Test Vectors and Parameter Exclusions
The Test Vectors settings let you choose which parts of requests SmartScanner will test (for example GET parameters, POST bodies, cookies) and specify parameter exclusions so the scanner skips testing certain parameters.
Where to find it: open Scan Config (gear icon), check the “Advanced Settings” box to reveal more options, and choose the “Test Vectors” tab.
Vectors (what to enable)
- GET: Test query string parameters in URLs.
- POST: Test form/post body parameters.
- Cookie: Test values stored in cookies.
- Header: Test HTTP header values.
- URL path: Test URL path segments (parts of the path itself).
Enable only the vectors you need. For example, for an API you may enable GET and POST but not Cookie or Header.
Parameter Exclusion (skip testing for specific parameters)
- Use the Parameter Exclusion textarea to list rules telling the scanner which parameters not to test. Enter one rule per line.
- Rule format (simple): url;;name;;type;;value
  - url: the URL or URL pattern where the rule applies (use * to mean any URL)
  - name: the parameter name to exclude
  - type: optional but helpful to indicate vector (e.g., GET, POST, Cookie, Header, Path)
  - value: optional value pattern to match before excluding
Examples:
- Exclude query parameter token on any API endpoint: /api/*;;token;;*;;*
- Exclude cookie sessionid globally: *;;sessionid;;Cookie;;*
The UI tooltip lists supported wildcard tokens (for example *, ?, %, #) and special tokens like [md5], [guid] for convenience.
Practical tips
- Use exclusions to avoid testing sensitive or session-related parameters (session IDs, CSRF tokens) which can cause noise or unexpected side-effects.
- When in doubt, start with conservative exclusions and add more as you discover parameters you don’t want tested.
Notes
- Enter rules one per line. Empty lines are ignored.
- The scanner will use these rules to skip testing the specified parameters during the scan.
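An added example, not SmartScanner's own code: a small Python linter for the rule format above that flags malformed lines and over-broad exclusions, and previews whether a given parameter would be skipped. It assumes * is the only wildcard and matches any run of characters, that an omitted type or value means any, and that type names are spelled as on this page; the function names are illustrative and the scanner's real matching may differ.

```python
import re
from collections import namedtuple

Rule = namedtuple("Rule", "url name type value")
VECTORS = {"GET", "POST", "Cookie", "Header", "Path"}  # type labels as spelled on the page

def parse_rules(text):
    """Return (rules, errors) for 'url;;name;;type;;value' lines."""
    rules, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:  # empty lines are ignored
            continue
        parts = [p.strip() for p in line.split(";;")]
        if not 2 <= len(parts) <= 4 or not parts[0] or not parts[1]:
            errors.append((lineno, "expected url;;name[;;type[;;value]]"))
            continue
        # Assumption: an omitted or empty type/value means "any" (*).
        parts = [p or "*" for p in parts + ["*"] * (4 - len(parts))]
        if parts[2] != "*" and parts[2] not in VECTORS:
            errors.append((lineno, f"unknown type {parts[2]!r}"))
            continue
        rules.append(Rule(*parts))
    return rules, errors

def _glob(pattern, text):
    # Assumption: only '*' is a wildcard (any run of characters).
    rx = ".*".join(re.escape(chunk) for chunk in pattern.split("*"))
    return re.fullmatch(rx, text, re.DOTALL) is not None

def is_excluded(rules, url, name, vector, value=""):
    """True if any rule would make the scanner skip this parameter."""
    return any(_glob(r.url, url) and _glob(r.name, name)
               and r.type in ("*", vector) and _glob(r.value, value)
               for r in rules)

def too_broad(rules):
    """Rules with wildcard url and name: they drop a whole vector (or all) from coverage."""
    return [r for r in rules if r.url == "*" and r.name == "*"]

# Constructed sample rules: two from the page, one over-broad, one mistyped.
SAMPLE = "/api/*;;token;;*;;*\n\n*;;sessionid;;Cookie;;*\n*;;*;;Header\n/login;;csrf;;Form;;*\n"

if __name__ == "__main__":
    rules, errors = parse_rules(SAMPLE)
    print("errors:", errors)
    print("too broad:", too_broad(rules))
    print(is_excluded(rules, "/api/v1/users", "token", "GET", "abc"))
```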
Last updated on December 01, 2025