Deployment: Invicti Platform on-demand, Invicti Platform on-premises

Parameter exclusions

By default, Invicti Platform tests all discovered parameters for vulnerabilities. This document explains how to configure parameter exclusions to skip testing on specific inputs - for example, session tokens, framework-generated fields, or parameters that the scanner must not modify during a scan.

Misconfiguration risk

Misconfiguring advanced settings can break scans or produce inaccurate results. Only amend these settings if you're familiar with scanner behavior.

When to use parameter exclusions

Use parameter exclusions to prevent Invicti Platform from testing parameters that:

  • Are session or authentication tokens that must remain unmodified, for example PHPSESSID or ASP.NET_SessionId
  • Are framework-generated fields that cause errors if the scanner tampers with them, for example __VIEWSTATE or __EVENTVALIDATION
  • Produce false positives or irrelevant results when tested
  • Are known-safe parameters that slow down the scan without adding security value

Default exclusions

Invicti Platform includes a set of default parameter exclusions covering common session identifiers and framework fields, including:

  • ASP.NET session and state fields: ASP.NET_SessionId, __VIEWSTATE, __EVENTVALIDATION, __EVENTTARGET, __EVENTARGUMENT, and related fields
  • Java and PHP session IDs: JSESSIONID, PHPSESSID
  • ColdFusion session tokens: cfid, cftoken
  • Rails authenticity token: authenticity_token
  • Cloudflare and Akamai parameters

You can add to this list, but avoid removing default exclusions unless you have a specific reason to test those parameters.

Add a parameter exclusion

Prerequisites

The Advanced settings tab only appears when you enable the Allow users to configure advanced scan configuration option in Settings > Scanning. For more information, refer to Scanning settings.

  1. Select Inventory > Targets from the left-side menu.
  2. Find the target you want to configure and either:
    • Select anywhere on its row to open the target drawer, then select Edit.
    • Select the three-dot menu (⋮) at the far right of the row and choose Edit target.
  3. Select the Advanced settings tab.
  4. Locate Parameter exclusions in the Scanning section.
  5. Select Add item and fill in the fields described below.
  6. Save the target configuration.

Delete a parameter exclusion

  1. Select Inventory > Targets from the left-side menu.
  2. Find the target you want to configure and either:
    • Select anywhere on its row to open the target drawer, then select Edit.
    • Select the three-dot menu (⋮) at the far right of the row and choose Edit target.
  3. Select the Advanced settings tab.
  4. Locate Parameter exclusions in the Scanning section.
  5. Select the red bin icon next to the exclusion you want to remove.
  6. Save the target configuration.

When you delete an exclusion, Invicti Platform includes that parameter in testing during the next scan. If you delete a default exclusion - such as a session token or framework field - the scanner attempts to modify it, which can break the scan or generate false results. Only delete default exclusions if you have a specific reason to test those parameters.

Field reference

Field    Description
Name     A regex pattern that matches the parameter name to exclude. Use the (?i) flag for case-insensitive matching.
Kind     The parameter type to match: cookie, get, post, or * to match any type.
URL      Optional. A regex pattern scoping the exclusion to specific paths. Leave empty to apply the rule to all URLs on the target.
Action   Set to Exclude. This is the only available option and tells the scanner to skip testing the matched parameter.

Examples

Exclude a specific cookie:

Name                     Kind     URL
(?i)my_session_cookie    cookie   (empty)

Exclude a parameter by name across all types:

Name                     Kind     URL
(?i)^token$              *        (empty)

Exclude a GET parameter only on a specific path:

Name                     Kind     URL
(?i)^ref$                get      /checkout/

Best practices

  • Use the (?i) flag for case-insensitive matching to cover parameter name variations
  • Use ^ and $ anchors to match exact names and avoid unintended broad matches - for example, (?i)^sessionid$ rather than (?i)sessionid
  • Use * for Kind only when the same parameter appears in multiple request types
  • Scope exclusions to a URL pattern when a parameter should only be excluded on specific pages
  • Review the default list before adding rules - the parameter you want to exclude may already be covered
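As an added illustration (not Invicti's own code), the following Python models a rule built from the Name, Kind and URL fields, applies the three rules from the Examples section to a constructed set of discovered parameters, and contrasts the anchored and unanchored sessionid patterns from the best practices above. It assumes that Name and URL are matched with an unanchored regex search and that Kind compares exactly; that is an assumption about the scanner's behaviour, not something this page states.

```python
import re
from dataclasses import dataclass

# Hypothetical model of one rule built from the Name, Kind and URL fields described above
@dataclass(frozen=True)
class Exclusion:
    name: str          # regex matched against the parameter name
    kind: str = "*"    # "cookie", "get", "post", or "*" for any type
    url: str = ""      # optional regex on the request path; empty means every URL

    def __post_init__(self):
        # Fail fast on a regex typo instead of shipping a rule that silently never matches
        re.compile(self.name)
        re.compile(self.url)

    def matches(self, param_name: str, param_kind: str, url: str) -> bool:
        # Assumption: Kind compares exactly; Name and URL use an unanchored regex search
        if self.kind != "*" and self.kind != param_kind:
            return False
        if self.url and re.search(self.url, url) is None:
            return False
        return re.search(self.name, param_name) is not None

def excluded(rules, params):
    """Return the (name, kind, url) tuples that at least one rule tells the scanner to skip."""
    return {p for p in params if any(r.matches(*p) for r in rules)}

# The three rules from the Examples section
RULES = [
    Exclusion(r"(?i)my_session_cookie", "cookie"),
    Exclusion(r"(?i)^token$", "*"),
    Exclusion(r"(?i)^ref$", "get", r"/checkout/"),
]
# The anchored and unanchored forms contrasted under Best practices
UNANCHORED = [Exclusion(r"(?i)sessionid")]
ANCHORED = [Exclusion(r"(?i)^sessionid$")]

# Constructed sample of discovered parameters as (name, kind, url), not from a real scan
PARAMS = [
    ("My_Session_Cookie", "cookie", "/account"),
    ("token", "post", "/login"),
    ("Token", "get", "/login"),
    ("access_token", "get", "/api/v1"),
    ("ref", "get", "/checkout/step2"),
    ("ref", "get", "/search"),
    ("ref", "post", "/checkout/step2"),
    ("SessionId", "cookie", "/"),
    ("old_sessionid_backup", "get", "/debug"),
]
```

Running excluded(UNANCHORED, PARAMS) also skips old_sessionid_backup, which the anchored rule leaves in scope; the kind and URL checks keep the post and /search variants of ref under test.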
