
How do I blacklist file types for web assessments?

You can blacklist specific file types to prevent them from being scanned during a web application assessment. This is useful when a web application contains large files that can significantly increase assessment duration or are not relevant to security testing.

When you create a new web application, the scanner excludes several file types by default.

File types excluded by default

The following file extensions are blacklisted by default and are visible in the configuration:

.zip, .tar, .bz2, .gz, .pdf, .ppt, .pptx, .doc, .docx, .odp, .woff, .woff2, .mp4, .mp3, .mov, .avi, .flv, .swf, .wmv, .wav, .rar, .7z, .deb, .rpm, .iso, .bin, .dmg, .xls, .xlsx

Add or remove file types for a new web application

When creating a new web application, you can modify the default file type exclusions. This is described in the following article:

https://support.holmsecurity.com/hc/en-us/articles/213291009

Edit file type exclusions for an existing web application

To modify file type exclusions for an existing web application, follow these steps:

  1. Log in to your Security Center.

  2. In the main navigation bar, hover over Assets.

  3. From the dropdown menu, select Web applications & APIs.

  4. Click the Edit icon next to the web application you want to update.

  5. Select Crawl exclusion list.

  6. Under Blacklist URL Extensions, you can:

    • Enable or disable URL extension blacklisting.

    • Add a new file extension by typing it and pressing Enter.

    • Remove an existing file extension by clicking the “x” next to it.

  7. Click OK to save your changes.

The updated file type blacklist will be applied the next time the web application is assessed.