N-Stalker Support Articles
Editing False Positive and Attack Restrictions
In this article, you will get an overview of how to configure false-positive filters and attack restrictions in N-Stalker Web Application Security Scanner 2012. False-positive filters are usually required when an application returns a "200 OK" response to every request, including requests for non-existent resources, because the scanner would otherwise treat every probed resource as present. We also recommend configuring "Attack Restrictions" so that N-Stalker does not run its tests against uncommon Cookies or HTTP parameters.
- Open N-Stalker Web Application Security Scanner 2012.
- Click on "New Scan" to initiate a new session. Enter all URL details (see the User's Guide for more details);
- Under "Optimize Settings", click the "Scan Settings" button;
- Click the "False Positive Options" option under the "False Positive" group. Under "False-Positive Keyword Filter", click the "+" (plus) button to add a new filtering expression. Regular expressions are allowed. For example, if the web site you are scanning returns "Resource Not Found" in the response body, you may use "[Rr]esource.[Nn]ot.[Ff]ound" so that the filter matches whether the first letters are upper or lower case;
- If you want to exclude "Cookies" and "HTTP Parameters" from security checks, or include "HTTP Headers" in them, click the "Attack Restriction" option under the "False Positive" group;
- To add a new exclusion filter (for cookies, for example), click the "+" (plus) button. N-Stalker recommends excluding well-known session cookies such as PHPSESSIONID, JSESSIONID, etc., because tampering with them can break the scan, either by logging the scanner out of the application or by producing false positives;
- Once everything is configured, click the "Back" button to return to the Scan Wizard. You can follow the rest of the configuration in the N-Stalker User's Guide.
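The two filters above, modelled in a few lines of Python. This is an added illustration and not N-Stalker's own code: it shows how a keyword filter such as "[Rr]esource.[Nn]ot.[Ff]ound" turns a "200 OK for everything" site into a usable result, and how an attack restriction keeps session cookies out of the tested parameter set. The filter lists and sample responses are constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed false-positive keyword filters, written as regular expressions
# in the form the article shows (the "." matches the separator character).
FALSE_POSITIVE_FILTERS = [
    r"[Rr]esource.[Nn]ot.[Ff]ound",
    r"[Pp]age.[Nn]ot.[Ff]ound",
]

# Constructed attack restriction: session cookies the scanner must not test,
# matching the article's PHPSESSIONID / JSESSIONID recommendation.
EXCLUDED_COOKIES: Set[str] = {"PHPSESSIONID", "JSESSIONID"}


def is_soft_404(status: int, body: str,
                filters: Iterable[str] = FALSE_POSITIVE_FILTERS) -> bool:
    """True when a '200 OK' response is really a 'not found' page.

    Without this check, a site that answers 200 to every URL makes every
    probed resource look like it exists, which is the false positive the
    keyword filter suppresses."""
    if status != 200:
        return False
    return any(re.search(pattern, body) for pattern in filters)


def resource_exists(status: int, body: str) -> bool:
    """Scanner decision: found only if the server says 200 and no
    false-positive filter matches the response body."""
    return status == 200 and not is_soft_404(status, body)


def parameters_to_test(cookies: Dict[str, str], params: Dict[str, str],
                       excluded: Set[str] = EXCLUDED_COOKIES) -> List[Tuple[str, str]]:
    """Apply the attack restriction: drop excluded session cookies so the
    scanner does not tamper with them (which could log it out or yield
    spurious findings); ordinary parameters are kept."""
    kept = [("cookie", n) for n in cookies if n.upper() not in excluded]
    kept += [("param", n) for n in params]
    return kept


if __name__ == "__main__":
    # Constructed responses from a site that answers 200 to everything.
    for status, body in [(200, "<p>Welcome to the admin console</p>"),
                         (200, "<p>Resource not found: /backup.zip</p>"),
                         (404, "Not Found")]:
        print(status, resource_exists(status, body))
    print(parameters_to_test({"PHPSESSIONID": "x", "theme": "dark"}, {"id": "1"}))
```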