Hi all,
I have a questions regarding regex excludes of urls.
We have a couple of TYPO3 pages that we scan on a regular basis to improve overall security. This works very well and I’m happy with the results and how greenbone / openvas works.
But there is one thing that I try to find a solution but I failed. We use a cloned entity of the “full and fast” configuration.
TYPO3 stores a lot of static files like images in folders named _processed_. For example
/fileadmin/_processed_/e/3/
/fileadmin/_processed_/f/c/
/fileadmin/_processed_/2/0/
... and so on
Now the “full and fast” scanner treats this correctly as folders and tries to find vulnerabilites. Here are some examples of log entries on the TYPO3 servers:
/fileadmin/_processed_/e/3/install/make-config.php
/fileadmin/_processed_/7/d/roschedule.php
/fileadmin/_processed_/f/c/settings.php
... and so on
and so on. There are thousands and thousands of this log entries, and because all scan requests are done for each of the processed folders, we have a lot of repetitions of the same checks over and over again.
This basically ok, but because there is such a high number of this processed folders, the scan takes sometimes 2 or 3 days to finish. right now I’m running a scan on a middle sized page that is still running and shows 150.000 entries for the above calls. For lager pages we this goes into the millions.
I checked the options of a cloned “full and fast” scan config and I tried to modify the following options, but this does not help and the processed folders are still scanned:
In the “Global variable settings:” I added the _processed_ folder to the excluded directories:
“Regex pattern to exclude directories from CGI scanning:”
/(index\.php|image|img|css|js$|js/|javascript|style|theme|icon|jquery|graphic|grafik|picture|bilder|thumbnail|media/|skins?/|fileadmin/_processed_/|_processed_|assets/)
This did not work. I also added the folder name to the “Web mirroring:”
“Regex pattern to exclude cgi scripts:”
\.js$|\.css$|/(article|news-details|einzelmeldung|blog|footer|_?assets|fileadmin/_processed_/|_processed_)/
This also does not work. We also set the “Traversal depth to use for directory traversal attacks during CGI scanning:” to 2, but even if the depth of /fileadmin/_processed_/2/0/ is more then 2 level, the folders still get scanned.
Can anyone help me to figure out how to exclude some folder / url parts from any scan activity?
Regards
Michael