
N-Stalker Support Team December 18, 2008

N-Stalker Support Articles

Editing False Positive and Attack Restrictions


In this article, you will get an overview of how to configure the false-positive and attack-restriction filters in N-Stalker Web Application Security Scanner 2012. False-positive filters are usually required when an application answers every request with "200 OK", including requests for non-existent resources. A quick check: request a path that certainly does not exist on the site and look at the status code; if it is 200, the "not found" text in the response body is the only signal the scanner has to tell a miss from a hit. We also recommend configuring "Attack Restrictions" so that N-Stalker does not inject attack payloads into cookies or HTTP parameters that should not be tested, such as session cookies.


  1. Open N-Stalker Web Application Security Scanner 2012.


  2. Click on "New Scan" to initiate a new session and enter all URL details (see the User's Guide for more details);

  3. Under "Optimize Settings", click on "Scan Settings" button;

  4. Click on "False Positive Options" under the "False Positive" group. Under "False-Positive Keyword Filter", click on the "+" (plus) button to add a new filtering expression. Regular expressions are allowed. For example, if the web site returns "Resource Not Found" in the body of its error pages, you may use "[Rr]esource.[Nn]ot.[Ff]ound": each bracketed character class accepts either an upper- or lower-case initial letter, and "." matches any single character, which here covers the spaces between the words. Note that "." also matches any other character (a hyphen, a tab, a letter), so if you want to match only whitespace between the words, use "\s" instead, as most regular-expression dialects support it. Any response whose body matches one of these expressions is filtered out as a false positive even when the status code is "200 OK", so keep the expression specific to the error page text to avoid hiding real findings.

  5. If you want to exclude "Cookies" and "HTTP Parameters" from the security checks, or include "HTTP Headers" in them, click on the "Attack Restriction" option under the "False Positive" group;

  6. To add a new exclusion filter, for cookies for example, click on the "+" (plus) button. N-Stalker recommends excluding well-known session cookies such as PHPSESSID and JSESSIONID, because injecting attack payloads into them invalidates the session: the scanner is logged out of the application, and subsequent checks may be answered by the login page instead of the resource under test, which produces false positives and leaves authenticated areas unscanned.

  7. Once everything is configured, click on "Back" button to get back to Scan Wizard. You can follow the rest of configuration in N-Stalker User's Guide.