors for simple, style-based exclusions
  • Use XPath for complex logic or content-based selections
  • Combine both methods when different elements require different selection strategies

Be strategic:

  • Be specific to avoid accidentally excluding important elements
  • Start small - add exclusions gradually and test scan results
  • Document your choices - make note of why specific elements are excluded
  • Regular review - revisit exclusions when your application changes

Monitor results:

  • Review scan reports to ensure critical security checks aren't being skipped
  • Test excluded elements manually if needed
  • Adjust exclusions based on scan performance and coverage needs

Combining with other exclusion methods

Element exclusions work alongside other Invicti exclusion features:

  • Path exclusions: Use for excluding entire URLs or directories
  • Element exclusions (this document): Use for specific page elements
  • Input exclusions: Configure in Advanced settings for specific form inputs

By combining these methods, you can create a comprehensive exclusion strategy that protects sensitive functionality while maintaining thorough security coverage.

Need help?

Invicti Support team is ready to provide you with technical help. Go to Help Center

Last updated on
Was this page useful?