Web Application Scanning: DOM Element Exclusion

Tenable.io Web Application Scanning has added a new assessment setting to allow users to exclude DOM elements and their children. DOM element exclusions allow you to prevent scans from interacting with specific page elements like logout buttons or forms. You can configure DOM element exclusions when you create a scan configuration.

This update affects the following endpoints:

API Endpoint | Name | Change
POST /was/v2/configs | Create scan configuration | You can now specify DOM element exclusions in the assessment settings.
PUT /was/v2/configs/{config_id} | Upsert scan configuration | You can now specify DOM element exclusions in the assessment settings.

DOM elements can be selected based on either text values or CSS attribute key-value pairs. Exclusions can be specified with an element_exclusions object in the assessment settings object. The element_exclusions object supports the following parameters:

Parameter | Type | Description
element_type | String | The type of element to exclude. Currently, only dom_element is supported.
selector_type | String | Specifies the selector type. DOM elements can be selected based on either text values or CSS attributes. Use text for text contents or attribute for a CSS key-value pair.
selector | String or Object | If the selector_type is text, the selector value is a string. If the selector_type is attribute, the selector value is an object containing exactly one key-value pair.

Example: Text Value

For example, to prevent the scanner from clicking a logout button that contains the text Log Out you could configure an exclusion based on the text value. To configure this exclusion, set the selector_type body parameter to text and the selector body parameter to the string Log Out.

{
  "target": "https://example4.com",
  "name": "Example Scan",
  "owner_id": "4dc05b61-8821-4280-be09-265ae01882b7",
  "template_id": "b223f18e-5a94-4e02-b560-77a4a8246cd3",
  "assessment": {
    "element_exclusions": [
      {
        "element_type": "dom_element",
        "selector_type": "text",
        "selector": "Log Out"
      }
    ]
  }
}

Example: CSS Attribute

For example, to prevent the scanner from interacting with a form that carries the CSS attribute key-value pair id="logout", you could configure an exclusion based on the CSS attribute. To configure this exclusion, set the selector_type body parameter to attribute and the selector body parameter to an object whose single key is id and whose value is logout.

{
  "target": "https://example4.com",
  "name": "Example Scan",
  "owner_id": "4dc05b61-8821-4280-be09-265ae01882b7",
  "template_id": "b223f18e-5a94-4e02-b560-77a4a8246cd3",
  "assessment": {
    "element_exclusions": [
      {
        "element_type": "dom_element",
        "selector_type": "attribute",
        "selector": {
          "id": "logout"
        }
      }
    ]
  }
}
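The following example is added here and is not Tenable code or part of the API documentation. It covers the element_exclusions parameter table and both examples above: it validates each exclusion entry against the documented shape (element_type, selector_type, and the string-or-object selector), builds the assessment object as JSON, and then shows, on a small constructed HTML page, which elements the two exclusions would cover, including the children of a matched form. The matching semantics (case-sensitive substring match on an element's own text, exact match on an attribute value) are an assumption for illustration; the page does not specify how Tenable matches selectors internally. The sample page, its ids and paths are constructed placeholders.

```python
import json
from html.parser import HTMLParser

# Constructed sample page: ids and paths are placeholders, not taken from the page.
SAMPLE_HTML = """<html><body>
  <nav><a id="home" href="/">Home</a> <a id="signout" href="/logout">Log Out</a></nav>
  <form id="logout" action="/logout" method="post">
    <input type="hidden" name="csrf" value="placeholder">
    <button type="submit">Sign out</button>
  </form>
  <form id="search" action="/search"><input name="q"></form>
</body></html>"""

# The two exclusions the page shows, combined into one element_exclusions list.
SAMPLE_EXCLUSIONS = [
    {"element_type": "dom_element", "selector_type": "text", "selector": "Log Out"},
    {"element_type": "dom_element", "selector_type": "attribute", "selector": {"id": "logout"}},
]

def validate_exclusion(exclusion):
    """Check one element_exclusions entry against the parameter table; raise ValueError if malformed."""
    if exclusion.get("element_type") != "dom_element":
        raise ValueError("element_type must be 'dom_element'")
    selector_type, selector = exclusion.get("selector_type"), exclusion.get("selector")
    if selector_type == "text":
        if not isinstance(selector, str) or not selector:
            raise ValueError("a text selector must be a non-empty string")
    elif selector_type == "attribute":
        if not isinstance(selector, dict) or len(selector) != 1:
            raise ValueError("an attribute selector must be an object with exactly one key-value pair")
        (key, value), = selector.items()
        if not isinstance(key, str) or not isinstance(value, str):
            raise ValueError("attribute key and value must both be strings")
    else:
        raise ValueError("selector_type must be 'text' or 'attribute'")
    return exclusion

def assessment_settings(exclusions):
    """Build the validated 'assessment' object of a scan configuration body as JSON."""
    return json.dumps({"element_exclusions": [validate_exclusion(e) for e in exclusions]})

class _Node:
    def __init__(self, tag, attrs):
        self.tag, self.attrs, self.children, self.text = tag, dict(attrs), [], ""

class _TreeBuilder(HTMLParser):
    """Minimal DOM tree on top of the standard-library parser (enough for this demo)."""
    VOID = {"br", "hr", "img", "input", "link", "meta"}

    def __init__(self):
        super().__init__()
        self.root = _Node("#document", [])
        self.stack = [self.root]

    def handle_starttag(self, tag, attrs):
        node = _Node(tag, attrs)
        self.stack[-1].children.append(node)
        if tag not in self.VOID:
            self.stack.append(node)

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; stray closers are ignored (index 0 is the root).
        for i in range(len(self.stack) - 1, 0, -1):
            if self.stack[i].tag == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        self.stack[-1].text += data

def _matches(node, exclusion):
    # Assumed matching semantics: a text selector is a case-sensitive substring match on the
    # element's own text; an attribute selector requires an exact attribute value.
    if exclusion["selector_type"] == "text":
        return exclusion["selector"] in node.text
    (key, value), = exclusion["selector"].items()
    return node.attrs.get(key) == value

def excluded_elements(html, exclusions):
    """List the elements ('tag' or 'tag#id', document order) the exclusions cover,
    including every descendant of a matched element."""
    for exclusion in exclusions:
        validate_exclusion(exclusion)
    builder = _TreeBuilder()
    builder.feed(html)
    builder.close()
    excluded = []

    def walk(node, inherited):
        hit = inherited or any(_matches(node, e) for e in exclusions)
        if hit and node is not builder.root:
            excluded.append(f"{node.tag}#{node.attrs['id']}" if "id" in node.attrs else node.tag)
        for child in node.children:
            walk(child, hit)

    walk(builder.root, False)
    return excluded

if __name__ == "__main__":
    print(assessment_settings(SAMPLE_EXCLUSIONS))
    print(excluded_elements(SAMPLE_HTML, SAMPLE_EXCLUSIONS))
```

Run as a script it prints the assessment object and the list a#signout, form#logout, input, button: the link matched by text, the form matched by its id attribute, and the form's two children, which are excluded because their parent is. The search form and its input are untouched, which is the point of scoping an exclusion to one element rather than to a whole page: the scanner still exercises everything outside the excluded subtree.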