Regular expression reference for application exclusions

Use this table, and the examples below, for reference when creating application exclusions. The Example match column shows sample text that the example pattern is applied to.

Effect                                     Pattern     Example pattern    Example match
-----------------------------------------  ----------  -----------------  -------------------------
Start of a string                          ^           ^\w+               Start of a string
End of a string                            $           \w+$               End of a string
A single character of: a, b or c           [abc]       [abc]+             a bb ccc
A character except: a, b or c              [^abc]      [^abc]+            Anything but abc.
A character in the range: a-z              [a-z]       [a-z]+             Only a-z
A character not in the range: a-z          [^a-z]      [^a-z]+            Anything but a-z.
A character in the range of: a-z or A-Z    [a-zA-Z]    [a-zA-Z]+          abc123DEF
Any single character                       .           .+                 a b c
Any whitespace character                   \s          \s                 any whitespace character
Any non-whitespace character               \S          \S+                any non-whitespace
Any digit                                  \d          \d                 not 1 not 2
Any non-digit                              \D          \D+                not 1 not 2
Matches either a or b                      (a|b)       (a|b)              beach
Zero or one of a                           a?          ba?                ba b a
Zero or more of a                          a*          ba*                ba baa aaa ba b
One or more of a                           a+          a+                 a aa aaa aaaa bab baab
Exactly 3 of a                             a{3}        a{3}               a aa aaa aaaa
3 or more of a                             a{3,}       a{3,}              a aa aaa aaaa aaaaaa
Between 3 and 6 of a                       a{3,6}      a{3,6}             a aa aaa aaaa aaaaaa aaaa

Exclusions can apply to these three areas:

  • Input: Any findings using this input will be suppressed.

    • For Parameter, Header, and Cookie: You must specify the name of the particular input for which you wish to suppress findings. You can use the wildcard .* to suppress all findings from the selected input type.

    • QueryString and Body: These will suppress findings from the entire QueryString and Body, respectively. The QueryString and Body may only be excluded in conjunction with the URL exclusion pattern defined below.

    In conjunction with the input type, you must choose how to apply URLs:

    • All URLs: Findings using the specified input type and name will be suppressed regardless of where they’ve come from.

      This table includes example input regular expressions:

      Type       Desired Effect                                Regular Expression   Effect
      ---------  --------------------------------------------  -------------------  ------------------------------------------------
      Cookie     Exclude cookie names starting with a value    ^App                 Excludes all cookie names starting with App
      Parameter  Exclude parameter names ending with a value   testing$             Excludes all parameter names ending with testing
      Header     Exclude an explicitly named header            ignore               Excludes the header ignore only

    • These URLs (allows regex): Specify a set of URLs to which to apply the exclusion.

      Tip: A slash followed by the wildcard, /.*, is an acceptable substitute for listing all URLs.

  • URLs: Any URLs listed will be ignored.

    This table includes example URL regular expressions:

    Desired Effect                        Regular Expression   Effect
    ------------------------------------  -------------------  --------------------------------------------------
    Exclude all subpaths                  /myapp/.*            Excludes all paths with the initial URL of /myapp/
    Exclude one subpath explicitly        ^/myapp/thispath$    Excludes only /myapp/thispath
    Exclude path ending                   .*ignore$            Excludes all paths ending in ignore
    Exclude paths containing              .*value.*            Excludes all paths containing value
    Exclude paths containing digits       /myapp/\d+           Excludes all paths like /myapp/1234
    Exclude paths containing non-digits   /myapp/\D+           Excludes all paths like /myapp/word

  • Code: Specify a list of method signatures to be suppressed. (Code allows regex.) The entire method signature must be present and must not include a trailing parameter definition or any other extra characters.

    For example:

    If you have a method doLegacySecurity() inside a class called com.acme.OldSecurity that is being reported for using insecure cryptographic algorithms, you can ignore it by entering this line into the exclusion code block:

    com.acme.OldSecurity.doLegacySecurity

    This method signature is matched against the stack trace of any vulnerability found. Any stack trace containing a match is suppressed.
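Because an exclusion that is broader than intended silently hides real findings, it pays to dry-run a candidate pattern against representative values first. The following Python script is an added example (not code from this page or from the product) that applies the URL patterns from the table above and the code exclusion from this section to constructed sample data. It assumes a URL pattern must match the whole path (re.fullmatch, consistent with the page writing .*ignore$ rather than a bare ignore$) and that a code pattern only needs to match somewhere inside any stack frame (re.search); the sample URLs and stack frames are constructed.

```python
import re

# Constructed sample URLs (not from the page) to test candidate URL exclusions against.
SAMPLE_URLS = [
    "/myapp/thispath",
    "/myapp/thispath/extra",
    "/myapp/1234",
    "/myapp/word",
    "/myapp/value-here",
    "/other/please-ignore",
]

# Constructed stack trace, one frame per entry, as a code exclusion would be matched against it.
SAMPLE_STACK = [
    "com.acme.OldSecurity.doLegacySecurity(OldSecurity.java:42)",
    "com.acme.Api.handle(Api.java:10)",
]


def url_excluded(pattern: str, url: str) -> bool:
    """Assumption: a URL pattern must match the whole path (re.fullmatch).
    This is consistent with the page writing '.*ignore$' and '.*value.*'
    rather than the bare 'ignore$' that search semantics would allow."""
    return re.fullmatch(pattern, url) is not None


def excluded_urls(pattern: str) -> list[str]:
    """Return the sample URLs a candidate URL exclusion would suppress; reviewing
    this list catches exclusions broader than intended that would hide findings."""
    return [u for u in SAMPLE_URLS if url_excluded(pattern, u)]


def code_excluded(pattern: str, stack_frames: list[str]) -> bool:
    """Assumption: a code exclusion applies when ANY frame contains a match (re.search),
    following 'Any method signature containing a match is suppressed' above.
    Note that the dots in 'com.acme.OldSecurity.doLegacySecurity' are regex wildcards;
    wrap the signature in re.escape() if a strictly literal match is wanted."""
    return any(re.search(pattern, frame) for frame in stack_frames)


if __name__ == "__main__":
    for pat in [r"^/myapp/thispath$", r"/myapp/.*", r"/myapp/\d+", r"/myapp/\D+", r".*ignore$"]:
        print(f"{pat:20} -> {excluded_urls(pat)}")
    print(code_excluded(r"com.acme.OldSecurity.doLegacySecurity", SAMPLE_STACK))
```

Running it shows that /myapp/\D+ also suppresses nested paths such as /myapp/thispath/extra, because a slash is itself a non-digit.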