IBM Support

How to optimize scans and jobs by setting correct "Redundant Path Limit"

Technote (FAQ)


How to optimize scans by setting correct "Redundant Path Limit" in IBM Security AppScan Standard, IBM Security AppScan Enterprise, and Rational Policy Tester.


In AppScan Standard and AppScan Enterprise, the Redundant Path Limit is set by default to 5.


AppScan Standard version 9.0.3 introduced a new feature called DOM Filtering. This feature makes the technique described here obsolete. DOM Filtering was discussed in an OpenMic session recorded at Scanning with DOM Filtering in AppScan.

How is the Redundant Path Limit counted?

The Redundant Path Limit setting restricts the number of requests to a URL, where the URL is taken without its query parameters.

For example, these three paths:
     http: //
     http: //
     http: //
are counted as redundant paths. The unique path is represented by: folder1/folder2/index.jsp

(In AppScan Enterprise, due to its integration with Policy Tester where the focus is content scanning, the query is included in the redundant path limit calculations.)

Why can redundant paths be limited?

Consider a site with biography pages for different artists, each of which consists of a unique path, biography.jsp, and a value of a query parameter called artist, as follows:


The structure of the pages will be the same for all three pages. The only difference between them is the text of the biography and the picture(s) displayed in the page. If there is a Cross-Site Scripting vulnerability on the session parameter, it will exist on all of them, so it does not make sense to navigate to all of them. It is enough to navigate to the biography.jsp path only once.

Why is the redundant path limit set to 5 by default?

There are situations where parameters affect the structure of the page, for example the navigational parameters that are encountered in MegaScript applications (review Handling MegaScript sites with AppScan Standard). In this case, the vulnerabilities may be different depending on which parameter is used.

The restriction to 5 redundant paths was set in an attempt to find a middle ground between parameters that affect the page content and parameters that affect the page structure. However, if the parameters only affect the page content and the site has 200 pages, AppScan will discover 1000 pages and take 5 times longer to explore the site.
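The counting rule and the 200-page estimate above can be checked against a URL list before choosing a limit. The following Python sketch is an added example, not IBM or AppScan code: it is a simplified model of the rule as this technote describes it, and the function names, the `example.test` host, and the choice to keep the host in the counting key are assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit


def path_key(url):
    """Counting key: the URL with its query string dropped.
    Keeping the host in the key is an assumption of this sketch."""
    parts = urlsplit(url)
    return parts.netloc.lower() + parts.path


def apply_limit(urls, limit=5):
    """Return (kept, skipped): URLs explored when at most `limit` distinct
    URLs are allowed per path key, and a per-path count of those dropped."""
    visited, used, skipped, kept = set(), Counter(), Counter(), []
    for url in urls:
        if url in visited:          # exact duplicates are never re-explored
            continue
        visited.add(url)
        key = path_key(url)
        if used[key] < limit:
            used[key] += 1
            kept.append(url)
        else:
            skipped[key] += 1
    return kept, skipped


def explore_size(urls, limit):
    """Number of URLs that remain in the explore stage under `limit`."""
    return len(apply_limit(urls, limit)[0])


# Constructed sample: 200 content-only pages, 8 query variants of each.
SAMPLE_URLS = [
    f"http://example.test/page{p}.jsp?artist={a}"
    for p in range(200) for a in range(8)
]

if __name__ == "__main__":
    for limit in (5, 1):
        kept, skipped = apply_limit(SAMPLE_URLS, limit)
        print(f"limit={limit}: explore {len(kept)} URLs, "
              f"skip {sum(skipped.values())} across {len(skipped)} paths")
```

Feeding it the URL list from an earlier explore or from a proxy log shows which paths the limit would truncate, and therefore which ones to check for structure-changing parameters before lowering the value.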

Can you change the redundant path limit?

In cases where AppScan runs out of resources, or scanning takes too long, you can decrease the redundant path limit, even to 1, if there are no parameters that affect the structure of the pages. However, if there is a limited number of pages that change their structure based on parameter values, you may use manual explore or multi-step operations to explore those pages.

Consult the white paper How to avoid scanning the same item multiple times.

How to change the redundant path limit?

You can change the redundant path limit with the following settings:

  • In AppScan Standard: Scan Configuration > Explore Options > Redundant Path Limit
  • In AppScan Enterprise and Policy Tester: Edit job properties > Explore Options > Redundant Path limit

Cross reference information

Segment | Product | Component | Platform | Version | Edition
Security | IBM Security AppScan Enterprise | Scan: Performance | | |
Security | Rational Policy Tester | Performance | | |

Document information

More support for: IBM Security AppScan Standard
Scan: Performance

Software version: 8.7, 8.8, 9.0, 9.0.1, 9.0.2, 9.0.3

Operating system(s): Windows

Reference #: 1612674

Modified date: 06 September 2016
