
Input exclusions

One type of application exclusion is an input exclusion. These exclusions let you exclude specific inputs from a Contrast agent's analysis. This exclusion type is useful when you know certain inputs are safe and do not require monitoring, which reduces noise in your security reports.

Types of input exclusions

Contrast supports exclusions that use these types of inputs:

  • Parameter: Excludes specific parameters accessed through request methods, including parameters from the post body or query string itself.

  • Header: Excludes specific HTTP headers.

  • Query String: Excludes the entire query string.

  • Body: Excludes the entire request body.

  • Cookie: Excludes specific cookies.

Parameter Input exclusions

An input exclusion with an input type of parameter checks for any parameters in the request, like those from the query string or form body, that match the specified parameter, as long as the application retrieves it using that parameter name (for example, request.getParameter("foo")).

Example:

Image shows basic settings for a parameter input exclusion with foo as the excluded parameter.

If you specify foo as the parameter to exclude, the following table shows examples of how Contrast handles the HTTP request.

HTTP request:
GET /someRequest?foo=excludedValue&bar=includedValue

If excluded: Contrast excludes this parameter from monitoring: foo=excludedValue
If included: Contrast continues to monitor this parameter: bar=includedValue

HTTP request:
POST /someRequest
Content-Type: application/x-www-form-urlencoded

foo=excludedValue&bar=includedValue

If excluded: Contrast excludes this parameter from monitoring: foo=excludedValue
If included: Contrast continues to monitor this parameter: bar=includedValue

Note

For a POST request, the exclusion only works when the body format is application/x-www-form-urlencoded.

Header input exclusions

Headers are specific HTTP headers that the application retrieves from the request (for example, request.getHeader("User-Agent")).

Example:

Image shows settings for a basic Header input exclusion for the User-Agent header.

If you specify User-Agent as a header to exclude, the following table shows examples of how Contrast handles HTTP requests.

HTTP request:
GET /someRequest
User-Agent: excludedUserAgent
Accept: application/json

If excluded: Contrast excludes this header from monitoring: User-Agent: excludedUserAgent
If included: Contrast continues to monitor this header: Accept: application/json

Query string input exclusions

The query string exclusion applies to the entire query string, not individual parameters. This exclusion is useful when the application retrieves and parses the entire query string (for example, acting on the result of request.getQueryString()).

Example:

Image shows basic settings for a Query input exclusion.

Based on specified URLs, the following table shows examples of how Contrast handles HTTP requests.

HTTP request:
GET /someRequest?foo=excludedValue&bar=excludedValue

If excluded: Contrast excludes the entire query string from monitoring.
If included: Contrast continues to monitor the entire query string.

Body input exclusions

The body input exclusion applies to the entire body of the request. This type of exclusion is useful when the body contains data that the application parses (for example, acting on the result of request.getBody()).

Example:

Image shows selections for a typical Body input exclusion

Based on specified URLs, the following table shows examples of how Contrast handles HTTP requests.

HTTP request:
POST /someRequest
Content-Type: application/json

{ "foo": "excludedValue", "bar": "excludedValue" }

If excluded: Contrast excludes the entire request body from monitoring.
If included: Contrast continues to monitor the entire request body.
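To make the parameter, header, query string and body rules above concrete, here is an added model of which inputs each exclusion type removes from monitoring for a given request; it is an illustration written for this page, not Contrast's agent code, and the Exclusion and Request classes, classify_inputs and the sample requests are assumptions. It also shows the documented POST limit: a parameter exclusion does not reach a JSON body, only a body exclusion does.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qsl

@dataclass
class Exclusion:
    kind: str       # "parameter", "header", "querystring" or "body"
    name: str = ""  # name to match for parameter/header exclusions; ignored otherwise

@dataclass
class Request:
    method: str
    query: str = ""
    headers: dict = field(default_factory=dict)
    body: str = ""

def classify_inputs(req, exclusions):
    """Split a request's inputs into (excluded, monitored) labels per the documented rules."""
    excluded, monitored = [], []
    by_name = {(e.kind, e.name.lower()) for e in exclusions}
    kinds = {e.kind for e in exclusions}
    # Parameter exclusions match by name. Parameters come from the query string and,
    # for a POST, only from an application/x-www-form-urlencoded body (the documented limit).
    ctype = next((v for k, v in req.headers.items() if k.lower() == "content-type"), "")
    params = parse_qsl(req.query, keep_blank_values=True)
    if req.body and ctype.lower().startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(req.body, keep_blank_values=True)
    for name, value in params:
        bucket = excluded if ("parameter", name.lower()) in by_name else monitored
        bucket.append(f"parameter:{name}={value}")
    # Header exclusions match one header by (case-insensitive) name.
    for name in req.headers:
        bucket = excluded if ("header", name.lower()) in by_name else monitored
        bucket.append(f"header:{name}")
    # Query-string and body exclusions are all-or-nothing for that whole input.
    if req.query:
        (excluded if "querystring" in kinds else monitored).append(f"querystring:{req.query}")
    if req.body:
        (excluded if "body" in kinds else monitored).append("body")
    return excluded, monitored

# Constructed sample requests mirroring the tables on this page.
GET_REQ = Request("GET", query="foo=excludedValue&bar=includedValue",
                  headers={"User-Agent": "excludedUserAgent", "Accept": "application/json"})
FORM_POST = Request("POST", body="foo=excludedValue&bar=includedValue",
                    headers={"Content-Type": "application/x-www-form-urlencoded"})
JSON_POST = Request("POST", body='{"foo": "excludedValue", "bar": "includedValue"}',
                    headers={"Content-Type": "application/json"})
RULES = [Exclusion("parameter", "foo"), Exclusion("header", "User-Agent")]
```

Running classify_inputs(JSON_POST, RULES) leaves the JSON body monitored even though foo is excluded as a parameter; adding Exclusion("body") is what removes it.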