Exclude URLs from active scan
14 views
Skip to first unread message
Peter Browning
Jan 7, 2026, 9:41:49 AM (3 days ago) Jan 7
to ZAP User Group
Good morning all,
Is it possible to exclude certain urls from the active scan job using automation framework?
Currently, we have the following layers to prevent the active scan from attacking third party services integrated in our web app:
We use the `-configfile` param pointing to a file with 20+ excluded regexes:
(If this is not the correct format, please let me know- there is not a lot of documentation on this specific issue)
Currently, we have the following layers to prevent the active scan from attacking third party services integrated in our web app:
We use the `-configfile` param pointing to a file with 20+ excluded regexes:
network.globalExclusions.exclusions.exclusion(0).name="Extensions"
network.globalExclusions.exclusions.exclusion(0).enabled=true
network.globalExclusions.exclusions.exclusion(0).value="(?i)^.*\.(?:gif|jpe?g|png|ico|icns|bmp|svg|webp|mp4|css|pdf|avi|mov|wmv|webm)$"
network.globalExclusions.exclusions.exclusion(1).name="DataDog"
network.globalExclusions.exclusions.exclusion(1).enabled=true
network.globalExclusions.exclusions.exclusion(1).value=".*datadoghq\\.com.*"
Inside of our context block of the automation plan, we specify exclusions again:
excludePaths:
- "https://subdomain1.${TARGET}.*"
- "https://subdomain2.${TARGET}.*"
- "https://subdomain3.${TARGET}.*"
- "https://subdomain4.${TARGET}.*"
- "(?!.*\\.${TARGET}).*"
- ".*thirdparty1.com"
- ".*thirdparty2.com"
- ".*thirdparty3.com"
- ".*\\.(png|jpeg|jpg|mp4|mp3|wav|jpg|gif|svg|ico|woff|woff2|ttf|css|js)$"
Yet, inspecting the traffic through a proxy reveals that a vast majority (80%+) of the traffic during the active scan job is part of the excluded list.
I previously asked a question regarding the feasibility of excluding such sites from the ajax spider and was told that it was not doable- is the answer the same for the active scan?
Furthermore, we use the `export` job to export a sitetree, and over 90% of the tree is made up of excluded sites- I noticed there was a `prune` job as well, but our sitemap ended up too large, and the prune job was unable to handle a file that large, causing an error in the logs.
Thanks in advance, and any pointers would be super helpful as I'm a bit stuck on what to do next.
Cheers,
Peter
Simon Bennetts
Jan 7, 2026, 12:06:25 PM (3 days ago) Jan 7
to ZAP User Group
Hiya Peter,
ZAP should not be attacking any endpoints that match the excludePath regexes.
Are you using the DOM XSS scan rule?
That will launch browsers, and we do not block requests from the browser as that can often break the target app.
If so you could try running the scan again without the DOM XSS scan rule to see if that is the culpret.
Cheers,
Simon
Peter Browning
Jan 8, 2026, 12:05:37 PM (2 days ago) Jan 8
to ZAP User Group
Hey Simon!
That was indeed the case! Disabling the DOM XSS rule showed only relevant traffic. Thank you!
Best,
Peter
Reply all
Reply to author
Forward
0 new messages